Neowin Login Not Secure?

[Riggers]

You wouldn`t need anything like EV-SSL, simple DV would easily suffice for what is required. For me a site like Neowin should be actively encouraging this type of practise, it writes about it enough on the front pages. I`m not saying that our passwords for this forum are something that a MITM attacker would necessarily wan`t just that if it helps spread the usage of such methods and brings awareness to the issues then surely that`s a good thing.

[DaveLegg Developer]

No it's not. I've listed to all 392 episodes of Security now, and the answer of

"I login to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text."

would make them shake their heads. No hard feelings!

It's not an excuse, merely a commentary on a (probably) normal usage pattern of the website.

BudMan, you are correct, cookies for the session info etc are still sent in plain text, but this is something that happens with many websites. For example, the default on Facebook is to login via https, and then use unencrypted http for the rest of the session, but they have an option to force https for the whole session if you wish.

[+BudMan MVC]

"but they have an option to force https for the whole session if you wish."

Is this something that might be an option once the SSL cert is obtained? I really don't think such a site as neowin requires such action, and could be unwarranted strain on the servers in general. But might be a nice option for those more security minded users.

I do believe it would be possible to implement some current security practices without too much effort on the developers part and min extra work for the servers and cost, etc. It would be good thing for neowin to lead by example in the field and quite possible to show how neowin is ahead of the curve when it comes to security compared to other such sites.

edit: Maybe the whole site https option could be an option for subscribers only, etc. This might get a few more to join that rank and help neowin offset any added cost in such an implementation?

[JonnyLH]

More worried about local wifi sniffers, that quite often could be kids just out for some lulz, etc. Now those can be mitigated with a secure connection across the open wifi like vpn or ssh tunnel for browser traffic, etc. But if best practices where followed, the login info would be secure anyway - which would reduce the risk of some kids out for some fun using a browser addon and simple wifi sniff. Again I am not too worried about someone sniffing my traffic while at home or work, etc. Or place of business that has a secure wifi connection.

Your worries are right but I'm afraid it isn't just as easy as securing the connection, adding server certificates. There are network flaws which simply can't be fixed, this is because of the RFC's related to the OSI Stack.

A hacker could join onto a public hotspot and essentially hijack all the popular websites he'll see results on. This could be Facebook, Amazon, Best Buy whatever. These websites will all have SSL certs, security measures in place. When he hijacks a website, the SSL certificate is in-tact (if done properly) and everything should appear fine, again if done properly. The hacker will still take logins, credit-card details. There's just nothing you can do. Even a security minded individual would have trouble spotting it. I wouldn't know.

So in terms of Neowin being secure, I know IPB is very good in that area. Regarding SSL, it wouldn't even be necessary. For the guys, it would more so be there just to make the people visiting feel happy.

Also, to reflect on the hacking technique I mentioned above, this would have to be planned and developed with quite a bit of time and effort. I wouldn't worry about joining your local Starbucks wifi anytime soon.

[Guth]

Just wanted to say that for those saying "its just a forum" what about the fact some people link their twitter

if you posted a status update on the forum and said "post to twitter also" (which is an option" then you could post tweets to someone elses twitter!

[DaveLegg Developer]

"but they have an option to force https for the whole session if you wish."

Is this something that might be an option once the SSL cert is obtained? I really don't think such a site as neowin requires such action, and could be unwarranted strain on the servers in general. But might be a nice option for those more security minded users.

I do believe it would be possible to implement some current security practices without too much effort on the developers part and min extra work for the servers and cost, etc. It would be good thing for neowin to lead by example in the field and quite possible to show how neowin is ahead of the curve when it comes to security compared to other such sites.

It's something we'll look into, we'll have to measure the extra load that it puts on the servers and judge if that is something we're able to cope with.

In terms of back-end security, the way we prevent malicious scripts from being uploaded and executed, I think we're pretty strong, we used to have issues with flaws in IPB that would allow scripts to be uploaded as attachments, and then accessed by the malicious user to run commands on the servers, and do all kinds of things. Now even if IPB still has those flaws, the scripts won't work. We also have code in place that ensures that none of our files have been modified by anyone other than our devs.

[+BudMan MVC]

I think a sophisticated mitm attack such as what your talking about is way beyond the scope of the original point of this topic.

Not saying such an attack is not possible, but just because sophisticated attacks are possible does not remove the responsibility of due diligence in providing protection against less complex attacks, etc.

Lets take some baby steps, and methods that would be required for neowin to mitigate such attacks would have no justification in cost in time/effort and support by the users in using methods and practices that prevent or identify such an attack. Now if neowin was where I did my banking, it might be a different story ;)

edit: I am very happy with the staff response to the query, and satisfied that after the upgrade this practice will change. If not, I will be sure to remind them of this thread ;) hehehe

[JonnyLH]

I think a sophisticated mitm attack such as what your talking about is way beyond the scope of the original point of this topic.

Not saying such an attack is not possible, but just because sophisticated attacks are possible does not remove the responsibility of due diligence in providing protection against less complex attacks, etc.

Lets take some baby steps, and methods that would be required for neowin to mitigate such attacks would have no justification in cost in time/effort and support by the users in using methods and practices that prevent or identify such an attack. Now if neowin was where I did my banking, it might be a different story ;)

If Neowin was hackable easily, it would of been done by now.

Less complex attacks like sniffing on a public wifi spot use the same flaws I mentioned for the attacks above, just looked at in a different manner. The bad thing is about security is that the best security engineers are the ones who used to be hackers.

I'd like to point out just for the sake of Neowin. The discussion topic is not a FLAW. Its simply a understanding of how these processes work.

[f0rk_b0mb]

Well. Kudos to Budman for finding this flaw. :punk:

I for one, will be changeing all of my passwords for kicks and giggles when I get home. :)

[+BudMan MVC]

"If Neowin was hackable easily, it would of been done by now."

I am not saying that neowin is hackable because they don't secure the transmission of the uses login info. What I wanted to point out, that in this day an age there is little reason to send such info in the clear.

I was surprised that it was to be honest. Now I just checked on another forum site I frequent, and they are doing the same sort of thing posting such info via http vs https. But their code is hashing the password before transmission, not a great solution for many reasons already mentioned. But they too have a thread where someone (not me) brought up the oversite. They have responded that after the upgrade to new version of their forum software they would be making the change to https in the posting of such info as well.

I am not trying to say that neowin dropped the ball in anyway shape or form, many many sites do the same thing. Not saying that neowin is not a secure site, just wanted some clarification to what was pointed out to me, and I verified was happening.

Again I have been very happy with the response from the staff, and in general it's not really that big of an issue taking into account the nature of the site, etc. But it sure couldn't hurt to encrypt such info, and then maybe tackle the session cookies in the clear issue ;)

[JonnyLH]

"If Neowin was hackable easily, it would of been done by now."

I am not saying that neowin is hackable because they don't secure the transmission of the uses login info. What I wanted to point out, that in this day an age there is little reason to send such info in the clear.

I was surprised that it was to be honest. Now I just checked on another forum site I frequent, and they are doing the same sort of thing posting such info via http vs https. But their code is hashing the password before transmission, not a great solution for many reasons already mentioned. But they too have a thread where someone (not me) brought up the oversite. They have responded that after the upgrade to new version of their forum software they would be making the change to https in the posting of such info as well.

I am not trying to say that neowin dropped the ball in anyway shape or form, many many sites do the same thing. Not saying that neowin is not a secure site, just wanted some clarification to what was pointed out to me, and I verified was happening.

Again I have been very happy with the response from the staff, and in general it's not really that big of an issue taking into account the nature of the site, etc. But it sure couldn't hurt to encrypt such info, and then maybe tackle the session cookies in the clear issue ;)

Oh yeah, I definitely agree with you. Sorry, we've been bouncing back and forward ha.

SSL should definitely be implemented. Its just in good nature that one of the largest tech forums/news sites incorporates it. My point was, if you did this it still wouldn't make the password secure.

Regarding local encryption with vBulletin, all it is, is a md5 function. Once retrieved you can just pop it in one of many md5 decrypts on the internet. Hopefully it then re-hash's that password. If it just takes the md5 from the client, then uses a salt to encrypt then thats less secure because you can retrieve the md5 hash before its salted.

Just goes on and on...

[#Michael]

Also - I did not mean to open a can of worms here, as mentioned multiple times -- this is just a forum and really nothing should be here that is of a critical nature to ones privacy or security. But even in this day and age, some users continue to use bad passwords, same password on multiple sites. I would not be surprised if some users here use the same password they use for their registered email account with neowin as their email password, and shutter to think even their banking websites, etc.

That really isn't true. How many users here link their facebook/skype/im/personal websites to their user profiles. I am guessing quite a bit. If the site were to be compromised then there is a chance that this information could be gotten also.

[+BudMan MVC]

"if you did this it still wouldn't make the password secure."

It would be much more secure than the current clear text method of sending it :rofl:

But yeah I agree with you method of transmission does not always mean its "secure" For all we know 87% of users passwords here on neowin are "P@55w0rd1" And if someone wanted they could just pick a user at random and try a couple of common passwords and get in to those accounts.

I wonder what neobonds password is? You going to be at starbucks or something sometime soon? ;)

[SuperKid]

I don't see a major issue here? your password you send to the server is always unencrypted and that's the way it is, HTTPS does make things more secure though because it stops people sniffing around to get that password but I think you'd have to be pretty unlucky to have that happen to you anyway.

Comodo is the cheapest way to get an SSL Certificate and does work on most browsers, but obviously the real good ones like Verisign cost a lot of money. The cost of a Verisign Certificate could actually be used for an extra server at neowin to improve speed loads its that expensive..

[vcfan]

this. isn't. a. banking. website. get a grip people.

[+Warwagon MVC]

this. isn't. a. banking. website. get a grip people.

W......T........F

So because this isn't a banking website people should just be ok that stuff flying back and forth in the clear?

[TAZMINATOR]

this. isn't. a. banking. website. get a grip people.

What if someone got your password and logged in and went to your neowin profile editor to steal your email address then log out... so he/she can send spams using your email address?

Think about it... I agree and understand what Budman have said about the concerns over logins.

clear text based login is a NO NO. I am surprised that Neowin didn't do a thing about it until Budman brought it up.

[trek]

Godaddy SSL Certs start at $69/year for one domain... Just sign neowin.net and only use it for the login post action...

[Timan Veteran]

Would be nice to have, though I am curious. Anyone know any other forums that offer secure login?

[+Warwagon MVC]

Godaddy SSL Certs start at $69/year for one domain... Just sign neowin.net and only use it for the login post action...

I've heard horror stories about Godaddy

[TAZMINATOR]

Would be nice to have, though I am curious. Anyone know any other forums that offer secure login?

Yes a few of them do... some of them have options in the panel to enable secure mode. Such as phpbb

Google around and you will see what you find.

[nub]

So why did this turn into a SSL discussion, when the cheaper and easier solution that also doesn't nag about the site being mixed https and http so to simply encrypt/hash/salt the password before sending. and not store the clear text password in the database.

Because its useless. All it does is transform you password into another form. The attacker can just send your pw hash as your password. Bam you're into the account. The only useful thing it does is prevent the attacker using the hash on another website that uses a different hash algorithm or no hashes.

[HawkMan]

I've heard horror stories about Godaddy

just because for some reason web hosts have fanboys, and because GoDaddy is so huge they have a lot of haters for some reason.

[threetonesun]

just because for some reason web hosts have fanboys, and because GoDaddy is so huge they have a lot of haters for some reason.

Well, that and their customer support blows *** and their administration site looks like it was designed by a 12 year old, but otherwise I guess they're fine.

[FiB3R]

just because for some reason web hosts have fanboys, and because GoDaddy is so huge they have a lot of haters for some reason.

In the last few years, GoDaddy has come under fire plenty of times ? and for plenty of reasons.

Not only has the company used sexual advertising several times to promote its services, which has led to backlash several times, but in early 2011 then-CEO Bob Parsons killed a wild elephant in Zimbabwe, which many believed was just another sign that the company was willing to engage in unethical practices. (This includes buying domain names users search for and then inflating the value of these domains when users return to purchase them so GoDaddy makes a larger profit on the transaction.)

In late 2011, GoDaddy also initially supported SOPA, which also indicated the company was not willing to support its customers freedom of speech and activity on the internet. (GoDaddy reversed their opinion shortly after a call to boycott the company because of this.)

Seems like enough reasons to me.