Jump to content



Photo

Neowin Login Not Secure?

question suggestion

  • This topic is locked This topic is locked
108 replies to this topic

#31 articuno1au

articuno1au

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 20-March 11
  • Location: Brisbane, Australia

Posted 26 February 2013 - 10:00

Going to leave this right.. here..

Posted Image




#32 nekkidtruth

nekkidtruth

    I'm sorry, do you still exist?

  • Joined: 10-March 07
  • Location: Canada
  • OS: Windows 7 64-bit
  • Phone: Stock LG Nexus 5

Posted 26 February 2013 - 10:07

Don't worry about it :)


My poke wasn't directed at Neowin (staff), it was towards the fact that for the most part the folks that use Neowin are technologically savvy individuals and someone was just coming across this now (Or so it was believed before Dave posted the old thread). When you quoted the length of time, it literally made me laugh. I just found it ironic.

I think Neobond merely misinterpreted the first post, as not having SSL is something we've discussed in the past (as shown by the link in my previous post)


I'm chalking it up to early money brain cloud (for those of you just waking up) and late night brain cloud (for those like me who are just about to come off a 12 hour overnight shift) ;)

Ook? Ook. Ook! Ook! (sorry, can't resist.. :p )


Lol :p

As for the issue, I don't really think it's that big of a deal.

#33 Mike

Mike

    Neowinian Senior

  • Joined: 11-August 02

Posted 26 February 2013 - 10:10

Ones that are fully trusted, and don't create browser alerts yeah.. expensive.


$15 isn't expensive ;)

#34 DaveLegg

DaveLegg

    Coderator at heart

  • Tech Issues Solved: 10
  • Joined: 31-October 04
  • Location: Oxford, UK

Posted 26 February 2013 - 10:13

I think in general, if your traffic is being sniffed, you probably have a bit more to worry about than your Neowin password being stolen

#35 Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 61
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 February 2013 - 10:27

My poke wasn't directed at Neowin (staff), it was towards the fact that for the most part the folks that use Neowin are technologically savvy individuals and someone was just coming across this now (Or so it was believed before Dave posted the old thread). When you quoted the length of time, it literally made me laugh. I just found it ironic.

I'm chalking it up to early money brain cloud (for those of you just waking up) and late night brain cloud (for those like me who are just about to come off a 12 hour overnight shift) ;)


I had just woke up (was on first coffee) :p

#36 joemailey

joemailey

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 21-January 09

Posted 26 February 2013 - 11:16

The way I see it, a lot of people use the same passwords for different sites.
I'm pretty sure people do it here.

It's all well in saying use a different password etc etc. but standard users won't do that.

So for a small fee of an SSL cert. I'm sure we could do a whip around and get the cash raised pretty easliy. I'll donate a few dollars no problem :-)
To me sites need to protect the user, just as much as the user needs to protect themselves.

Even if the info isn't that important, some of the stuff could be used for social engineering attacks.

#37 cork1958

cork1958

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 04-October 02

Posted 26 February 2013 - 11:17

There was a previous discussion about this here: http://www.neowin.ne...ds-https-login/


Not bad. It's ONLY been 7 years since that topic was started!!

Neowin is right on top of it. Certs ARE NOT that expensice now a days, as has already been pointed out, but with all the issues this site has every time they update the board, certs would only screw it up more, I'm sure! :rofl:

#38 ashpowell

ashpowell

    Neowinian

  • Joined: 13-November 06
  • Location: UK
  • OS: Windows 8.1
  • Phone: Nexus 5

Posted 26 February 2013 - 11:43

So reading a thread and came across this statement

"Even the neowin login page is not encrypted"

Now I thought to myself - that can not be true.. I know the page itself is not fully encrypted, but that is not an issue the sending of the username and password could be using a https post, etc.

So figured I would take a look see.... Oddly enough, the post for the login looks to be in the clear from the page source

	<form action="http://www.neowin.net/forum/index.php?app=core&amp;module=global&amp;section=login&amp;do=process" method="post" id='login'>

Now I said -- hmmm, I know a little bit about html, but maybe I am missing something and I am looking at it wrong or something. So I did what I know better and that is looking at network sniffs... So I took one while logging in..

And what you know - my password right there in the clear?? That is not a very safe practice... I know its only a forum and such, and I agree you sure don't have to encrypt the whole site - but not the sending of the username and password?? That needs to be corrected!!

Now my password is complex random - but I assure you it was in the clear.



Not sure what that auth part is there I highlighted, but hid it as well.

So am I correct in that everyone that is logging into neowin is sending username and password in clear??



Off-topic a bit, but how did you do that? I'd like to test a few sites

#39 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 26 February 2013 - 11:54

So why did this turn into a SSL discussion, when the cheaper and easier solution that also doesn't nag about the site being mixed https and http so to simply encrypt/hash/salt the password before sending. and not store the clear text password in the database.

you'd think the fact that the passwords are stored in clear text would be the real worry here.

How many people's clear text passwords could someone steal by hacking the neowin database. but at least neowin is secure and always running the latest up to date IPB version so there should be no worries of that... ;) :p

#40 Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 61
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 February 2013 - 11:58

So why did this turn into a SSL discussion, when the cheaper and easier solution that also doesn't nag about the site being mixed https and http so to simply encrypt/hash/salt the password before sending. and not store the clear text password in the database.

you'd think the fact that the passwords are stored in clear text would be the real worry here.

How many people's clear text passwords could someone steal by hacking the neowin database. but at least neowin is secure and always running the latest up to date IPB version so there should be no worries of that... ;) :p


Erm, except it's not US sending cleartext passwords, it is the person logging in sending a password that could be sniffed with a keylogger or something. Our member passwords are encrypted/hashed/salted on our servers.

#41 Nick H.

Nick H.

    Neowinian Senior

  • Tech Issues Solved: 12
  • Joined: 28-June 04
  • Location: Switzerland

Posted 26 February 2013 - 12:00

On topic, how about setting up a donation page? Then annoy the hell out of your users, a'la Wikipedia?

We already have a donations page. Except we don't call those people donors, we call them subscribers. ;)

#42 DrakeN2k

DrakeN2k

    Neowinian

  • Joined: 04-December 10

Posted 26 February 2013 - 12:00

I believe SSL this should be added or HTTPS , note: im not tech savy with the web.

#43 Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 61
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 February 2013 - 12:04

This needs to be sorted , every other day sites and people get hacked this is not helping , if neowin gets hacked how many 1000s of people details will be lost.

I know this is just you to the server problem.


As I already pointed out, nothing about your password is stored on our servers as plain text, What YOU send however could be picked up by network sniffing, just like someone could steal your phone and then call any of your contacts on it (if the phone was unlocked).

#44 DrakeN2k

DrakeN2k

    Neowinian

  • Joined: 04-December 10

Posted 26 February 2013 - 12:06

As I already pointed out, nothing about your password is stored on our servers as plain text, What YOU send however could be picked up by network sniffing, just like someone could steal your phone and then call any of your contacts on it (if the phone was unlocked).


After i read your post above i edited my post , sorry for not reading the whole thread before i posted.

#45 Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 61
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 February 2013 - 12:07

After i read your post above i edited my post , sorry for not reading the whole thread before i posted.


No worries :)



Click here to login or here to register to remove this ad, it's free!