Neowin Login Not Secure?

question suggestion

  • This topic is locked
108 replies to this topic

#46 +GreenMartian

GreenMartian

    Neowinian Senior

  • Joined: 28-August 04
  • Location: adelaide, au

Posted 26 February 2013 - 12:11

We already have a donations page. Except we don't call those people donors, we call them subscribers. ;)

Some people might 'donate' more if they know the money will be going towards certificate signing. I, for one, would.
But looking at the comments here, this seems unlikely to happen.


#47 Ambroos

Ambroos

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 16-January 06
  • Location: Belgium
  • OS: Windows 7 + 8.1
  • Phone: Sony Xperia Z2

Posted 26 February 2013 - 12:11

Or secure yourself and sign in using Facebook or Twitter. As an added bonus you only need to sign in once and you can log in to many sites without having to enter anything at all.

But I agree, logging in should really go over SSL. Certificate cost shouldn't be a problem, RapidSSL's certificates are perfectly fine and trusted in all browsers and operating systems and only cost $49 for neowin.net or $199 for *.neowin.net. That shouldn't be too hard.

Your password can't just get sniffed on your computer but on any public network you connect to. When our school's WiFi wasn't secured we could sniff hundreds of passwords in a few minutes by just launching a Firefox plugin. You can't completely secure yourself as a user, but when Neowin decides to let logins go over SSL you are perfectly fine.

It's 2013 now, we've come to a point where even regular Google searches happen over SSL. Any site where you can only login over an unencrypted connection should be banned from the internet.

#48 OP +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 26 February 2013 - 12:36

To be honest, I do find it funny that it has not come up since that 2006 thread. To be honest, I was in the middle of posting how a site does not have to be fully https to have a secure login in that other thread.. I was quite sure that neowin would be doing the best practice thing of using https for the login portion.

But as always - better check your facts.. And figured I would use the code as an example of how it's done, etc..

So is this something that is going to be fixed? Could not seem to tell which way this is going.. Now back in 2006 the likelihood of wifi sniffing was a lot less, not everyone was on a tablet surfing the web whenever and wherever, etc.. But as mentioned, in 2013 there is a browser addon to gather such info ;)

I normally don't like using fb or twitter logins - but if they are secure I might have to switch. Is there an actual openid method of logging in?

#49 Ambroos

Ambroos

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 16-January 06
  • Location: Belgium
  • OS: Windows 7 + 8.1
  • Phone: Sony Xperia Z2

Posted 26 February 2013 - 12:40

Only Facebook and Twitter for OAuth logins...

#50 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Nokia Lumia 1020

Posted 26 February 2013 - 13:05

Erm, except it's not US sending cleartext passwords, it is the person logging in sending a password that could be sniffed with a keylogger or something. Our member passwords are encrypted/hashed/salted on our servers.


So it's the USERS' fault that your login page doesn't pre-encrypt/hash passwords before they're sent, or use SSL.

A keylogger is kind of an invalid argument, since at that point your computer is already fully compromised and it doesn't matter where it's encrypted, unless you have a keyboard with a TPM chip that encrypts the password before the computer sees it, which is kind of unreasonable and beside the point :)

Point is, the password can be hashed client side before it's sent without "expensive" SSL certs.

As it is, even if they're not stored as clear text, someone could inject bad code into your site and have all the cleartext passwords sent to you every day passed on.

#51 OP +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 26 February 2013 - 13:19

^ I agree. Even if not over a secure connection, at the very minimum the username and passwords should be hashed; this would keep out the wannabe addon users sniffing this stuff for fun.

But I really don't think the cost of the ssl cert should be an issue these days https://www.cheapssls.com/

I am fairly sure you can get a trusted cert for like $5 a year if need be. There are quite a few options that are under $20.

#52 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 26 February 2013 - 13:23

There are some free certs you can get that last a year or whatnot.
Doesn't need SSL anyway, can do JS-MD5 if they're using the default IPB login.

Anyway you think this is bad? Go take a look at faceparty, not only does it transmit your password in plain text - they're STORED in plain text, you can have them emailed out to you AND the 'mods' of the site can view your password!
That I think is probably the most laughable system I've seen in years.

#53 DaveLegg

DaveLegg

    Coderator at heart

  • Tech Issues Solved: 20
  • Joined: 31-October 04
  • Location: Oxford, UK

Posted 26 February 2013 - 13:23

So it's the USERS' fault that your login page doesn't pre-encrypt/hash passwords before they're sent, or use SSL.

A keylogger is kind of an invalid argument, since at that point your computer is already fully compromised and it doesn't matter where it's encrypted, unless you have a keyboard with a TPM chip that encrypts the password before the computer sees it, which is kind of unreasonable and beside the point :)

Point is, the password can be hashed client side before it's sent without "expensive" SSL certs.

As it is, even if they're not stored as clear text, someone could inject bad code into your site and have all the cleartext passwords sent to you every day passed on.

Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing then to maintain security: first the password would be hashed on the client side (and what about people who browse with JavaScript disabled, how would this work for them?) and then be passed to the server to be salted and hashed again to check against the database.

#54 xWhiplash

xWhiplash

    Neowinian Senior

  • Joined: 07-March 08

Posted 26 February 2013 - 13:32

Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing then to maintain security: first the password would be hashed on the client side (and what about people who browse with JavaScript disabled, how would this work for them?) and then be passed to the server to be salted and hashed again to check against the database.


Agreed, this seems to be an IPB issue, not just a Neowin issue. The only way to solve this while allowing people without JavaScript to log in would be to use an SSL certificate, it seems.

#55 Riggers

Riggers

    Neowinian

  • Tech Issues Solved: 4
  • Joined: 03-March 08

Posted 26 February 2013 - 13:34

Just thinking, maybe with a site as big as this it might be worth approaching a cert authority to see if they can do you a deal. You know, they then get free(ish) advertising with a "login secured by XYZ" logo, perhaps on the main page.

#56 OP +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 26 February 2013 - 13:35

Or how about adding other options for login, like generic OpenID vs FB and Twitter. Not everyone uses those services, and if they do -- maybe they don't want to link their neowin account with those accounts, etc.

#57 Ambroos

Ambroos

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 16-January 06
  • Location: Belgium
  • OS: Windows 7 + 8.1
  • Phone: Sony Xperia Z2

Posted 26 February 2013 - 13:37

Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing then to maintain security: first the password would be hashed on the client side (and what about people who browse with JavaScript disabled, how would this work for them?) and then be passed to the server to be salted and hashed again to check against the database.


Exactly, that would be overly complicated and still not the way it should be.

So please tell me why you won't just do it all the easy way and implement SSL for logins?

#58 xWhiplash

xWhiplash

    Neowinian Senior

  • Joined: 07-March 08

Posted 26 February 2013 - 13:43

Forum software is not very secure. Most of them still use MD5 hashing, unless you have the money and power to write your own forum software. You can write hooks and light mods to change the hashing and other things, but when there is an IP.Board update, you have to do that all again. And it could potentially open up a security hole for other hacking methods.

There is really nothing you can do besides SSL. I do not see what the big deal is though; it is not the site owner's/developers' fault if people use the same passwords, and IP.Board is just a community. Anything critical like purchases is done through PayPal, WHICH IS HTTPS.

Exactly, that would be overly complicated and still not the way it should be.

So please tell me why you won't just do it all the easy way and implement SSL for logins?


Last time I looked, GOOD SSL certificates were $400 or more per year (like verisign here - http://www.symantec....sl-certificates). I wouldn't trust ones for $50, those must have very light security and such.

#59 ]SK[

]SK[

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 12-October 04
  • Location: Nottingham, UK
  • OS: Windows 8.1
  • Phone: Nexus 5

Posted 26 February 2013 - 13:50

If Microsoft, Google, Mozilla etc. trust an SSL provider in their browsers, why shouldn't you trust them? That's all a certificate authority is, a trusted source.

#60 xWhiplash

xWhiplash

    Neowinian Senior

  • Joined: 07-March 08

Posted 26 February 2013 - 14:19


If Microsoft, Google, Mozilla etc. trust an SSL provider in their browsers, why shouldn't you trust them? That's all a certificate authority is, a trusted source.


I was talking about $50 certificates vs $300/year certificates. If you look at the Verisign page, they have more expensive certificates that give you more benefits. I wouldn't think a $40 certificate would be very good. It would make me pause about implementing that in my own site. I would rather go with the very popular and secure ones vs a cheapo one.

Microsoft, Google, Mozilla, and others use very expensive Verisign (and other top notch providers) certificates.