Jump to content



Photo

Neowin Login Not Secure?

question suggestion

  • This topic is locked This topic is locked
108 replies to this topic

#61 Harrison H.

Harrison H.

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 21-August 04
  • Location: Florida
  • OS: Windows 8.1
  • Phone: Nokia Lumia 1520

Posted 26 February 2013 - 14:25

I was talking about $50 certificates vs $300 /year certificates. If you look at the verisign page, they have more expensive certificates that give you more benefits. I wouldn't think a $40 certificate would be very good. It would make me pause about implementing that in my own site. I would rather go with the very popular and secure ones vs a cheapo one.

Microsoft, Google, Mozilla, and others use very expensive Verisign (and other top notch providers) certificates.

A cheap certificate is perfectly acceptable. It's real purpose is to encrypt the traffic, which is really all we're asking for here. Those expensive certs are basically the same thing. The difference is the amount of work you have to do to get them. See http://www.ehow.com/...rtificates.html


#62 Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 68
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 February 2013 - 14:28

IPB dropped OpenID support afaik.

#63 ]SK[

]SK[

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 12-October 04
  • Location: Nottingham, UK
  • OS: Windows 8.1
  • Phone: Nexus 5

Posted 26 February 2013 - 14:33

A cheap certificate is perfectly acceptable. It's real purpose is to encrypt the traffic, which is really all we're asking for here. Those expensive certs are basically the same thing. The difference is the amount of work you have to do to get them. See http://www.ehow.com/...rtificates.html


Exactly. As long as the certificate is trusted then your end users will not get annoying certificate alerts. As said the main purpose is to secure the authentication process upon user logon. Any SSL is better than plain text!

I use an SSL Certificate from StartSSL to secure my home Remote Gateway Server. It's trusted in all browsers and costed exactly nothing.

#64 shozilla

shozilla

    Neowinian Senior

  • Tech Issues Solved: 6
  • Joined: 11-January 09

Posted 26 February 2013 - 14:47

I was talking about $50 certificates vs $300 /year certificates. If you look at the verisign page, they have more expensive certificates that give you more benefits. I wouldn't think a $40 certificate would be very good. It would make me pause about implementing that in my own site. I would rather go with the very popular and secure ones vs a cheapo one.

Microsoft, Google, Mozilla, and others use very expensive Verisign (and other top notch providers) certificates.


It doesn't matter... expensive and cheap SSL certs are same which they both use up to 256 bit encryption systems.

If Neowin isn't a LLC or an Incorporation, then they can not afford to get SSL certs from Verisign or whoever. But they can get SSL from other SSL providers such as RapidSSL for less expensive. If they are a LLC or Inc., then do not forget that they pay for the servers to keep them up running and maintenance costs, etc. They might not have enough $ to get SSL from Verisign.

For example, you have SSL from Verisign, they will raise their rate to about $1000 a year, you will be surprised, then you will move your SSL to alternative provider for cheap rate to save money for your company. Simple.

You will do same way when you buy a car.... in your local town, car cost $25,000... in other state, car cost $15,000.. would you go out of state to get that car? Yeah? See people would get cheap one with same features as the local car has. It is about save money.

#65 OP +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 26 February 2013 - 14:52

If what neowin wanted was to VERIFY they are who they say they are and own the domain, etc. Then ok maybe the more costly certs might be in order, you have to jump through some hoops in the verification process for some of those certs.

But we are talking just the encryption of the username and password, for that matter just the password would work. As long as the transmission is secured does not matter if its a FREE cert (as long as trusted by many browsers) Even if not trusted, neowin could provide the means of trusting said cert for those users that wanted to not be nagged and didn't want to make exception in their browsers (for those that support that).

So any sort of cert would be better than no cert, yes even a FREE one. So can we get a clear answer - will neowin be changing to SSL for the login or not? I really don't see how a <$50 cert should be an issue. Do we really need to take up a collection? ;)

I agree its just a forum, and most of the info does not justify encryption of the traffic. But what I would like to see is the login sent in a secure manner - this is just common best practice. Now it might be true that many site run in this fashion where login info is not encrypted. I will be checking all of the ones I frequent. They are all tech related sites, you would have to assume a tech related forum would use best practices, especially something so simple to implement.

#66 JonnyLH

JonnyLH

    I say things.

  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 26 February 2013 - 14:52

Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing then to maintain security, first the password be hashed on the client side (and what about people who browse with javascript disabled, how would this work for them?) and then be passed to the server to be salted and hashed again to check against the database.


Took the words completely out of my mouth. I really do doubt anyone browses without JS on these days on the other hand, most modern websites as you know, just wouldn't work.

Even if you implemented a client-side encryption method, if it was md5 or salt based hashing, you'd still provide your encryption technique for the world to see. This thread has been blown way out of proportion. Any website which isn't https will do the same. What the OP displays is just a simple HTTP POST.

If you have an entity snooping your internet traffic. Then you have more of a serious problem and isn't probably just looking for simple forum passwords, its very sneaky business.

Just to worry you more, there is a very good middle man technique which actually keeps the integrity of a SSL cert. So, if you had someone with the intent of doing something, an SSL cert wouldn't completely stop them.

#67 DaveLegg

DaveLegg

    Coderator at heart

  • Tech Issues Solved: 10
  • Joined: 31-October 04
  • Location: Oxford, UK

Posted 26 February 2013 - 15:04

So can we get a clear answer - will neowin be changing to SSL for the login or not?

That's up to Neobond and Redmak to decide

#68 Redmak

Redmak

    Neowinian Senior

  • Tech Issues Solved: 39
  • Joined: 09-July 01
  • Location: Netherlands
  • OS: Windows 8
  • Phone: HTC One

Posted 26 February 2013 - 15:10

So can we get a clear answer - will neowin be changing to SSL for the login or not?


We will, but I'm not sure if it will happen before the IPB 3.4 upgrade

#69 OP +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 26 February 2013 - 15:17

"If you have an entity snooping your internet traffic. Then you have more of a serious problem and isn't probably just looking for simple forum passwords, its very sneaky business."
"So, if you had someone with the intent of doing something, an SSL cert wouldn't completely stop them."

I am not so worried about a man in the middle attack, which sure is possible. And I am not worried about some point along the path sniffing the traffic - but then a ssl would protect against that even.

What I am concerned about, came about in another thread where OP there was asking security options while on a open wifi network. During the process of discussion on what the exact concerns were. It is impossible to suggest a mitigation method unless you understand the risk your trying to mitigate it was posted that neowins logins where not even encrypted.

I personally did not believe it, so I double checked - and to my dismay it was in fact true. Which was the reason for my query to the matter here on the site and forum issue. Maybe it might of been a subject better discussed in the mvc/staff area? But it security topic that should be discussed with the community at large using the site.

My concern is not some one without inappropriate access along the the path collecting forum logins, yes your mitm comment is still valid with any sort of SSL, but again this was not the reason for the query.

More worried about local wifi sniffers, that quite often could be kids just out for some lulz, etc. Now those can be mitigated with a secure connection across the open wifi like vpn or ssh tunnel for browser traffic, etc. But if best practices where followed, the login info would be secure anyway - which would reduce the risk of some kids out for some fun using a browser addon and simple wifi sniff. Again I am not too worried about someone sniffing my traffic while at home or work, etc. Or place of business that has a secure wifi connection.

I doubt I would stop using neowin if they don't change this method. But it would be nice to get a answer from the staff to why they don't feel its a concern, and why they don't use SSL to post the login info. Sofar info has been given to why they don't hash the info before posting it, but I have not seen a reason for not using ssl to post this info?

edit: Thanks for the clear answer Redmak, looking forward to the upgrade ;) This is a clear answer to my question, and satisfies my concerns. It has been running like this since the get go it seems, so a few more weeks/months should not be too big of an issue.

#70 DaveLegg

DaveLegg

    Coderator at heart

  • Tech Issues Solved: 10
  • Joined: 31-October 04
  • Location: Oxford, UK

Posted 26 February 2013 - 15:22

As a side point BudMan, I login to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text. I imagine this is the same for many people, unless they're using a 3rd party device, or have a practise of logging out from the site. But yes, as Redmak says, we'll be bringing SSL in sometime soon.

#71 Shadrack

Shadrack

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 20-December 01

Posted 26 February 2013 - 15:42

Another reason why NOT to use the same password everywhere on the Internet.

#72 OP +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 26 February 2013 - 15:45

^ well that brings up a whole new can of worms with session hijacking and non secure cookies used to store this logged in state - does it not? ;)

If the logins are not posted via SSL, I doubt the cookies are being sent that way??

That might be a good info to pin, since this is tech site and lots of security minded people here. Would it be possible to put together a info sheet on the security methods used by neowin to secure login and user info. It can wait til the upgrade I am sure and use of ssl to post login info.. But there have been many headline story of sites being compromised and user info stolen - some sort of writeup on the steps neowin takes to mitigate these issues, be it sniffing login creds, session hijacking, how info is stored in the database, etc. etc.

edit: Nothing to involved, pointless to give out info that could be used to exploit the measures.. But general terms that even the most nontech savy users could understand would be a great addition to let the community know that neowin is looking after their users info, etc.

Also - I did not mean to open a can of worms here, as mentioned multiple times -- this is just a forum and really nothing should be here that is of a critical nature to ones privacy or security. But even in this day and age, some users continue to use bad passwords, same password on multiple sites. I would not be surprised if some users here use the same password they use for their registered email account with neowin as their email password, and shutter to think even their banking websites, etc.

#73 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 26 February 2013 - 15:53

When in doubt just ask yourself "What would Steve Gibson think". Even I had a Gibsonian Response to this thread.

#74 OP +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 26 February 2013 - 15:55

^ So I take it that is suppose to be one of those "warwagon" jokes?? ;)

#75 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 26 February 2013 - 15:56

^ So I take it that is suppose to be one of those "warwagon" jokes?? ;)


No it's not. I've listed to all 392 episodes of Security now, and the answer of

"I login to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text."

would make them shake their heads. No hard feelings!

To summarize." if you don't want your traffic sniffed, just log into Neowin before leaving the house"....really?