Posted 26 February 2013 - 15:59
Posted 26 February 2013 - 16:02
It's not an excuse, merely a commentary on a (probably) normal usage pattern of the website.
No it's not. I've listened to all 392 episodes of Security Now, and the answer of
"I log in to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text."
would make them shake their heads. No hard feelings!
Posted 26 February 2013 - 16:14
Posted 26 February 2013 - 16:18
More worried about local wifi sniffers, which quite often could be kids just out for some lulz, etc. Now those can be mitigated with a secure connection across the open wifi like a VPN or SSH tunnel for browser traffic, etc. But if best practices were followed, the login info would be secure anyway, which would reduce the risk of some kids out for some fun using a browser addon and a simple wifi sniff. Again, I am not too worried about someone sniffing my traffic while at home or work, etc., or at a place of business that has a secure wifi connection.
Posted 26 February 2013 - 16:19
Posted 26 February 2013 - 16:19
It's something we'll look into, we'll have to measure the extra load that it puts on the servers and judge if that is something we're able to cope with.
"but they have an option to force https for the whole session if you wish."
Is this something that might be an option once the SSL cert is obtained? I really don't think such a site as neowin requires such action, and it could be an unwarranted strain on the servers in general. But it might be a nice option for those more security-minded users.
I do believe it would be possible to implement some current security practices without too much effort on the developers' part and minimal extra work for the servers and cost, etc. It would be a good thing for neowin to lead by example in the field and quite possibly show how neowin is ahead of the curve when it comes to security compared to other such sites.
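The "force https for the whole session" option discussed above, as an added example that is not Neowin's code or part of the original thread: a small WSGI middleware that answers any plain-HTTP request with a redirect to the https:// equivalent, appends Secure and HttpOnly to every Set-Cookie the wrapped application emits, and adds a Strict-Transport-Security header so the browser keeps using HTTPS. The host name, path, cookie name and the one-year HSTS max-age are assumptions made up for the demonstration.

```python
"""Force HTTPS for the whole session and mark session cookies Secure/HttpOnly.

Added example, not Neowin's code. Host, path, cookie name and HSTS lifetime
below are assumptions for the demonstration.
"""
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # one year in seconds (assumed policy)


def _secure_cookie(value):
    """Append Secure and HttpOnly to a Set-Cookie value unless already present."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.lower() for a in attrs}
    if "secure" not in present:
        attrs.append("Secure")
    if "httponly" not in present:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


class ForceHTTPS:
    """WSGI middleware: redirect http:// to https://, harden cookies, send HSTS."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Plain HTTP: never run the app (and never set cookies); redirect.
            # HSTS is deliberately not sent here, browsers ignore it over http.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            target = "https://%s%s" % (host, path) + ("?" + qs if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            hardened = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = _secure_cookie(value)
                hardened.append((name, value))
            hardened.append(("Strict-Transport-Security",
                             "max-age=%d" % HSTS_MAX_AGE))
            return start_response(status, hardened, exc_info)

        return self.app(environ, secured_start_response)


def login_app(environ, start_response):
    """Stand-in for a forum login handler: it sets a session cookie (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session_id=abc123; Path=/")])
    return [b"logged in\n"]


def call(app, environ):
    """Invoke a WSGI app and return (status, header list, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def request(scheme, path="/login", query=""):
    """Send one request for the given scheme through the hardened login app."""
    return call(ForceHTTPS(login_app), {
        "wsgi.url_scheme": scheme, "HTTP_HOST": "forum.example.test",
        "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "POST",
    })


if __name__ == "__main__":
    for scheme in ("http", "https"):
        status, headers, _ = request(scheme, "/login", "do=process")
        print(scheme, status, headers)
```

The redirect branch runs before the application, so a login posted over plain HTTP is bounced (the credentials were already exposed on the wire, which is why the Secure cookie flag and HSTS matter for every later request); the hardening only happens on the https side, where the cookie actually stays encrypted.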
Posted 26 February 2013 - 16:28
Posted 26 February 2013 - 16:33
If Neowin was hackable easily, it would have been done by now.
I think a sophisticated MITM attack such as what you're talking about is way beyond the scope of the original point of this topic.
Not saying such an attack is not possible, but just because sophisticated attacks are possible does not remove the responsibility of due diligence in providing protection against less complex attacks, etc.
Let's take some baby steps, and the methods that would be required for neowin to mitigate such attacks would have no justification in cost in time/effort and support by the users in using methods and practices that prevent or identify such an attack. Now if neowin were where I did my banking, it might be a different story.
Posted 26 February 2013 - 16:35
Posted 26 February 2013 - 16:53
Posted 26 February 2013 - 16:57
"If Neowin was hackable easily, it would of been done by now."
I am not saying that neowin is hackable because they don't secure the transmission of the user's login info. What I wanted to point out is that in this day and age there is little reason to send such info in the clear.
I was surprised that it was, to be honest. Now I just checked on another forum site I frequent, and they are doing the same sort of thing, posting such info via http vs https. But their code is hashing the password before transmission, not a great solution for many reasons already mentioned. But they too have a thread where someone (not me) brought up the oversight. They have responded that after the upgrade to the new version of their forum software they would be making the change to https in the posting of such info as well.
I am not trying to say that neowin dropped the ball in any way, shape or form; many, many sites do the same thing. Not saying that neowin is not a secure site, I just wanted some clarification of what was pointed out to me, and which I verified was happening.
Again, I have been very happy with the response from the staff, and in general it's not really that big of an issue taking into account the nature of the site, etc. But it sure couldn't hurt to encrypt such info, and then maybe tackle the session-cookies-in-the-clear issue.
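The check the poster says he ran (a login form posting credentials over http, and session cookies issued without the Secure flag), as an added example that is not part of the original thread or the forum software: an offline audit over a captured response, parsing the page's forms for a password field whose action resolves to an http:// URL and parsing the Set-Cookie headers for missing Secure/HttpOnly attributes. The sample page, host name, paths and cookie names are constructed for the demonstration and are not Neowin's.

```python
"""Offline audit of a captured login page: cleartext credential posts and
unprotected cookies.

Added example, not the forum's code. The sample response below is constructed;
the URL, form action and cookie names are assumptions for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> action and whether that form contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # entries are [action, has_password_field]
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def cleartext_login_forms(html, page_url):
    """Absolute action URLs of password forms that would submit over plain http."""
    scanner = _FormScanner()
    scanner.feed(html)
    exposed = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)   # an empty action posts back to the page
        if urlsplit(target).scheme == "http":
            exposed.append(target)
    return exposed


def cookie_findings(set_cookie_headers):
    """Map cookie name -> attributes it lacks, out of Secure and HttpOnly."""
    findings = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";") if p.strip()]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: a forum login page served over plain HTTP (not Neowin's).
SAMPLE_URL = "http://forum.example.test/login"
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="/login/process" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""
SAMPLE_SET_COOKIE = [
    "session_id=0123456789abcdef; path=/",
    "member_id=42; path=/; HttpOnly",
    "csrf=deadbeef; path=/; Secure; HttpOnly",
]


def audit(page_url=SAMPLE_URL, html=SAMPLE_HTML, cookies=SAMPLE_SET_COOKIE):
    """Run both checks over one captured response."""
    return {"cleartext_forms": cleartext_login_forms(html, page_url),
            "cookies": cookie_findings(cookies)}


if __name__ == "__main__":
    for finding, detail in audit().items():
        print(finding, detail)
```

A form action is resolved against the page URL before the scheme is inspected, so a relative action on an https page is not flagged, while an absolute https action on an http page is reported clean (the credentials themselves are encrypted) even though the session cookie set afterwards would still travel in the clear on every http request unless it carries Secure, which is the second check.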
Posted 26 February 2013 - 16:59
Also, I did not mean to open a can of worms here; as mentioned multiple times, this is just a forum and really nothing should be here that is of a critical nature to one's privacy or security. But even in this day and age, some users continue to use bad passwords, or the same password on multiple sites. I would not be surprised if some users here use the same password they use for their registered email account with neowin as their email password, and I shudder to think even their banking websites, etc.
Posted 26 February 2013 - 17:09
Posted 26 February 2013 - 17:10