Neowin Login Not Secure?

By +BudMan
in Site & Forum Issues

 Share

Recommended Posts

Grand Master

articuno1au

Posted
Posted

I was going to say. There's dozens of certified signing authorities that do SSL cert pricing for reasonable money O.o

Comodo will sign a multi-domain cert through namecheap for $91..

http://www.namecheap.com/ssl-certificates/comodo.aspx

Mentor

nekkidtruth

Posted
Posted

It's humorous that you don't understand that this isn't actually a huge problem, and can only be resolved by purchasing an expensive SSL certificate for 3 servers, or have a free one cry about it being self signed (creating an unnecessary browser alert for my site).

So...because I found humor in the length of time it took someone on a tech site to notice something such as this, automatically equates to my having no understanding. Ooook.

Grand Master

DaveLegg Developer

Posted
  • Developer
Posted

So...because I found humor in the length of time it took someone on a tech site to notice something such as this, automatically equates to my having no understanding. Ooook.

I think Neobond merely misinterpreted the first post, as not having SSL is something we've discussed in the past (as shown by the link in my previous post)

Mentor

GreenMartian

Posted
Posted

So...because I found humor in the length of time it took someone on a tech site to notice something such as this, automatically equates to my having no understanding. Ooook.

Ook? Ook. Ook! Ook! (sorry, can't resist.. :p )

On topic, how about setting up a donation page? Then annoy the hell out of your users, a'la Wikipedia?

Or at least have optional secure login using self-signed cert for those worried about sniffing but not too bothered with an extra browser warning?

Mentor

nekkidtruth

Posted
Posted

Don't worry about it :)

My poke wasn't directed at Neowin (staff), it was towards the fact that for the most part the folks that use Neowin are technologically savvy individuals and someone was just coming across this now (Or so it was believed before Dave posted the old thread). When you quoted the length of time, it literally made me laugh. I just found it ironic.

I think Neobond merely misinterpreted the first post, as not having SSL is something we've discussed in the past (as shown by the link in my previous post)

I'm chalking it up to early money brain cloud (for those of you just waking up) and late night brain cloud (for those like me who are just about to come off a 12 hour overnight shift) ;)

Ook? Ook. Ook! Ook! (sorry, can't resist.. :p )

Lol :p

As for the issue, I don't really think it's that big of a deal.

Grand Master

Steven P. Administrators

Posted
  • Administrators
Posted

My poke wasn't directed at Neowin (staff), it was towards the fact that for the most part the folks that use Neowin are technologically savvy individuals and someone was just coming across this now (Or so it was believed before Dave posted the old thread). When you quoted the length of time, it literally made me laugh. I just found it ironic.

I'm chalking it up to early money brain cloud (for those of you just waking up) and late night brain cloud (for those like me who are just about to come off a 12 hour overnight shift) ;)

I had just woke up (was on first coffee) :p

Community Regular

joemailey

Posted
Posted

The way I see it, a lot of people use the same passwords for different sites.

I'm pretty sure people do it here.

It's all well in saying use a different password etc etc. but standard users won't do that.

So for a small fee of an SSL cert. I'm sure we could do a whip around and get the cash raised pretty easliy. I'll donate a few dollars no problem :-)

To me sites need to protect the user, just as much as the user needs to protect themselves.

Even if the info isn't that important, some of the stuff could be used for social engineering attacks.

Grand Master

cork1958

Posted
Posted

There was a previous discussion about this here: http://www.neowin.ne...ds-https-login/

Not bad. It's ONLY been 7 years since that topic was started!!

Neowin is right on top of it. Certs ARE NOT that expensice now a days, as has already been pointed out, but with all the issues this site has every time they update the board, certs would only screw it up more, I'm sure! :rofl:

Experienced

ashpowell

Posted
Posted

So reading a thread and came across this statement

"Even the neowin login page is not encrypted"

Now I thought to myself - that can not be true.. I know the page itself is not fully encrypted, but that is not an issue the sending of the username and password could be using a https post, etc.

So figured I would take a look see.... Oddly enough, the post for the login looks to be in the clear from the page source

	<form action="https://www.neowin.net/forum/index.php?app=core&module=global&section=login&do=process" method="post" id='login'>

Now I said -- hmmm, I know a little bit about html, but maybe I am missing something and I am looking at it wrong or something. So I did what I know better and that is looking at network sniffs... So I took one while logging in..

And what you know - my password right there in the clear?? That is not a very safe practice... I know its only a forum and such, and I agree you sure don't have to encrypt the whole site - but not the sending of the username and password?? That needs to be corrected!!

Now my password is complex random - but I assure you it was in the clear.

post-14624-0-50929000-1361862547.png

Not sure what that auth part is there I highlighted, but hid it as well.

So am I correct in that everyone that is logging into neowin is sending username and password in clear??

Off-topic a bit, but how did you do that? I'd like to test a few sites

Grand Master

HawkMan

Posted
Posted

So why did this turn into a SSL discussion, when the cheaper and easier solution that also doesn't nag about the site being mixed https and http so to simply encrypt/hash/salt the password before sending. and not store the clear text password in the database.

you'd think the fact that the passwords are stored in clear text would be the real worry here.

How many people's clear text passwords could someone steal by hacking the neowin database. but at least neowin is secure and always running the latest up to date IPB version so there should be no worries of that... ;) :p

Grand Master

Steven P. Administrators

Posted
  • Administrators
Posted

So why did this turn into a SSL discussion, when the cheaper and easier solution that also doesn't nag about the site being mixed https and http so to simply encrypt/hash/salt the password before sending. and not store the clear text password in the database.

you'd think the fact that the passwords are stored in clear text would be the real worry here.

How many people's clear text passwords could someone steal by hacking the neowin database. but at least neowin is secure and always running the latest up to date IPB version so there should be no worries of that... ;) :p

Erm, except it's not US sending cleartext passwords, it is the person logging in sending a password that could be sniffed with a keylogger or something. Our member passwords are encrypted/hashed/salted on our servers.

Grand Master

Steven P. Administrators

Posted
  • Administrators
Posted

This needs to be sorted , every other day sites and people get hacked this is not helping , if neowin gets hacked how many 1000s of people details will be lost.

I know this is just you to the server problem.

As I already pointed out, nothing about your password is stored on our servers as plain text, What YOU send however could be picked up by network sniffing, just like someone could steal your phone and then call any of your contacts on it (if the phone was unlocked).

  • articuno1au
  • Like 1
Experienced

DrakeN2k

Posted
Posted

As I already pointed out, nothing about your password is stored on our servers as plain text, What YOU send however could be picked up by network sniffing, just like someone could steal your phone and then call any of your contacts on it (if the phone was unlocked).

After i read your post above i edited my post , sorry for not reading the whole thread before i posted.

Mentor

GreenMartian

Posted
Posted

We already have a donations page. Except we don't call those people donors, we call them subscribers. ;)

Some people might 'donate' more if they know the money will be going towards certificate signing. I, for one, would.

But looking at the comments here, this seems unlikely to happen..

Grand Master

Ambroos

Posted
Posted

Or secure yourself and sign in using Facebook or Twitter. As an added bonus you only need to sign in once and you can log in to many sites without having to enter anything at all.

But I agree, logging in should really go over SSL. Certificate cost shouldn't be a problem, RapidSSL's certificates are perfectly fine and trusted in all browsers and operating systems and only cost $49 for neowin.net or $199 for *.neowin.net. That shouldn't be too hard.

Your password can't just get sniffed on your computer but on any public network you connect to. When our school's WiFi wasn't secured we could sniff hundreds of passwords in a few minutes by just launching a Firefox plugin. You can't completely secure yourself as a user, but when Neowin decides to let logins go over SSL you are perfectly fine.

It's 2013 now, we've come to a point where even regular Google searches happen over SSL. Any site where you can only login over an unencrypted connection should be banned from the internet.

  • Harrison H., GreenMartian, DrakeN2k and 1 other
  • Like 4
Grand Master

+BudMan MVC

Posted
  • Author
  • MVC
Posted

To be honest, I do find it funny that it has not come up since that 2006 thread. To be honest, I was in the middle of posting how a site does not have to be fully https to have a secure login in that other thread.. I was quite sure that neowin would be doing the best practice thing of using https for the login portion.

But as always - better check your facts.. And figured I would use the code as example of how its done, etc..

So is this something that is going to be fixed? Could not seem to tell which way this is going.. Now back in 2006 the likely hood of wifi sniff was a lot less, not everyone was on a tablet surfing the web whenever and wherever, etc.. But as mentioned, in 2013 there is a browser addon to gather such info ;)

I normally don't like using fb or twitter logins - but if they are secure I might have to switch. Is there a actual openid method of logging in?

Grand Master

HawkMan

Posted
Posted

Erm, except it's not US sending cleartext passwords, it is the person logging in sending a password that could be sniffed with a keylogger or something. Our member passwords are encrypted/hashed/salted on our servers.

So it's the USERS fault that your login page doesn't pre-encrypted/hashed before being sent, or using SSL.

a keylogger is kind of invalid argument since at that point your computer is already fully compromised and it doesn't matter where it's encrypted unless you have a keyboard with a TPM chip that encrypts the password before the computer sees it, which is kind of unreasonable and besides the point :)

point is the password can be hashed client side before they're sent without "expensive" SSL certs.

As it is, even if they're not stored as clear text, someone could inject bad code to your site, and have all the cleartext passwords sent to you every day passed on .

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Upgrade for cheap to Windows 11 Pro or Home Edition digital license

      By News Staff · Posted

      Upgrade for cheap to Windows 11 Pro or Home Edition digital license by Steven Parker Today's highlighted deal comes via our Apps + Software section of the Neowin Deals store, where you can save up to 94% off on a Microsoft Windows 11 Home, or Pro digital license. Upgrade your computing experience with Windows 11 Pro. This cutting-edge operating system boasts a sleek new design and advanced tools to help you work faster and smarter. From creative projects to gaming and beyond, Windows 11 delivers the power and flexibility you need to achieve your goals. With a focus on productivity, the new features are easy to learn and use, enhancing your workflow and efficiency. Whether you're a student, professional, gamer, or creative, Windows 11 Home has everything you need to take your productivity to the next level. New interface. easier on the eyes & easier to use Biometrics login*.Encrypted authentication & advanced antivirus defenses DirectX 12 Ultimate. Play the latest games with graphics that rival reality. DirectX 12 Ultimate comes ready to maximize your hardware* Screen space. Snap layouts, desktops & seamless redocking Widgets. Stay up-to-date with the content you love & the new you care about Microsoft Teams. Stay in touch with friends and family with Microsoft Teams, which can be seamlessly integrated into your taskbar** Wake & lock. Automatically wake up when you approach and lock when you leave Smart App Control. Provides a layer of security by only permitting apps with good reputations to be installed Windows Studio Effects. Designed with Background Blur, Eye Contact, Voice Focus, & Automatic Framing Touchscreen. For a true mouse-less or keyboard-less experience TPM 2.0. Helps prevent unwanted tampering Windows 11 Pro also includes a number of productivity-focused features, such as the ability to snap multiple windows together and create custom layouts, improved voice typing, and a new, more powerful search experience. Personal and professional users will enjoy a modern and secure computing experience, with improved performance and productivity features to help users get more done. Only on Windows 11 Pro If you require enterprise-oriented features for your daily professional tasks, then Windows 11 Pro is a better option. Set up with a local account (only when set up for work or school) Join Active Directory/Azure AD Hyper-V Windows Sandbox Microsoft Remote Desktop BitLocker device encryption Windows Information Protection Mobile device management (MDM) Group Policy Enterprise State Roaming with Azure Assigned Access Dynamic Provisioning Windows Update for Business Kiosk mode Maximum RAM: 2TB Maximum no. of CPUs: 2 Maximum no. of CPU cores: 128 Good to know This license is for Windows 11 only. It is NOT intended to be used for upgrading Microsoft Office (MSO) included in Parallels Pro. However, it will still work with Parallels Pro and allow you to run Windows applications including MSO, but it DOES NOT include an upgrade MSO itself. It is still compatible with Microsoft Office ONLY if you have a separate license for it. Length of access: lifetime Redemption deadline: redeem your code within 30 days of purchase Access options: desktop Max number of device(s): 1 Version: Windows 11 Pro Updates included Queries on legality of this deal, here A Windows 11 Pro retail license normally costs $199, with Windows 11 Home usually costing $139 but you can pick either one up for just $9.97 for a limited time. For a full description, specs, and license info, click the link below. Get Windows 11 Pro for just $9.97 (was $199) Get Windows 11 Home for just $9.97 (was $139) Although priced in U.S. dollars, this deal is available for digital purchase worldwide. Support queries If you have queries or need support for any of the Neowin Deals, please use the contact form here. Neowin Deals are managed and sold by StackCommerce who represent Neowin on an affiliate basis. Why we post these deals We post these because we earn commission on each sale so as not to rely solely on advertising, which many of our readers block. It all helps toward paying staff reporters, servers and hosting costs. So for those that keep moaning and complaining, be thankful we're still online for you to even do that. Other ways to support Neowin Whitelist Neowin by not blocking our ads Create a free member account to see fewer ads Make a donation to support our day to day running costs Subscribe to Neowin - for $14 a year, or $28 a year for an ad-free experience Disclosure: Neowin benefits from revenue of each sale made through our branded deals site powered by StackCommerce.
    • Politically funny images of the World

      By Dan~ · Posted

      Why say “Retarded” then? Lol 
    • Microsoft confirms Windows 11 26H2 to finally get one of the most requested features

      By sphbecker · Posted

      If you don't care to read what I said, then you prove my point. Maybe written media is beyond your attention span. Titles are not summaries my friend.
    • Politically funny images of the World

      By +Nik Louch · Posted

      Nobody asked... in fact, I said "I don't care about political leanings"  
    • Microsoft confirms Windows 11 26H2 to finally get one of the most requested features

      By Elliot B. · Posted

      TLDR. Here is a far better title (just a basic example): Windows 11 26H2 to allow disabling Web search results

  • Recent Achievements

    • Dedicated
      tuben earned a badge
      Dedicated
    • Week One Done
      mnsgroup earned a badge
      Week One Done
    • Conversation Starter
      sumytbe earned a badge
      Conversation Starter
    • One Year In
      B4dM1k3 earned a badge
      One Year In
    • One Year In
      DarkWun earned a badge
      One Year In

  • Popular Contributors

    1. 1
      +primortal
      519
    2. 2
      +Edouard
      199
    3. 3
      PsYcHoKiLLa
      95
    4. 4
      Michael Scrip
      82
    5. 5
      Steven P.
      67
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!