108 replies to this topic

[Riggers]

You wouldn`t need anything like EV-SSL, simple DV would easily suffice for what is required. For me a site like Neowin should be actively encouraging this type of practise, it writes about it enough on the front pages. I`m not saying that our passwords for this forum are something that a MITM attacker would necessarily wan`t just that if it helps spread the usage of such methods and brings awareness to the issues then surely that`s a good thing.

[DaveLegg]

warwagon, on 26 February 2013 - 15:56, said:

No it's not. I've listed to all 392 episodes of Security now, and the answer of

"I login to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text."

would make them shake their heads. No hard feelings!

It's not an excuse, merely a commentary on a (probably) normal usage pattern of the website.

BudMan, you are correct, cookies for the session info etc are still sent in plain text, but this is something that happens with many websites. For example, the default on Facebook is to login via https, and then use unencrypted http for the rest of the session, but they have an option to force https for the whole session if you wish.

[+BudMan]

"but they have an option to force https for the whole session if you wish."

Is this something that might be an option once the SSL cert is obtained? I really don't think such a site as neowin requires such action, and could be unwarranted strain on the servers in general. But might be a nice option for those more security minded users.

I do believe it would be possible to implement some current security practices without too much effort on the developers part and min extra work for the servers and cost, etc. It would be good thing for neowin to lead by example in the field and quite possible to show how neowin is ahead of the curve when it comes to security compared to other such sites.

edit: Maybe the whole site https option could be an option for subscribers only, etc. This might get a few more to join that rank and help neowin offset any added cost in such an implementation?

[JonnyLH]

BudMan, on 26 February 2013 - 15:17, said:

More worried about local wifi sniffers, that quite often could be kids just out for some lulz, etc. Now those can be mitigated with a secure connection across the open wifi like vpn or ssh tunnel for browser traffic, etc. But if best practices where followed, the login info would be secure anyway - which would reduce the risk of some kids out for some fun using a browser addon and simple wifi sniff. Again I am not too worried about someone sniffing my traffic while at home or work, etc. Or place of business that has a secure wifi connection.

Your worries are right but I'm afraid it isn't just as easy as securing the connection, adding server certificates. There are network flaws which simply can't be fixed, this is because of the RFC's related to the OSI Stack.

A hacker could join onto a public hotspot and essentially hijack all the popular websites he'll see results on. This could be Facebook, Amazon, Best Buy whatever. These websites will all have SSL certs, security measures in place. When he hijacks a website, the SSL certificate is in-tact (if done properly) and everything should appear fine, again if done properly. The hacker will still take logins, credit-card details. There's just nothing you can do. Even a security minded individual would have trouble spotting it. I wouldn't know.

So in terms of Neowin being secure, I know IPB is very good in that area. Regarding SSL, it wouldn't even be necessary. For the guys, it would more so be there just to make the people visiting feel happy.

Also, to reflect on the hacking technique I mentioned above, this would have to be planned and developed with quite a bit of time and effort. I wouldn't worry about joining your local Starbucks wifi anytime soon.

[Guth]

Just wanted to say that for those saying "its just a forum" what about the fact some people link their twitter
if you posted a status update on the forum and said "post to twitter also" (which is an option" then you could post tweets to someone elses twitter!

[DaveLegg]

BudMan, on 26 February 2013 - 16:14, said:

"but they have an option to force https for the whole session if you wish."

Is this something that might be an option once the SSL cert is obtained? I really don't think such a site as neowin requires such action, and could be unwarranted strain on the servers in general. But might be a nice option for those more security minded users.

I do believe it would be possible to implement some current security practices without too much effort on the developers part and min extra work for the servers and cost, etc. It would be good thing for neowin to lead by example in the field and quite possible to show how neowin is ahead of the curve when it comes to security compared to other such sites.

It's something we'll look into, we'll have to measure the extra load that it puts on the servers and judge if that is something we're able to cope with.

In terms of back-end security, the way we prevent malicious scripts from being uploaded and executed, I think we're pretty strong, we used to have issues with flaws in IPB that would allow scripts to be uploaded as attachments, and then accessed by the malicious user to run commands on the servers, and do all kinds of things. Now even if IPB still has those flaws, the scripts won't work. We also have code in place that ensures that none of our files have been modified by anyone other than our devs.

[+BudMan]

I think a sophisticated mitm attack such as what your talking about is way beyond the scope of the original point of this topic.

Not saying such an attack is not possible, but just because sophisticated attacks are possible does not remove the responsibility of due diligence in providing protection against less complex attacks, etc.

Lets take some baby steps, and methods that would be required for neowin to mitigate such attacks would have no justification in cost in time/effort and support by the users in using methods and practices that prevent or identify such an attack. Now if neowin was where I did my banking, it might be a different story

edit: I am very happy with the staff response to the query, and satisfied that after the upgrade this practice will change. If not, I will be sure to remind them of this thread hehehe

[JonnyLH]

BudMan, on 26 February 2013 - 16:28, said:

I think a sophisticated mitm attack such as what your talking about is way beyond the scope of the original point of this topic.

Not saying such an attack is not possible, but just because sophisticated attacks are possible does not remove the responsibility of due diligence in providing protection against less complex attacks, etc.

Lets take some baby steps, and methods that would be required for neowin to mitigate such attacks would have no justification in cost in time/effort and support by the users in using methods and practices that prevent or identify such an attack. Now if neowin was where I did my banking, it might be a different story

If Neowin was hackable easily, it would of been done by now.

Less complex attacks like sniffing on a public wifi spot use the same flaws I mentioned for the attacks above, just looked at in a different manner. The bad thing is about security is that the best security engineers are the ones who used to be hackers.

I'd like to point out just for the sake of Neowin. The discussion topic is not a FLAW. Its simply a understanding of how these processes work.

[Tyler R.]

Well. Kudos to Budman for finding this flaw.


I for one, will be changeing all of my passwords for kicks and giggles when I get home.

[+BudMan]

"If Neowin was hackable easily, it would of been done by now."

I am not saying that neowin is hackable because they don't secure the transmission of the uses login info. What I wanted to point out, that in this day an age there is little reason to send such info in the clear.

I was surprised that it was to be honest. Now I just checked on another forum site I frequent, and they are doing the same sort of thing posting such info via http vs https. But their code is hashing the password before transmission, not a great solution for many reasons already mentioned. But they too have a thread where someone (not me) brought up the oversite. They have responded that after the upgrade to new version of their forum software they would be making the change to https in the posting of such info as well.

I am not trying to say that neowin dropped the ball in anyway shape or form, many many sites do the same thing. Not saying that neowin is not a secure site, just wanted some clarification to what was pointed out to me, and I verified was happening.

Again I have been very happy with the response from the staff, and in general it's not really that big of an issue taking into account the nature of the site, etc. But it sure couldn't hurt to encrypt such info, and then maybe tackle the session cookies in the clear issue

[JonnyLH]

BudMan, on 26 February 2013 - 16:53, said:

"If Neowin was hackable easily, it would of been done by now."

I am not saying that neowin is hackable because they don't secure the transmission of the uses login info. What I wanted to point out, that in this day an age there is little reason to send such info in the clear.

I was surprised that it was to be honest. Now I just checked on another forum site I frequent, and they are doing the same sort of thing posting such info via http vs https. But their code is hashing the password before transmission, not a great solution for many reasons already mentioned. But they too have a thread where someone (not me) brought up the oversite. They have responded that after the upgrade to new version of their forum software they would be making the change to https in the posting of such info as well.

I am not trying to say that neowin dropped the ball in anyway shape or form, many many sites do the same thing. Not saying that neowin is not a secure site, just wanted some clarification to what was pointed out to me, and I verified was happening.

Again I have been very happy with the response from the staff, and in general it's not really that big of an issue taking into account the nature of the site, etc. But it sure couldn't hurt to encrypt such info, and then maybe tackle the session cookies in the clear issue

Oh yeah, I definitely agree with you. Sorry, we've been bouncing back and forward ha.

SSL should definitely be implemented. Its just in good nature that one of the largest tech forums/news sites incorporates it. My point was, if you did this it still wouldn't make the password secure.

Regarding local encryption with vBulletin, all it is, is a md5 function. Once retrieved you can just pop it in one of many md5 decrypts on the internet. Hopefully it then re-hash's that password. If it just takes the md5 from the client, then uses a salt to encrypt then thats less secure because you can retrieve the md5 hash before its salted.

Just goes on and on...

[#Michael]

BudMan, on 26 February 2013 - 15:45, said:

Also - I did not mean to open a can of worms here, as mentioned multiple times -- this is just a forum and really nothing should be here that is of a critical nature to ones privacy or security. But even in this day and age, some users continue to use bad passwords, same password on multiple sites. I would not be surprised if some users here use the same password they use for their registered email account with neowin as their email password, and shutter to think even their banking websites, etc.

That really isn't true. How many users here link their facebook/skype/im/personal websites to their user profiles. I am guessing quite a bit. If the site were to be compromised then there is a chance that this information could be gotten also.

[+BudMan]

"if you did this it still wouldn't make the password secure."

It would be much more secure than the current clear text method of sending it

But yeah I agree with you method of transmission does not always mean its "secure" For all we know 87% of users passwords here on neowin are "P@55w0rd1" And if someone wanted they could just pick a user at random and try a couple of common passwords and get in to those accounts.

I wonder what neobonds password is? You going to be at starbucks or something sometime soon?

[SuperKid]

I don't see a major issue here? your password you send to the server is always unencrypted and that's the way it is, HTTPS does make things more secure though because it stops people sniffing around to get that password but I think you'd have to be pretty unlucky to have that happen to you anyway.

Comodo is the cheapest way to get an SSL Certificate and does work on most browsers, but obviously the real good ones like Verisign cost a lot of money. The cost of a Verisign Certificate could actually be used for an extra server at neowin to improve speed loads its that expensive..

[vcfan]

this. isn't. a. banking. website. get a grip people.