Neowin Login Not Secure?

By +BudMan
in Site & Forum Issues

 Share

Recommended Posts

Mentor

Riggers

Posted
Posted

You wouldn`t need anything like EV-SSL, simple DV would easily suffice for what is required. For me a site like Neowin should be actively encouraging this type of practise, it writes about it enough on the front pages. I`m not saying that our passwords for this forum are something that a MITM attacker would necessarily wan`t just that if it helps spread the usage of such methods and brings awareness to the issues then surely that`s a good thing.

Grand Master

DaveLegg Developer

Posted
  • Developer
Posted

No it's not. I've listed to all 392 episodes of Security now, and the answer of

"I login to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text."

would make them shake their heads. No hard feelings!

It's not an excuse, merely a commentary on a (probably) normal usage pattern of the website.

BudMan, you are correct, cookies for the session info etc are still sent in plain text, but this is something that happens with many websites. For example, the default on Facebook is to login via https, and then use unencrypted http for the rest of the session, but they have an option to force https for the whole session if you wish.

Grand Master

+BudMan MVC

Posted
  • Author
  • MVC
Posted

"but they have an option to force https for the whole session if you wish."

Is this something that might be an option once the SSL cert is obtained? I really don't think such a site as neowin requires such action, and could be unwarranted strain on the servers in general. But might be a nice option for those more security minded users.

I do believe it would be possible to implement some current security practices without too much effort on the developers part and min extra work for the servers and cost, etc. It would be good thing for neowin to lead by example in the field and quite possible to show how neowin is ahead of the curve when it comes to security compared to other such sites.

edit: Maybe the whole site https option could be an option for subscribers only, etc. This might get a few more to join that rank and help neowin offset any added cost in such an implementation?

Mentor

JonnyLH

Posted
Posted

More worried about local wifi sniffers, that quite often could be kids just out for some lulz, etc. Now those can be mitigated with a secure connection across the open wifi like vpn or ssh tunnel for browser traffic, etc. But if best practices where followed, the login info would be secure anyway - which would reduce the risk of some kids out for some fun using a browser addon and simple wifi sniff. Again I am not too worried about someone sniffing my traffic while at home or work, etc. Or place of business that has a secure wifi connection.

Your worries are right but I'm afraid it isn't just as easy as securing the connection, adding server certificates. There are network flaws which simply can't be fixed, this is because of the RFC's related to the OSI Stack.

A hacker could join onto a public hotspot and essentially hijack all the popular websites he'll see results on. This could be Facebook, Amazon, Best Buy whatever. These websites will all have SSL certs, security measures in place. When he hijacks a website, the SSL certificate is in-tact (if done properly) and everything should appear fine, again if done properly. The hacker will still take logins, credit-card details. There's just nothing you can do. Even a security minded individual would have trouble spotting it. I wouldn't know.

So in terms of Neowin being secure, I know IPB is very good in that area. Regarding SSL, it wouldn't even be necessary. For the guys, it would more so be there just to make the people visiting feel happy.

Also, to reflect on the hacking technique I mentioned above, this would have to be planned and developed with quite a bit of time and effort. I wouldn't worry about joining your local Starbucks wifi anytime soon.

Mentor

Guth

Posted
Posted

Just wanted to say that for those saying "its just a forum" what about the fact some people link their twitter

if you posted a status update on the forum and said "post to twitter also" (which is an option" then you could post tweets to someone elses twitter!

Grand Master

DaveLegg Developer

Posted
  • Developer
Posted

"but they have an option to force https for the whole session if you wish."

Is this something that might be an option once the SSL cert is obtained? I really don't think such a site as neowin requires such action, and could be unwarranted strain on the servers in general. But might be a nice option for those more security minded users.

I do believe it would be possible to implement some current security practices without too much effort on the developers part and min extra work for the servers and cost, etc. It would be good thing for neowin to lead by example in the field and quite possible to show how neowin is ahead of the curve when it comes to security compared to other such sites.

It's something we'll look into, we'll have to measure the extra load that it puts on the servers and judge if that is something we're able to cope with.

In terms of back-end security, the way we prevent malicious scripts from being uploaded and executed, I think we're pretty strong, we used to have issues with flaws in IPB that would allow scripts to be uploaded as attachments, and then accessed by the malicious user to run commands on the servers, and do all kinds of things. Now even if IPB still has those flaws, the scripts won't work. We also have code in place that ensures that none of our files have been modified by anyone other than our devs.

Grand Master

+BudMan MVC

Posted
  • Author
  • MVC
Posted

I think a sophisticated mitm attack such as what your talking about is way beyond the scope of the original point of this topic.

Not saying such an attack is not possible, but just because sophisticated attacks are possible does not remove the responsibility of due diligence in providing protection against less complex attacks, etc.

Lets take some baby steps, and methods that would be required for neowin to mitigate such attacks would have no justification in cost in time/effort and support by the users in using methods and practices that prevent or identify such an attack. Now if neowin was where I did my banking, it might be a different story ;)

edit: I am very happy with the staff response to the query, and satisfied that after the upgrade this practice will change. If not, I will be sure to remind them of this thread ;) hehehe

Mentor

JonnyLH

Posted
Posted

I think a sophisticated mitm attack such as what your talking about is way beyond the scope of the original point of this topic.

Not saying such an attack is not possible, but just because sophisticated attacks are possible does not remove the responsibility of due diligence in providing protection against less complex attacks, etc.

Lets take some baby steps, and methods that would be required for neowin to mitigate such attacks would have no justification in cost in time/effort and support by the users in using methods and practices that prevent or identify such an attack. Now if neowin was where I did my banking, it might be a different story ;)

If Neowin was hackable easily, it would of been done by now.

Less complex attacks like sniffing on a public wifi spot use the same flaws I mentioned for the attacks above, just looked at in a different manner. The bad thing is about security is that the best security engineers are the ones who used to be hackers.

I'd like to point out just for the sake of Neowin. The discussion topic is not a FLAW. Its simply a understanding of how these processes work.

Grand Master

+BudMan MVC

Posted
  • Author
  • MVC
Posted

"If Neowin was hackable easily, it would of been done by now."

I am not saying that neowin is hackable because they don't secure the transmission of the uses login info. What I wanted to point out, that in this day an age there is little reason to send such info in the clear.

I was surprised that it was to be honest. Now I just checked on another forum site I frequent, and they are doing the same sort of thing posting such info via http vs https. But their code is hashing the password before transmission, not a great solution for many reasons already mentioned. But they too have a thread where someone (not me) brought up the oversite. They have responded that after the upgrade to new version of their forum software they would be making the change to https in the posting of such info as well.

I am not trying to say that neowin dropped the ball in anyway shape or form, many many sites do the same thing. Not saying that neowin is not a secure site, just wanted some clarification to what was pointed out to me, and I verified was happening.

Again I have been very happy with the response from the staff, and in general it's not really that big of an issue taking into account the nature of the site, etc. But it sure couldn't hurt to encrypt such info, and then maybe tackle the session cookies in the clear issue ;)

Mentor

JonnyLH

Posted
Posted

"If Neowin was hackable easily, it would of been done by now."

I am not saying that neowin is hackable because they don't secure the transmission of the uses login info. What I wanted to point out, that in this day an age there is little reason to send such info in the clear.

I was surprised that it was to be honest. Now I just checked on another forum site I frequent, and they are doing the same sort of thing posting such info via http vs https. But their code is hashing the password before transmission, not a great solution for many reasons already mentioned. But they too have a thread where someone (not me) brought up the oversite. They have responded that after the upgrade to new version of their forum software they would be making the change to https in the posting of such info as well.

I am not trying to say that neowin dropped the ball in anyway shape or form, many many sites do the same thing. Not saying that neowin is not a secure site, just wanted some clarification to what was pointed out to me, and I verified was happening.

Again I have been very happy with the response from the staff, and in general it's not really that big of an issue taking into account the nature of the site, etc. But it sure couldn't hurt to encrypt such info, and then maybe tackle the session cookies in the clear issue ;)

Oh yeah, I definitely agree with you. Sorry, we've been bouncing back and forward ha.

SSL should definitely be implemented. Its just in good nature that one of the largest tech forums/news sites incorporates it. My point was, if you did this it still wouldn't make the password secure.

Regarding local encryption with vBulletin, all it is, is a md5 function. Once retrieved you can just pop it in one of many md5 decrypts on the internet. Hopefully it then re-hash's that password. If it just takes the md5 from the client, then uses a salt to encrypt then thats less secure because you can retrieve the md5 hash before its salted.

Just goes on and on...

Grand Master

#Michael

Posted
Posted

Also - I did not mean to open a can of worms here, as mentioned multiple times -- this is just a forum and really nothing should be here that is of a critical nature to ones privacy or security. But even in this day and age, some users continue to use bad passwords, same password on multiple sites. I would not be surprised if some users here use the same password they use for their registered email account with neowin as their email password, and shutter to think even their banking websites, etc.

That really isn't true. How many users here link their facebook/skype/im/personal websites to their user profiles. I am guessing quite a bit. If the site were to be compromised then there is a chance that this information could be gotten also.

Grand Master

+BudMan MVC

Posted
  • Author
  • MVC
Posted

"if you did this it still wouldn't make the password secure."

It would be much more secure than the current clear text method of sending it :rofl:

But yeah I agree with you method of transmission does not always mean its "secure" For all we know 87% of users passwords here on neowin are "P@55w0rd1" And if someone wanted they could just pick a user at random and try a couple of common passwords and get in to those accounts.

I wonder what neobonds password is? You going to be at starbucks or something sometime soon? ;)

Grand Master

SuperKid

Posted
Posted

I don't see a major issue here? your password you send to the server is always unencrypted and that's the way it is, HTTPS does make things more secure though because it stops people sniffing around to get that password but I think you'd have to be pretty unlucky to have that happen to you anyway.

Comodo is the cheapest way to get an SSL Certificate and does work on most browsers, but obviously the real good ones like Verisign cost a lot of money. The cost of a Verisign Certificate could actually be used for an extra server at neowin to improve speed loads its that expensive..

Grand Master

TAZMINATOR

Posted
Posted

this. isn't. a. banking. website. get a grip people.

What if someone got your password and logged in and went to your neowin profile editor to steal your email address then log out... so he/she can send spams using your email address?

Think about it... I agree and understand what Budman have said about the concerns over logins.

clear text based login is a NO NO. I am surprised that Neowin didn't do a thing about it until Budman brought it up.

Veteran

nub

Posted
Posted

So why did this turn into a SSL discussion, when the cheaper and easier solution that also doesn't nag about the site being mixed https and http so to simply encrypt/hash/salt the password before sending. and not store the clear text password in the database.

Because its useless. All it does is transform you password into another form. The attacker can just send your pw hash as your password. Bam you're into the account. The only useful thing it does is prevent the attacker using the hash on another website that uses a different hash algorithm or no hashes.

Grand Master

threetonesun

Posted
Posted

just because for some reason web hosts have fanboys, and because GoDaddy is so huge they have a lot of haters for some reason.

Well, that and their customer support blows *** and their administration site looks like it was designed by a 12 year old, but otherwise I guess they're fine.

Grand Master

FiB3R

Posted
Posted

just because for some reason web hosts have fanboys, and because GoDaddy is so huge they have a lot of haters for some reason.

In the last few years, GoDaddy has come under fire plenty of times ? and for plenty of reasons.

Not only has the company used sexual advertising several times to promote its services, which has led to backlash several times, but in early 2011 then-CEO Bob Parsons killed a wild elephant in Zimbabwe, which many believed was just another sign that the company was willing to engage in unethical practices. (This includes buying domain names users search for and then inflating the value of these domains when users return to purchase them so GoDaddy makes a larger profit on the transaction.)

In late 2011, GoDaddy also initially supported SOPA, which also indicated the company was not willing to support its customers freedom of speech and activity on the internet. (GoDaddy reversed their opinion shortly after a call to boycott the company because of this.)

Seems like enough reasons to me.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • The Light of Life? We actually do glow till our Death, study finds

      By Liberi_Fatali · Posted

      Interesting image choice... reminds me of the human centipede poster
    • Why you need to take back control of your synced passwords and how to go about doing that

      By +Warwagon · Posted

      I love syncback!
    • Politically funny images of the World

      By +primortal · Posted

    • Get $50 of aloSIM Mobile Data Traveler eSim credit for just $24.97

      By News Staff · Posted

      Get $50 of aloSIM Mobile Data Traveler eSim credit for just $24.97 by Steven Parker Today's highlighted deal comes via our Apps + Software section of the Neowin Deals store, where you can save 50% off aloSIM Mobile Data Traveler Lifetime eSim Credit: Pay $24.97 for $50. Stay connected affordably in 120+ countries/regions with your own lifetime eSIM! An eSIM is a digital SIM card. It's basically just mobile data. Once it's activated on your device, it can connect you to data networks in other countries – giving you an internet connection with NO roaming charges. With aloSIM, you can load prepaid eSIM data packages onto your phone, tablet, or computer. Your lifetime eSIM never expires, so it's yours forever and there are never any monthly charges. You'll get $50 in eSIM data credit, which is almost always enough to cover all your data roaming needs for a full year. But if you run out of data, you can always top up your lifetime eSIM and stay connected internationally. Pay $24.97 for a lifetime eSIM with $50 in travel data credit Use your eSIM to join data networks in 120+ countries Install your lifetime eSIM on a compatible device to roam on local data networks Your lifetime eSIM never expires, and can be topped up with more data anytime Many data packages cost as little as $4.50 and last 7 days. Depending on the package you choose, the length of time varies. Good to know Length of access: lifetime For NEW customers only Instant digital redemption Once you add your $50 credit to your aloSim account you have up to 12-months to use it — after that your credit will expire When you pay for a data plan you also get a free phone number (via Hushed) for the same duration of your plan that was purchased - IE 7 day eSim plan gives you a free 7-day phone number Purchased coupon must be redeemed and used within 12 months This deal is not stackable (one offer per aloSIM account) A $4.50 data package will last 7 days The data DOES expire, and you WILL NOT have any leftover data for your next trip unless it takes place within the validity period. While the eSIM never expires, the actual data package is only valid for the length of time stated at purchase (i.e. seven days after activation, 30 days after activation, etc.) So if you buy a seven-day package and only use a tiny bit, that package is still going to expire after seven days. Access options: mobile (check compatibility) Max number of device(s): 1 Updates included Here's the deal: This aloSIM Mobile Data Traveler eSim $50 Credit normally costs ... $50, but it can be yours for just $24.97 for a limited time, a saving of $25 (50% off). For specifications, and license info please click the link below. Get this aloSIM Mobile Data Traveler eSim for just $24.97 (was $50) Although priced in U.S. dollars, this deal is available for digital purchase worldwide. Support queries If you have queries or need support for any of the Neowin Deals, please use the contact form here. Neowin Deals are managed and sold by StackCommerce who represent Neowin on an affiliate basis. Why we post these deals We post these because we earn commission on each sale so as not to rely solely on advertising, which many of our readers block. It all helps toward paying staff reporters, servers and hosting costs. So for those that keep moaning and complaining, be thankful we're still online for you to even do that. Other ways to support Neowin Whitelist Neowin by not blocking our ads Create a free member account to see fewer ads Make a donation to support our day to day running costs Subscribe to Neowin - for $14 a year, or $28 a year for an ad-free experience Disclosure: Neowin benefits from revenue of each sale made through our branded deals site powered by StackCommerce.
    • The Microsoft Office feature that time forgot

      By Fraud OS 11 · Posted

      WordArt was cool. We now have color fonts as a substitute although Word only supports COLRv0 and COLRv1 (Fraud OS 11 only). The OpenType SVG color font format needs to be supported by Office. Adobe's apps support it

  • Recent Achievements

    • First Post
      DrWankel earned a badge
      First Post
    • Reacting Well
      DrWankel earned a badge
      Reacting Well
    • Week One Done
      Supreme Spray LV earned a badge
      Week One Done
    • One Month Later
      Genuinetonerink- Dubai earned a badge
      One Month Later
    • Week One Done
      Genuinetonerink- Dubai earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      497
    2. 2
      +Edouard
      158
    3. 3
      PsYcHoKiLLa
      90
    4. 4
      Steven P.
      74
    5. 5
      Michael Scrip
      72
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!