Neowin Login Not Secure?

By +BudMan
in Site & Forum Issues

 Share

Recommended Posts

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

So reading a thread and came across this statement

"Even the neowin login page is not encrypted"

Now I thought to myself - that can not be true.. I know the page itself is not fully encrypted, but that is not an issue the sending of the username and password could be using a https post, etc.

So figured I would take a look see.... Oddly enough, the post for the login looks to be in the clear from the page source

    <form action="https://www.neowin.net/forum/index.php?app=core&module=global&section=login&do=process" method="post" id='login'>

Now I said -- hmmm, I know a little bit about html, but maybe I am missing something and I am looking at it wrong or something. So I did what I know better and that is looking at network sniffs... So I took one while logging in..

And what you know - my password right there in the clear?? That is not a very safe practice... I know its only a forum and such, and I agree you sure don't have to encrypt the whole site - but not the sending of the username and password?? That needs to be corrected!!

Now my password is complex random - but I assure you it was in the clear.

post-14624-0-50929000-1361862547.png

Not sure what that auth part is there I highlighted, but hid it as well.

So am I correct in that everyone that is logging into neowin is sending username and password in clear??

Link to comment
https://www.neowin.net/forum/topic/1138606-neowin-login-not-secure/
Share on other sites
Grand Master

+BudMan MVC

Posted
  • Author
  • MVC
Posted

Yep. May be an IPB issue

I don't think so - I looked on their website, and their form shows it being posted via HTTPS

<form action="[url="view-source:https://www.invisionpower.com/clients/index.php?app=core&module=global&section=login&do=process"]https://www.invisionpower.com/clients/index.php?app=core&module=global&section=login&do=process[/url]" method="[url=""]post[/url]" id='[url=""]login[/url]'>

I am hoping someone just forgot the S there -- but that seems unlikely because you can not access neowin.net via https at all. So maybe they don't have a cert to use?

Experienced

Kelxin

Posted
Posted

Most systems that "care" if their accounts could get hacked or not use an SSL connection for at least the login page. Honestly, what damage can really be done on this forum if someone hacks your account? HOPEFULLY people here are smart enough not to use the password on this site on any of their other more important web logins.

Grand Master

+BudMan MVC

Posted
  • Author
  • MVC
Posted

I hear yah - it is just a forum.. But personal info about the account could be gleaned form the users control panel. And yeah again great info the password you use here should not be the same as your other logins, etc. But it is still very bad practice, I can not believe it was done on purpose - it must be some oversite somewhere??

Experienced

Kelxin

Posted
Posted

I completely agree, hell, every login page that I've coded the password gets hashed and salted before ever even being submitted to the server, and that ALL gets sent across a SSL encrypted connection. Maybe the server admin doesn't want to pay for a cert? lol

Guest

Posted
Posted

I would imagine the option to use https on the login page is an option in the admin area of IPB. I can't can't find a manual though for IPB.

I can see what your saying but I use lots of sites and I would imagine well over half are not secure. Still, if IPB has a flick switch to enable it maybe it should be enabled. Certs are cheap enough these days. Free is cheap right? :)

I use a different random password for every site I use, still there is information about me (email) that a normal user can't see without my password.

Will be interesting to see what the dev's say.

Experienced

Kelxin

Posted
Posted

Did some research, by default IPB wants to use an SSL connection, and all of the passwords are hashed in MD5 in the database, but are sent in plain text in the hopes that the sysadmin used an SSL connection for the login page.

Experienced

Kelxin

Posted
Posted

Hrm, I think I have about 20ish passwords for my own uses, then a unique password for each of my 200+ clients servers ... Somedays I feel like bashing my head against a wall trying to remember one... but hey, its definitely more secure than some of the other options in the world.

Mentor

nekkidtruth

Posted
Posted

I suppose I'm more surprised it's taken 13 years to discover this (massive?) flaw, but I've alerted Redmak and DaveLegg to have a look.

Thanks BudMan.

I LOL'd at 13 years. What does that say about this "technically savvy" community? Haha :shifty:

  • f0rk_b0mb and Charisma
  • Like 2
Grand Master

Steven P. Administrators

Posted
  • Administrators
Posted

Touche. However, doesn't make it any less humorous. ;)

It's humorous that you don't understand that this isn't actually a huge problem, and can only be resolved by purchasing an expensive SSL certificate for 3 servers, or have a free one cry about it being self signed (creating an unnecessary browser alert for my site).

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • AltSendme 0.4.2

      By Copernic · Posted

      AltSendme 0.4.2 is out.
    • Secure Boot

      By cork1958 · Posted

      Simple answer is yes, you will still get the Windows updates and as long as browser is up to date, you will be good. Only thing secure boot does is protect you against boot level threats and make it harder to install other OS's. I've been looking into this pretty thoroughly lately myself as wifes computer has secure boot disabled plus my other, older computers that run Linux, don't have secure boot enabled. Have seen all kinds of questions about this on the Linux Mint and MX Linux forums. Just don't suddenly enable secure boot now.
    • Ford execs say they made a mistake when they replaced human engineers with AI

      By TsarNikky · Posted

      How many other companies will follow Ford's lead? Or, have they already gotten lazy and become enslaved to AI--and now can't figure out how to get out of that mess.
    • The Trump administration doesn't want you to use OpenAI's GPT-5.6 without its approval

      By TsarNikky · Posted

      Why would any self-respecting intelligent person follow any recommendation by Donald's GOP administration? With almost two years of fabrications, deceit, and blatantly illegal behavior, why believe them now? They had best be gone after the November 2026 election, so we'll wait and see.
    • AltSendme 0.4.2

      By Copernic · Posted

      AltSendme 0.4.2 by Razvan Serea AltSendme is a minimal, cross-platform application designed for fast, secure, and private peer-to-peer file transfers. It allows users to send files or entire directories directly between devices without relying on cloud servers, accounts, or any personal information. Everything is encrypted end-to-end using modern protocols like QUIC and TLS 1.3, ensuring both strong security and low-latency performance. Transfers are verified with BLAKE3 for data integrity, and interrupted downloads automatically resume, making the experience reliable even on unstable connections. You can transfer anything—images, videos, documents, and more. Integrity checks are performed on both ends, so your files are automatically verified for correctness during both sending and receiving. AltSendme works seamlessly across local networks or long-distance links, capable of saturating multi-gigabit connections for extremely fast delivery. With built-in NAT traversal and encrypted relay fallback, it connects devices almost anywhere. The app integrates with the Sendme CLI and will soon support mobile and web platforms. Fully free and open-source, AltSendme offers a lightweight, privacy-first alternative to traditional cloud-based services, removing size limits, upload costs, and unnecessary data exposure. AltSendme 0.4.1 changelog: Release Highlights Self-hosted relays: Run your own iroh relay so transfers don't rely on public infrastructure. Includes a full deployment template in deploy/relay/ with Docker Compose for a VPS and configuration examples for production use. Fly.io support: One-click deploy template for Fly.io, including a quick-start config (fly.dev.toml) for testing without a custom domain, plus production setup with Let's Encrypt and your own hostname. Relay settings UI: New Settings → Network panel to choose how AltSendme connects: automatic public relays, custom self-hosted URLs (with optional auth token), or disabled. Test connections, verify latency, and see live relay status in the footer. Disable relays: Turn off relay servers entirely when you only need same-network transfers (e.g. LAN). Direct connections only. No relay hop required when devices can reach each other. Android graduates from beta: Android is now part of the regular release cycle alongside desktop. APKs ship with each version (universal, arm64, and armv7). Other improvements Private relay access control via shared auth token Relay fallback notifications when a custom relay is unreachable Broadcast mode toggle in sharing settings Android release build fixes (split-per-ABI APKs, universal APK preservation) UI polish: mobile safe-area insets, dropzone layout, transfer progress animation Bug fixes for minification-related serialization issues and system tray icon loading What's Changed feat(relay): add relay status functionality and settings UI (a120cdf) feat(relay): implement custom relay server configuration and verification (51276c7) feat(relay): add configuration for private relay access and enhance observability features (48fbabf) feat(relay): enhance relay URL validation, display connection status (d4fffa0) feat(relay): add RelayChangeGuard component and enhance relay-related translations (16ba514) feat(broadcast): add toggle setting for broadcast mode in sharing UI (ca6d977) fix(relay): correct QUIC discovery port, pin image, templatize fly.dev (52a2ba5) fix: More broken serialization due to minification (67491a9) fix(android): preserve true universal APK across per-ABI builds (e9f256f) fix(ui): conditional safe-area insets padding on mobile (1182f0e) refactor(transfer): CircularRing component animation fix (944572b) chore(android): drop x86 and x86_64 release APKs, keep universal+arm64+armv7 (34ada0b) AltSendme 0.4.2 release highlight: Modern Debian & Ubuntu support. The .deb package now declares compatible dependency alternatives (libayatana-appindicator3-1, libgtk-3-0t64) alongside the older Ubuntu 22.04 names, so it installs cleanly on Debian and Ubuntu 24.04+. Fixed settings sidebar header being covered by the custom title bar on Linux. What's Changed #172 Fixed #168 Addressed feat(tauri): support for modern debian (80f548d) fix(setting-sidebar): linux-only custom title bar covering nav header (fb55c9d) Download: AltSendme 0.4.2 | ARM64 | ~9.0 MB (Open Source) Download: AltSendme for MacOS | Android Links: AltSendme Home Page | GitHub | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware

  • Recent Achievements

    • Week One Done
      flexorcist earned a badge
      Week One Done
    • One Month Later
      Woland13 earned a badge
      One Month Later
    • Week One Done
      Woland13 earned a badge
      Week One Done
    • One Year In
      bernmeister earned a badge
      One Year In
    • Week One Done
      Scoobystu earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      494
    2. 2
      +Edouard
      225
    3. 3
      PsYcHoKiLLa
      149
    4. 4
      Steven P.
      75
    5. 5
      FloatingFatMan
      71
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!