Secure Login from Main Page



You guys have secure login available through the forums, but not set up on the main site (unlike what's been previously said). When I use the login popup box (outside the forums), the form posts to http instead of https. Can you guys fix this?

What I've been doing is putting in no password with my username (which of course wouldn't let me log in) and that takes me to the forums' login page. Then I log in through that next page, which does submit to https. This is kinda annoying though and clearly a workaround...

Thanks!


No one's replied and it's been a week now... Should I email Neowin directly?

 

Btw for those who are confused by my explanation, here's an image to show what I'm talking about (in the source code at least):

 

[attached image: kQY8Tk.png]


If I am not mistaken, the issue is that, in order to post the form securely, the page itself has to be served over HTTPS as well, since the form overlaps it (sorry if this is wrong). Current ad providers don't support ads over HTTPS, but I believe that Neobond is in talks with them about that.


The form wouldn't be encrypted, but it could still submit to a secure page. All they'd have to do is change action="/forum..." to action="https://www.neowin.net/forum...". Starting a URL with a single slash is a short way to say, use the current domain and protocol (http vs. https).


Hmm, I remember WireSharking it a few months ago and my pass was not in the clear, so I believe that it is encrypted at the point of logging in. However, I will leave it to the site team to confirm and share more info.


  • 3 weeks later...

Sorry for the late reply, but it's definitely not encrypted. I specifically made this thread because my firewall blocked the HTTP request since it had my password unencrypted inside. I made a video to show that it's easily visible with Fiddler:

 


On the forums:

 

https is for subscribers.

 

None for members.

 

On main page:

 

They said no https for main page due to the advertisers.

you are partially incorrect

 

https is for everyone on login (which this thread is about)

 

site-wide https is what is subscriber only


you are partially incorrect

 

https is for everyone on login (which this thread is about)

 

site-wide https is what is subscriber only

 

I know that, but it will not be https after logging in for members. This is a problem.

 

:rolleyes:    

 

Subscribers will stay on https after logging in. This is no problem.

 

Think about that. 


The form wouldn't be encrypted, but it could still submit to a secure page. All they'd have to do is change action="/forum..." to action="https://www.neowin.net/forum...". Starting a URL with a single slash is a short way to say, use the current domain and protocol (http vs. https).

 

Just wanted to point out that submitting from a non-secure page to a secure page is now considered a poor security practice. Sure it can prevent passive "sniffing" but any attacker that is able to manipulate the traffic will simply change the action to point to somewhere else of their choice, hence none of the big sites (Microsoft, Google, Yahoo, Amazon, Facebook, Twitter, etc.) let you log in from a non-HTTPS page. If you ask me, the best solution is to change all the login links on neowin (on the main page and the forum) to point to a specific HTTPS login page (instead of having the in-page login boxes). Not sure how difficult that is though.

 

This is mentioned as point #1 on this IEBlog post: http://blogs.msdn.com/b/ie/archive/2005/04/20/410240.aspx
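As an added example (not from the thread or from Neowin), the following script applies the two points made above: a relative action such as "/forum..." inherits the scheme of the page it sits on, and an https action on an http page still leaves the form open to tampering. It uses only Python's standard library; the sample HTML and its paths are constructed placeholders.

```python
# Added example (not Neowin's code): classify each password form by where its credentials go.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record every <form>'s action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return [(resolved_action, verdict)] for each form that has a password field."""
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    results = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # urljoin applies the browser's rule: "/forum..." keeps the page's own
        # scheme and host, so on an http:// page it becomes an http:// POST.
        action = urljoin(page_url, form["action"])
        if urlsplit(action).scheme != "https":
            verdict = "cleartext-credentials"       # the bug reported in this thread
        elif page_scheme != "https":
            verdict = "https-action-on-http-page"   # stops sniffing, not tampering
        else:
            verdict = "ok"
        results.append((action, verdict))
    return results


# Constructed sample: the relative-action popup, the absolute-https "fix", and a non-login form.
SAMPLE_HTML = """<form action="/forum/login"><input name="u"><input type="password" name="p"></form>
<form action="https://www.neowin.net/forum/login"><input type="password" name="p"></form>
<form action="/search"><input name="q"></form>"""
```

Running `audit_login_forms("http://www.neowin.net/", SAMPLE_HTML)` flags the first form as cleartext and the second as tamperable; serving the same page over https turns both verdicts into "ok".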


Just wanted to point out that submitting from a non-secure page to a secure page is now considered a poor security practice. Sure it can prevent passive "sniffing" but any attacker that is able to manipulate the traffic will simply change the action to point to somewhere else of their choice, hence none of the big sites (Microsoft, Google, Yahoo, Amazon, Facebook, Twitter, etc.) let you log in from a non-HTTPS page. If you ask me, the best solution is to change all the login links on neowin (on the main page and the forum) to point to a specific HTTPS login page (instead of having the in-page login boxes). Not sure how difficult that is though.

 

This is mentioned as point #1 on this IEBlog post: http://blogs.msdn.com/b/ie/archive/2005/04/20/410240.aspx

I'm definitely aware of that, but at least that takes more work to do than just storing network transmissions and looking at them later.

 

Anyways for a workaround that's easy to use, I made a UserScript that changes the login links to go to the secure login page: gist.github.com/Dani21/6865bf0ee2ab7765e172. It's very simple; it just replaces/adds certain info to redirect you to Neowin's secure login. To use it, you need Greasemonkey (for Firefox) or Tampermonkey (for Chrome). Then click the "Raw" button on that page and afterwards click to install. I haven't tested it on Chrome, but I don't see why it wouldn't work.

