Neowin needs HTTPS login from main, not just forums



#16 Ames

Ames

    Neowinian

  • Joined: 21-March 04
  • Location: Vancouver, Canada
  • OS: Windows 8.1
  • Phone: Nokia Lumia 920

Posted 28 September 2006 - 17:27

Honestly, I think SSL is overkill in this case. A self-signed certificate will give everyone an error every time they try and log in, and a trusted signed SSL certificate, while not terribly expensive ($60 for a basic, non-wildcard one with virtually no financial backup), would not be money well spent in my opinion.

Then there's the implementation of it into Invision (the forum software Neowin runs).


#17 Mr. Jingles

Mr. Jingles

    This space intentionally left blank.

  • Joined: 20-January 05
  • Location: Glued to the computer chair.

Posted 29 September 2006 - 03:39

vBulletin implemented a Javascript hashing mechanism so that user passwords are hashed before they're sent to the server. That could probably be modded into IPB for much less effort.

#18 kjordan2001

kjordan2001

    Mystery Solver

  • Tech Issues Solved: 1
  • Joined: 27-May 02

Posted 29 September 2006 - 05:25

> Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherently does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.

The browser will prompt you, asking if you trust the self-signed certificate. There are always free signing 3rd parties too, like cacert.org. Just import their root certificate and any site signed with that will be trusted.

#19 Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 88
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 29 September 2006 - 19:59

Denied!

#20 Tim Dorr

Tim Dorr

    -1^0.5 of 53

  • Joined: 03-December 01
  • Location: Atlanta, GA

Posted 29 September 2006 - 20:08

> Would it hurt to have an SSL certificate?


Yes, it would. Every time I install an SSL certificate, a server cries just a little bit. Think of the servers, people!

#21 John

John

    Neowinian Senior

  • Joined: 28-January 02
  • Location: Des Moines, IA

Posted 30 September 2006 - 18:57

> vBulletin implemented a Javascript hashing mechanism so that user passwords are hashed before they're sent to the server. That could probably be modded into IPB for much less effort.

So instead of someone sniffing your password, they sniff the password hash, which is just as good as a password... Great solution (Y) Whatever is sent to the server needs to be encrypted so it can't be sniffed. That's the whole point. Sending the server "asdf" instead of "password" does nothing if an anonymous listener can see it on the network.

> The browser will prompt you if you trust the self-signed certificate. There's always free signing 3rd parties too like cacert.org. Just import their root certificate and any site signed with that will be trusted.

Yeah, every user would have to import SOME certificate, whether it's Neowin's or cacert.org's, or whoever's... That's not a solution. Why do you think people pay so much for Verisign certificates? Because they're trusted. I've never heard of cacert.org and certainly don't trust them to vouch for another website...
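John's point above, as an added example (not code from vBulletin, IPB or Neowin): a server that stores sha1(password) and a browser that sends sha1(password) over plain HTTP, with a passive listener on the path. The captured value logs in exactly as well as the password would, even though the listener never learns the password. All names and values are constructed for the demonstration.

```python
"""Why hashing the password in the browser does not replace TLS.

Constructed example (not vBulletin, IPB or Neowin code): the server stores
sha1(password) and the browser sends sha1(password) over plain HTTP, as the
JavaScript hashing scheme discussed in the thread does.  A passive listener
on the path records the wire value.  The recorded value logs in exactly as
well as the password would, so the listener never needs the password.
"""
import hashlib


def client_side_hash(password: str) -> str:
    # Deterministic transform run in the browser before the form is submitted.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


class ForumServer:
    def __init__(self) -> None:
        self.users = {}  # username -> value expected from the browser

    def register(self, user: str, password: str) -> None:
        self.users[user] = client_side_hash(password)

    def login(self, user: str, wire_value: str) -> bool:
        # The server can only compare what arrived with what it stored.
        return self.users.get(user) == wire_value


class WireTap:
    """Passive listener on an unencrypted link: it only records traffic."""

    def __init__(self) -> None:
        self.captured = []

    def observe(self, user: str, wire_value: str):
        self.captured.append((user, wire_value))
        return user, wire_value


def demo():
    """Returns (legitimate login ok, replay ok, listener learned the password)."""
    password = "correct horse battery staple"
    server = ForumServer()
    server.register("alice", password)
    tap = WireTap()
    # Alice logs in over plain HTTP; the tap sees only the hashed value.
    legit = server.login(*tap.observe("alice", client_side_hash(password)))
    # The tap replays what it recorded: no password knowledge is needed.
    replay = server.login(*tap.captured[0])
    learned_password = any(v == password for _, v in tap.captured)
    return legit, replay, learned_password


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The only thing that changes the outcome is encrypting the transport so the listener sees nothing usable, which is what HTTPS does.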

#22 dragon2611

dragon2611

    Neowinian Senior

  • Joined: 30-July 04
  • Location: Somewhere in the UK

Posted 30 September 2006 - 19:05

> So instead of someone sniffing your password, they sniff the password hash, which is just as good as a password... Great solution (Y) Whatever is sent to the server needs to be encrypted so it can't be sniffed. That's the whole point. Sending the server "asdf" instead of "password" does nothing if an anonymous listener can see it on the network.
> Yeah, every user would have to import SOME certificate, whether it's Neowin's or cacert.org, or whoever's... That's not a solution. Why do you think people pay so much for Verisign certificates? Because they're trusted. I've never heard of cacert.org and certantly don't trust them to vouch for another website...

Actually, I have a starter SSL certificate from namecheap.com set up for cPanel on a server and it cost me $16 :yes:

It's recognised by most browsers, shows up as being signed by Equifax and works fine with Firefox and IE6+ (maybe older versions of IE also, don't know 'cause I only run 6 and 7). It also works with Opera and Safari as far as I can remember (don't use them much, tend to use Firefox all the time).

So no, they don't need to cost the earth! ;)

#23 warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 26 February 2013 - 15:14

As far as certificates go, I heard DigiCert has some good prices. It's also the same one Facebook uses.

www.digicert.com

#24 vanx

vanx

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 23-April 09

Posted 03 July 2014 - 15:55

Since the other topic was locked, I'll post a couple of my observations here:

-- The login form for the credentials is served over unsecured HTTP.

-- The logout action consists of this URL:

http://www.neowin.net/forum/index.php?app=core&module=global&section=login&do=logout&k=

And the "k" -- I guess that means "key" -- value is a constant 32-char hash that does not vary between sessions. Now I am not a security whiz, but I think that both of those are not good things and should be corrected.
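The second observation above, as an added example that is not Invision's code: a logout handler using a site-wide constant key beside one that issues a key per session. CONSTANT_KEY is a placeholder for the fixed value described in the post, not the real one, and the session class is constructed for the demonstration.

```python
"""Per-session logout key instead of a site-wide constant.

Constructed example, not Invision's code.  The logout URL in the post above
carries k=<32-char value>; if that value is the same for every session it is
effectively public, and a request carrying it made from any other site the
user visits will log them out.  A key minted per session and compared in
constant time stops that.  CONSTANT_KEY is a placeholder, not the real value.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CONSTANT_KEY = "0" * 32  # placeholder for the fixed value vanx observed


@dataclass
class Session:
    user: str
    active: bool = True
    # 16 random bytes -> 32 hex chars, unique to this session.
    logout_key: str = field(default_factory=lambda: secrets.token_hex(16))


def logout_constant_key(session: Session, k: str) -> bool:
    """Weak: k is the same for everyone, so anyone can supply it."""
    if k == CONSTANT_KEY:
        session.active = False
        return True
    return False


def logout_session_key(session: Session, k: str) -> bool:
    """Fixed: k must match this session; compare_digest avoids timing leaks."""
    if hmac.compare_digest(session.logout_key, k):
        session.active = False
        return True
    return False


def cross_site_logout_succeeds(handler) -> bool:
    """A third-party page knows only the public constant; does it work?"""
    victim = Session(user="vanx")
    handler(victim, CONSTANT_KEY)
    return not victim.active


def own_logout_succeeds(handler) -> bool:
    """The user's own logout link, carrying the key the server issued them."""
    s = Session(user="vanx")
    k = CONSTANT_KEY if handler is logout_constant_key else s.logout_key
    return handler(s, k) and not s.active
```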



#25 Mr.XXIV

Mr.XXIV

    Shine bright like Iron Man.

  • Tech Issues Solved: 1
  • Joined: 30-April 11
  • Location: Durham, North Carolina
  • OS: OS X Yosemite
  • Phone: iPhone 5s

Posted 03 July 2014 - 16:09

Doesn't PHP Ioncube already give a bit of protection? I use Invision, and it seems that the board is built well enough to not need SSL.



#26 fusi0n

fusi0n

    Don't call it a come back

  • Tech Issues Solved: 3
  • Joined: 08-July 04
  • OS: OSX 10.9\Windows 10\Ubuntu
  • Phone: LG G3

Posted 03 July 2014 - 16:14

I think Subs get https..



#27 vanx

vanx

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 23-April 09

Posted 03 July 2014 - 16:21

> Doesn't PHP Ioncube already give a bit of protection? I use Invision, and it seems that the board is built well enough to not need SSL.

Not serving the form over HTTPS exposes it to manipulation even if the subsequent login action is done over a secure connection.

> I think Subs get https..

Not in the list of advertised benefits, so I didn't want to assume.



#28 fusi0n

fusi0n

    Don't call it a come back

  • Tech Issues Solved: 3
  • Joined: 08-July 04
  • OS: OSX 10.9\Windows 10\Ubuntu
  • Phone: LG G3

Posted 03 July 2014 - 16:28

> Not serving the form over HTTPS exposes it to manipulation even if subsequent logging in action is done over a secure connection.

> Not in the list of advertised benefits, so I didn't want to assume.

I'm not even 100% sure... A mod will have to verify.



#29 brink668

brink668

    Neowinian

  • Joined: 12-September 07

Posted 03 July 2014 - 16:40

Definitely not a bad idea and I support it.



#30 Unksi

Unksi

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 06-October 04
  • Location: Finland

Posted 03 July 2014 - 16:46

> Not serving the form over HTTPS exposes it to manipulation even if subsequent logging in action is done over a secure connection.

> Not in the list of advertised benefits, so I didn't want to assume.

Yep, that is true - not sending the login form over HTTPS allows a man-in-the-middle attack, where the attacker can modify the form before the browser gets it and redirect the login requests through his own server to capture passwords.
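A check for the condition Unksi and vanx describe, added here as an example and not code from Neowin or Invision: given the URL a login page was fetched from and its HTML, it flags a page served over HTTP, a form action that posts over HTTP, and any script fetched over HTTP (which could rewrite the form just as easily). The sample page URL and HTML are constructed and stand in for the 2014 situation of an HTTP page whose form posts to an HTTPS endpoint.

```python
"""Flag a login form that an on-path attacker could rewrite.

Constructed example, not Neowin's or Invision's code.  Given the URL a login
page was fetched from and its HTML, report the conditions Unksi describes:
the page itself, the form's action and every script it loads must all be
HTTPS, or whoever sits on the path can alter the form before the browser
renders it.  The sample HTML and URLs are made up for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collects form actions and external script sources from the page."""

    def __init__(self) -> None:
        super().__init__()
        self.actions, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def login_form_findings(page_url: str, html: str) -> list:
    """Return a list of problems; an empty list means nothing was found."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("login page itself served over plain HTTP")
    scanner = _FormScanner()
    scanner.feed(html)
    for action in scanner.actions:
        # Relative and scheme-relative URLs inherit the page's scheme, hence urljoin.
        if urlsplit(urljoin(page_url, action)).scheme != "https":
            findings.append(f"form submits credentials over HTTP: {action}")
    for src in scanner.scripts:
        if urlsplit(urljoin(page_url, src)).scheme != "https":
            findings.append(f"script fetched over HTTP can rewrite the form: {src}")
    return findings


# Constructed sample: HTTP page, HTTPS form action, scheme-relative script.
SAMPLE_PAGE_URL = "http://forum.example.test/index.php?app=core&module=global&section=login"
SAMPLE_HTML = """
<form action="https://forum.example.test/login/process" method="post">
  <input name="username"><input name="password" type="password">
</form>
<script src="//static.example.test/login.js"></script>
"""

if __name__ == "__main__":
    for finding in login_form_findings(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("-", finding)
```

Note that the scheme-relative script is fine on an HTTPS page and a problem on an HTTP one, which is why the page URL is an input rather than only the HTML.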