Neowin needs HTTPS login from main, not just forums


Recommended Posts

Doesn't PHP Ioncube already give a bit of protection? I use Invision, and it seems that the board is built well enough to not need SSL.

 

Not serving the form over HTTPS exposes it to manipulation even if subsequent logging in action is done over a secure connection.

 

I think Subs get https..

 

Not in the list of advertised benefits, so I didn't want to assume.

Link to comment
Share on other sites

Not serving the form over HTTPS exposes it to manipulation even if subsequent logging in action is done over a secure connection.

 

 

Not in the list of advertised benefits, so I didn't want to assume.

I'm not even 100% sure.. A mod will have to verify.. 

Link to comment
Share on other sites

Not serving the form over HTTPS exposes it to manipulation even if subsequent logging in action is done over a secure connection.

 

 

Not in the list of advertised benefits, so I didn't want to assume.

Yep that is true - not sending the login form over HTTPS allows a Man-In-The-Middle attack, where the attacker can modify the form before the browser gets it, and redirect the login requests through his own server to capture passwords.

Link to comment
Share on other sites

If you use different passwords for every site and change your password on a regular basis, then this shouldn't be a concern. :)

 

Also, HTTPS login is available for subscribers: https://www.neowin.net/forum/topic/1169735-https-sessions-active-for-tier-2-subscribers/

 

A potential for Man in the Middle attacks should always be a concern, irrespective of your password management policy. HTTPS login is available for mere mortals too, there is no need for a sub, it's just the form that is presented for you to enter your uber secure credentials is sent over HTTP rather than HTTPS, hence the MITM attack vector.

Link to comment
Share on other sites

A potential for Man in the Middle attacks should always be a concern, irrespective of your password management policy. HTTPS login is available for mere mortals too, there is no need for a sub, it's just the form that is presented for you to enter your uber secure credentials is sent over HTTP rather than HTTPS, hence the MITM attack vector.

Well, most other forums don't have encryption by default either, so my type of password management is recommended. Sure it's not perfect, but it does mean that if some person does decide to attack then they only get the password for that one site (which can be reset after the person is done attacking) Another thing, the reason it's not encrypted for everyone is because the ad providers don't support it as mentioned in the topic I linked to in my previous post.

Link to comment
Share on other sites

Well, most forums don't have encryption by default either, so my type of password management is recommended. Sure it's not perfect, but it does mean that if some person does decide to attack then they only get the password for that one site (which can be reset after the person is done attacking) Another thing, the reason it's not encrypted for everyone, is because the ad providers don't support it as mentioned in the topic I linked to in the previous post.

 

Sorry, but your point about ad providers not supporting encryption is moot in relation to displaying the log-in form over HTTPS when using Chrome or Firefox, because for neither browser any ads are displayed on the log-in page. It is applicable to IE, but if ads cannot be excluded on that one page for the sake of better security, it's pretty sad.

 

As for most forums not having encryption, encryption of what are we talking about? You can do authentication via HTTPS, you can serve the log-in form over HTTPS and you can generate random session IDs. Good password management by users does not absolve site operators from following security best practices.

Link to comment
Share on other sites

Sorry, but your point about ad providers not supporting encryption is moot in relation to displaying the log-in form over HTTPS when using Chrome or Firefox, because for neither browser any ads are displayed on the log-in page. It is applicable to IE, but if ads cannot be excluded on that one page for the sake of better security, it's pretty sad.

 

As for most forums not having encryption, encryption of what are we talking about? You can do authentication via HTTPS, you can serve the log-in form over HTTPS and you can generate random session IDs. Good password management by users does not absolve site operators from following security best practices.

OK, but at the last of the day it's the admin's/dev's decision whether they implement for all, not ours.

 

It costs quite a bit of money so most have no SSL whatsoever. You can't really expect every forum to provide encryption.

Link to comment
Share on other sites

Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherintly does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.

Self-signed certificates are fine, you just get prompted when accessing it through HTTPS.  Not hard to implement at all and it wouldn't hurt anything.  They don't have to be expensive, either.

Link to comment
Share on other sites

Self-signed certificates are fine, you just get prompted when accessing it through HTTPS.  Not hard to implement at all and it wouldn't hurt anything.  They don't have to be expensive, either.

that's fine for an intranet but that's really bad practice for a live website. would YOU trust a random website that used a unsigned certificate?

Link to comment
Share on other sites

OK, but at the last of the day it's the admin's/dev's decision whether they implement for all, not ours.

 

It costs quite a bit of money so most have no SSL whatsoever. You can't really expect every forum to provide encryption.

 

I understand that it's a decision for the developers/admins. What I am asking for is not full blown SSL everywhere, so you may have things confused. Since the submit form is already securely processed, it should not be too much effort to present the form itself over HTTPS. It is already possible to have it loaded with SSL by manually editing the URL and changing HTTP to HTTPS, so I cannot understand why it is not the default behaviour.

 

Self-signed certificates are fine, you just get prompted when accessing it through HTTPS.  Not hard to implement at all and it wouldn't hurt anything.  They don't have to be expensive, either.

 

If you think self-signed certificates are just as good as those issued by a trusted CA, I have a bridge to sell.

 

that's fine for an intranet but that's really bad practice for a live website. would YOU trust a random website that used a unsigned certificate?

 

I wouldn't even go as far as saying that it's OK for an Intranet site, because accepting self-signed certs over and over desensitises users and lulls them into a false sense of security when they come across that on de Interwebz.

Link to comment
Share on other sites

 I understand that it's a decision for the developers/admins. What I am asking for is not full blown SSL everywhere, so you may have things confused. Since the submit form is already securely processed, it should not be too much effort to present the form itself over HTTPS. It is already possible to have it loaded with SSL by manually editing the URL and changing HTTP to HTTPS, so I cannot understand why it is not the default behaviour.

I know that's what you are asking for and while it's possible on this forum. I don't think the devs want to mess with the ad code on the login page just for HTTPs since they weren't even keen on adding the encryption for subscribers either at first. Then again, I don't know and am just making guesses based on the information found on the FAQ in that topic posted earlier. 

 

Anyways, I fully understand why you would want it, but I'm not sure that it'll get implemented. However, if it does then that's great.  :)

Link to comment
Share on other sites

We are aware of the insecure login form on the front page (the forum has a dedicated secure login page). I haven't decided on how to fix this yet. I think the only way is to redirect to a dedicated secure login page or at least mention that this main page login isn't as secure as it should be and add a link to the forum login page.

 

Subscribers do have full site encryption

 

We are not providing full site encryption for everyone because of the ads. We need them....

Link to comment
Share on other sites

The cheapest I know are around $16 / year, so I wouldn't really call it expensive, if you buy from the right place. But yeah, it is up to the admins^.

I've had them as low as $4/year. Less if it's multiple years.

 

A redirect to a secure login form would be a good idea, Redmak.

Link to comment
Share on other sites

We're one of the few IPB boards that bother to log you in over SSL already :P Although without it isn't as secure as with, our setup is pretty solid and nothing is sent in plain text.

Link to comment
Share on other sites

We are not providing full site encryption for everyone because of the ads. We need them....

 

Lame-ass Netshelter ads :P

 

I don't get why those big ad providers don't fix their HTTPS. Personally I'm a big fan of just using HTTPS everywhere. It'll be a requirement in the net HTTP protocol (probably SPDY) anyway. And it provides easy protection against sniffing.

Link to comment
Share on other sites

Self-signed certificates are fine, you just get prompted when accessing it through HTTPS.  Not hard to implement at all and it wouldn't hurt anything.  They don't have to be expensive, either.

They work, but they don't provide any trust, which is honestly the most important aspect of TLS.

Link to comment
Share on other sites

We are aware of the insecure login form on the front page (the forum has a dedicated secure login page). I haven't decided on how to fix this yet. I think the only way is to redirect to a dedicated secure login page or at least mention that this main page login isn't as secure as it should be and add a link to the forum login page.

 

Subscribers do have full site encryption

 

We are not providing full site encryption for everyone because of the ads. We need them....

I think redirecting to a dedicated secure login page is a better approach to take. Not suggesting full-blown encryption everywhere for everyone for a minute, I appreciate that you guys need the ad revenue.

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.