Neowin needs HTTPS login


22 replies to this topic

#1 boogerjones

boogerjones

    T.I.P.I

  • Joined: 30-March 04
  • Location: Chicago

Posted 27 September 2006 - 08:27

Some prick sniffed my password at a school computer lab. Is there any way for Neowin to get a secure logon? I know these things cost money, but it's such an easy target for any jackass with a computer. Hell, even a self-generated certificate (not from Thawte, Verisign, etc) would at least give some of us the option of using it.

Edited by boogerjones, 27 September 2006 - 08:34.



#2 tiddlie

tiddlie

    Neowinian

  • Joined: 22-May 03
  • Location: Leeds, Uk

Posted 27 September 2006 - 08:33

A public PC is always going to be an issue. If this 'prick' had used a USB keylogger / PS2 keylogger, would you want that Neowin implemented a voice recognition login?

I don't see the need for HTTPS login on Neowin. It's a forum - not a financial institution. If it's that much of an issue, use a separate password on things like forums than important things.

#3 Simon-

Simon-

    Neowinian Senior

  • Joined: 04-November 02

Posted 27 September 2006 - 08:39

Consider using an online proxy server that uses HTTPS, or, as above, separate passwords.

#4 OP boogerjones

boogerjones

    T.I.P.I

  • Joined: 30-March 04
  • Location: Chicago

Posted 27 September 2006 - 08:40

If this 'prick' had used a USB keylogger / PS2 keylogger, would you want that Neowin implemented a voice recognition login?

Gimme a break. Why should cars have locks if keys can be duplicated? Yes, somebody could potentially use a TEMPEST attack and get my password, but these kinds of thieves will use the easiest possible method. And right now it's pretty easy to get my password for Neowin. SSL is a pretty standard implementation for logging in to just about any site.

And I do use a separate password. But the content of the site is not the issue. I really don't care if somebody can log in to my profile. But I think it's just a bad security practice on Neowin's end.

#5 tiddlie

tiddlie

    Neowinian

  • Joined: 22-May 03
  • Location: Leeds, Uk

Posted 27 September 2006 - 10:24

Damn...that's a good point! Cars have locks yet keys can be duplicated....maybe they need some sort of SSL to make them secure. A keypad in each car maybe?

If someone on a public PC wants to get hold of your password, they'll do it. Packet sniffing a network for unsecured passwords is far more difficult than a keylogger, so you'll never be safe.

Talk to someone in your college's ICT department if this is going on there, or only log in from home. It's unlikely that any website putting SSL onto their site will have any major benefit to stopping people on public computers being targeted.

I mean can you even be 100% sure that they didn't just have a keylogger installed or something to that effect? Can you be sure that the public machines are 100% trojan secure? It may not even have happened the way you think it did.

There are far far bigger sites out there that don't use SSL connections to login to their servers. Myspace anyone?

#6 +riahc3

riahc3

    Neowin's most indecisive member

  • Tech Issues Solved: 11
  • Joined: 09-April 03
  • Location: Spain
  • OS: Windows 7
  • Phone: HTC Desire Z

Posted 27 September 2006 - 10:36

Having a secure login for Neowin is stupid and costs money; Neowin doesn't store any personal information.

#7 vetColin-uk

Colin-uk

    Neowinian Senior

  • Joined: 25-February 04
  • Location: Wirral, UK

Posted 27 September 2006 - 10:54

I don't know of any tech forum that uses SSL to log its members in.

If you really want to be secure on a public network, set up / use something like hamachi or SSLexplorer.

#8 Miuku.

Miuku.

    A damned noob

  • Joined: 10-August 03
  • Location: Finland, EU
  • OS: :: OS X :: SLES ::

Posted 27 September 2006 - 14:34

Having a secure login for Neowin is stupid and costs money; Neowin doesn't store any personal information.

With a self-signed certificate, it doesn't cost anything and it's easy to set up.

#9 samg

samg

    Bite My Shiny Metal Ass

  • Joined: 01-August 02

Posted 27 September 2006 - 14:36

It's not like your credit card details are stored anyway.

What's the worst someone can do? Post some topics for you?

If you get banned, email a mod, they can check what IPs it came from etc..

#10 vetSimon

Simon

    Neowinian Senior

  • Joined: 05-July 05
  • Location: Calgary, AB, Canada
  • OS: OS X

Posted 27 September 2006 - 20:22

It's not really necessary, Neowin is a LOT more secure than a lot of other sites. And I don't know much about SSL, but would that put any more strain on our already failing servers?

#11 Joel

Joel

    Neowinian Senior

  • Joined: 07-August 01

Posted 27 September 2006 - 20:49

SSL is a pretty standard implementation for logging in to just about any site.

Name a forum or community board that has SSL.

#12 OP boogerjones

boogerjones

    T.I.P.I

  • Joined: 30-March 04
  • Location: Chicago

Posted 28 September 2006 - 02:04

Wow, I can't believe all the strong opposition to what is a simple, effective, and potentially free security measure. It has nothing to do with what is stored on Neowin or what the policy of other forums is.

#13 Joel

Joel

    Neowinian Senior

  • Joined: 07-August 01

Posted 28 September 2006 - 02:19

Wow, I can't believe all the strong opposition to what is a simple, effective, and potentially free security measure. It has nothing to do with what is stored on Neowin or what the policy of other forums is.

I'm not opposing it so much as I'm asking what use it would be to implement.

#14 vetJohn

John

    Neowinian Senior

  • Joined: 28-January 02
  • Location: Des Moines, IA

Posted 28 September 2006 - 02:20

Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherently does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.
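
Added example, not part of the thread: the issuer question raised in post #14, shown with the `openssl` command line. The hostname `forum.example.test` and the helper function names are constructed for illustration; the last check goes one step beyond the post by showing that a certificate pinned as trusted still rejects a different key that claims the same name.

```shell
#!/bin/sh
# Added illustration. forum.example.test is a constructed hostname.

make_self_signed() {   # $1 = output directory for key.pem and cert.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=forum.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

is_own_issuer() {      # succeeds when subject DN and issuer DN are identical
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

verifies_against() {   # $1 = trust anchor PEM ("" = default CA store), $2 = cert
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    else
        openssl verify "$2" >/dev/null 2>&1
    fi
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/site" "$work/impostor"
    make_self_signed "$work/site" && make_self_signed "$work/impostor" || return 1
    site="$work/site/cert.pem"
    is_own_issuer "$site" && echo "subject == issuer (self-signed)"
    # No CA in the default store vouches for it, so stock verification fails.
    verifies_against "" "$site" || echo "default CA store: rejected"
    # Explicitly trusting this exact certificate makes verification pass.
    verifies_against "$site" "$site" && echo "pinned to this exact cert: accepted"
    # A second self-signed cert with the same name does not match the pin.
    verifies_against "$site" "$work/impostor/cert.pem" ||
        echo "different key, same name, checked against the pin: rejected"
    rm -rf "$work"
}

demo
```
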

#15 whitebread

whitebread

    Neowinian Senior

  • Joined: 09-April 06
  • Location: Waterloo Region, ON
  • OS: OS X Lion 10.7.4
  • Phone: iPhone 4S

Posted 28 September 2006 - 17:18

Would it hurt to have an SSL certificate?