Neowin Login Not Secure?

[+BudMan MVC]

^ I agree even if not over a secure connection, at the very min the username and passwords should be hashed, this would keep out the wannabbee addon users sniffing this stuff for fun.

But I really don't think the cost of the ssl cert should be an issue these days https://www.cheapssls.com/

I am fairly sure you can get a trusted cert for like $5 a year if need be. There are quite a few options that are under $20

[n_K]

There are some free certs you can get that last a year or whatnot.

Doesn't need SSL anyway, can do JS-MD5 if they're using the default IPB login.

Anyway you think this is bad? Go take a look at faceparty, not only does it transmit your password in plain text - they're STORED in plain text, you can have them emailed out to you AND the 'mods' of the site can view your password!

That I think is probably the most laughable system I've seen in years.

[DaveLegg Developer]

So it's the USERS fault that your login page doesn't pre-encrypted/hashed before being sent, or using SSL.

a keylogger is kind of invalid argument since at that point your computer is already fully compromised and it doesn't matter where it's encrypted unless you have a keyboard with a TPM chip that encrypts the password before the computer sees it, which is kind of unreasonable and besides the point :)

point is the password can be hashed client side before they're sent without "expensive" SSL certs.

As it is, even if they're not stored as clear text, someone could inject bad code to your site, and have all the cleartext passwords sent to you every day passed on .

Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing then to maintain security, first the password be hashed on the client side (and what about people who browse with javascript disabled, how would this work for them?) and then be passed to the server to be salted and hashed again to check against the database.

[xWhiplash]

Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing then to maintain security, first the password be hashed on the client side (and what about people who browse with javascript disabled, how would this work for them?) and then be passed to the server to be salted and hashed again to check against the database.

Agreed, this seems to be an IPB issue not just a Neowin issue. The only way to solve this while allowing people without Javascript to log in would be to use an SSL certificate it seems.

[Riggers]

Just thinking, maybe with site as big as this it might be worth approaching a cert authority to see if they can do you a deal. You know they then get free(ish) advertising with the login secured by XYZ logo perhaps on the mian page.

[+BudMan MVC]

Or how about add other options for login like generic openID vs FB and twitter. Not everyone uses those services, and if they do -- maybe they don't want to link their neowin account with those accounts, etc.

[Ambroos]

Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing then to maintain security, first the password be hashed on the client side (and what about people who browse with javascript disabled, how would this work for them?) and then be passed to the server to be salted and hashed again to check against the database.

Exactly, that would be overly complicated and still not the way it should be.

So please tell me why you won't just do it all the easy way and implement SSL for logins?

[xWhiplash]

Forum software is not very secure. Most of them still use MD5 hashing. Unless you have the money and power to write your own forum software. You can write hooks and light mods to change the hashing and other things, but when there is an IP.Board update, you have to do that all again. And it could potentially open up a security hole for other hacking methods.

There is really nothing you can do besides SSL. I do not see what the big deal is though, it is not the site owner/developers fault if people use the same passwords, and IP.Board is just a community. Anything critical like purchases are done though PayPal WHICH IS HTTPS.

Exactly, that would be overly complicated and still not the way it should be.

So please tell me why you won't just do it all the easy way and implement SSL for logins?

Last time I looked, GOOD SSL certificates were $400 or more per year (like verisign here - http://www.symantec....sl-certificates). I wouldn't trust ones for $50, those must have very light security and such.

[Guest]

If Microsoft, Google, Mozilla etc trusts an SSL provider in their browsers why shouldn't you trust them? That's all a certificate authority is, a trusted source.

[xWhiplash]

SK[' timestamp=1361886652' post='595544656]

If Microsoft, Google, Mozilla etc trusts an SSL provider in their browsers why shouldn't you trust them? That's all a certificate authority is, a trusted source.

I was talking about $50 certificates vs $300 /year certificates. If you look at the verisign page, they have more expensive certificates that give you more benefits. I wouldn't think a $40 certificate would be very good. It would make me pause about implementing that in my own site. I would rather go with the very popular and secure ones vs a cheapo one.

Microsoft, Google, Mozilla, and others use very expensive Verisign (and other top notch providers) certificates.

[Harrison H.]

I was talking about $50 certificates vs $300 /year certificates. If you look at the verisign page, they have more expensive certificates that give you more benefits. I wouldn't think a $40 certificate would be very good. It would make me pause about implementing that in my own site. I would rather go with the very popular and secure ones vs a cheapo one.

Microsoft, Google, Mozilla, and others use very expensive Verisign (and other top notch providers) certificates.

A cheap certificate is perfectly acceptable. It's real purpose is to encrypt the traffic, which is really all we're asking for here. Those expensive certs are basically the same thing. The difference is the amount of work you have to do to get them. See http://www.ehow.com/list_5746563_differences-ssl-certificates.html

[Steven P. Administrators]

IPB dropped OpenID support afaik.

[Guest]

A cheap certificate is perfectly acceptable. It's real purpose is to encrypt the traffic, which is really all we're asking for here. Those expensive certs are basically the same thing. The difference is the amount of work you have to do to get them. See http://www.ehow.com/...rtificates.html

Exactly. As long as the certificate is trusted then your end users will not get annoying certificate alerts. As said the main purpose is to secure the authentication process upon user logon. Any SSL is better than plain text!

I use an SSL Certificate from StartSSL to secure my home Remote Gateway Server. It's trusted in all browsers and costed exactly nothing.

[TAZMINATOR]

I was talking about $50 certificates vs $300 /year certificates. If you look at the verisign page, they have more expensive certificates that give you more benefits. I wouldn't think a $40 certificate would be very good. It would make me pause about implementing that in my own site. I would rather go with the very popular and secure ones vs a cheapo one.

Microsoft, Google, Mozilla, and others use very expensive Verisign (and other top notch providers) certificates.

It doesn't matter... expensive and cheap SSL certs are same which they both use up to 256 bit encryption systems.

If Neowin isn't a LLC or an Incorporation, then they can not afford to get SSL certs from Verisign or whoever. But they can get SSL from other SSL providers such as RapidSSL for less expensive. If they are a LLC or Inc., then do not forget that they pay for the servers to keep them up running and maintenance costs, etc. They might not have enough $ to get SSL from Verisign.

For example, you have SSL from Verisign, they will raise their rate to about $1000 a year, you will be surprised, then you will move your SSL to alternative provider for cheap rate to save money for your company. Simple.

You will do same way when you buy a car.... in your local town, car cost $25,000... in other state, car cost $15,000.. would you go out of state to get that car? Yeah? See people would get cheap one with same features as the local car has. It is about save money.

[+BudMan MVC]

If what neowin wanted was to VERIFY they are who they say they are and own the domain, etc. Then ok maybe the more costly certs might be in order, you have to jump through some hoops in the verification process for some of those certs.

But we are talking just the encryption of the username and password, for that matter just the password would work. As long as the transmission is secured does not matter if its a FREE cert (as long as trusted by many browsers) Even if not trusted, neowin could provide the means of trusting said cert for those users that wanted to not be nagged and didn't want to make exception in their browsers (for those that support that).

So any sort of cert would be better than no cert, yes even a FREE one. So can we get a clear answer - will neowin be changing to SSL for the login or not? I really don't see how a <$50 cert should be an issue. Do we really need to take up a collection? ;)

I agree its just a forum, and most of the info does not justify encryption of the traffic. But what I would like to see is the login sent in a secure manner - this is just common best practice. Now it might be true that many site run in this fashion where login info is not encrypted. I will be checking all of the ones I frequent. They are all tech related sites, you would have to assume a tech related forum would use best practices, especially something so simple to implement.

[JonnyLH]

Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing then to maintain security, first the password be hashed on the client side (and what about people who browse with javascript disabled, how would this work for them?) and then be passed to the server to be salted and hashed again to check against the database.

Took the words completely out of my mouth. I really do doubt anyone browses without JS on these days on the other hand, most modern websites as you know, just wouldn't work.

Even if you implemented a client-side encryption method, if it was md5 or salt based hashing, you'd still provide your encryption technique for the world to see. This thread has been blown way out of proportion. Any website which isn't https will do the same. What the OP displays is just a simple HTTP POST.

If you have an entity snooping your internet traffic. Then you have more of a serious problem and isn't probably just looking for simple forum passwords, its very sneaky business.

Just to worry you more, there is a very good middle man technique which actually keeps the integrity of a SSL cert. So, if you had someone with the intent of doing something, an SSL cert wouldn't completely stop them.

[DaveLegg Developer]

So can we get a clear answer - will neowin be changing to SSL for the login or not?

That's up to Neobond and Redmak to decide

[Redmak Administrators]

So can we get a clear answer - will neowin be changing to SSL for the login or not?

We will, but I'm not sure if it will happen before the IPB 3.4 upgrade

[+BudMan MVC]

"If you have an entity snooping your internet traffic. Then you have more of a serious problem and isn't probably just looking for simple forum passwords, its very sneaky business."

"So, if you had someone with the intent of doing something, an SSL cert wouldn't completely stop them."

I am not so worried about a man in the middle attack, which sure is possible. And I am not worried about some point along the path sniffing the traffic - but then a ssl would protect against that even.

What I am concerned about, came about in another thread where OP there was asking security options while on a open wifi network. During the process of discussion on what the exact concerns were. It is impossible to suggest a mitigation method unless you understand the risk your trying to mitigate it was posted that neowins logins where not even encrypted.

I personally did not believe it, so I double checked - and to my dismay it was in fact true. Which was the reason for my query to the matter here on the site and forum issue. Maybe it might of been a subject better discussed in the mvc/staff area? But it security topic that should be discussed with the community at large using the site.

My concern is not some one without inappropriate access along the the path collecting forum logins, yes your mitm comment is still valid with any sort of SSL, but again this was not the reason for the query.

More worried about local wifi sniffers, that quite often could be kids just out for some lulz, etc. Now those can be mitigated with a secure connection across the open wifi like vpn or ssh tunnel for browser traffic, etc. But if best practices where followed, the login info would be secure anyway - which would reduce the risk of some kids out for some fun using a browser addon and simple wifi sniff. Again I am not too worried about someone sniffing my traffic while at home or work, etc. Or place of business that has a secure wifi connection.

I doubt I would stop using neowin if they don't change this method. But it would be nice to get a answer from the staff to why they don't feel its a concern, and why they don't use SSL to post the login info. Sofar info has been given to why they don't hash the info before posting it, but I have not seen a reason for not using ssl to post this info?

edit: Thanks for the clear answer Redmak, looking forward to the upgrade ;) This is a clear answer to my question, and satisfies my concerns. It has been running like this since the get go it seems, so a few more weeks/months should not be too big of an issue.

[DaveLegg Developer]

As a side point BudMan, I login to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text. I imagine this is the same for many people, unless they're using a 3rd party device, or have a practise of logging out from the site. But yes, as Redmak says, we'll be bringing SSL in sometime soon.

[Shadrack]

Another reason why NOT to use the same password everywhere on the Internet.

[+BudMan MVC]

^ well that brings up a whole new can of worms with session hijacking and non secure cookies used to store this logged in state - does it not? ;)

If the logins are not posted via SSL, I doubt the cookies are being sent that way??

That might be a good info to pin, since this is tech site and lots of security minded people here. Would it be possible to put together a info sheet on the security methods used by neowin to secure login and user info. It can wait til the upgrade I am sure and use of ssl to post login info.. But there have been many headline story of sites being compromised and user info stolen - some sort of writeup on the steps neowin takes to mitigate these issues, be it sniffing login creds, session hijacking, how info is stored in the database, etc. etc.

edit: Nothing to involved, pointless to give out info that could be used to exploit the measures.. But general terms that even the most nontech savy users could understand would be a great addition to let the community know that neowin is looking after their users info, etc.

Also - I did not mean to open a can of worms here, as mentioned multiple times -- this is just a forum and really nothing should be here that is of a critical nature to ones privacy or security. But even in this day and age, some users continue to use bad passwords, same password on multiple sites. I would not be surprised if some users here use the same password they use for their registered email account with neowin as their email password, and shutter to think even their banking websites, etc.

[+Warwagon MVC]

When in doubt just ask yourself "What would Steve Gibson think". Even I had a Gibsonian Response to this thread.

[+BudMan MVC]

^ So I take it that is suppose to be one of those "warwagon" jokes?? ;)

[+Warwagon MVC]

^ So I take it that is suppose to be one of those "warwagon" jokes?? ;)

No it's not. I've listed to all 392 episodes of Security now, and the answer of

"I login to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text."

would make them shake their heads. No hard feelings!

To summarize." if you don't want your traffic sniffed, just log into Neowin before leaving the house"....really?