
^ I agree. Even if not over a secure connection, at the very min the username and passwords should be hashed; this would keep out the wannabe addon users sniffing this stuff for fun.

But I really don't think the cost of the ssl cert should be an issue these days https://www.cheapssls.com/

I am fairly sure you can get a trusted cert for like $5 a year if need be. There are quite a few options that are under $20.

There are some free certs you can get that last a year or whatnot.

Doesn't need SSL anyway, can do JS-MD5 if they're using the default IPB login.

Anyway you think this is bad? Go take a look at faceparty, not only does it transmit your password in plain text - they're STORED in plain text, you can have them emailed out to you AND the 'mods' of the site can view your password!

That I think is probably the most laughable system I've seen in years.

So it's the USERS' fault that your login page doesn't pre-encrypt/hash before sending, or use SSL.

A keylogger is kind of an invalid argument, since at that point your computer is already fully compromised and it doesn't matter where it's encrypted, unless you have a keyboard with a TPM chip that encrypts the password before the computer sees it, which is kind of unreasonable and besides the point :)

Point is, the password can be hashed client side before it's sent without "expensive" SSL certs.

As it is, even if they're not stored as clear text, someone could inject bad code into your site and have all the cleartext passwords passed on to them every day.

Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing to maintain security: first the password would be hashed on the client side (and what about people who browse with JavaScript disabled? How would this work for them?), and then it would be passed to the server to be salted and hashed again to check against the database.

> Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing to maintain security: first the password would be hashed on the client side (and what about people who browse with JavaScript disabled? How would this work for them?), and then it would be passed to the server to be salted and hashed again to check against the database.

Agreed, this seems to be an IPB issue not just a Neowin issue. The only way to solve this while allowing people without Javascript to log in would be to use an SSL certificate it seems.

Or how about add other options for login like generic openID vs FB and twitter. Not everyone uses those services, and if they do -- maybe they don't want to link their neowin account with those accounts, etc.

> Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing to maintain security: first the password would be hashed on the client side (and what about people who browse with JavaScript disabled? How would this work for them?), and then it would be passed to the server to be salted and hashed again to check against the database.

Exactly, that would be overly complicated and still not the way it should be.

So please tell me why you won't just do it all the easy way and implement SSL for logins?

Forum software is not very secure. Most of them still use MD5 hashing, unless you have the money and power to write your own forum software. You can write hooks and light mods to change the hashing and other things, but when there is an IP.Board update, you have to do that all again. And it could potentially open up a security hole for other hacking methods.

There is really nothing you can do besides SSL. I do not see what the big deal is though; it is not the site owner's/developers' fault if people use the same passwords, and IP.Board is just a community. Anything critical like purchases is done through PayPal WHICH IS HTTPS.

> Exactly, that would be overly complicated and still not the way it should be.
>
> So please tell me why you won't just do it all the easy way and implement SSL for logins?

Last time I looked, GOOD SSL certificates were $400 or more per year (like verisign here - http://www.symantec....sl-certificates). I wouldn't trust ones for $50, those must have very light security and such.

Quoting SK:

> If Microsoft, Google, Mozilla etc trusts an SSL provider in their browsers why shouldn't you trust them? That's all a certificate authority is, a trusted source.

I was talking about $50 certificates vs $300 /year certificates. If you look at the verisign page, they have more expensive certificates that give you more benefits. I wouldn't think a $40 certificate would be very good. It would make me pause about implementing that in my own site. I would rather go with the very popular and secure ones vs a cheapo one.

Microsoft, Google, Mozilla, and others use very expensive Verisign (and other top notch providers) certificates.

> I was talking about $50 certificates vs $300 /year certificates. If you look at the verisign page, they have more expensive certificates that give you more benefits. I wouldn't think a $40 certificate would be very good. It would make me pause about implementing that in my own site. I would rather go with the very popular and secure ones vs a cheapo one.
>
> Microsoft, Google, Mozilla, and others use very expensive Verisign (and other top notch providers) certificates.

A cheap certificate is perfectly acceptable. Its real purpose is to encrypt the traffic, which is really all we're asking for here. Those expensive certs are basically the same thing. The difference is the amount of work you have to do to get them. See http://www.ehow.com/list_5746563_differences-ssl-certificates.html

> A cheap certificate is perfectly acceptable. Its real purpose is to encrypt the traffic, which is really all we're asking for here. Those expensive certs are basically the same thing. The difference is the amount of work you have to do to get them. See http://www.ehow.com/...rtificates.html

Exactly. As long as the certificate is trusted then your end users will not get annoying certificate alerts. As said the main purpose is to secure the authentication process upon user logon. Any SSL is better than plain text!

I use an SSL Certificate from StartSSL to secure my home Remote Gateway Server. It's trusted in all browsers and cost exactly nothing.

> I was talking about $50 certificates vs $300 /year certificates. If you look at the verisign page, they have more expensive certificates that give you more benefits. I wouldn't think a $40 certificate would be very good. It would make me pause about implementing that in my own site. I would rather go with the very popular and secure ones vs a cheapo one.
>
> Microsoft, Google, Mozilla, and others use very expensive Verisign (and other top notch providers) certificates.

It doesn't matter... expensive and cheap SSL certs are the same; they both use up to 256-bit encryption.

If Neowin isn't an LLC or an Incorporation, then they cannot afford to get SSL certs from Verisign or whoever. But they can get SSL from other SSL providers such as RapidSSL for less. If they are an LLC or Inc., then do not forget that they pay for the servers to keep them up and running, plus maintenance costs, etc. They might not have enough $ to get SSL from Verisign.

For example, if you have SSL from Verisign and they raise their rate to about $1000 a year, you will be surprised, and then you will move your SSL to an alternative provider at a cheap rate to save money for your company. Simple.

You would do the same when you buy a car.... in your local town, the car costs $25,000... in another state, the car costs $15,000.. would you go out of state to get that car? Yeah? See, people would get the cheap one with the same features as the local car has. It is about saving money.

If what neowin wanted was to VERIFY they are who they say they are and own the domain, etc., then ok, maybe the more costly certs might be in order; you have to jump through some hoops in the verification process for some of those certs.

But we are talking just the encryption of the username and password; for that matter, just the password would work. As long as the transmission is secured, it does not matter if it's a FREE cert (as long as it's trusted by many browsers). Even if not trusted, neowin could provide the means of trusting said cert for those users that wanted to not be nagged and didn't want to make an exception in their browsers (for those that support that).

So any sort of cert would be better than no cert, yes, even a FREE one. So can we get a clear answer - will neowin be changing to SSL for the login or not? I really don't see how a <$50 cert should be an issue. Do we really need to take up a collection? ;)

I agree it's just a forum, and most of the info does not justify encryption of the traffic. But what I would like to see is the login sent in a secure manner - this is just common best practice. Now it might be true that many sites run in this fashion where login info is not encrypted. I will be checking all of the ones I frequent. They are all tech related sites; you would have to assume a tech related forum would use best practices, especially something so simple to implement.


> Hashing it on the client side would require IPB to completely change how the authentication system works, as there would need to be two levels of hashing to maintain security: first the password would be hashed on the client side (and what about people who browse with JavaScript disabled? How would this work for them?), and then it would be passed to the server to be salted and hashed again to check against the database.

Took the words completely out of my mouth. I really do doubt anyone browses without JS on these days; on the other hand, most modern websites, as you know, just wouldn't work.

Even if you implemented a client-side encryption method, if it was md5 or salt based hashing, you'd still provide your encryption technique for the world to see. This thread has been blown way out of proportion. Any website which isn't https will do the same. What the OP displays is just a simple HTTP POST.

If you have an entity snooping your internet traffic, then you have a more serious problem, and they probably aren't just looking for simple forum passwords; it's very sneaky business.

Just to worry you more, there is a very good middle man technique which actually keeps the integrity of a SSL cert. So, if you had someone with the intent of doing something, an SSL cert wouldn't completely stop them.

> So can we get a clear answer - will neowin be changing to SSL for the login or not?

We will, but I'm not sure if it will happen before the IPB 3.4 upgrade.


"If you have an entity snooping your internet traffic. Then you have more of a serious problem and isn't probably just looking for simple forum passwords, its very sneaky business."

"So, if you had someone with the intent of doing something, an SSL cert wouldn't completely stop them."

I am not so worried about a man in the middle attack, which sure is possible. And I am not worried about some point along the path sniffing the traffic - but then SSL would protect against that anyway.

What I am concerned about came up in another thread where the OP was asking about security options while on an open wifi network. During the discussion of what the exact concerns were (it is impossible to suggest a mitigation method unless you understand the risk you're trying to mitigate), it was posted that neowin's logins were not even encrypted.

I personally did not believe it, so I double checked - and to my dismay it was in fact true. Which was the reason for my query on the matter here in the site and forum issues. Maybe it might have been a subject better discussed in the mvc/staff area? But it is a security topic that should be discussed with the community at large using the site.

My concern is not someone with inappropriate access along the path collecting forum logins; yes, your mitm comment is still valid with any sort of SSL, but again this was not the reason for the query.

More worried about local wifi sniffers, which quite often could be kids just out for some lulz, etc. Now those can be mitigated with a secure connection across the open wifi like a vpn or ssh tunnel for browser traffic, etc. But if best practices were followed, the login info would be secure anyway - which would reduce the risk of some kids out for some fun using a browser addon and a simple wifi sniff. Again I am not too worried about someone sniffing my traffic while at home or work, etc., or a place of business that has a secure wifi connection.

I doubt I would stop using neowin if they don't change this method. But it would be nice to get an answer from the staff as to why they don't feel it's a concern, and why they don't use SSL to post the login info. So far info has been given as to why they don't hash the info before posting it, but I have not seen a reason for not using ssl to post this info?

edit: Thanks for the clear answer Redmak, looking forward to the upgrade ;) This is a clear answer to my question, and satisfies my concerns. It has been running like this since the get go it seems, so a few more weeks/months should not be too big of an issue.


As a side point BudMan, I login to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text. I imagine this is the same for many people, unless they're using a 3rd party device, or have a practice of logging out from the site. But yes, as Redmak says, we'll be bringing SSL in sometime soon.

^ well that brings up a whole new can of worms with session hijacking and non secure cookies used to store this logged in state - does it not? ;)

If the logins are not posted via SSL, I doubt the cookies are being sent that way??

That might be good info to pin, since this is a tech site and there are lots of security minded people here. Would it be possible to put together an info sheet on the security methods used by neowin to secure login and user info? It can wait til the upgrade, I am sure, and the use of ssl to post login info.. But there have been many headline stories of sites being compromised and user info stolen - some sort of writeup on the steps neowin takes to mitigate these issues, be it sniffing login creds, session hijacking, how info is stored in the database, etc. etc.

edit: Nothing too involved; pointless to give out info that could be used to exploit the measures.. But general terms that even the most non-tech-savvy users could understand would be a great addition to let the community know that neowin is looking after their users' info, etc.

Also - I did not mean to open a can of worms here; as mentioned multiple times -- this is just a forum and really nothing should be here that is of a critical nature to one's privacy or security. But even in this day and age, some users continue to use bad passwords, the same password on multiple sites. I would not be surprised if some users here use the same password they use for their registered email account with neowin as their email password, and I shudder to think even their banking websites, etc.
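An added check (not Neowin's or IPB's code) for the session-cookie point raised in the post above: it reads one Set-Cookie header and reports which attributes a login cookie issued over plain HTTP would be missing. The function name and the two sample headers are constructed for this illustration.

```javascript
// Added example, not code from Neowin or IPB. auditSetCookie and the sample
// headers below are constructed for this illustration.

// Parse a single Set-Cookie header value and list the protections it lacks.
function auditSetCookie(setCookieHeader) {
  const parts = setCookieHeader.split(';').map(p => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const name = nameValue.split('=')[0];
  // Attribute names are case-insensitive; compare them lower-cased.
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  const findings = [];
  if (!flags.has('secure')) {
    findings.push('missing Secure: the cookie is also sent over plain HTTP, so it can be sniffed like the login post');
  }
  if (!flags.has('httponly')) {
    findings.push('missing HttpOnly: script injected into the page can read the cookie');
  }
  if (!flags.has('samesite')) {
    findings.push('missing SameSite: the cookie is attached to cross-site requests');
  }
  return { name, findings };
}

// Constructed sample headers: a session cookie as an HTTP-only login page
// might issue it, and the same cookie with the attributes a login over SSL
// should carry.
const SAMPLE_HTTP_COOKIE = 'session_id=abc123; Path=/';
const SAMPLE_HTTPS_COOKIE = 'session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

console.log(auditSetCookie(SAMPLE_HTTP_COOKIE).findings);  // three findings
console.log(auditSetCookie(SAMPLE_HTTPS_COOKIE).findings); // []
```

A cookie that is only ever set and sent inside an SSL session still needs the Secure attribute, otherwise the browser will also send it on any plain-HTTP request to the same site.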

^ So I take it that is supposed to be one of those "warwagon" jokes?? ;)

No it's not. I've listened to all 392 episodes of Security Now, and the answer of

"I login to Neowin at home, then when I'm on the road with my laptop, I'm already logged in, so no real issue of transmitting my credentials over wifi in clear text."

would make them shake their heads. No hard feelings!

To summarize: "if you don't want your traffic sniffed, just log into Neowin before leaving the house"....really?
