Neowin needs HTTPS login from main, not just forums

By boogerjones
in Site & Forum Issues

 Share

Recommended Posts

Grand Master

boogerjones

Posted
Posted (edited)

Some prick sniffed my password at a school computer lab. Is there any way for Neowin to get a secure logon? I know these things cost money, but it's such an easy target for any jackass with a computer. Hell, even a self-generated certificate (not from Thawte, Verisign, etc) would at least give some of us the option of using it.

Edited by boogerjones
Experienced

tiddlie

Posted
Posted

A public PC is always going to be an issue. If this 'prick' had used a USB keylogger / PS2 keylogger, would you want that Neowin implemented a voice recognition login?

I don't see the need for HTTPS login on Neowin. It's a forum - not a financial institution. If its that much of an issue, use a seperate password on things like forums than important things.

Grand Master

boogerjones

Posted
  • Author
Posted

If this 'prick' had used a USB keylogger / PS2 keylogger, would you want that Neowin implemented a voice recognition login?

Gimme a break. Why should cars have locks if keys can be duplicated? Yes, somebody could potentially use a TEMPEST attack and get my password, but these kinds of thieves will use the easiest possible method. And right now it's pretty easy to get my password for Neowin. SSL is a pretty standard implementation for logging in to just about any site.

And I do use a separate password. But the content of the site is not the issue. I really don't care if somebody can login to my profile. But I think it's just a bad security practice on Neowin's end.

Experienced

tiddlie

Posted
Posted

Damn...thats a good point! Cars have locks yet keys can be duplicated....maybe they need some sort of SSL to make them secure. A keypad in each car maybe?

If someone on a public PC wants to get hold of your password, they'll do it. Packet sniffing a network for unsecured passwords is far more difficult than a keylogger, so you'll never be safe.

Talk to someone in your college's ICT department if this is going on there, or only login from home. Its unlikely that any website putting SSL onto their site will have any major benefit to stopping people on public computers being targetted.

I mean can you even be 100% sure that they didn't just have a keylogger installed or something to that effect? Can you be sure that the public machines are 100% trojan secure? It may not even have happened the way you think it did.

There are far far bigger sites out there that don't use SSL connections to login to their servers. Myspace anyone?

Grand Master

Joel

Posted
Posted

Wow, I can't believe all the strong opposition to what is a simple, effective, and potentially free security measure. It has nothing to do with what is stored on Neowin or what the policy of other forums is.

I'm not opposing it so much as I'm asking what use it would be to implement.

Grand Master

John Veteran

Posted
  • Veteran
Posted

Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherintly does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.

Rising Star

nautiqueskier

Posted
Posted

Honestly I think SSL is overkill in this case. A self-signed certificate will give everyone an error everytime they try and login and a trusted signed SSL, while not terribly expensive ($60 for a basic, not wildcard one with virtually no financial backup) would not be money well spent in my opinion.

Then theres the implementation of it into Invision (the forum software Neowin runs)

Grand Master

kjordan2001

Posted
Posted

Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherintly does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.

The browser will prompt you if you trust the self-signed certificate. There's always free signing 3rd parties too like cacert.org. Just import their root certificate and any site signed with that will be trusted.

Grand Master

John Veteran

Posted
  • Veteran
Posted
vBulletin implemented a Javascript hashing mechanism so that user passwords are hashed before they're sent to the server. That could probably be modded into IPB for much less effort.

So instead of someone sniffing your password, they sniff the password hash, which is just as good as a password... Great solution (Y) Whatever is sent to the server needs to be encrypted so it can't be sniffed. That's the whole point. Sending the server "asdf" instead of "password" does nothing if an anonymous listener can see it on the network.

The browser will prompt you if you trust the self-signed certificate. There's always free signing 3rd parties too like cacert.org. Just import their root certificate and any site signed with that will be trusted.

Yeah, every user would have to import SOME certificate, whether it's Neowin's or cacert.org, or whoever's... That's not a solution. Why do you think people pay so much for Verisign certificates? Because they're trusted. I've never heard of cacert.org and certantly don't trust them to vouch for another website...

Grand Master

dragon2611

Posted
Posted

So instead of someone sniffing your password, they sniff the password hash, which is just as good as a password... Great solution (Y) Whatever is sent to the server needs to be encrypted so it can't be sniffed. That's the whole point. Sending the server "asdf" instead of "password" does nothing if an anonymous listener can see it on the network.

Yeah, every user would have to import SOME certificate, whether it's Neowin's or cacert.org, or whoever's... That's not a solution. Why do you think people pay so much for Verisign certificates? Because they're trusted. I've never heard of cacert.org and certantly don't trust them to vouch for another website...

actually i have a starter SSL certificate from namecheap.com setup for cpanel on a server and it cost me a $16 :yes:

its reconised by most browsers, shows up as being signed by Eqifax and works fine with firefox and Ie6+ (maybe older versions of ie also, dont know cus i only run 6 and 7) also works with opera and safari as far as i can remember (dont use them much tend to use firefox all the time)

so no they don't need to cost the earth! ;)

  • 6 years later...
  • 1 year later...
Veteran

vanx

Posted
Posted

Since the other topic was locked, I would post a couple of my observations here:

 

-- The login form for the credentials is served over unsecured HTTP

-- The logout action consists of this URL 

https://www.neowin.net/forum/index.php?app=core&module=global&section=login&do=logout&k=

And the "k" -- I guess that means "key" -- value is a constant 32 char hash that does not vary between sessions. Now I am not a security whiz, but I think that both of those are not good things and should be corrected.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Movavi Video Editor Plus 26.17.0

      By Copernic · Posted

      Movavi Video Editor Plus 26.17.0 by Razvan Serea With Movavi Video Editor Plus, you can either enhance your video files with two or three simple steps, or turn them into something completely new. Create your own movies using multiple filters, transitions, and special effects: show multiple videos on one screen with the Picture in picture effect or change the background with the Chroma Key effect, imitate the camera zoom or make your video look like an old-style movie. Adjust video parameters such as brightness, contrast and colors. Stabilize shaky footage, improve video quality and remove defects. Create video presentations, tutorials or educational videos: add titles and record your own narration to create a video with voiceover. Import video from any source: TV-tuner, webcam, camcorder, or VHS. Drop multiple media files onto a timeline and let your imagination do the rest! Features at a glance: Video and audio editing on a timeline Edit, enhance videos Add background music Apply titles and effects Image quality improvement Hollywood-worthy effects High-grade titles and fades Digitize VHS tapes, record video from TV tuners Stabilize any shaky sections Support for a wide range of formats Prepare your videos for uploading to YouTube, Facebook, Vimeo, or any other website New in Movavi Video Editor 2026: 30+ fresh subtitle styles. Upgrade your automatic captions with new designs. Customize your text in the Styles tab with a single click. Optional advanced settings are also available in the dedicated Design tab. Subtitles in English – instantly! Translate auto-subtitles into English with a click – no dictionaries or online services needed. Once translated, configure and fine-tune the subtitles using the standard editing tools. 40+ adjustable effects. Enhance your videos in a click with new realistic effects – from dust particles and light leaks to retro-style and VHS. Every effect is fully customizable – so it will fit any clip perfectly and bring an extra spark to your edits. Ultra-fast playback. Show more in less time with video speed control of up to 100x. Perfect for epic time-lapses, long process recaps, or whenever you want to add some extra energy to your content. Magnetic zones are marked with dots, and the 1x value is indicated by a vertical line. Silence removal – in a click. Cut out unwanted pauses automatically or fine-tune the pause length and volume threshold yourself. Skip the tedious cleanup and make your videos more dynamic. Fast effect copying. Effortlessly duplicate any effect from one video to another: click Clip effects in the dropdown menu and proceed to copy or paste. Movavi Video Editor Plus 26.17.0 changes: A new set of subtitle styles Check out the latest drop of ready-made subtitle styles with active word highlighting – fully designed and ready to use. Each one has its own vibe, so you can quickly find the perfect match for your video. Give them a spin and pick your favorite. Download: Movavi Video Editor Plus 26.17.0 | 2.7 MB (Shareware) View: Movavi Video Editor Plus Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Classic Outlook vs New Outlook — Which one do you prefer and why?

      By LittleNeutrino · Posted

      "New" Outlook has themes and colours and all sorts of visual customizations not just black and white.
    • Google Chrome is killing all uBlock Origin bypasses, Microsoft Edge, Opera to follow

      By +Edouard · Posted

      What a bizarre statement. Why are you against users having choices? Are you against all extensions or just ad blocking? What about extensions to alter the W11 start menu to suit user preferences. Are you against those?
    • Google Chrome is killing all uBlock Origin bypasses, Microsoft Edge, Opera to follow

      By SnyPer456 · Posted

      Honestly, I've been using the Lite version for a couple of months now, and it's been working well for me in my daily life. So much that I don't even miss the original version.
    • Classic Outlook vs New Outlook — Which one do you prefer and why?

      By margrave · Posted

      I use classic for reliability. Dark grey is vastly better than the all black or all white of new outlook.

  • Recent Achievements

    • Week One Done
      skylerssviv earned a badge
      Week One Done
    • One Month Later
      mobmobiles earned a badge
      One Month Later
    • Very Popular
      Captain_Eric earned a badge
      Very Popular
    • One Month Later
      amusc earned a badge
      One Month Later
    • One Month Later
      DJC50PLUS earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      501
    2. 2
      PsYcHoKiLLa
      230
    3. 3
      +Edouard
      98
    4. 4
      ATLien_0
      91
    5. 5
      Steven P.
      82
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!