Neowin needs HTTPS login from main, not just forums


Recommended Posts

Doesn't PHP Ioncube already give a bit of protection? I use Invision, and it seems that the board is built well enough to not need SSL.

 

Not serving the form over HTTPS exposes it to manipulation even if the subsequent log-in action is done over a secure connection.

 

I think Subs get https..

 

Not in the list of advertised benefits, so I didn't want to assume.


I'm not even 100% sure.. A mod will have to verify..


Yep that is true - not sending the login form over HTTPS allows a Man-In-The-Middle attack, where the attacker can modify the form before the browser gets it, and redirect the login requests through his own server to capture passwords.

If you use different passwords for every site and change your password on a regular basis, then this shouldn't be a concern. :)

 

Also, HTTPS login is available for subscribers: https://www.neowin.net/forum/topic/1169735-https-sessions-active-for-tier-2-subscribers/
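An added check (not code from the thread or from Neowin) for the two problems described above: it parses a page's HTML for forms containing a password field and reports when the page itself was not served over HTTPS (the form can be altered in transit) or when the form posts over HTTP (credentials travel in the clear). The host forum.example and the sample pages are constructed.

```python
"""Audit a login page for the two failure modes discussed in the thread:
the form itself served over HTTP, and the form posting over HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every form's action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action, has_password)
        self._action = None    # action of the form being parsed, or None
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
            self._has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            self.forms.append((self._action, self._has_password))
            self._action = None


def audit_login_page(page_url, html):
    """Return one finding string per problem found in password forms of `html`."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue                      # not a credential form, ignore
        target = urljoin(page_url, action)  # relative actions inherit the page scheme
        if page_scheme != "https":
            findings.append(f"{target}: page served over {page_scheme}, form can be altered in transit")
        if urlsplit(target).scheme.lower() != "https":
            findings.append(f"{target}: credentials would be submitted over plain HTTP")
    return findings


# Constructed samples: a front page over HTTP whose form posts to HTTPS,
# and a dedicated login page served over HTTPS with a relative action.
FRONT_PAGE = '<form action="https://forum.example/login" method="post">' \
             '<input name="user"><input type="password" name="pw"></form>'
SECURE_PAGE = '<form action="/login" method="post"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(audit_login_page("http://forum.example/", FRONT_PAGE))
    print(audit_login_page("https://forum.example/login", SECURE_PAGE))
```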


A potential for Man in the Middle attacks should always be a concern, irrespective of your password management policy. HTTPS login is available for mere mortals too, there is no need for a sub, it's just the form that is presented for you to enter your uber secure credentials is sent over HTTP rather than HTTPS, hence the MITM attack vector.


Well, most other forums don't have encryption by default either, so my type of password management is recommended. Sure it's not perfect, but it does mean that if some person does decide to attack then they only get the password for that one site (which can be reset after the person is done attacking). Another thing, the reason it's not encrypted for everyone is because the ad providers don't support it, as mentioned in the topic I linked to in my previous post.


 

Sorry, but your point about ad providers not supporting encryption is moot in relation to displaying the log-in form over HTTPS when using Chrome or Firefox, because no ads are displayed on the log-in page in either browser. It is applicable to IE, but if ads cannot be excluded on that one page for the sake of better security, it's pretty sad.

 

As for most forums not having encryption, encryption of what are we talking about? You can do authentication via HTTPS, you can serve the log-in form over HTTPS and you can generate random session IDs. Good password management by users does not absolve site operators from following security best practices.


OK, but at the end of the day it's the admin's/dev's decision whether they implement it for all, not ours.

 

It costs quite a bit of money so most have no SSL whatsoever. You can't really expect every forum to provide encryption.

Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherently does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.

Self-signed certificates are fine, you just get prompted when accessing it through HTTPS.  Not hard to implement at all and it wouldn't hurt anything.  They don't have to be expensive, either.


That's fine for an intranet, but that's really bad practice for a live website. Would YOU trust a random website that used an unsigned certificate?


 

I understand that it's a decision for the developers/admins. What I am asking for is not full blown SSL everywhere, so you may have things confused. Since the submit form is already securely processed, it should not be too much effort to present the form itself over HTTPS. It is already possible to have it loaded with SSL by manually editing the URL and changing HTTP to HTTPS, so I cannot understand why it is not the default behaviour.

 


 

If you think self-signed certificates are just as good as those issued by a trusted CA, I have a bridge to sell.

 


 

I wouldn't even go as far as saying that it's OK for an Intranet site, because accepting self-signed certs over and over desensitises users and lulls them into a false sense of security when they come across that on de Interwebz.


I know that's what you are asking for, and while it's possible on this forum, I don't think the devs want to mess with the ad code on the login page just for HTTPS, since they weren't even keen on adding the encryption for subscribers either at first. Then again, I don't know and am just making guesses based on the information found in the FAQ in that topic posted earlier.

 

Anyways, I fully understand why you would want it, but I'm not sure that it'll get implemented. However, if it does then that's great.  :)

We are aware of the insecure login form on the front page (the forum has a dedicated secure login page). I haven't decided on how to fix this yet. I think the only way is to redirect to a dedicated secure login page or at least mention that this main page login isn't as secure as it should be and add a link to the forum login page.

 

Subscribers do have full site encryption

 

We are not providing full site encryption for everyone because of the ads. We need them....

The cheapest I know are around $16 / year, so I wouldn't really call it expensive, if you buy from the right place. But yeah, it is up to the admins.

I've had them as low as $4/year. Less if it's multiple years.

 

A redirect to a secure login form would be a good idea, Redmak.


 

Lame-ass Netshelter ads :P

 

I don't get why those big ad providers don't fix their HTTPS. Personally I'm a big fan of just using HTTPS everywhere. It'll be a requirement in the next HTTP protocol (probably SPDY) anyway. And it provides easy protection against sniffing.


They work, but they don't provide any trust, which is honestly the most important aspect of TLS.


I think redirecting to a dedicated secure login page is a better approach to take. Not suggesting full-blown encryption everywhere for everyone for a minute, I appreciate that you guys need the ad revenue.

This topic is now closed to further replies.