boogerjones Posted September 27, 2006 (edited September 27, 2006 by boogerjones):
Some prick sniffed my password at a school computer lab. Is there any way for Neowin to get a secure logon? I know these things cost money, but it's such an easy target for any jackass with a computer. Hell, even a self-generated certificate (not from Thawte, Verisign, etc.) would at least give some of us the option of using it.
tiddlie Posted September 27, 2006:
A public PC is always going to be an issue. If this 'prick' had used a USB keylogger / PS2 keylogger, would you want Neowin to implement a voice recognition login? I don't see the need for HTTPS login on Neowin. It's a forum, not a financial institution. If it's that much of an issue, use a separate password on things like forums than on important things.
Japlabot Posted September 27, 2006:
Consider using an online proxy server that uses HTTPS, or, as above, separate passwords.
boogerjones (Author) Posted September 27, 2006:
"If this 'prick' had used a USB keylogger / PS2 keylogger, would you want that Neowin implemented a voice recognition login?"
Gimme a break. Why should cars have locks if keys can be duplicated? Yes, somebody could potentially use a TEMPEST attack and get my password, but these kinds of thieves will use the easiest possible method. And right now it's pretty easy to get my password for Neowin. SSL is a pretty standard implementation for logging in to just about any site. And I do use a separate password. But the content of the site is not the issue. I really don't care if somebody can login to my profile. But I think it's just a bad security practice on Neowin's end.
tiddlie Posted September 27, 2006:
Damn... that's a good point! Cars have locks yet keys can be duplicated... maybe they need some sort of SSL to make them secure. A keypad in each car maybe? If someone on a public PC wants to get hold of your password, they'll do it. Packet sniffing a network for unsecured passwords is far more difficult than a keylogger, so you'll never be safe. Talk to someone in your college's ICT department if this is going on there, or only login from home. It's unlikely that any website putting SSL onto their site will have any major benefit in stopping people on public computers being targeted. I mean, can you even be 100% sure that they didn't just have a keylogger installed or something to that effect? Can you be sure that the public machines are 100% trojan secure? It may not even have happened the way you think it did. There are far, far bigger sites out there that don't use SSL connections to login to their servers. Myspace anyone?
riahc3 Posted September 27, 2006:
Having a secure login for Neowin is stupid and costs money; Neowin doesn't store any personal information.
Colin-uk Posted September 27, 2006:
I don't know of any tech forum that uses SSL to log its members in. If you really want to be secure on a public network, set up / use something like hamachi or SSLexplorer.
Miuku. Posted September 27, 2006:
"Having a secure login for Neowin is stupid and costs money; Neowin doesn't store any personal information."
With a self-signed certificate, it doesn't cost anything and it's easy to set up.
samg Posted September 27, 2006:
It's not like your credit card details are stored anyway. What's the worst someone can do? Post some topics for you? If you get banned, email a mod; they can check what IPs it came from etc.
Simon Posted September 27, 2006:
It's not really necessary, Neowin is a LOT more secure than a lot of other sites. And I don't know much about SSL, but would that put any more strain on our already failing servers?
Joel Posted September 27, 2006:
"SSL is a pretty standard implementation for logging in to just about any site."
Name a forum or community board that has SSL.
boogerjones (Author) Posted September 28, 2006:
Wow, I can't believe all the strong opposition to what is a simple, effective, and potentially free security measure. It has nothing to do with what is stored on Neowin or what the policy of other forums is.
Joel Posted September 28, 2006:
"Wow, I can't believe all the strong opposition to what is a simple, effective, and potentially free security measure. It has nothing to do with what is stored on Neowin or what the policy of other forums is."
I'm not opposing it so much as I'm asking what use it would be to implement.
John Posted September 28, 2006:
Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherently does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.
whitebread Posted September 28, 2006:
Would it hurt to have an SSL certificate?
nautiqueskier Posted September 28, 2006:
Honestly I think SSL is overkill in this case. A self-signed certificate will give everyone an error every time they try and login, and a trusted signed SSL, while not terribly expensive ($60 for a basic, not wildcard, one with virtually no financial backup), would not be money well spent in my opinion. Then there's the implementation of it into Invision (the forum software Neowin runs).
Mr. Jingles Posted September 29, 2006:
vBulletin implemented a JavaScript hashing mechanism so that user passwords are hashed before they're sent to the server. That could probably be modded into IPB for much less effort.
kjordan2001 Posted September 29, 2006:
"Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherently does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this."
The browser will prompt you if you trust the self-signed certificate. There are always free signing 3rd parties too, like cacert.org. Just import their root certificate and any site signed with that will be trusted.
Steven P. (Administrator) Posted September 29, 2006:
Denied!
Tim Dorr Posted September 29, 2006:
"Would it hurt to have an SSL certificate?"
Yes, it would. Every time I install an SSL certificate, a server cries just a little bit. Think of the servers, people!
John Posted September 30, 2006:
"vBulletin implemented a Javascript hashing mechanism so that user passwords are hashed before they're sent to the server. That could probably be modded into IPB for much less effort."
So instead of someone sniffing your password, they sniff the password hash, which is just as good as a password... Great solution (Y) Whatever is sent to the server needs to be encrypted so it can't be sniffed. That's the whole point. Sending the server "asdf" instead of "password" does nothing if an anonymous listener can see it on the network.
"The browser will prompt you if you trust the self-signed certificate. There's always free signing 3rd parties too like cacert.org. Just import their root certificate and any site signed with that will be trusted."
Yeah, every user would have to import SOME certificate, whether it's Neowin's or cacert.org's, or whoever's... That's not a solution. Why do you think people pay so much for Verisign certificates? Because they're trusted. I've never heard of cacert.org and certainly don't trust them to vouch for another website...
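John's objection (a sniffed hash is replayable, so hashing in the browser changes nothing) is the crux of the thread. As an added illustration that is not from the thread, from vBulletin or from IPB, this Python sketch models the static client-side hash beside a nonce-bound challenge-response that does resist passive replay; the user name, password and choice of SHA-256 are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed server-side table: one user, storing the same one-way hash the
# client-side JavaScript would compute (SHA-256 is an assumption for this demo).
USERS = {"booger": hashlib.sha256(b"correct horse").hexdigest()}

def client_static_hash(password):
    """The vBulletin-style idea: hash once in the browser and send the hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def server_accepts_static(user, sent_hash):
    """Server compares the transmitted hash with the stored one.
    Whoever saw sent_hash on the wire can send it again: the hash IS the credential."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, sent_hash)

def server_issue_nonce():
    """Fresh random challenge, valid for a single login attempt."""
    return os.urandom(16).hex()

def client_challenge_response(password, nonce):
    """Bind the credential to this attempt: HMAC(password_hash, nonce)."""
    key = client_static_hash(password).encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def server_accepts_response(user, nonce, response, used_nonces):
    """Recompute the expected response; each nonce may be consumed only once."""
    stored = USERS.get(user)
    if stored is None or nonce in used_nonces:
        return False
    used_nonces.add(nonce)
    expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)

def replay_demo():
    """Returns (static scheme: replay accepted?,
                challenge scheme: first login accepted?, replay accepted?)."""
    # Scheme 1: an observer recorded the hash on the wire and resends it.
    captured = client_static_hash("correct horse")
    static_replay = server_accepts_static("booger", captured)
    # Scheme 2: the observer recorded nonce + response and resends both.
    used = set()
    nonce = server_issue_nonce()
    resp = client_challenge_response("correct horse", nonce)
    first = server_accepts_response("booger", nonce, resp, used)
    replay = server_accepts_response("booger", nonce, resp, used)
    return static_replay, first, replay
```

Even the second scheme only blocks passive replay: a recorded nonce/response pair still allows offline guessing of weak passwords, and nothing here protects the session cookie issued after login, which is why transport encryption remains the real fix.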
dragon2611 Posted September 30, 2006:
"So instead of someone sniffing your password, they sniff the password hash, which is just as good as a password... Great solution (Y) Whatever is sent to the server needs to be encrypted so it can't be sniffed. That's the whole point. Sending the server "asdf" instead of "password" does nothing if an anonymous listener can see it on the network. Yeah, every user would have to import SOME certificate, whether it's Neowin's or cacert.org, or whoever's... That's not a solution. Why do you think people pay so much for Verisign certificates? Because they're trusted. I've never heard of cacert.org and certantly don't trust them to vouch for another website..."
Actually I have a starter SSL certificate from namecheap.com set up for cPanel on a server and it cost me $16 :yes: It's recognised by most browsers, shows up as being signed by Equifax and works fine with Firefox and IE6+ (maybe older versions of IE also, don't know 'cos I only run 6 and 7). Also works with Opera and Safari as far as I can remember (don't use them much, tend to use Firefox all the time). So no, they don't need to cost the earth! ;)
+Warwagon Posted February 26, 2013:
As far as certificates, I heard DigiCert has some good prices. It's also the same one Facebook uses. www.digicert.com
vanx Posted July 3, 2014:
Since the other topic was locked, I would post a couple of my observations here:
-- The login form for the credentials is served over unsecured HTTP.
-- The logout action consists of this URL: https://www.neowin.net/forum/index.php?app=core&module=global&section=login&do=logout&k= and the "k" (I guess that means "key") value is a constant 32-char hash that does not vary between sessions.
Now I am not a security whiz, but I think that both of those are not good things and should be corrected.
Mr.XXIV Posted July 3, 2014:
Doesn't PHP Ioncube already give a bit of protection? I use Invision, and it seems that the board is built well enough to not need SSL.