Forum Login Security

jaem
Posts: 148
Joined: Thu Feb 15, 2007 3:36 pm
Location: BC, Canada

Forum Login Security

Post by jaem »

This is directed mainly to the administrative staff of this forum, but if anyone has any comments, feel free to add them to the discussion.

I have become slightly concerned over the fact that the Servomagazine Forums have no encryption on the login page. While I value the resource that this forum provides, I do not feel very comfortable using it, when it is so insecure. I do not know how easy it would be to implement SSL on the login page, but I would urge whoever runs the forums to look into it. I myself am in the unfortunate position of being on a fairly insecure network, and it is not terribly hard to hijack someone's traffic. There are several commonly available tools to do such things that come to mind immediately; I don't feel it appropriate to list any specific programs here, but rest assured that they're not that hard to find. Given the fact that many people likely reuse passwords, this is especially bad.
I hope the Administration will seriously consider this.

Thanks,

Jeff
Bigglez
Posts: 1282
Joined: Mon Oct 15, 2007 7:39 pm

Re: Forum Login Security

Post by Bigglez »

Greetings Jeff,
jaem wrote:This is directed mainly to the administrative staff of this forum, but if anyone has any comments, feel free to add them to the discussion.
The folks at T&L Publications, who run this forum, are currently installing phpBB3.0.
I have no further details, but if you are still concerned you could check that version's
security features for yourself.

Comments Welcome!
SETEC_Astronomy
Posts: 582
Joined: Tue May 09, 2006 12:44 am

Post by SETEC_Astronomy »

I completely agree, being in computer security it's amazing the ways you can be targeted, hacked, sniffed, spoofed, tricked, phished, etc... I occasionally try https for the forums hoping one day it will be there and I've been disappointed so far. Back when I subscribed to the magazine I seem to remember that logging into your subscription/account status page was over a secure connection. If the price of a new cert is the issue, godaddy.com now offers 256-bit enc SSL certs for $29/yr, not a bad price for some assurance in my book. So many sites refuse to implement SSL even for just the login. Some of the largest sites are the most shocking, Myspace uses nothing to encrypt login info and yet seems surprised by the number of spam accounts and phished logins. Yahoo.com only encrypts your login and refuses to encrypt your actual mail pages, this really bothers me since your mail could contain bank account info, forgotten password emails, etc...

It's gotten to the point with me that I create new Yahoo, Hotmail, Gmail and AOL accounts for just about everything I sign up for. I use a tiered approach to set up accounts based on the perceived threat and target value. BB sites like this one get one email address issued by Yahoo with simple easy to remember passwords and sites like my online banking site get a Gmail account which allows SSL for everything and includes free POP and IMAP access, not to mention a password of any type and nearly any length.

Just a quick note for those using AOL and Yahoo, I would recommend a switch to Gmail or Live Mail from Microsoft as they are much more secure than AOL and Yahoo. It's frightening how easy it is to take control of an AOL or Yahoo account.

Sorry for going off on a whole thing here but it bothers me how uneducated some people are with regards to online security and there is no reason for it. With today's technology and the powerful encryption available sites should take the extra step to protect their users. So what if SSL takes some CPU horsepower, I bet if your identity was stolen and your credit ruined you'd be glad to pay the price.
SETEC_Astronomy
Posts: 582
Joined: Tue May 09, 2006 12:44 am

Re: Forum Login Security

Post by SETEC_Astronomy »

Bigglez wrote:Greetings Jeff,
jaem wrote:This is directed mainly to the administrative staff of this forum, but if anyone has any comments, feel free to add them to the discussion.
The folks at T&L Publications, who run this forum, are currently installing phpBB3.0.
I have no further details, but if you are still concerned you could check that version's
security features for yourself.

Comments Welcome!
I took jaem's post to mean he was concerned with network traffic sniffing and not so much vulnerabilities in phpbb code. But it is good to know that they're keeping the forums up to date. Thanks guys.
jaem
Posts: 148
Joined: Thu Feb 15, 2007 3:36 pm
Location: BC, Canada

Post by jaem »

Yes, that was what I was meaning, although code upgrades are always good too. To be honest, the reason I thought about this now was that my computer has issues, so I'm booting it from a CD - a CD which happens to be made for penetration testing, and contains all of the tools I mentioned! Made me think a bit more about the issues at hand :P

As for Gmail accounts, if you're using Firefox, you can download the Greasemonkey extension, and then go to http://userscripts.org and search for the Gmail SSL script, which forces all Gmail pages (not just the login page) to use encryption. Definitely a good idea.
