flat assembler
Message board for the users of flat assembler.

Index > Feedback > SSL/Password hashing

gunblade
Joined: 19 Feb 2004
Posts: 209
Thought it was worth asking.. would it be possible to implement either a nicer SSL (rather than the current one, which seems to use a certificate from bluehost and also redirects you to https://board.flatassembler.net/~flatasse/subdomains/board), or at the very least, implement password hashing when logging in.. so that passwords are not sent in plain text?

I checked today out of interest, and the logins are definitely sent in plaintext (along with your username, but that's expected), meaning anyone sniffing could easily get the details.. Not that they could do a massive amount with it - but my worry is if people use the same logins here as they do for their other sites (which again, you shouldn't do - but people do..), this could cause people to have their other accounts hijacked.

Does phpbb not have the option of using hashed passwords? So that passwords are hashed before they are sent - it wouldn't be perfect, but would at least stop anyone watching traffic from getting the password without having to crack it first.

I know you have to pay for a proper ssl certificate, so it might be annoying to get one - but isn't password hashing an option?
Post 13 Mar 2012, 12:52
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17492
Location: In your JS exploiting you and your system
Any manipulation with the password into another form would require JS. Am I right? If so, then let's not go there please.

I use SSL to access the board. I really don't care about the URL "mangling", and IMO this is a better option than anything that requires JS to be running.
Post 13 Mar 2012, 13:09
gunblade
Joined: 19 Feb 2004
Posts: 209
You have a point there.. and I agree, using JS is not an option.. I thought the browser may have had a built-in option for "secure" logins.. but maybe I'm mistaken (probably.. since it would require browser-side scripting).

And yeah, I do use the SSL at the moment - one of the annoyances is that I can't add the certificate to the browser and tell it to just accept it - because the hostname does not match the one on the certificate.

But I guess it's not worth buying a certificate just for that

I'll find a way to get the browser to just accept the certificate - just at least to get rid of the nagscreen that it shows when certificates aren't "official".

It's still a bit worrying that others may use non-SSL, and have their passwords exposed in this way - but if they cared enough, I guess they'd use the SSL version of the board

And that was a quick reply rev..
Post 13 Mar 2012, 14:48
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17492
Location: In your JS exploiting you and your system
gunblade wrote:
And yeah, I do use the SSL at the moment - one of the annoyances is that I can't add the certificate to the browser and tell it to just accept it - because the hostname does not match the one on the certificate.
With FF I am able to add an exception. What browser are you using?

BTW: You can also go here:

https://secure.bluehost.com/~flatasse/subdomains/board/topic.php?p=141937#141937
Post 13 Mar 2012, 22:07
gunblade
Joined: 19 Feb 2004
Posts: 209
Yeah, I'm also using FF, I can also add exceptions, but not permanent ones (I disable history/etc, so it doesn't let you store permanent exceptions).

I had a similar issue with a site I've made with self-signed certificates, however in that case I was able to add the certificate to FF manually and tell FF to trust it. In this case I can't because the certificate and host don't match (certificate is only good for *bluehost.com).

I did find that url you pointed to, and yeah, that works. BUT-- not all links are perfect, and every so often it redirects me to flatassembler.com due to an absolute link (I believe one is when it asks you to login, if you hit reply but you're not logged in, it will go to board.flatassembler.net to log you in).

It's cool, I'll deal with it on my end. It was more a suggestion that (at least) the login should be properly SSL'ed so that people are not submitting their username/passwords unencrypted over the internet. I mean, as you do, you CAN use SSL meaningfully, but the default is not to (and the whole warning about self-signed can put some users off).

No matter, it's always just bugged me that the site doesn't use https by default (or have the option in the profile to enforce SSL (I believe newer phpbb versions have this feature)).
Post 14 Mar 2012, 12:27
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17492
Location: In your JS exploiting you and your system
Well, I have no history with FF either, but I was able to store a cert exception. What did I do differently?

I also use NoScript to force https for any connection to flatassembler.net and thus can never get here with an insecure connection. I've heard that HTTPS Everywhere can also do such a thing but I've not tried it.
Post 14 Mar 2012, 12:48
shutdownall
Joined: 02 Apr 2010
Posts: 518
Location: Munich
gunblade wrote:
I mean, as you do, you CAN use SSL meaningfully, but the default is not to (and the whole warning about self-signed can put some users off).

Thanks for your feedback. I don't have a problem with sending THIS account's password without encryption. What should happen? Somebody could take my account, but for what reason? Write some nonsense here with my name? I can do that myself.

And I do not think that developers (which this forum is for) are afraid of such certificate warnings (if they ever try to use it). Sometimes I wonder what a company like Google or an organization like Mozilla wants to warn me about. I always know what I do (mostly) and I think many other developers do as well.

By the way, I never use important passwords on any forum. I even use different email addresses for such non-commercial things and think many other people do the same. That's why it doesn't matter if somebody reads it or not. Even the board manager could do what he wants. Who knows if he stores the password as a hash value or simply as plain text? I cannot prove it and for that reason it doesn't matter. I take forums as they are and always assume the worst data security concept ever.

Sorry Tomasz, don't mean that personally. I think the security issues for this forum are well done.
Post 14 Mar 2012, 14:01
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17492
Location: In your JS exploiting you and your system
For me it is important to use SSL. I usually use a VPN from another company in another country, and although I don't expect them to record or monitor my traffic one never knows what a new staff member there might decide to do. Also, when the VPN is down I use just whatever connection I have available (usually from a hotel room or client's site). If someone is doing an ARP attack then getting my password for here could potentially cause some nasty damage. But with NoScript forcing HTTPS, and the stored cert exception with Certificate Patrol monitoring for changes, I have no trouble keeping this connection secure.

BTW gunblade: The cert is not self signed, it is signed by Comodo.
Post 14 Mar 2012, 14:49
gunblade
Joined: 19 Feb 2004
Posts: 209
Not sure what you do differently, I may have set it not to save site preferences either.. which you may have left on, pretty sure that's the one that stops you setting permanent per-site exclusions/etc.

I also use noscript, both to block javascript, and also for forcing https on *flatassembler.net

You're right about the certificate, sorry, firefox only nags because it's for the wrong hostname. If I use the bluehost url directly firefox accepts the certificate happily.

Maybe it's an idea to redirect to *bluehost when doing the login (that way the certificate is legit, and browsers won't complain), then it can go back to *flatassembler. Only issue with that would be cross-site cookies, which if I recall correctly, browsers block (it won't allow a page on bluehost to set a cookie for flatassembler).

Anyway, it was never really a complaint (I can get around it on my end easily enough), it was more of a suggestion if it would be possible to implement.. but the cost (of a certificate which specifies *flatassembler) would probably outweigh the benefits (since either people use SSL if they care about their passwords (and just tell the browser to ignore the mis-matched host), or use non-important passwords).

I just like to have SSL if possible, and most other forums I've seen either enforce it, or at least allow the user to Force SSL - but I just let noscript do that task, so I guess it's a non-issue

EDIT: Yup, it was "Site Preferences". I was set to constant private browsing mode, which disabled saving of certificates. Disabled it, did a permanent exception, then re-enabled it (and it didn't revoke the exception - which imo is a bug, but handy in this situation)

So yeah, it's fine (for me), I'm happy to keep using it like this (although some links don't work sometimes, if someone links to a topic directly, like:

http://board.flatassembler.net/topic.php?t=6367

(does that work for you?))

Still not a big deal - can just manually rewrite the URL to get to that topic.
Post 14 Mar 2012, 15:56
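The hostname mismatch discussed above (a certificate issued for *bluehost.com presented on board.flatassembler.net) is exactly what a browser's name-matching check rejects. As an added example, not code from the board or from phpBB, here is that check as the RFC 6125 rules define it, with constructed certificate names modelled on the thread:

```python
# Added example: RFC 6125-style certificate hostname matching, the decision a
# browser makes before showing a "wrong hostname" warning. Not the board's code.
from typing import Iterable


def hostname_matches(hostname: str, dns_name: str) -> bool:
    """True if `hostname` is covered by the certificate DNS name `dns_name`.

    Rules (RFC 6125 section 6.4.3, as browsers apply them):
      * comparison is case-insensitive and label-by-label,
      * a wildcard is only allowed as the entire leftmost label,
      * a wildcard matches exactly one label (never zero, never two),
      * a wildcard name needs at least three labels (so "*.com" is rejected).
    """
    host = hostname.rstrip(".").lower().split(".")
    pat = dns_name.rstrip(".").lower().split(".")
    if "*" in dns_name:
        # Reject partial wildcards ("b*.example.com"), wildcards in later
        # labels, and wildcards that would cover a whole public suffix.
        if pat[0] != "*" or any("*" in p for p in pat[1:]) or len(pat) < 3:
            return False
    if len(host) != len(pat):
        return False  # a wildcard stands for one label, so lengths must agree
    return all(p == "*" or p == h for p, h in zip(pat, host))


def certificate_covers(hostname: str, san_names: Iterable[str]) -> bool:
    """A certificate covers the host if any of its DNS names matches it."""
    return any(hostname_matches(hostname, name) for name in san_names)


# Constructed names (assumption, not read from the real certificate): a hosting
# provider's wildcard cert, as the thread describes it.
HOSTING_CERT_NAMES = ["*.bluehost.com", "bluehost.com"]

if __name__ == "__main__":
    for host in ("secure.bluehost.com", "board.flatassembler.net"):
        print(host, "->", certificate_covers(host, HOSTING_CERT_NAMES))
```

The second lookup is the case from the thread: the certificate validates fine under its own hostname, so the only thing Firefox objects to is the name, which is why a per-site exception rather than a trusted-CA import is the right fix on the client side.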
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17492
Location: In your JS exploiting you and your system
gunblade wrote:
... (although some links don't work sometimes, if someone links to a topic directly, like:

http://board.flatassembler.net/topic.php?t=6367

(does that work for you?))
Yes. Forces SSL automatically for me.
Post 14 Mar 2012, 19:23
gunblade
Joined: 19 Feb 2004
Posts: 209
That's odd.. I mean, yeah, for me it does enable SSL, but it redirects wrongly. It tries to go to:

https://board.flatassembler.net/~flatasse/topic.php?t=6367

Which obviously doesn't exist, it's missing the "/subdomain/board/" bit before topic.

so I get a 404 from the bluehost page.
Post 15 Mar 2012, 10:04
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17492
Location: In your JS exploiting you and your system
I'm not sure how to capture the transferred data with FF to see what is happening. I can't monitor the wire since it is all encrypted and I have no idea what is going on.

Right now, all I know is that NoScript only adds a single 's' and then FF takes over and displays the page without issue.
Post 15 Mar 2012, 10:27
gunblade
Joined: 19 Feb 2004
Posts: 209
FYI, you can use Firefox -> Web Developer -> Web Console. That'll show you basic info about what GET/etc firefox does, and what the replies are.

(Doing it for that link doesn't work, because it opens in a new tab, which doesn't have a web console; if you want it to work with that, you'd have to go to about:config in the address bar, and change browser.link.open_newwindow to 1 (you can always change it back later, the default is 3, you can also right click and do reset to default). You can even leave about:config open in a second tab, the effect is instant. That changes FF's behaviour so it will ALWAYS open links in the current tab (unless you hold down ctrl, of course, or middle click)).

So what's weird is.. it behaves differently if I go to it directly, or if I click the link..

So.. if I click the link, then I get:

[11:38:48.869] GET https://board.flatassembler.net/topic.php?t=6367 [HTTP/1.1 301 Bounce 197ms]
[11:38:49.071] GET https://board.flatassembler.net/~flatasse/topic.php?t=6367 [HTTP/1.1 404 Not Found 539ms]

However, if I right click, copy link, then paste it into a new tab manually and go to it, it instead does:

[11:40:12.902] GET https://board.flatassembler.net/topic.php?t=6367 [HTTP/1.1 301 Bounce 749ms]
[11:40:13.652] GET https://board.flatassembler.net/~flatasse/subdomains/board/topic.php?t=6367 [HTTP/1.1 200 OK 785ms]

And succeeds, the page/topic loads fine..

Very weird behaviour, the only possible thing I can think of is that I'm using a proxy - but I don't see why it would care whether there's a referer or not. It could be the server checking referer and basing its decision on that - but again, I can't see why. Might try at home without the proxy and see if that makes a difference..

EDIT - actually, the proxy doesn't touch https traffic - so it shouldn't affect this since the initial GET is https. Must be the server bouncing differently based on referer? - EDIT

Anyway, I'm willing to work around it.

Thanks for your replies rev - I was interested in whether people did use the SSL version of the board - so good to know I'm not the only one.
Post 15 Mar 2012, 11:45
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17492
Location: In your JS exploiting you and your system
Hmm, the referer thing might be it. I use a fake referer and always forge to the base page. So my referer is https://board.flatassembler.net/ for every page, whether a new tab or not, and whether an external link or internal.
Post 15 Mar 2012, 11:49
gunblade
Joined: 19 Feb 2004
Posts: 209
Ah well, not enough of an issue to bother debugging the server for

But look on the bright side, you increased your post count without just spamming in the Test forum

Thanks again
Post 15 Mar 2012, 12:05
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.