  aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
·Verizon Online DSL
| [complaint] SSL page, please
In reference to »Warning: The browser model is really broken
I looked at the secure log-in page at this site, but the URL does not have HTTPS.
Please fix this.
Sample screen shot.

Thank you -- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| The secure login form is transmitted using https, so the login is secure.
Could a clever man-in-the-middle attack subvert this: yes, unless you have set your browser to notify you of such things. However, it is unlikely. There isn't enough to gain from this for a hacker to bother, since dslreports is not a bank - it's only a forum. Moreover, if a hacker wanted to break into your account, he could do that by stealing your site cookies - and that would be easier to do. -- AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14 |
|
  drew Reformation Premium join:2002-07-10 Port Orchard, WA clubs:
·wavebroadband
| reply to aefstoggaflm
It's sent over HTTPS
-- Come play Mafia! | My Picture Blog |
|
  aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
·Verizon Online DSL
| reply to nwrickert Really? Please tell me more.
I am on Firefox 3.5.3
#1
said by nwrickert: Could a clever man-in-the-middle attack subvert this: yes, unless you have set your browser to notify you of such things.
#2 And also, about..
said by nwrickert: Moreover, if a hacker wanted to break into your account, he could do that by stealing your site cookies - and that would be easier to do. -- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| said by aefstoggaflm: I am on Firefox 3.5.3
I don't think the firefox version affects this.
#1 said by nwrickert: Could a clever man-in-the-middle attack subvert this: yes, unless you have set your browser to notify you of such things.
A clever man-in-the-middle attack could feed you a modified login page. It would look the same to you. But it would send the login credentials form to a different site so that the attacker would get the information.
#2 And also, about.. said by nwrickert: Moreover, if a hacker wanted to break into your account, he could do that by stealing your site cookies - and that would be easier to do.
In a man-in-the-middle attack, or just with network snooping at an unprotected WiFi site (or by wire tapping), the cookies could be picked up. Once you log into the site, your login is maintained by cookies. You stay logged in because your browser sends those cookies for each page it requests. The attacker could simply make copies of those cookies, install those copies in the cookie store of his own browser, and then connect to the site as you. He couldn't change your password, but he could make posts under your name. -- AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14 |
|
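The cookie-copying scenario nwrickert describes above is what the Secure and HttpOnly cookie attributes exist to limit: a cookie marked Secure is never attached to a plain http:// request, so it is not exposed to someone sniffing an open WiFi network, and HttpOnly keeps it out of reach of page scripts. The following Python script is an added example (mine, not code from the thread or from dslreports). It parses Set-Cookie header values, reports which attributes are missing, and models the one browser rule that matters here, namely whether a given cookie would be sent with a request to a given URL. The header values and host names are constructed for the example, and the would_be_sent check deliberately ignores Domain and Path matching.

```python
"""Audit Set-Cookie headers for the attributes that limit cookie theft.

Added example, not code from dslreports or this thread. The header values
and URLs below are constructed for illustration.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample response headers, as a login page might send them.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                        # no Secure
    "remember=1; Path=/; Max-Age=2592000",                       # no Secure, no HttpOnly
    "csrftoken=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
]


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str) -> Tuple[str, List[str]]:
    """Return (cookie_name, findings) for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    findings: List[str] = []
    if "secure" not in attrs:
        # Without Secure the browser attaches the cookie to every request to
        # the host, including plain http:// ones that a network sniffer sees.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        # Without HttpOnly, script running in the page can read the cookie.
        findings.append("missing HttpOnly")
    return name, findings


def would_be_sent(header_value: str, request_url: str) -> bool:
    """Model only the Secure-attribute rule: a Secure cookie is never sent
    on a non-https request. Domain/Path matching is assumed to succeed
    (a simplification for this example)."""
    _, _, attrs = parse_set_cookie(header_value)
    if "secure" in attrs and urlsplit(request_url).scheme.lower() != "https":
        return False
    return True


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie values; returns {cookie_name: findings}."""
    return dict(audit_set_cookie(h) for h in headers)


if __name__ == "__main__":
    plain_url = "http://www.example.test/"  # constructed
    for cookie, problems in audit_all(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: {', '.join(problems) or 'ok'}")
    for header in SAMPLE_SET_COOKIE_HEADERS:
        cookie = parse_set_cookie(header)[0]
        print(f"{cookie} sent with {plain_url}? {would_be_sent(header, plain_url)}")
```

Run against real response headers (for example the ones a browser's network panel shows after login), the same audit tells you whether the session cookie would leave the browser on the next plain-http page you visit.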
  usa2k Please PRAY for Rebekah Premium,MVM join:2003-01-26 Canton, MI clubs: | I think this site references cookie to IP? |
|
  aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
·Verizon Online DSL
| reply to nwrickert said by nwrickert: There isn't enough to gain from this for a hacker to bother, since dslreports is not a bank - it's only a forum. Yes, but..
#1 DSLR points cost money.
#2 and Users can donate DSLR points to other users.
- See as need be Tool Points FAQ » all -- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| said by aefstoggaflm: Yes, but.. #1 DSLR points cost money. #2 and Users can donate DSLR points to other users. That's true. Yet it still seems unlikely that somebody would go to the trouble of wiretapping my line just to steal my tool points. -- AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14 |
|
  drew Reformation Premium join:2002-07-10 Port Orchard, WA clubs:
·wavebroadband
| reply to aefstoggaflm And I can imagine that cabana would be more than happy to refund tool points and make it all work out if your account was to be compromised.
Mountain out of a mole hill.
The secure page sends your information via HTTPS. -- Come play Mafia! | My Picture Blog |
|
  aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
·Verizon Online DSL
| said by drew: And I can imagine that cabana would be more than happy to refund tool points and make it all work out if your account was to be compromised. That is nice, but the page that tells me how many points I have does not tell me where my "money" went to.
Sample screen shot.
 Tool Points page
-- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact. |
|
  drew Reformation Premium join:2002-07-10 Port Orchard, WA clubs:
·wavebroadband
| 1. Worried about tool points you haven't spent 40 of since December 2007. Heh.
2. If you were to log in one day and find all your tool points missing, you could IM cabana and ask her where they went. Upon finding out that you didn't authorize that, she can take appropriate action.
What's the problem here? -- Come play Mafia! | My Picture Blog |
|
  aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
·Verizon Online DSL
| reply to nwrickert said by nwrickert: since dslreports is not a bank Ok, smart one:
If this site is not a bank, why does this site have SSL in the first place? Huh -- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact. |
|
  drew Reformation Premium join:2002-07-10 Port Orchard, WA clubs: | Because sending any kind of credentials plaintext is a bad idea, regardless of destination. |
|
  aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
·Verizon Online DSL
| reply to nwrickert said by nwrickert: since dslreports is not a bank - it's only a forum. Well, in that case...
Gmail is not a bank, and they offer an SSL log-in page.
Please explain that.
Quick quote from Security Now! with Steve Gibson, Episode 65 for November 9, 2006: Why Is Security So Difficult?
quote: Steve: Well, yes. And in fact the way Google works is, if you go to Google with a non-https URL, that is, you just say »mail.google.com, you will briefly go secure while you're logging in. Then you'll notice in your address bar your subsequent use of Google is just over a regular connection. But you can go there deliberately with a secure »https://mail.google.com, and it recognizes you've done that, and it will leave you with a permanently secure connection for all your transactions.
Thanks.
^^ -- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Gmail is not a bank, and they offer an SSL log-in page. Their choice. They are targeted by spammers wanting to steal email credentials.
If theft of dslreports credentials becomes a problem, I would expect the site to increase their use of SSL. But at present it still isn't a big concern for me. -- AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.14 |
|
  aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
·Verizon Online DSL
| said by nwrickert :Gmail is not a bank, and they offer an SSL log-in page. Their choice. They are targeted by spammers wanting to steal email credentials. I see.
DSLR has e-mail too.
Source(s)
Your Mail Control Panel
DSLR Mail FAQ -- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| said by aefstoggaflm :DSLR has e-mail too. That's right. But, as far as I can tell, it is not being targeted by spammers trying to steal email credentials.
DSLR does get some forum spam, but SSL would not help with that. And the mods are usually pretty quick to remove spam. -- AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.14 |
|
  drew Reformation Premium join:2002-07-10 Port Orchard, WA clubs: | reply to aefstoggaflm I don't understand you. |
|
  aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
·Verizon Online DSL
| reply to drew
said by drew: It's sent over HTTPS
In the meantime, while waiting for a SSL page, this is an example of what user(s) could do...
#1 Go to »https://secure.dslreports.com
#2 Ignore the 403 error.
#3 In Firefox, go to Tools -> Page Info -> Security -> View Certificate. Also, as need be, go to Details and/or View PEM.
#4 Go to the page where the log-in is at.
#5 In Firefox, go to View -> Source Code
#6 Be sure that the URL that is going to be sent is
--
Not using Firefox?
#1 Find out how to check the certificate in their web browser to be sure that it is correctly signed.
#2 Find out how to view the source code in their web browser to be sure that the form is going to be sent by SSL.
^^
-- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact. |
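Steps #4 to #6 of the checklist above (view the source of the login page and confirm where the form posts) can be done mechanically, and doing so also makes nwrickert's earlier point concrete: even when the form's action is https, a login form delivered over plain http can be rewritten in transit before the browser ever sees it. The following Python script is an added example (mine, not code from the thread or from dslreports). It parses a page with the standard library's HTMLParser, resolves each form's action against the page URL, and reports, for every form that contains a password field, whether the action is https, whether the page itself was served over https, and whether the method is POST. The page URL and HTML are constructed for the example, not fetched from any site.

```python
"""Check the login form(s) in an HTML page the way steps #4-#6 above do by
hand. Added example, not code from dslreports or this thread; the page URL
and HTML below are constructed, not fetched from any site.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit

# Constructed: the URL the page was loaded from, and its markup.
SAMPLE_PAGE_URL = "http://www.example.test/login"
SAMPLE_HTML = """
<html><body>
<form action="https://secure.example.test/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="login.php" method="post"><input type="password" name="pw"></form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Record each <form> with its action/method and whether it holds a password field."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs) -> None:
        # Attributes written without a value arrive as None; normalise to "".
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower() or "get",
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag) -> None:
        if tag == "form":
            self._current = None


def audit_login_forms(page_url: str, html: str) -> List[Dict]:
    """Return one record per form that contains a password field.

    findings lists the reasons the form is unsafe to submit:
    - "action not https": credentials would travel in the clear
    - "page not https": the form itself arrived unprotected, so an in-path
      attacker could have rewritten it, whatever the action now says
    - "method not POST": credentials would end up in the URL and in logs
    """
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    results: List[Dict] = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])  # relative actions inherit the page's scheme
        findings: List[str] = []
        if urlsplit(target).scheme.lower() != "https":
            findings.append("action not https")
        if page_scheme != "https":
            findings.append("page not https")
        if form["method"] != "post":
            findings.append("method not POST")
        results.append({"action": target, "findings": findings})
    return results


if __name__ == "__main__":
    for rec in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{rec['action']}: {', '.join(rec['findings']) or 'ok'}")
```

In the constructed sample, the first form posts to an https action but is flagged because the page carrying it was loaded over http; the third form uses a relative action, which inherits the page's http scheme and so posts the password in the clear. Loading the same markup from an https page URL clears both findings, which is exactly the "SSL page" the thread is asking for.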
|
  drew Reformation Premium join:2002-07-10 Port Orchard, WA clubs: | You're not endearing anyone to your 'cause.' |
|