aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

3 edits

Why is the SSL log-in session only

(Screenshot: "Why session only?")
Why is the SSL log-in session only? Please see screenshot.


justin
..needs sleep
Australian
join:1999-05-28
kudos:15

I forget! can't think of a good reason right now.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

said by justin:

I forget! can't think of a good reason right now.
Ok.

I was going to ask who to pay to add SSL support, but I saw that it was already added. Also I agree with

said by badmagicnumber:
Since it already exists, can a link be made from the sign in page to that option then?

Public Wifi spots are ripe places for password theft and I wouldn't mind having some layer of protection, especially on those hotspots that block everything but port 80 and 443.

--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

the reason there was no link before is that our cert was self-signed (it was for talking to yahoo store not for public use) but I went to the hassle of getting a proper cert. So I guess I should add a padlock link to the secure login form some time and also allow persistent logins from it as well.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

said by justin:

the reason there was no link before is that our cert was self-signed (it was for talking to yahoo store not for public use) but I went to the hassle of getting a proper cert. So I guess I should add a padlock link to the secure login form some time and also allow persistent logins from it as well.
Thanks, then status is working on it.
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL
reply to aefstoggaflm

Thanks.

As seen in post »Re: Anyone Else Having Problems With "updated followed" Page?

(Re-uploading image for everyone to see)
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

3 edits
reply to aefstoggaflm

Please consider adding SSL support for sign-ups

dslreports.zip (35,944 bytes)
Was testing to see if this server supports SSL for sign-ups (dslreports.sniff).
When a user signs up, their info is sent right in the clear.

------
Steps to see the data

Download it >> Unzip the file >> Open it with Ethereal >> Go to edit >> Find packet >> Enter any one of the following strings:

testingssl

lssgnitse - (note: was trying to spell testingssl backwards - oops..)

justme@dsl.invalid

18020
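Added example (not from the thread, and not the site's code): the check the poster did by hand in Ethereal, as a script that parses each captured TCP payload and flags sign-up form fields that went out over plain HTTP. The form field names and the HTTPS sample are assumptions; the values are the marker strings listed above.

```python
from urllib.parse import parse_qs

# Constructed sample, not from the thread's capture: one plain-HTTP POST as it
# sits in a TCP payload. The field names are assumptions (the thread does not
# show the real join form); the values are the strings the poster searched for.
SAMPLE_POST = (
    b"POST /join HTTP/1.1\r\n"
    b"Host: www.dslreports.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 75\r\n\r\n"
    b"username=testingssl&password=lssgnitse&email=justme%40dsl.invalid&zip=18020"
)
# Constructed start of a TLS ClientHello record: the same form sent over HTTPS
# never parses as an HTTP request, so nothing is flagged.
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
# Field names whose cleartext exposure the thread worries about (assumed list).
SENSITIVE = {"username", "user", "password", "passwd", "pass", "email"}


def parse_http_request(payload):
    """Return (method, headers, body) for a raw HTTP request, or None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], headers, body


def cleartext_form_fields(payload):
    """Map sensitive form field -> value for a POST sent without TLS, else {}."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return {}
    method, headers, body = parsed
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if k.lower() in SENSITIVE}


def scan_payloads(payloads):
    """Apply the check to every TCP payload pulled from a capture; list (host, fields) hits."""
    return [(parse_http_request(p)[1].get("host", "?"), f)
            for p in payloads for f in [cleartext_form_fields(p)] if f]
```

Feed `scan_payloads` the reassembled TCP payloads from a real capture (any pcap library will give you those) and every cleartext credential post shows up with the host it was sent to.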


justin
..needs sleep
Australian
join:1999-05-28
kudos:15

The SSL is just for logging in, not for joining.
That was my understanding of this topic anyway.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

said by justin:

The SSL is just for logging in, not for joining.
That was my understanding of this topic anyway.
I went off topic. Can you split it?

PS. I could almost do it, do it myself.
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

I don't think it is worth another topic. There is no huge need to support SSL for joining the site. Actually there isn't a lot of need for SSL anywhere. At the risk of angering some security professional or other, here is why: in an internet cafe or your mate's badly maintained computer, you're going to be snooped by a keylogger, not someone sniffing ethernet packets. Can you even buy "hubs" anymore?
So I think that the number of people who lost anything due to plain text http conversations instead of 128 bit SSL are probably zero for 2006, compared to 50,000 who lost data to keyloggers and other nefarious-ware. I'd like to see statistics showing otherwise.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

4 edits

said by justin:

Can you even buy "hubs" anymore?
I sort of see your point. You are talking about wired networks. What about wireless networks?

Quote from VPN Secure Tunneling Solutions

quote:
Steve: ..And of course the same is true if you're in an open WiFi hotspot, where you're taking advantage of somebody's kindness to use their open wireless. Again, as we know, that means there's no encryption.

Yes, they really meant truly open. But the same thing is true when it is protected by WEP. Think about it, since all of the users have the same key. What is to stop them from seeing third-party traffic, not coming from or going to their computer?

Also see Open Wireless Access Points and search by keywords for: same key

PS. I am not sure about WPA protection, if it uses the same key or not. I will get back to you on that..

--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

wireless? that is true. But I think the few concerned about giving away a password or email address while signing up at DSLR while they sit in battery park or some other free public spot are going to wait till they get home, or sign up, then change their password 4 hours later.

There just isn't enough at risk to be worth it.

Plus my https server is on a box that I just don't want to run a full copy of the site on - handling a login is a few lines of code. Doing the whole join thing requires loading the site there. Then someone might reasonably ask, if that was done, why can't we browse under SSL. The next thing, I have to pay for an SSL accelerator.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

1 edit

said by justin:
Plus my https server is on a box that I just don't want to run a full copy of the site on - handling a login is a few lines of code. Doing the whole join thing requires loading the site there. Then someone might reasonably ask, if that was done, why can't we browse under SSL. The next thing, I have to pay for an SSL accelerator.
I think I understand your point now. Where did you get the statistics from?
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

1 recommendation

what statistics?
my invented statistic that nobody ever loses important things over unencrypted http? Out of my ass of course! But if this was a real problem wouldn't there be noise from victims? There is plenty of victim noise over phishing and keyloggers and spyware. If I was going to go to the trouble of capturing packets from a wifi group full of users, I'd break into their computers and install keyloggers looking for citibank logins, rather than waste time watching pages from fark or rotten go by.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

1 edit

said by justin:

what statistics?
my invented statistic that nobody ever loses important things over unencrypted http? Out of my ass of course!
Grr, how rude. What about security in layers?

Referencing: How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach: and a quote from Listener Feedback Q&A #10

quote:
The best you can do is – and again, the thing that’s frustrating for people is everyone wants security to be black and white. It’s just not. I mean, there’s just – there’s nothing about security that is absolute and black and white. It’s a matter of using layers of protection because it’s how, for example, we’ve recommended multiple spyware utilities. Rather than just one, using three is better because there will be some overlap, but there’ll be some programs that one will see that another won’t.

With security in layers, it will slow down the crackers (black-hat hackers) and/or malware from doing their damage.

Maybe at most - protect sign-up, log-in, change password/e-mail address, PM (since PMs are to be private), and the direct forums. Everywhere else it would not matter (example »Verizon DSL) because whatever a user posts is seen by everybody. SSL or not, everybody sees what a user is posting, so it would be overkill.
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.

Spensergig
Past my Prime
Premium,MVM
join:2000-03-26
Bradenton, FL

1 recommendation

I think you are obsessing.

Perhaps you should step away from the keyboard for a while.

The "security" you are looking for is simply not needed.

Although, if enough people agree with you, I'm going to buy stock in aluminum foil producers.



delenn13
De gustibus nil disputandum
Premium,MVM
join:2006-03-02
Ridgeway, ON

This is a forum....not Fort Knox. I just don't see the need for SSL.



Sebastian
Premium
join:2000-12-22
New Haven, CT
reply to aefstoggaflm

Re: Why is the SSL log-in session only

Last I checked this was a community site.. not an online banking site.

I think SSL on a login page isn't even required, let alone on other parts of the site.. but anyway, you can get by with running md5 on passwords/etc as soon as the information is posted with a little javascript.. and that's if you're paranoid.

you probably have a greater risk of getting your information stolen by hackers getting into the site rather than sniffing around..



rjackson
Premium,VIP,MVM,Ex-Mod 2005-13
join:2002-04-02
Ringgold, GA
kudos:1
reply to aefstoggaflm

Re: Please consider adding SSL support for sign-ups

Why not just tunnel your web traffic through an encrypted tunnel like SSH when you're using a public wifi network?



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

1 edit

said by rjackson:

Why not just tunnel your web traffic through an encrypted tunnel like SSH when you're using a public wifi network?
I would expect, Quote from Security Now! Episode 14 for November 16, 2005: VPNs

quote:
Steve: ...because your entire packet is encrypted. Even your headers are encrypted. So they see nothing. They will see the endpoint of the tunnel, wherever that is, but not know anything about what you're doing because what happens is, at the receiving end, the outer wrapper is removed from this packet. Then whatever it is inside that just looks like static, looks like noise, it's decrypted back into your original packet, and then it's dropped onto the network. So what this does is, for example, if you were using a VPN router as your normal home router, you could, from being remotely located somewhere, you could connect to it through any open environment, in the hotel environment that we were talking about before, or WiFi.

Leo: Right. The only issue sometimes with VPN is that those ports may not be open.

So, SSL support at DSLR for the following, maybe at most: protect sign-up, log-in, change password/e-mail address, PM (since PMs are to be private), and the direct forums. All other areas of this site, forget it, because it would be considered overkill.

And quote from Security Now! Episode 10 for October 20, 2005: Open Wireless Access Points.

quote:
Leo: I want to mention two other products that do the same thing. One is very inexpensive, it's called HotSpotVPN. And it uses SSL, which is kind of nice because most of the time SSL ports are wide open. You don't have to talk to the coffee shop to say, hey, please pass my VPN traffic. Because not all routers will do that automatically. That's the...

Steve: That's true.

Leo: So since it's SSL, you can pretty much guarantee you'll be able to do that. If you pay for a year, it's fairly inexpensive. And then there's another one called PublicVPN.com. And same idea, you subscribe, and then you log into their servers, and they protect you. So there are choices. Do you think that's the way to go, I mean, if you're going to be in a coffee shop?

PublicVPN.com’s rates are simple: $5.95 per month, or $59.95 per year.

--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.

whistlinduck

join:2004-09-28

1 edit

Given this response a long time ago:

said by justin:
Plus my https server is on a box that I just don't want to run a full copy of the site on - handling a login is a few lines of code. Doing the whole join thing requires loading the site there. Then someone might reasonably ask, if that was done, why can't we browse under SSL. The next thing, I have to pay for an SSL accelerator.

What you are still obsessing over, when you ask for 'IMs and the direct forums', means putting a copy of the entire site on an SSL server that doesn't exist. And for a small percentage of people accessing the site over public wi-fi - which probably means occasional browsing...?

Perhaps you'd like to donate a server powerful enough to handle that load ?



rjackson
Premium,VIP,MVM,Ex-Mod 2005-13
join:2002-04-02
Ringgold, GA
kudos:1
reply to aefstoggaflm

I didn't say anything about VPN. I just said tunnel your HTTP traffic through an SSH session. You're either not understanding what you're reading, or you're taking it way too far.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

2 edits

said by rjackson:

I didn't say anything about VPN. I just said tunnel your HTTP traffic through an SSH session. You're either not understanding what you're reading, or you're taking it way too far.
Ok, please go step-by-step on how I can tunnel my HTTP traffic through an SSH session. I have never heard of such a thing.
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


nil
Java Geek
join:2000-11-27
kudos:2

1 edit

Look up SSH port tunnelling. Pretty old trick..

Here, I did it for you, first google hit: »www.ssh.com/support/documentatio···ing.html


said by nil:

Look up SSH port tunnelling. Pretty old trick..

Here, I did it for you, first google hit: »www.ssh.com/support/documentatio···ing.html
Thank you for the info.