secure login facilities?
Status
Not open for further replies.
May 24, 2011 at 9:40 PM Thread Starter Post #1 of 10

svyr

Headphoneus Supremus
Currently, head-fi/huddler submits your password in plaintext over an unsecured connection.

This generally means you shouldn't log in at public wi-fi places (or it might be good to have a random password for head-fi that you change after using it in public wi-fi places, but it's still risky).

It would be nice if the login was done over SSL (HTTPS). Just the login...I don't really care about session hijacking...

 
Jul 5, 2011 at 8:24 PM Post #3 of 10
Came in to report the same thing.
 
Seriously guys, this is a blatant violation of basic security.
 
If I'm browsing head-fi at Starbucks, or my "secured" university network, or even at work, anyone can see my head-fi username and password.
 
 
To make matters worse, the POST parameter which carries the password is conveniently called "password".
Code:
 Login: Login
 action: join
 oldurl: /join
 password: thisisbad
 rememberme: on
 username: strannik
 
Any kid with a packet sniffer just has to search the word "password" and it shows up. Here is how it looks: 
 

 
If SSL is too much trouble, MD5sum the password clientside with a little javascript and send that over. So it looks more like:
 
 
Code:
 password: 64f4957b1c7cf6bfeb25c8c403ead960
 rememberme: on
 username: strannik
 
Whoever your vendor is for the board, and whatever they were thinking, please let them know.
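A defender-side check for the problem this post describes, added here as an example (it is not code from the thread, from Huddler, or from any forum package): a small stdlib-only script that parses a page, finds every form containing a password field, resolves the form's action against the page URL, and reports any form whose submission URL is not https://. The page URL, HTML and field names below are constructed to mirror the capture above; nothing is fetched from the network.

```python
"""Flag login forms that would submit a password over plain HTTP.

Added example, not code from the thread or from any forum software.
Parses HTML with the standard library only, collects each <form> that holds
an <input type="password">, resolves its action against the page URL and
reports forms whose resolved submission URL is not https://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action and password-field names of every form on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms: {"action": str, "password_fields": [str]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password_fields": []}
        elif tag == "input" and self._current is not None:
            # <input> without a type attribute defaults to a text field
            if (a.get("type") or "text").lower() == "password":
                self._current["password_fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_insecure_login_forms(page_url, html):
    """Return one finding per form that would post a password over http."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue                       # no credential in this form
        submit_url = urljoin(page_url, form["action"])   # relative actions inherit the page scheme
        if urlsplit(submit_url).scheme.lower() != "https":
            findings.append({
                "submit_url": submit_url,
                "password_fields": form["password_fields"],
            })
    return findings


# Constructed sample page (assumed host name): a login form with a relative
# action served from an http:// URL, plus an unrelated search form.
SAMPLE_PAGE_URL = "http://forum.example/join"
SAMPLE_HTML = """
<html><body>
<form action="/join" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="rememberme" value="on">
  <input type="submit" name="Login" value="Login">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for f in find_insecure_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"password field(s) {f['password_fields']} would be sent to {f['submit_url']}")
```

The check only looks at the scheme of the submission URL. A form on an http:// page that posts to an https:// action passes it, even though the page itself (and therefore the form's action) could still be altered in transit; the same is true for a login page delivered over HTTP with client-side hashing.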
 
 
Jul 5, 2011 at 8:53 PM Post #4 of 10
yeaaa, somehow I don't think huddler cares.

MD5ing the password won't help (well, salting and hashing it before transmission without a seed at least means it's not in cleartext, but it's replayable; salting and hashing with a seed (e.g. time-based, sent by the board) will also prevent replay logins)...

SSL is not that expensive :wink: huddler are just cheap, dodgy and don't respect their customers one bit.


>If I'm browsing head-fi at Starbucks, or my "secured" university network, or even at work, anyone can see my head-fi username and password.

Better HTTP aware tools will also format the forms submitted as lists for you so there's no need to use a TCP level capture :D


I really wouldn't log in to head-fi from unsecured wi-fi networks... Even secured shared ones.
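The replay point made in this post, worked through as an added example (not code from the thread, from Huddler, or from any forum package): a toy in-memory server with two login modes. The "static" mode accepts md5(password), as the previous post proposed; the "challenge" mode issues a single-use random nonce and accepts an HMAC over that nonce, which is the seeded scheme described here. A passive observer records one successful login in each mode and resubmits it. Usernames, passwords and the use of HMAC-SHA256 as the keyed hash are assumptions for the demonstration.

```python
"""Fixed client-side hash vs server-issued nonce: which one replays.

Added example, not code from the thread or from any forum software.
No network: the 'observer' simply reuses the values a client sent.
"""
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    """The client-side MD5 the earlier post suggested sending instead of the password."""
    return hashlib.md5(s.encode()).hexdigest()


class ToyServer:
    def __init__(self, users):
        # The server keeps only md5(password); in the static scheme that value
        # is exactly what the client sends, so it is password-equivalent.
        self._users = {u: md5_hex(p) for u, p in users.items()}
        self._issued = set()   # nonces handed out and not yet consumed

    # --- mode 1: client sends a fixed hash of the password -------------------
    def login_static(self, username, pw_hash):
        return hmac.compare_digest(self._users.get(username, ""), pw_hash)

    # --- mode 2: server issues a single-use nonce (the 'seed') ---------------
    def challenge(self):
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def login_challenge(self, username, nonce, response):
        if nonce not in self._issued:
            return False                  # unknown, expired or already-used nonce
        self._issued.discard(nonce)       # consume it before checking the answer
        key = self._users.get(username, "").encode()
        expected = hmac.new(key, nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(nonce, password):
    """What the browser-side script computes in challenge mode (assumed HMAC-SHA256)."""
    return hmac.new(md5_hex(password).encode(), nonce.encode(), "sha256").hexdigest()


def replay_static(server, username, password):
    """Observer captures one static submission and resends it. Returns (first, replay)."""
    captured = md5_hex(password)
    first = server.login_static(username, captured)
    replay = server.login_static(username, captured)
    return first, replay


def replay_challenge(server, username, password):
    """Observer captures one nonce/response pair and resends it. Returns (first, replay)."""
    nonce = server.challenge()
    captured = client_response(nonce, password)
    first = server.login_challenge(username, nonce, captured)
    replay = server.login_challenge(username, nonce, captured)
    return first, replay


if __name__ == "__main__":
    srv = ToyServer({"strannik": "thisisbad"})   # constructed credentials from the thread's capture
    print("static   (first, replay):", replay_static(srv, "strannik", "thisisbad"))
    print("challenge(first, replay):", replay_challenge(srv, "strannik", "thisisbad"))
```

Expected: the static mode returns (True, True), the challenge mode (True, False). Note what the nonce does and does not buy: it stops a recorded login from being reused, but the observer still sees the username, the session that follows, and any page content, and the stored md5 is itself the secret the server compares against. That is why the thread's other suggestion, TLS for the whole exchange, is the simpler fix.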
 
Jul 5, 2011 at 9:27 PM Post #5 of 10
Use a secure proxy program if you're going to use public wifi would be my suggestion. I don't know of any forums that offer a secure log-in.  
 
Jul 5, 2011 at 9:34 PM Post #6 of 10
Yes, salt the hash with something unique each time. Do you think Huddler stores all our passwords in plain text too? 

 
It appears Huddler had SSL, just for one domain, something like https://head-fi.org would redirect you to mothering.com (their other customer), but the cert is expired.
 
This board is rather fancy and sophisticated, you can tell a lot of effort was put into its development; it just boggles the mind why they would overlook something so basic.
 
Jul 5, 2011 at 9:38 PM Post #7 of 10
You might ask the same to VBulletin, IPB, PHPBB and other forum software developers too.
 
Jul 5, 2011 at 10:25 PM Post #8 of 10
>You might ask the same to VBulletin, IPB, PHPBB and other forum software developers too.


not really, VB board, Invision and phpBB have had support for SSL login for years (either as core or as mods). (IPB demos and current installs let you tweak "Use https for logins" in settings.) Huddler is just slack and meh. (Some also have mods for 100% SSL admin and mod areas.) Alternatively they use hashed passwords like in the scheme above (e.g. vBulletin's site forum), or both.


>Do you think Huddler stores all our passwords in plain text too?

generally you can tell by using the pw retrieval process, if it sends you the pw back, you know something is wrong :D... I'd really use a unique and random pw for sites like this just in case. Huddler doesn't seem to be very trustworthy or secure :wink:


>Use a secure proxy program if you're going to use public wifi would be my suggestion.

costs money :D ... So does a VPN - that's why http://www.head-fi.org/forum/thread/555454/secure-login-facilities#post_7504585... But yea, it's certainly a good option since you can stop worrying about session hijacking or plaintext credential exposure (if all your apps don't break from using it)
 
Jul 5, 2011 at 11:07 PM Post #9 of 10

>generally you can tell by using the pw retrieval process, if it sends you the pw back, you know something is wrong :D... I'd really use a unique and random pw for sites like this just in case. Huddler doesn't seem to be very trustworthy or secure :wink:

 
 
True, but nothing is stopping the generation of a new random pass even if they have the old one in plain text.
 
I give up... one of these days I finally need to get a shell account for SSH tunnels, will be safer this way for everything, not just head-fi.
 
 
Jul 5, 2011 at 11:18 PM Post #10 of 10
 
 
>True, but nothing is stopping the generation of a new random pass even if they have the old one in plain text.

heh, there's pretty much no way of telling, unless it's a commercial or open source board that you can install and try. It's clearly not :D

>I give up... one of these days I finally need to get a shell account for SSH tunnels, will be safer this way for everything, not just head-fi.

yep. SSH tunnel to home PC lol... Not to say there won't be places blocking the ports/etc. (ssh on 80 :D )
 