
Insecure Login

The issue has been brought up several times in the past and I completely agree that it's something we'd better have sooner rather than later. That being said, I believe the only person who can decide such a matter is @ImageMaker and he's probably busy solving the capacity problem at the moment.

Quite right, fallenmystic. That is the correct answer, ImageMaker as site owner decides, and he has evidently decided against.
I'll merge this thread with an earlier one on the same topic.
 
That is... disappointing.

Also, from a technical point of view, the suggestions of VPN, Antivirus and the like as a "fix" for this are flat out wrong. It's almost like saying "Take an ibuprofen" when someone asks "why doesn't this car have seatbelts?" The "solutions" fix a completely different problem and do not help with the actual issue.
 
The lack of a secure login means that your login (username/password) is in the clear and theoretically (if someone is listening on the network or monitoring your Wi-Fi) your credentials can be read and someone else can log in as you. So, suppose someone does log in as you.
(1) They can post in your name.
(2) They can read and modify your profile.
(3) They can IM other people and the recipient will think the messages are from you. They can read your correspondence.
So what can that do? It can give you a bad name on the site, and tick off others, even your friends.
Your profile can be altered to make you look bad.
What else? No credit cards. If your profile is a little dishonest anyway (mine is--my birthday is wrong, my location is general), and I believe most people's are--some don't even give their location or gender, there is little harm done. Are they going to locate every military firing range in the UK to track down Racing Rodent?
It takes some effort and skill to read a login over a network--pluck it out of the formatted "packets" you intercept. If there is malware on your machine that does it, or malware on one of the other machines on your trusted local network, you have a lot more worries than your crux forums credentials being stolen. If the crux forums site itself has malware, things can be stolen anyway, https or no.
If you are donating to the site, someone could up your contribution. That may hurt you but doesn't really help them.
Is there anything else anyone can think of? I assume most people don't have credit card numbers, home addresses, or telephone numbers on this site.
(Of course if anyone pisses off Tree when posing as you, he may come looking for you. But, can he find you through the Seagram's fog using the vague information in your profile? It is, as Holmes would say, probably not "elementary".)

I actually know of a program that one could install on a Unix router that would MITM all https connections, and steal passwords (these days, it'll require a few modifications, but still the concept could be made to work relatively straightforwardly).
 
What the site owner SHOULD do is to publish their SSL certificate. This way, I would know if the virtual place on which I had created an account is the same one as I'm accessing. This is not a fool-proof scheme, but it would certainly prevent password theft when you e.g. create a profile on a clean home Internet connection, and then access the site from e.g. a public WiFi location.
 
I think the advice given on this thread about VPN and Antivirus is a misnomer. The fact that you are seeing such a warning might be an indication that someone is attempting a MITM on you. This has nothing to do with an individual workstation's security.

Now, the use of VPN can actually help to diagnose the MITM issue. Namely, if you have the warning appear only when you are connecting NOT from VPN, and get it when you are connecting from VPN, then something fishy is happening with your local connection (which may even be your provider doing MITM on you ... not that it would be legal for them in the USA, AFAIK).
 
The fact that you are seeing such a warning might be an indication that someone is attempting a MITM on you... Namely, if you have the warning appear only when you are connecting NOT from VPN, and get it when you are connecting from VPN, then something fishy is happening with your local connection (which may even be your provider doing MITM on you ... not that it would be legal for them in the USA, AFAIK).
While I have absolutely no objection to the importance of having HTTPS in any website that requires user login, I doubt that the warning can be anything more than just a simple indicator that the website doesn't support HTTPS since it's from Firefox.
 
While I have absolutely no objection to the importance of having HTTPS in any website that requires user login, I doubt that the warning can be anything more than just a simple indicator that the website doesn't support HTTPS since it's from Firefox.
That's correct, that is the only reason why 'Not Secure' appears by the url on this site and I think any non-https site, though it may depend on your browser.
 