No HTTPS on TBN?

[LMychajluk]

...and, as ericm979 pointed out, the hash that is used isn't that hard to brute force to get the original password. Encrypting all traffic with a stronger algorithm is much more secure than just hashing a password.

 

[aczlan]

Hard to include 3rd party ads on your site when you use SSL...

Aaron Z

 

[vvanders]

Glad to see this kicked off a lively conversation, hopefully I can help clear up a couple things.

First off, 3rd party ads are possible with TLS. If you visit the TBN store you'll see that it's a mixed security site with that exact setup. It's not totally ideal since it does allow another party to inject an arbitrary payload if they wanted. That said even in a mixed page, your session id and password would be secure over TLS.

As for md5 hashes, those haven't been secure since '99 or so. There's a lovely little thing called Rainbow Tables which make them trivial to reverse. They also aren't encrypted, they're hashed which is something that has different goals than encryption(they're meant to speed up comparison operations and be *fast* rather than secure). Heck even SHA1 is getting deprecated these days in favor of other algorithms. Something like BCrypt or elliptical curve encryption is a better solution here. The problem is that you'll need to share an initial key(which gets sent in the clear) and then you're back to square one. Really the only secure solution here is a public key based cryptography which is basically what TLS/HTTPS gives you.

Another problem is that the session key is sent in the clear(usually via a cookie) which means that as soon as someone knows that number/id they can log in as you on TBN and do anything you could do.

Even if you're not worried about leaking the PW you use with TBN or session id sending everything in the clear means that your ISP/peering provider is free to scrape and data you send or read, associate it with your IP and then sell that information to anyone who wants to buy it.

Anyway, happy to cover anything in more depth above that isn't clear. I think TBN is an awesome community and would like to see it thrive in the modern web rather than drive away more security conscious people who would bounce off of a HTTP base registration/login.

 

[/pine]

A point that I didn't make in the last post- since the traffic between your computer and TBN is not encrypted, an attacker who can view the traffic can see the MD5 of your password. They don't even need to brute force the password to use it- they can just send the hash and they're logged into your TBN account. The same is true with the session Id and auth cookie. They can be replayed to gain access to the account.

This is what inspired my reply...it is incorrect...

The entire scenario that is the gist of a secure interface i.e., the OP is a very long stretch at best...

...Unless a site's entire database of user creds are compromised...there is little or no value in individual cred sets and either a manual or scripted application to run string breaking software on individual password hashes for a forum site like TBN is ludicrous...

For the above scenario to occur it would mean that an individual user is being "hacked"...and I really don't think their TBN creds would be a score...!...Now if the entire database of TBN user creds were compromised it might be of a little more concern and the user base should be notified of a breach...

IMO, if someone wanted to serve their fellow TBN user in regard to the topic...they would recommend using unique ID and passwords ("credentials/creds") for all registrations...

 

[Oldpath05]

Most likely all forums are the same way, what can be gained by hacking into TBN, there's no Russian collusion, no CC numbers, no SS numbers, I suppose someone could hack in and offer a brand new tractor, all's you have to do is send a $1000.00 for processing fee and you'll receive a spanking brand new tractor with a 50 year warranty...........

 

[vvanders]

This is what inspired my reply...it is incorrect...

Nope, very much a real thing called a Replay Attack(Replay attack - Wikipedia) which is why you usually use a pseudo-random sequence id to salt anything that's sent to the server. Like I mentioned earlier though, Rainbow Tables make any MD5 trivial to reverse.

The entire scenario that is the gist of a secure interface i.e., the OP is a very long stretch at best...

...Unless a site's entire database of user creds are compromised...there is little or no value in individual cred sets and either a manual or scripted application to run string breaking software on individual password hashes for a forum site like TBN is ludicrous...

For the above scenario to occur it would mean that an individual user is being "hacked"...and I really don't think their TBN creds would be a score...!...Now if the entire database of TBN user creds were compromised it might be of a little more concern and the user base should be notified of a breach...

IMO, if someone wanted to serve their fellow TBN user in regard to the topic...they would recommend using unique ID and passwords ("credentials/creds") for all registrations...

If anyone uses the same password on another site(or heaven forbid their google account) that would be a score.

Another common thing is to serve malware ads, which if you don't have a certificate chain from TLS is a very real and possible thing, see Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency | Ars Technica for a more sophisticated version of this that happened earlier this week.

 

[vvanders]

Most likely all forums are the same way, what can be gained by hacking into TBN, there's no Russian collusion, no CC numbers, no SS numbers, I suppose someone could hack in and offer a brand new tractor, all's you have to do is send a $1000.00 for processing fee and you'll receive a spanking brand new tractor with a 50 year warranty...........

Worst case? Zero-day exploit gets delivered via man-in-the-middle attack that installs a keylogger on your machine that gets them into anything else you interact with online.

TLS uses a certificate chain to make sure that anything sent to you is actually sent by TBN and not another actor.

Is it likely? Probably not, most likely thing is your ISP/peering selling your browsing history so that when you hit the Kubota forums they can mail you a flyer next week about how you should buy a Kubota.

The nice thing about TLS/HTTPS is it stops all of this. With let's encrypt certs are basically free and if you don't want to go with them there's a bunch of other CAs that offer reasonably priced certs.

 

[/pine]

Nope, very much a real thing called a Replay Attack(Replay attack - Wikipedia) ...

Nope...ask the admin to privately send you the actual hash for your PW from the database...then try to log on using it in place of your actual PW...it simply won't work..

Like I said, the average script kiddie is about the only type that is going to be running that type of script

It's one thing to read about possibilities but it's an entirely different story actually executing them

Again...if a sites database is compromised...the user base would be notified...DATABASES ARE NOT PROTECTED BY USER INTERFACE PROTOCOLS...so about the only way a TBN user is going to be hacked is they are already being targeted by someone that can access their network...

 

[/pine]

...Worst case? Zero-day exploit gets delivered via man-in-the-middle attack that installs a keylogger on your machine that gets them into anything else you interact with online....

A simple firewall can prevent ANY data from being uploaded from a PC, node etc...

A leak proof firewall is the absolute best preventative measures a user can take...using AV software is for amateur users...

 

[Wagtail]

Most likely all forums are the same way, what can be gained by hacking into TBN, there's no Russian collusion, no CC numbers, no SS numbers, I suppose someone could hack in and offer a brand new tractor, all's you have to do is send a $1000.00 for processing fee and you'll receive a spanking brand new tractor with a 50 year warranty...........

Ooooh! Ooooh!!! Tell me more and can I pay with 10x US$100 iTune gift cards???

(I suppose the tractor is one of those "Kabuto" or "Jon Deare" models)