HTTPS warnings on PPRuNe

Old 7th Mar 2017, 13:22
  #1 (permalink)  

Since I updated Chrome I'm getting a warning about PPRuNe being "not secure". Does that mean when I login anyone can capture my credentials? Googling around this article seems to hint that Google are trying to push webmasters into getting their security sorted. Sooner the better I say!
flight_mode is offline  
Old 7th Mar 2017, 18:56
  #2 (permalink)  
Does that mean when I login anyone can capture my credentials?
It's my understanding that the login credentials are not sent as plain text, even though the connection itself is unencrypted - the userid is a numeric reference and the password is hashed. However, if someone was able to capture the packets sent from your device to the pprune server, they could capture those elements and possibly use them to forge an authentication response. But they probably have better things to do.

SD
Saab Dastard is offline  
Old 17th Mar 2017, 00:23
  #3 (permalink)  
jtt
 
Originally Posted by flight_mode
Since I updated Chrome I'm getting a warning about PPRuNe being "not secure". Does that mean when I login anyone can capture my credentials? Googling around this article seems to hint that Google are trying to push webmasters into getting their security sorted. Sooner the better I say!
A quick look at the sources of the PPRUNE web pages shows that the password doesn't seem to get sent out in clear text. Instead a "hash" value is created from it and that's what is sent to the PPRUNE server. A "hash" function is kind of a scrambler for data, with the property that the same data gets scrambled into the exact same value each time.

What gets sent out by your computer can be sniffed by any other computer on your local network as well as any machine your message passes through on the way from your computer to the PPRUNE server. So, in principle, a lot of people could get at the data you're sending as long as plain HTTP is used (that's why it's marked as "not secure").

Consequences: everyone that can get at your traffic to PPRUNE can take over your account and e.g. post embarrassing messages that seem to be coming from you. Moreover, if you work for a company and post messages critical of that company from a computer on the network of that company (and make that any device they have issued to you) they may have an easy time of finding out who you are. Thus never ever use any company equipment when slagging them off on PPRUNE if you want to keep your job!

Figuring out the original password from the hash value is (a lot) harder. Unfortunately, the hash function used by PPRUNE, called MD5, isn't considered to be safe anymore. That means that it's not impossible that someone with enough motivation may succeed in getting at your password. And if you use a simple password you may give an attacker an even higher chance. I would strongly recommend not to use your password for PPRUNE for anything else, especially not for any security-sensitive things like online-banking!

And yes, of course, using HTTPS for PPRUNE would be a lot safer since that would ensure that all the traffic between your computer and the PPRUNE server would be encrypted and thus of no value for anyone listening (unless, maybe, it's something like the NSA which may have managed to break the encryption used - but we'll know about that only much later;-)

Best regards, Jens
jtt is offline  
Old 17th Mar 2017, 08:27
  #4 (permalink)  
 
To me this campaign seems a bit excessive. I run a small website with a forum but I too have been getting 'not secure' warnings when I log in to my own forum. Google is pushing for everyone to switch to https but for me this is just not a real option. Why would I want to encrypt everything when all we're doing is talking about old aeroplanes? Security is very much in the hands of the user; if you don't use the same password for several sites then the chances of something going wrong are very small. I would prefer it if Google would stay away from pushing this on everyone as it may end up driving users away from smaller, enthusiasts' sites and forums. Just my two cents of course.
Jhieminga is offline  
Old 17th Mar 2017, 08:42
  #5 (permalink)  
 
Yesterday my computer updated my Firefox settings ... and now every time when I log into my webmail account I get warnings about lack of security and 'ease of access' for other parties. Hope that some folk have better things to do with their time ....
Alsacienne is offline  
Old 17th Mar 2017, 21:09
  #6 (permalink)  
jtt
 
Originally Posted by Jhieminga
To me this campaign seems a bit excessive. I run a small website with a forum but I too have been getting 'not secure' warnings when I log in to my own forum. Google is pushing for everyone to switch to https but for me this is just not a real option. Why would I want to encrypt everything when all we're doing is talking about old aeroplanes? Security is very much in the hands of the user, if you don't use the same password for several sites then the chances of something going wrong are very small.
But that's the fundamental problem! Many (most?) people do use the same password (or with only minor and easy to guess modifications) for a lot of sites. You can preach to them until you're blue in the face, they'll still do it. And you can't really blame them - for the less technically inclined the topic is way beyond what they (want to) understand - many probably won't even be able to tell you if they're using a web browser or a locally installed application, it's just something they memorized where to click on. Thus they assume that, as long as it works, it must be ok and safe, otherwise (s)he wouldn't be allowed to do it - it's the job of those that do the magic to get that right.

If your web page is at least not sending the password out in clear but only a hash of it (as PPRuNe seems to do) the risks are somewhat reduced (though all web sites using the same hash function will be accessible if the same password is used). But that's something Google and others can't know. It's a bit like with safety belts - most people only really started using them when they were forced to, not due to rational weighting of risks versus inconveniences;-)

Of course, the rest of the traffic to your web site is probably not really secret - it's the process of passing the credentials to it that is the clincher. To make that safe you need encryption - and when you already have that in place there's hardly a good reason not to use it also for the rest - that then comes at (nearly) zero costs and no additional work at all.

Is it really that much of a bother to encrypt the traffic from your web site? The biggest hurdle, for sure, is getting a certificate, but it's not that hard. And, at least with a run-of-the-mill web-server set-up, the rest is adding a few lines to the configuration file (in my case with Apache it was 6 lines for switching SSL on and pointing it to the certificate files and 3 lines for redirecting all traffic from the HTTP to the HTTPS version of the site).

Best regards, Jens
jtt is offline  
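The "redirect all traffic from HTTP to HTTPS" step jtt describes for Apache, written here as a small WSGI middleware so it can be run and tested without a web server. This is an added example, not PPRuNe's or jtt's own configuration; the app name `forum_app`, the host `forum.example` and the Strict-Transport-Security header (a further step the post does not mention) are assumptions.

```python
from urllib.parse import quote

# Added example, not PPRuNe's or jtt's Apache config. HSTS is an assumed
# extra step beyond the plain redirect described in the post.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def https_target(environ):
    """Build the https:// twin of the request described by a WSGI environ."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if host.endswith(":80"):          # drop an explicit default HTTP port
        host = host[:-3]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def force_https(app):
    """Wrap a WSGI app: plain-HTTP requests get a 301 to the HTTPS version
    (the redirect lines in jtt's set-up); HTTPS responses gain an HSTS header
    so a returning browser never tries plain HTTP again."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            location = https_target(environ)
            start_response("301 Moved Permanently",
                           [("Location", location),
                            ("Content-Type", "text/plain; charset=utf-8")])
            return [f"Redirecting to {location}\n".encode()]

        def start_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)
        return app(environ, start_with_hsts)
    return wrapped


def forum_app(environ, start_response):
    """Stand-in for the forum itself (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"welcome to the forum"]


def call(app, environ):
    """Drive one request through a WSGI app; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secured = force_https(forum_app)

if __name__ == "__main__":
    print(call(secured, {"wsgi.url_scheme": "http", "HTTP_HOST": "forum.example",
                         "PATH_INFO": "/login.php", "QUERY_STRING": "do=login"}))
```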
Old 22nd Mar 2017, 11:26
  #7 (permalink)  
 
Originally Posted by Alsacienne
Yesterday my computer updated my Firefox settings ... and now every time when I log into my webmail account I get warnings about lack of security and 'ease of access' for other parties. Hope that some folk have better things to do with their time ....
I found this in another place and it seems to work.


An explanation from a poster at MozillaZine:
Quote

Starting with Ver 52, FFox pops up a warning when attempting to log into sites not accessed via a secure connection (i.e. those using non-secured http protocol instead of secured https protocol). The warning correctly points out that your login name and password are being transmitted in the clear where they can be captured by any server along the way.

This does not mean that the site you are trying to log in to has suddenly become insecure. This situation has always been there, but the folks at Mozilla just decided they'd warn you about it.

To avoid the warning:
  1. If the site supports a secure https connection, use that instead of http. Your transmission will be encrypted and only readable by your destination site.
  2. If you just don't want FFox to warn you of these insecure connections, do this:
    • Enter about:config in the Address/URL bar.
    • Press the button to agree to be careful (if you haven't done this previously).
    • Enter insecure in the Filter bar to limit display to just options containing 'insecure'.
    • Double-click on each of the following two options to toggle them between true and false. Set them to false:
      security.insecure_field_warning.contextual.enabled
      security.insecure_password.ui.enabled
    • Enter autofill in the Search bar.
    • Double-click on signon.autofillForms.http and toggle it to true.
    NOTE: if any of the above options are not found, you can create them manually. Right-click (control-click on Apple) an empty space in the option list. Click New | Boolean. Enter the option name and appropriate true/false value.
Allan Lupton is offline  
Old 23rd Mar 2017, 07:46
  #8 (permalink)  
 
Thanks Allan! Learned a lot.
Alsacienne is offline  
Old 24th Mar 2017, 08:52
  #9 (permalink)  
 
For those talking about how people should have "better things to do with their time" et al. That is absolutely the worst attitude you can take with regard to web security. I work in the industry and we spend huge amounts of time and money building and testing websites to withstand all sorts of attack. As has been mentioned, it only needs one website to be "hacked" and all their users' credentials are on the internet. If they haven't used a secure hash (i.e. not MD5 or SHA-1) or salted it (a way to make it much harder to "brute force" passwords) it is likely their password will appear against the hash (in a rainbow table) on the internet, alongside their email etc. This is where users not adopting good security practices actually create huge flaws in online services. If no-one repeated passwords across websites and everyone used strong passwords the attack vector would be greatly limited. But people don't, which is why we have to assume all users are stupid.

Things like SSL massively increase the security of a website - they also, to an extent, help prevent phishing and human engineering. Therefore, saying that it isn't "necessary" or "useful" for "my small website" is absolute rubbish.

I'm a security researcher, penetration tester and software engineer.
crablab is offline  
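An added example (not code from PPRuNe or from any poster) illustrating the hash point made in posts #3 and #9: an unsalted MD5 of a common password matches a lookup table built once in advance, while a salted, iterated PBKDF2 record does not, because every user's random salt makes such a table useless. The wordlist and the "stored" hashes are constructed here for the demonstration.

```python
import hashlib
import hmac
import os

# Added example, not code from PPRuNe or any poster. The "wordlist" and the
# stored hashes below are constructed for the demonstration.
COMMON_PASSWORDS = ["password", "123456", "spitfire", "cessna172", "letmein"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the function the thread says the login form computes.
    Note: when this value travels over plain HTTP it is itself the credential
    an eavesdropper captures, so client-side hashing is no substitute for TLS."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(candidates, hash_fn=md5_hex):
    """Precompute hash -> password once; the same table then applies to every
    unsalted store using that function (crablab's 'rainbow table' point)."""
    return {hash_fn(p): p for p in candidates}


def audit_unsalted(stored_hashes, lookup):
    """Defender's check on an unsalted store: which users' hashes are common
    passwords? Returns {hash: password-or-None}; hits warrant a forced reset."""
    return {h: lookup.get(h) for h in stored_hashes}


def pbkdf2_store(password: str, salt: bytes = None, rounds: int = 200_000) -> str:
    """Salted, iterated hash stored as 'rounds$salt_hex$digest_hex'. A fresh
    random salt per user means no table built in advance can match it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    print(audit_unsalted([md5_hex("spitfire"), md5_hex("Xq7!vR2#pL")], table))
    rec = pbkdf2_store("spitfire")
    print(rec, pbkdf2_verify("spitfire", rec), rec.split("$")[2] in table)
```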
Old 24th Mar 2017, 13:10
  #10 (permalink)  
 
never ask a barber if you need a haircut??

but this is a real problem - how do you increase security without making the day-to-day operation such a painful experience? Too many security features are irritating and get in the way of doing the job - which is why we're sitting in front of the screen to begin with
Heathrow Harry is offline  
Old 24th Mar 2017, 15:25
  #11 (permalink)  
 
For those talking about how people should have "better things to do with their time"
I was referring to the scammers .....
Alsacienne is offline  
Old 25th Mar 2017, 12:20
  #12 (permalink)  
 
I would have thought it was a more "painful experience" to have your identify stolen and all your credit card data?
crablab is offline  
Old 25th Mar 2017, 16:59
  #13 (permalink)  
 
true - but it doesn't happen every day or even every hour whereas things like the HTTPS warning do - eventually people just switch off from security as it's in their face all the time

It's like having really complex passwords - no one can remember them so they write them down - often near or even on the machine they are using - secure? NO! But very understandable.................
Heathrow Harry is offline  
Old 25th Mar 2017, 22:42
  #14 (permalink)  
jtt
 
Originally Posted by Heathrow Harry
but this is a real problem - how do you increase security without making the day-to-day operation such a painful experience? Too many security features are irritating and get in the way of doing the job - which is why we're sitting in front of the screen to begin with
Using HTTPS does just that - it's completely transparent to the user of the web site. If done correctly most users won't even notice when a site switches from HTTP to HTTPS. But since they don't notice they also don't know when they're using a site that is not secure, and the only way to make them aware is to put in a notice. Moreover, having that notice pop up and bother their users may convince the operators of unsecured web sites to finally mend their ways and switch over to HTTPS.

To be honest, I really don't understand all that moaning about a message appearing that warns people that what they are doing may incur considerable risks. I'd consider it more as kind of a public service.
jtt is offline  
Old 27th Mar 2017, 08:48
  #15 (permalink)  
 
Originally Posted by Heathrow Harry
true - but it doesn't happen every day or even every hour whereas things like the HTTPS warning do - eventually people just switch off from security as it's in their face all the time
Doesn't happen to YOU every day or every hour.
Do you switch off security when parking your car? Do you leave it unlocked with the keys in the ignition? Is having to press the lock button on the fob too in your face?

Originally Posted by Heathrow Harry
It's like having really complex passwords - no one can remember them so they write them down - often near or even on the machine they are using - secure? NO! But very understandable.................
You use a password manager and randomly generated strings.
I admit - passwords are a huge weakness - but that is because it is a human interaction, and humans are always the weakest link.
Things like 2FA really help improve security and things like Google Authenticator are much better than pure SMS.
In the future I think we'll move to a centralised public/private key system (oh wait, like PGP......) and you won't have to remember your password - just have your private key loaded into your web browser.
crablab is offline  
Old 27th Mar 2017, 13:20
  #16 (permalink)  
 
In day-to-day living you are always making judgements on risk - crossing the road in London is a dangerous business and I might be able to walk a mile and use a set of traffic lights.... or I look round and make a judgement and leg it across.

I suspect a lot of computer users do the same thing - I don't click on links I'm unsure about, I don't even download a lot of emails from people I've never heard of or strange ones from friends and family (tho' that is a hard judgement call occasionally - they're not all on the same planet as the rest of us), I keep my virus checker up to date etc etc. and I back up often.

I wish I could believe that every organisation out there took even that amount of care of my data but the evidence is a lot of them couldn't give a toss TBH
Heathrow Harry is offline  
Old 6th Apr 2017, 13:05
  #17 (permalink)  
 
So are we going HTTPS???

Thanks for the discussion guys, and for pointing out the benefits of the HTTPS addition to the URL. It would seem to make sense that HTTPS would potentially benefit all users.

So does anyone in Pprune Moderating Land know whether the site will migrate to HTTPS in the near future, or will we continue to do business the same old way?

Cheers
The G.
The Guru is offline  
Old 6th Apr 2017, 22:05
  #18 (permalink)  
So does anyone in Pprune Moderating Land know whether the site will migrate to HTTPS in the near future, or will we continue to do business the same old way?
IB own and run the site. Moderators have nothing to do with and no input into technical matters concerning the site. In short, I haven't a clue about what IB may or may not do about HTTPS.

PPRuNe is still running on a very, very old version of vBulletin software, which may not reliably support HTTPS (I haven't checked).

If there was a smiley for "not holding one's breath" I would insert it here.

SD
Saab Dastard is offline  
Old 6th Apr 2017, 22:17
  #19 (permalink)  
 
I've spoken to IB California.

Is it coming? At some point yes.

Do we get first dibs? No, as the travel portfolio of sites are viewed as a more likely risk compared to our vast proliferation of nonsensical names and even more specious email addresses.

Genteel pressure is being brought to bear though.

Rob
PPRuNe Towers is offline  

Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.