Login page not secure


#1

gCaptain, whenever I log into the web site, Firefox warns me that the login process is not encrypted. Can we look into fixing that? :astonished:


#2

+1 vote for SSL. SSL everything. All the cool kids are doing it. I suggest Let’s Encrypt.


#3

Oh, man, fix that right away. Please.

Earl


#4

This is correct, the login is not encrypted. Does that mean you are at risk? Yes, but only if your password is the same across multiple sites… if, for example, your Gmail password is the same as your email and bank account password, then you have bigger problems that you need to deal with.

The reasons we have not activated SSL are:

  1. We log all security events and, while attempts have been made to hack our servers, we have not seen attempts targeted at individual users.
  2. Nobody’s requested it before (now that you have, we will look into installing it).
  3. SSL gives a false sense of security to certain users. If you visit gCaptain from a military or large corporate network, then chances are that network will serve a fake SSL certificate so they can log your activity (this is known as a man-in-the-middle attack). The best prevention is unique passwords across multiple sites and use of a secure VPN tunnel through the corporate network (warning: most networks that log SSL activity also ban VPN use).
  4. We have redundant encrypted backups of all forum activity… along with firewall and DNS security measures at the server level.
  5. Encrypting just the login screen only protects your password but can leave you vulnerable to other attacks (like cookie theft)… so we really need to encrypt everything (like Facebook now does), but this creates many problems for our limited IT staff.

That said, if you guys want this, then I will certainly look into implementing it. Until then, please use a good encrypted password generator/vault app that creates and stores individual passwords. I recommend 1Password for Apple users and LastPass for everyone else.

John

P.S. Your biggest vulnerability is your email account. If a hacker gets access to this, then it doesn’t matter what security steps you have taken elsewhere. So make sure you use a really good email password, change it weekly, and activate two-step authentication. Doing these three steps alone will protect you from 99% of hackers.

P.S.2. If you have locked down your email and are still paranoid then look into secure VPN options which will provide a hardened tunnel to our front door.

P.S.3 Here’s a link to my favorite security podcast for those of you who (like me) enjoy nerding out on this kind of stuff: https://twit.tv/shows/security-now


#5

All that is true but:

There is a percentage of your users for whom password management is a riddle inside the mystery that is the internet inside the enigma that is their computer. For those, even protection against script-kiddie level attacks is worth doing, provided you can afford it.

Cheers,

Earl


#6

Personal password management is only part of the problem. HTTPS (SSL/TLS) is practically the default now for all content, not just the login forms. It protects your forum users from having their web traffic or its content used against them by advertisers [1], hostile governments [2], and hostile employers [3]. Even better if you can add PFS, which protects content against being stored for future attacks as well. In addition to improving security for forum users in a meaningful way, I think better security here may have the potential to help your news-gathering interests, through giving users more confidence in their confidentiality. Currently, it would take minimal effort for a company IT person to learn the identity of any forum member who posted from the company network, or even simply had the app open on their phone while on company wifi.

  1. Such as an ISP which might consider clear text an invitation to parse that data and sell it to marketers and spammers.
  2. As in where forum members might be forced to use compromised networks in foreign (or domestic) ports.
  3. As in where, a forum member might seek advice from their peers about something which their employer prefers they don’t discuss with anyone.

If you decide to pursue any of this be sure to avoid Symantec who have had ongoing problems for years with their certs, and are now untrusted by some browsers.

PS I’ll add a recommendation to Keepass.info for password managers.
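
The two posts above (#4, point 5, and #6) argue that encrypting only the login page leaves the session cookie exposed, and that a full HTTPS deployment should also use forward secrecy. The following is an added example, not code from the original thread or from gCaptain, that makes both points concrete: it simulates the browser rule for when a cookie is sent over plain HTTP, audits a response for the Secure/HttpOnly cookie flags and HSTS, and classifies cipher suites by whether their key exchange is ephemeral. All header values, cookie names and hostnames (`forum.example.net`) are constructed for the example.

```python
# Added example (not from the original thread): simulates what a browser does
# with a session cookie when only the login page is encrypted, versus when the
# whole site is served over https with Secure cookies and HSTS, and classifies
# cipher suites by whether they give forward secrecy (PFS). All headers,
# cookies and hostnames below are constructed for this example; nothing here
# was captured from gCaptain or any real site.
from urllib.parse import urlparse


def parse_set_cookie(set_cookie_values):
    """Parse Set-Cookie header values into dicts: name, value, secure, httponly."""
    cookies = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.lower() for p in parts[1:]}
        cookies.append({
            "name": name.strip(),
            "value": value,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return cookies


def cookies_sent(cookies, url):
    """Names of the stored cookies a browser attaches to a request for url.
    Per RFC 6265 section 5.4, a cookie with the Secure attribute is only sent
    over https; anything else also rides along on plain http requests."""
    scheme = urlparse(url).scheme.lower()
    return [c["name"] for c in cookies if scheme == "https" or not c["secure"]]


def has_forward_secrecy(cipher_suite):
    """True if the suite uses an ephemeral (EC)DH key exchange, so a recorded
    session cannot be decrypted later with the server's long-term private key.
    Handles OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256), IANA names
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and TLS 1.3 suites, which are
    always ephemeral. Static RSA or static DH key exchange returns False."""
    name = cipher_suite.upper()
    if name.startswith("TLS_AES_") or name.startswith("TLS_CHACHA20_"):
        return True  # TLS 1.3: key exchange is always (EC)DHE
    return "ECDHE" in name or "DHE" in name


def audit_response(headers):
    """Flag the things a 'login page only' deployment typically gets wrong.
    headers is a list of (name, value) tuples as received over https."""
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no HSTS: browsers will still follow http:// links to the site")
    set_cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    for c in parse_set_cookie(set_cookies):
        if not c["secure"]:
            findings.append(f"cookie {c['name']} lacks Secure: sent in cleartext on http pages")
        if not c["httponly"]:
            findings.append(f"cookie {c['name']} lacks HttpOnly: readable by injected script")
    return findings


# Constructed scenario 1: only the login form is on https. The session cookie
# comes back without Secure, so every later http:// page view leaks it.
LOGIN_ONLY_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "forum_session=s3ss10n; Path=/; HttpOnly"),
]

# Constructed scenario 2: whole site on https, Secure cookies, HSTS.
EVERYTHING_HTTPS_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "forum_session=s3ss10n; Path=/; Secure; HttpOnly"),
]


def demo(headers, next_page):
    """Cookies leaked on the next page view plus audit findings for one scenario."""
    cookies = parse_set_cookie([v for n, v in headers if n.lower() == "set-cookie"])
    return cookies_sent(cookies, next_page), audit_response(headers)


if __name__ == "__main__":
    for label, hdrs in (("login-only", LOGIN_ONLY_HEADERS),
                        ("everything-https", EVERYTHING_HTTPS_HEADERS)):
        leaked, findings = demo(hdrs, "http://forum.example.net/t/123")
        print(f"{label}: cookies sent on plain http = {leaked}")
        for f in findings:
            print("  -", f)
    for suite in ("AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"):
        print(f"{suite}: forward secrecy = {has_forward_secrecy(suite)}")
```

In the login-only scenario the session cookie is sent on the very next `http://` page view, which is the cookie theft post #4 warns about; with the Secure flag and HSTS in place the same request carries no cookie at all, and the browser will not even issue it over plain HTTP once HSTS has been seen. The cipher suite check is a simple name-based heuristic: it is enough to tell static RSA key exchange apart from ECDHE/DHE and TLS 1.3, but a real audit should read the negotiated suite from the TLS handshake rather than from a configuration string.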


#7

+1 on the recommendation for 1password. Makes it real easy to keep up with your passwords securely.


#8

What is the best password manager for working offshore with limited internet and no cell service?

From what I’ve read it seems like LastPass would be the best option, but I’d be open to others’ thoughts.


#9

LastPass is a great option. Basically both LastPass and 1Password allow you to store and create passwords on your device, then sync them with the cloud when you get back in cell range. And neither takes up much bandwidth when you are in a poor reception zone.


#10

What about ability to log on from new computers (the bridge computer) over slow satellite internet?


#11

Theoretically, yes, that will work too, but it really depends on your level of computer skills and your company’s IT policy. But the easiest solution is to just look them up on your phone and copy the passwords manually… I know it’s kind of a pain, but if you have your own dedicated login (i.e. you’re not sharing the same login with everyone else on the bridge) then you’re fairly safe if you save the cookies (click “trust this computer” or “remember this login”).


#12

I was hacked by the Russians so I changed my password to 12345.


#13

That’s amazing. I’ve got the same combination on my luggage.


#14

:joy:


#15

I use KeePassX because it works on all platforms. Haven’t had any trouble with it. I do not store my passwords online or in the “cloud” (“the cloud” just means someone else’s computer). If you’re serious about security tokens, have a look at using a YubiKey or something similar.