+BudMan MVC, Posted August 9, 2013:

Ok, other than changing the http to https for the post, they also need to look into the chain issue I linked to before in the thread, or you're going to have issues with Firefox users even logging in via https:

---
www.neowin.net uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
---

They need to load up the intermediate CA bundle I linked to before on their web servers.
+theblazingangel MVC, Posted August 9, 2013:

> There was a thread a long time ago about the login posting being in clear text.. If I recall, back then it was mentioned that it would be fixed when ssl was set up. Well, it seems they have set up ssl.. There is no need to encrypt the whole site.. sorry, but I don't need my viewing of news articles or forum posts to be encrypted. Nor do I need the stuff I am sending in a post that will be public encrypted. What I would like is my password not to be sent in clear text. They have the ssl in place, all they need to do is change the posting from http to https and we are all good. They can still require that you be a sub if you want the whole site via https, ads or no ads. But changing http to https in the post string for your login seems like a no brainer if the ssl cert has already been paid for and is active. Currently, even if viewing the site via https, when I go to login the post in the html command is via http.. So it's going to be sent in clear - even if everything else you're viewing is via https -- the actual post of the username and password is still only http..
>
> edit: For those that do not understand the issue. No, your pc does not have to be compromised for someone to sniff your username and password.. So for example you're on a wireless network, anyone on that wireless network could see your traffic so could see your neowin username and password. Now could they just hijack your cookie and auth as you that way - possible, have not looked into the issue that deep, nor do I care to. At any point between your PC and the neowin server it would be possible to see this traffic in the clear and get your username and password. I doubt that it is of much concern, but come on, the ssl is there -- just change the post to https and this discussion is over.
>
> Even if you're viewing gmail over http, when you go to login the post is https:
>
>     <form novalidate id="gaia_loginform" action="https://accounts.google.com/ServiceLoginAuth" method="post">
>
>     <form action="https://www.neowin.net/forum/index.php?app=core&module=global&section=login&do=process" method="post" id='login'>
>
> Simple change of a couple lines of code to https vs http and the issue goes away now that they have ssl in place.

Yes you do! The only reason to only care about hiding the login credentials is if you're reusing those same credentials for other things, something you shouldn't do and I wouldn't think you yourself would do. If you care about keeping other people out of your account here then you should care about all connections being encrypted.

The "persistent login" mechanism is simple. The server creates a "session" for you (a data storage container, usually a file) and sends a copy of the session's identifier to your browser in a "session" cookie. Upon successful authentication an identifier of which user account you authenticated against is stored in the session (and the session ID changed for security reasons). A copy of this cookie is sent with every request you send to the server, allowing you to be identified. The session is only destroyed if you actually logout or otherwise if it expires due to lack of activity. Anyone accessing your network traffic can capture the session cookie and impersonate you on the site.

Resources such as JavaScript files should also be fetched over HTTPS, partly in order to protect the session cookie, sent with such requests, and partly to prevent an attacker from modifying such code (perhaps to execute actions on your account, to monitor what you're doing / capture your login credentials, or to exploit a vulnerability in your browser and therefore attack your computer).
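One way to check a page for the two problems described above (a login form that posts over plain http, and a session cookie that will be sent on plain-http requests), as an added example that is not code from the thread or from Neowin. The sample markup is constructed, modelled on the two form tags quoted in the post; a relative form action inherits the page's own scheme, so the scanner resolves it against the page URL first.

```python
"""Audit login-form targets and Set-Cookie hardening flags (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: one form posting to https, one posting to plain http,
# and a search form with no password field (must be ignored).
PAGE_URL = "http://www.neowin.net/forum/"
SAMPLE_HTML = """
<form novalidate id="gaia_loginform"
      action="https://accounts.google.com/ServiceLoginAuth" method="post">
  <input type="password" name="Passwd">
</form>
<form action="http://www.neowin.net/forum/index.php?app=core&amp;module=global&amp;section=login&amp;do=process"
      method="post" id="login">
  <input type="password" name="ips_password">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
"""


class FormScanner(HTMLParser):
    """Collect every <form> and note whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id") or "", "action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_logins(html, page_url):
    """Return ids of forms that would submit a password over plain http."""
    scanner = FormScanner()
    scanner.feed(html)
    bad = []
    for f in scanner.forms:
        if not f["has_password"]:
            continue
        target = urljoin(page_url, f["action"])  # relative action -> page scheme
        if urlparse(target).scheme != "https":
            bad.append(f["id"])
    return bad


def cookie_flags_missing(set_cookie_header):
    """Return the hardening attributes absent from one Set-Cookie value.
    Without Secure the session cookie rides along on every plain-http
    request (scripts, images), which is the hijack path the post describes."""
    attrs = [p.strip().lower().split("=")[0] for p in set_cookie_header.split(";")[1:]]
    return sorted({"secure", "httponly"} - set(attrs))
```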
+BudMan MVC, Posted August 9, 2013:

"Yes you do!" Yes, I do care about other ways to hijack an authenticated session, but that was outside the scope of the point I was trying to make when I saw that ssl announcement. I recalled the past thread saying that sending the password via http would be corrected when ssl came online. So SSL is online, but the password is still being sent over http, was my point. Once the username and passwords are sent over https, then I'd be happy to join a thread that discusses other ways that might make it possible to hijack a user's session on neowin, and ways to prevent that, etc.

So from this past thread, and these two posts:
https://www.neowin.net/forum/topic/1138606-neowin-login-not-secure/?view=findpost&p=595544858
https://www.neowin.net/forum/topic/1138606-neowin-login-not-secure/?view=findpost&p=595544882

It was pretty clear that login would be via ssl when it was available. I was not meaning to discuss all the possible ways that a user's session to a site might be compromised or gotten, etc. I had even mentioned in that thread that maybe it could be for subs only ;)

edit: Maybe the whole-site https option could be an option for subscribers only, etc. This might get a few more to join that rank and help neowin offset any added cost in such an implementation? But let's take baby steps here.. Now that there is ssl, let's fix the firefox issue, and send the password over the ssl. Then if someone else wants to discuss overall security of the authentication process used on neowin, happy to join in ;)

I just want to make it clear, I am not saying neowin has to do anything.. Not like I stopped using neowin after I discovered passwords were not over https, and I don't recall ever hearing of any issues about neowin accounts being hijacked, etc.. And no, this isn't a bank site, etc. I really don't want to start up those sorts of posts again..

Just a simple question -- I should have probably made my comments in the mvc section vs in the announcement thread.. Oh well..
tiagosilva29, Posted August 10, 2013:

BudMan, BudMan, BudMan, can't you see...? Sometimes your words just hypnotize me. And I just love your flashy ways. Guess that's why they broke, and you're so paid!
theyarecomingforyou, Posted August 10, 2013:

> people going on about passwords. Really? Is your neowin password really that precious and worth donating $25 a year to protect?

Passwords should never be transmitted in plain text. I don't understand how you can't see the issue with it, especially when you know that most people won't use a unique password.
Ambroos, Posted August 10, 2013:

Even for subscribers passwords will be transmitted in plain-text since HTTPS can't be activated before logging in. Seriously server guys, make the login target be HTTPS. Should only take a few minutes to change it. It already works if I do it manually in the Chrome dev tools.
Haggis Veteran, Posted August 16, 2013:

> Even for subscribers passwords will be transmitted in plain-text since HTTPS can't be activated before logging in. Seriously server guys, make the login target be HTTPS. Should only take a few minutes to change it. It already works if I do it manually in the Chrome dev tools.

No answer to this? It's a legitimate and great request.
Redmak Administrators, Posted August 16, 2013:

https login enabled (forum only atm, I will change the main page login asap)
Installed intermediate CA's (thanks BudMan)
+BudMan MVC, Posted August 16, 2013:

Quick test shows your chain problem gone with firefox. And a sniff of a login shows no cleartext. Sweet.. As always neowin follows through, thanks guys!
funkydude, Posted August 16, 2013:

> https login enabled (forum only atm, I will change the main page login asap)
> Installed intermediate CA's (thanks BudMan)

Could you also correct the order of your cipher suites? Your current setup means there is no forward secrecy for IE users, meanwhile other browsers are being forced inferior suites:
https://www.ssllabs.com/ssltest/analyze.html?d=www.neowin.net&s=74.204.71.246

Brilliant explanation of how to go about this is here:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
123456789A, Posted August 16, 2013:

It's not a good idea to send passwords in plain text. At least send them in Word format.
+BudMan MVC, Posted August 16, 2013:

Why just FS? Let's get some PFS going (Perfect Forward Secrecy).

It's a bit confusing why www.neowin.net is a cname for neowin.net, but the cert's common name is www.neowin.net with no alternative name of just neowin.net? Doesn't really matter until you start playing with certs.. But now, for example, if you hit just https://neowin.net you get an error about the cert. They could add an alternative name to the cert, but not sure which one they purchased.. if just a DV, I don't think thawte provides that as an addon feature?

They could work on beast attack mitigation as well ;) And should really allow for session resumption.. But hey, it's much better than before..
Ambroos, Posted August 16, 2013:

> https login enabled (forum only atm, I will change the main page login asap)
> Installed intermediate CA's (thanks BudMan)

Thanks ^^
Haggis Veteran, Posted August 16, 2013:

> https login enabled (forum only atm, I will change the main page login asap)
> Installed intermediate CA's (thanks BudMan)

Awesome Redmak, as said before Neowin comes up on top again :)
DaveLegg Developer, Posted August 18, 2013:

> Why just FS? Let's get some PFS going (Perfect Forward Secrecy).
>
> It's a bit confusing why www.neowin.net is a cname for neowin.net, but the cert's common name is www.neowin.net with no alternative name of just neowin.net? Doesn't really matter until you start playing with certs.. But now, for example, if you hit just https://neowin.net you get an error about the cert. They could add an alternative name to the cert, but not sure which one they purchased.. if just a DV, I don't think thawte provides that as an addon feature?
>
> They could work on beast attack mitigation as well ;) And should really allow for session resumption.. But hey, it's much better than before..

We redirect neowin.net to www.neowin.net, sounds like that automatic redirect is missing from the https version, that's all.
fobban, Posted August 18, 2013:

Login page should've had SSL 10 years ago.

Edit: Can see the login page having it now. Great!
+Red King Subscriber², Posted August 18, 2013:

So, is there a way to make the site redirect me to https when I am on http?
+BudMan MVC, Posted August 18, 2013:

"We redirect neowin.net to www.neowin.net" yes you do..

budman@ubuntu:/tmp$ wget http://neowin.net
--2013-08-18 14:49:03--  http://neowin.net/
Resolving neowin.net (neowin.net)... 74.204.71.247, 74.204.71.246, 74.204.71.245
Connecting to neowin.net (neowin.net)|74.204.71.247|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.neowin.net/ [following]
--2013-08-18 14:49:03--  https://www.neowin.net/

But here is my point about https:

budman@ubuntu:/tmp$ wget https://neowin.net
--2013-08-18 14:50:00--  https://neowin.net/
Resolving neowin.net (neowin.net)... 74.204.71.246, 74.204.71.245, 74.204.71.247
Connecting to neowin.net (neowin.net)|74.204.71.246|:443... connected.
ERROR: no certificate subject alternative name matches requested host name ‘neowin.net’.
To connect to neowin.net insecurely, use `--no-check-certificate'.

You can not solve the issue with a redirect in https, since you have to set up your connection before you could ever be redirected, and certain things have to match to create that connection without a warning. It's not a big deal -- just one of the fun aspects of working with certs.. The joys of technology; serving up SSL/TLS is a thing unto itself ;)

The first steps have been made, and as neowin staff become more familiar with the peculiarities of working with https I am sure things will progress... When you score an A, we can have a party: https://www.ssllabs.com/ssltest/ But the current B gets the job done.
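To show why an https redirect cannot fix the error above, here is an added example (not from the post or from Neowin) of the hostname-to-SAN matching a client performs during the TLS handshake, before any HTTP response is seen; the matching rules follow the RFC 6125 conventions (case-insensitive labels, a wildcard only as the whole leftmost label). The two SAN lists are constructed: the first mirrors a certificate that, like the one wget complained about, names only www.neowin.net.

```python
"""Hostname vs. subject-alternative-name matching (added example)."""

# Constructed SAN lists; not read from the real neowin.net certificate.
CERT_SANS_WWW_ONLY = ["www.neowin.net"]
CERT_SANS_FIXED = ["www.neowin.net", "neowin.net"]


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, hostname):
    """Match one dNSName SAN entry against the requested hostname.

    A wildcard is accepted only when it is the entire leftmost label and the
    name has at least three labels, so '*.neowin.net' covers www.neowin.net
    but not neowin.net itself or a.b.neowin.net, and '*.net' matches nothing.
    """
    cert_labels, host_labels = _labels(cert_name), _labels(hostname)
    if len(cert_labels) != len(host_labels):
        return False
    if "*" in cert_name:
        if cert_labels[0] != "*" or any("*" in l for l in cert_labels[1:]):
            return False
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def hostname_accepted(sans, hostname):
    """True if any SAN entry matches; otherwise the client aborts the
    handshake, so the server never gets to send a 301 to www."""
    return any(name_matches(san, hostname) for san in sans)


def explain(sans, hostname):
    """Human-readable outcome for one hostname against one SAN list."""
    if hostname_accepted(sans, hostname):
        return f"{hostname}: name matches, handshake completes, redirect can follow"
    return (f"{hostname}: no certificate subject alternative name matches; "
            "connection aborted before any HTTP redirect")


if __name__ == "__main__":
    for sans in (CERT_SANS_WWW_ONLY, CERT_SANS_FIXED):
        print(sans, "->", explain(sans, "neowin.net"))
```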
The_Decryptor Veteran, Posted August 19, 2013:

Currently the only way to get an A on that test (while doing TLS 1.0) is to use RC4, which is insecure. In reality using AES CBC should be fine even with TLS 1.0 (most clients work around BEAST, Apple being a holdout), but the ultimate solution is to use AES CBC with TLS 1.1, or AES GCM with TLS 1.2 (which rules out like 80% of browsers). But hey, IE 11, Chrome 29 and apparently Safari support TLS 1.1/1.2 fully (Firefox supports it, but not entirely, so it's still disabled), so it's not that far off.

Edit: Upside of AES GCM is that it's stupidly fast on Intel hardware made in the last couple of years.
Sandor, Posted August 19, 2013:

> It always amazes me when people complain about how someone else runs THEIR free service. How about contributing to the site's monetary needs if you have such a problem with it? You may provide support to others for free, but to feed the monster they need virgin blood and that ****'s expensive and can't be paid for with computer advice. Neobond explained why it's not available to everyone, quit your bitchin...

Missing the obvious that the site is precisely nothing without its users.
Sandor, Posted August 19, 2013:

> It's not a good idea to send passwords in plain text. At least send them in Word format.

top-lel.com
cyoung1616, Posted August 19, 2013:

https://www.neowin.net/forum/topic/1169735-https-sessions-active-for-tier-2-subscribers/page-4#entry595887537

Is this right?? Never has shown https:

Cody
rr_dRock, Posted August 19, 2013:

> Missing the obvious that the site is precisely nothing without its users.

Okay? What's your point? That doesn't negate the fact that the site needs money to run, and certificates cost money, and the fact that it's an extra incentive to subscribe. Again, if you don't like viewing the site without SSL, subscribe. If you don't have the measly ~$20 a year, then perhaps you need to get off the internet, and find a better job instead of wasting your time posting nonsense. I agree about the login issue (which I believe was fixed? don't quote me), but it's not necessary to give a costly (well... it costs money) service to people for free to keep the site alive, as most people really don't give a ######.
funkydude, Posted August 19, 2013:

> Could you also correct the order of your cipher suites? Your current setup means there is no forward secrecy for IE users, meanwhile other browsers are being forced inferior suites:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.neowin.net&s=74.204.71.246
>
> Brilliant explanation of how to go about this is here:
> https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

Has this been ignored? Admins?

> Currently the only way to get an A on that test (while doing TLS 1.0) is to use RC4, which is insecure. In reality using AES CBC should be fine even with TLS 1.0 (most clients work around BEAST, Apple being a holdout), but the ultimate solution is to use AES CBC with TLS 1.1, or AES GCM with TLS 1.2 (which rules out like 80% of browsers). But hey, IE 11, Chrome 29 and apparently Safari support TLS 1.1/1.2 fully (Firefox supports it, but not entirely, so it's still disabled), so it's not that far off.
>
> Edit: Upside of AES GCM is that it's stupidly fast on Intel hardware made in the last couple of years.

Indeed, but that is also explained in his blog entry linked above. Once all the browsers support TLS 1.2 he will probably remove the grade reduction when TLS 1.1/1.2 support is detected, as they are not affected by the BEAST attack. In other words, you can ignore that it got a B and not an A as TLS 1.1/1.2 is supported.
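The cipher-order point made in the quoted post (some clients end up without forward secrecy while others are pushed onto weaker suites) comes down to how the server picks a suite from the overlap of the two lists. This added example, not code from the thread or from Neowin, walks that negotiation through for a weakly ordered list and a corrected one; all suite lists are constructed for illustration and are not the real neowin.net configuration nor any browser's exact offer.

```python
"""Cipher-suite order and forward secrecy: a negotiation walk-through (added example)."""

# Constructed server preference before the fix: RSA key exchange and RC4 first,
# the ephemeral (EC)DHE suites that provide forward secrecy at the back.
SERVER_ORDER_BEFORE = [
    "AES128-SHA",                    # static RSA key exchange: no forward secrecy
    "RC4-SHA",                       # RC4 stream cipher
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-SHA",
]
# Constructed order after the fix: ECDHE/DHE first, RC4 removed, plain RSA
# kept only as a last resort for clients that offer nothing else.
SERVER_ORDER_AFTER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-SHA",
    "AES128-SHA",
]
# Constructed client offers: a legacy client with one ECDHE suite listed last
# and no DHE, and a modern TLS 1.2 client that can do AES-GCM.
CLIENTS = {
    "legacy": ["AES128-SHA", "RC4-SHA", "ECDHE-RSA-AES128-SHA"],
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
               "DHE-RSA-AES128-SHA", "AES128-SHA"],
}


def negotiate(server_order, client_offer, server_prefers=True):
    """Pick a suite the way TLS does: walk the preferring side's list and take
    the first entry the other side also offers; None means no overlap."""
    first, second = ((server_order, client_offer) if server_prefers
                     else (client_offer, server_order))
    for suite in first:
        if suite in second:
            return suite
    return None


def has_forward_secrecy(suite):
    """Only ephemeral (EC)DH key exchange gives forward secrecy; with static
    RSA exchange a later leak of the server key decrypts recorded sessions."""
    return suite is not None and suite.startswith(("ECDHE-", "DHE-"))


def audit(server_order, clients=CLIENTS, server_prefers=True):
    """Map each client to (negotiated suite, forward secrecy, uses RC4)."""
    report = {}
    for name, offer in clients.items():
        suite = negotiate(server_order, offer, server_prefers)
        report[name] = (suite, has_forward_secrecy(suite),
                        suite is not None and "RC4" in suite)
    return report


def suites_without_fs(server_order):
    """List the configured suites that can never give forward secrecy."""
    return [s for s in server_order if not has_forward_secrecy(s)]


if __name__ == "__main__":
    print("before:", audit(SERVER_ORDER_BEFORE))
    print("after: ", audit(SERVER_ORDER_AFTER))
```

The `server_prefers` switch corresponds to honouring the server's order (nginx `ssl_prefer_server_ciphers on`, Apache `SSLHonorCipherOrder on`); with the client's order winning, a reordered server list cannot rescue a client that lists its non-FS suites first.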
Sandor, Posted August 19, 2013:

> Okay? What's your point? That doesn't negate the fact that the site needs money to run, and certificates cost money, and the fact that it's an extra incentive to subscribe. Again, if you don't like viewing the site without SSL, subscribe. If you don't have the measly ~$20 a year, then perhaps you need to get off the internet, and find a better job instead of wasting your time posting nonsense. I agree about the login issue (which I believe was fixed? don't quote me), but it's not necessary to give a costly (well... it costs money) service to people for free to keep the site alive, as most people really don't give a ****.

If I followed that advice for every site I visit I'd be paying out a fortune. The site already advertises to each of us to make money. How much do you think it costs to implement SSL on a site, by the way? You might be in for a shock.