Author Topic: Insecure Connection  (Read 800 times)

lepus

  • Regular Member
  • **
  • Posts: 38
  • Human Being
Insecure Connection
« on: April 17, 2017, 02:48:11 AM »
Recently, my updated Firefox has begun to warn me about insecure login connections to forums and messageboards with:
Quote
movsd.com
Connection is Not Secure
Logins entered on this page could be compromised.
It is apparent that the login name and password are not transmitted over a secure connection and could be intercepted and read by an intermediate node. Is it doable to have a look at this? Is it easy or complicated to implement an https connection for the login procedure?

hutch--

  • Administrator
  • Senior Member
  • *****
  • Posts: 534
  • Bespoke Snippers
Re: Insecure Connection
« Reply #1 on: April 17, 2017, 03:41:21 PM »
It is based on requiring a certificate which only costs a fortune, a technique of leverage marketing to extract more money out of site owners. Interesting as Firefox is freeware. I personally use a Google clone that has far better security "Slimjet 64 bit" and I don't see the problem.
The magnificent tools of the professional tailor
http://www.movsd.com/tailors_shears/  ;) ;D

Schneiderfrei

  • Research
  • Senior Member
  • ****
  • Posts: 388
  • Resembles Human Being
Re: Insecure Connection
« Reply #2 on: April 17, 2017, 10:24:21 PM »
I am glad you mentioned this Hutch.  I have recently tried out Firefox.  I would like to give another a go.

Schneiderfrei

  • Research
  • Senior Member
  • ****
  • Posts: 388
  • Resembles Human Being
Re: Insecure Connection
« Reply #3 on: April 17, 2017, 10:51:15 PM »
Goodness Hutch, that is snappy. :)

hutch--

  • Administrator
  • Senior Member
  • *****
  • Posts: 534
  • Bespoke Snippers
Re: Insecure Connection
« Reply #4 on: April 17, 2017, 11:28:17 PM »
I re-checked to make sure but there are no settings in the forum software to handle secured connections and in any case, this forum does not require secured data as it does not collect payments or any other form of remuneration. Personal data is both secured and encrypted by default in the forum software so even if someone could work out how to hack the server that this forum is on, they would have a terrible time trying to access the data base.

Look for the settings in any browser you choose to use and make an exception for any forum you wish to log onto. If the browser does not have that option, use another browser.

hutch--

  • Administrator
  • Senior Member
  • *****
  • Posts: 534
  • Bespoke Snippers
Re: Insecure Connection
« Reply #5 on: April 17, 2017, 11:38:35 PM »
Just for your amusement, a few years ago I got a complaint from my server provider that some bunch of vigilantes in Germany had scanned the server and found an infected file. The file dated about 1997 and was an old programming language source file that had been zipped. These morons identified a trojan that dated about 2012, something like 15 years after the old zip file was created so it was impossible for the old zip file to be infected.

For having wasted my time, I asked my server provider to send my response back to them which advised them to actually check the file date of the zip file and actually learn what file specifications were about including the Microsoft Portable Executable specifications instead of trusting some crappy AV scanner that was dropping false positives. Predictably we did not get a response back.  ;D

lepus

  • Regular Member
  • **
  • Posts: 38
  • Human Being
Re: Insecure Connection
« Reply #6 on: April 28, 2017, 09:00:02 AM »
> It is based on requiring a certificate which only costs a fortune, a technique of leverage marketing to extract more money out of site owners. Interesting as Firefox is freeware. I personally use a Google clone that has far better security "Slimjet 64 bit" and I don't see the problem.

That is in its generality not true. Certainly, you can purchase a certificate, but there are authorities that supply them for free, the most well-known of those probably being Let's Encrypt (letsencrypt.org). That leaves the second part of that sentence also hanging in the air. Of course you can use a browser that doesn't show a warning, or turn it off, but that doesn't mean the fundamental issue is resolved. The web has become a much more complicated place since Tim Berners-Lee developed it and offers numerous opportunities for clever criminals.

> I re-checked to make sure but there are no settings in the forum software to handle secured connections and in any case, this forum does not require secured data as it does not collect payments or any other form of remuneration. Personal data is both secured and encrypted by default in the forum software so even if someone could work out how to hack the server that this forum is on, they would have a terrible time trying to access the data base.

I would expect that private data are kept secure on the site, but that has very little to do with the issue.

> Look for the settings in any browser you choose to use and make an exception for any forum you wish to log onto. If the browser does not have that option, use another browser.

That reaction is, frankly, unworthy of someone, who, I presume, knows what a MOVSQ instruction is (I updated it a bit to appear up with the times) and therefore can't be considered a computer illiterate. A weak spot that has been pointed out does not go away by closing your eyes to it.

I'm certainly no Firefox Friend, I've had my quarrels with them over the years, but they definitely have a point here. That it creates a vulnerability to, for instance, man-in-the-middle attacks should be obvious, made all the more important by the fact that many users use the same password, and not seldom also the same login name, on many different sites.
So, if I start posting about genital enlargement, an instant cure for any type of cancer or the one and only formula that produces perfectly fitting trousers for every size and shape of figure, my password may have been stolen...

For others who wonder what it's all about, I include a few pointers. As I don't expect much interest, I have not warned the webmasters of impending DoS issues  ;)

https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox
"Insecure password warning in Firefox"

https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords
"Insecure passwords"

https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
"No More Passwords over HTTP, Please!"


hutch--

  • Administrator
  • Senior Member
  • *****
  • Posts: 534
  • Bespoke Snippers
Re: Insecure Connection
« Reply #7 on: April 29, 2017, 11:10:36 PM »
Herein lies the problem with your suggestion, there is nothing to steal here, no financial transactions, no credit card numbers, no bank account details or anything else apart from a few members showing a few of their trade secrets and that is offered in public. Pick your browser, pick your problem, I have used a couple of Google clones in my time, I had a stray before that and Netscape before that. I have never trusted Internet Exploder, don't like Edge on Win10 64 and won't even have FireFox installed on a machine.

> but there are authorities that supply them for free

Except that I don't know who they are, what their security arrangements are or if they secretly pass data to the KGB, Mossad, CIA, MI5/6 and I don't care. KISS principle applies here, when you don't need serious security as there is nothing to secure, don't waste your time, money or trust bothering to do it. I will certainly never be a vehicle funnelling data to anyone and members are protected in what data they put here as the database is really hard to get at.