I
sincerely apologize for re-opening an old thread, and I want to clearly acknowledge that it does come to a responsible end...but because I came here specifically to address my concern with plain-text logins, I feel compelled to give feedback on a couple of comments. I am not picking on anyone--but I administer a forum with over 100K members and I work in security, so for me this is of notable concern.
stevemaury wrote:The login is secure. Do a search on this board to see how many people have had passwords intercepted. Or don't, because there are none.
Without intending to be rude--at all--the lack of feedback on this issue doesn't prove it doesn't exist. Today's packet capture reveals my login and password information in clear text--even while registering and logging in to THIS forum--and I have recent experience with boards that have been inexplicably compromised. Is the liklihood of interception high? No. But the forum I administer has a significantly large profile, and I can reasonable expect intersection of interest in a city with 60K college students. I'd be lax in my duties if I allowed an insecure coffeehouse login--frequented by computer science students--to result in a forum takedown.
stevemaury wrote:[it's just not worth the trouble...] Because it is a job to set it up, it slows things down, and it has no real security advantages. Guys that sniff packets do it for credit card numbers and such, not so they can get on a board they can register for anyway.
Again, without intending to be rude--this statement is overwhelmingly true--I want to carefully avoid reinforcing the unspoken tenet that only people with monetary interests will seek to intercept. Curiosity, boredom, malicious intent...while the monetary side is clearly larger than it used to be, the fact remains that some people just break in if they can. I have walked into companies and experienced, first-hand, destruction of websites for no reason at all. This doesn't mean the FBI wasn't interested (they were)...but the time required to put stuff back several times far exceeds the effort required to plug the hole.
Lumpy Burgertushie wrote:I think maybe you are a bit paranoid or just don't understand how this stuff works very well.
When you log in to your ftp or when you log into your cpanel or when you log on to your computer, do you have all of that being encrypted via SSL or anything else?
FTP is indeed insecure; this is the reason for SFTP. Cpanel is typically set up to use system prompts--rather than leaving it to browser/scripting language control--so you're implementing a different kind of (already encrypted) key exchange, and SSL encryption is discussed elsewhere in this thread.
continued from above wrote:
I don't think so. Your email is not encrypted when you log on to check it, etc. etc.
order forms, financial info, etc. those are the things that are sent via a secure connection SSL.
Many email services these days are encrypted; at the very least with an initial redirect to secure login, e.g., Facebook supports https--then punts you back out to the unsecured site--and of the major social sites I checked recently, only MySpace seems to have completely ignored it.
continued from above wrote:
first, why would anyone care to try and snatch a login to your board?
are you discussing state secrets in private forums or something?
That's the problem: some people don't care either way--they just like the mayhem. Assuming the board is completely tame, no one ever gets angry at anyone else, and it doesn't have many users, I could accept this as no problem. In my case, the board is NOT tame, has a high user base, is constantly visited by bots, and some people get thoroughly angry at each other, banned, and/or publicly warned for violating the rules. Further, there are scores of moderators, all of whom have different responsibilities and temperaments. Finally, there's an interested party who's not apparently connected to the boards at all--and for this person it needs to always appear to be UP and trouble-free. The people who care then are the ones who have to put, everything back, the way, it was...and no matter how good your backups are...any compromise can mean discovery, reporting, downtime, reinstall, patch, and test, and that can take a lot of time.
continued from above wrote:
second, in order for someone to be able to "sniff" out a login to your board, they would have to be within a certain distance of the person who was logging in, and have the correct equipment and software to be able to do it and be monitoring that person all the time to be able to catch it.
if you need to protect against that type of possibility, then you probably should not be trying to use a normal web based open source type of software as phpbb.
While the security community has an old, tired, and oft-proven rule: Most compromises come from inside the system, the accessible distance of some public access points is thousands of feet, though these are reliable only within the low hundreds in ideal conditions. However, with a low-budget / low-power laptop and free software, I am able to capture login information from miles away, depending upon a number of factors that would be irresponsible to discuss here. My total investment is a laptop I got for free, a little time, the ability to type one word into my search, and grab a coffee.
I wholeheartedly agree with the second comment...but when we have so much energy invested in an existing system...and some kind of encrypted handshake during login would be "relatively" simple to implement, I'm still looking for a MOD...and if I don't find one, I'd rather spend the time writing it than spearhead a whole new set of hurdles for server admins, programmers, board members, moderators, and administrators...when all I really want is obfuscated passwords.
Cheers, folks.
(20+ years in IT, 10 in security)