Secure Login

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Secure Login

Post by Techie-Micheal »

DarkGod wrote:So directing members to forums starting with https instead of http adds more security for them when logging in?
Yes and no. No, because the https itself isn't what does it, but the SSL which makes it the https does. Yes, because when logging in, your communication between endpoints (you and the server) is encrypted.
Proven Offensive Security Expertise. OSCP - GXPN
DarkGod
I've Been Banned!
Posts: 221
Joined: Thu Jan 06, 2005 9:16 pm

Re: Secure Login

Post by DarkGod »

Good to know. Thanks, T-M. :)
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Secure Login

Post by Techie-Micheal »

DarkGod wrote:Good to know. Thanks, T-M. :)
No problem. :)
mobstergeek
Registered User
Posts: 1
Joined: Mon Dec 22, 2008 4:15 pm

Re: Secure Login

Post by mobstergeek »

I sincerely apologize for re-opening an old thread, and I want to clearly acknowledge that it does come to a responsible end...but because I came here specifically to address my concern with plain-text logins, I feel compelled to give feedback on a couple of comments. I am not picking on anyone--but I administer a forum with over 100K members and I work in security, so for me this is of notable concern.
stevemaury wrote:The login is secure. Do a search on this board to see how many people have had passwords intercepted. Or don't, because there are none. :)
Without intending to be rude--at all--the lack of feedback on this issue doesn't prove it doesn't exist. Today's packet capture reveals my login and password information in clear text--even while registering and logging in to THIS forum--and I have recent experience with boards that have been inexplicably compromised. Is the likelihood of interception high? No. But the forum I administer has a significantly large profile, and I can reasonably expect intersection of interest in a city with 60K college students. I'd be lax in my duties if I allowed an insecure coffeehouse login--frequented by computer science students--to result in a forum takedown.
stevemaury wrote:[it's just not worth the trouble...] Because it is a job to set it up, it slows things down, and it has no real security advantages. Guys that sniff packets do it for credit card numbers and such, not so they can get on a board they can register for anyway.
Again, without intending to be rude--this statement is overwhelmingly true--I want to carefully avoid reinforcing the unspoken tenet that only people with monetary interests will seek to intercept. Curiosity, boredom, malicious intent...while the monetary side is clearly larger than it used to be, the fact remains that some people just break in if they can. I have walked into companies and experienced, first-hand, destruction of websites for no reason at all. This doesn't mean the FBI wasn't interested (they were)...but the time required to put stuff back several times far exceeds the effort required to plug the hole.
Lumpy Burgertushie wrote:I think maybe you are a bit paranoid or just don't understand how this stuff works very well.
When you log in to your ftp or when you log into your cpanel or when you log on to your computer, do you have all of that being encrypted via SSL or anything else?
FTP is indeed insecure; this is the reason for SFTP. cPanel is typically set up to use system prompts--rather than leaving it to browser/scripting language control--so you're implementing a different kind of (already encrypted) key exchange, and SSL encryption is discussed elsewhere in this thread.
continued from above wrote: I don't think so. Your email is not encrypted when you log on to check it, etc. etc.

order forms, financial info, etc. those are the things that are sent via a secure connection SSL.
Many email services these days are encrypted; at the very least with an initial redirect to secure login, e.g., Facebook supports https--then punts you back out to the unsecured site--and of the major social sites I checked recently, only MySpace seems to have completely ignored it.
continued from above wrote: first, why would anyone care to try and snatch a login to your board?
are you discussing state secrets in private forums or something?
That's the problem: some people don't care either way--they just like the mayhem. Assuming the board is completely tame, no one ever gets angry at anyone else, and it doesn't have many users, I could accept this as no problem. In my case, the board is NOT tame, has a high user base, is constantly visited by bots, and some people get thoroughly angry at each other, banned, and/or publicly warned for violating the rules. Further, there are scores of moderators, all of whom have different responsibilities and temperaments. Finally, there's an interested party who's not apparently connected to the boards at all--and for this person it needs to always appear to be UP and trouble-free. The people who care then are the ones who have to put, everything back, the way, it was...and no matter how good your backups are...any compromise can mean discovery, reporting, downtime, reinstall, patch, and test, and that can take a lot of time.
continued from above wrote: second, in order for someone to be able to "sniff" out a login to your board, they would have to be within a certain distance of the person who was logging in, and have the correct equipment and software to be able to do it and be monitoring that person all the time to be able to catch it.

if you need to protect against that type of possibility, then you probably should not be trying to use a normal web based open source type of software as phpbb.
While the security community has an old, tired, and oft-proven rule: Most compromises come from inside the system, the accessible distance of some public access points is thousands of feet, though these are reliable only within the low hundreds in ideal conditions. However, with a low-budget / low-power laptop and free software, I am able to capture login information from miles away, depending upon a number of factors that would be irresponsible to discuss here. My total investment is a laptop I got for free, a little time, the ability to type one word into my search, and grab a coffee.

I wholeheartedly agree with the second comment...but when we have so much energy invested in an existing system...and some kind of encrypted handshake during login would be "relatively" simple to implement, I'm still looking for a MOD...and if I don't find one, I'd rather spend the time writing it than spearhead a whole new set of hurdles for server admins, programmers, board members, moderators, and administrators...when all I really want is obfuscated passwords.

Cheers, folks.

(20+ years in IT, 10 in security)
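What "my login and password information in clear text" looks like from the sniffer's side, as an added example (not code from mobstergeek or from phpBB): a small parser that walks a captured plaintext HTTP stream, splits it into requests, and pulls out form credentials and session cookies. The capture bytes are constructed for the demo; the phpBB 3 field names (`username`, `password`, the `ucp.php?mode=login` target) and the cookie name `phpbb3_sid` are assumptions. Over SSL the same sniffer sees only TLS records, and none of this parsing is possible.

```python
"""Extract credentials and session cookies from a plaintext HTTP capture.

Added example, not from the thread. The TCP payload below is constructed to
look like a phpBB 3 login POST; the form field names, the request target and
the cookie name are assumptions made for the demo.
"""
from urllib.parse import parse_qs

# Constructed sample: two requests on one TCP stream, exactly as a passive
# sniffer would see them when the board is served over plain HTTP.
CAPTURE = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Cookie: phpbb3_sid=7f3a9c2e1d0b4a5f\r\n"
    b"\r\n"
    b"POST /ucp.php?mode=login HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 51\r\n"
    b"Cookie: phpbb3_sid=7f3a9c2e1d0b4a5f\r\n"
    b"\r\n"
    b"username=darkgod&password=S3cret%21pass&login=Login"
)

CREDENTIAL_FIELDS = {"username", "password"}  # assumed phpBB 3 login form names


def split_requests(stream: bytes):
    """Yield (request_line, headers, body) for each HTTP/1.1 request in the stream.

    Bodies are delimited by Content-Length only; chunked encoding is not
    handled, which is fine for browser-submitted login forms.
    """
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            return
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        yield lines[0], headers, stream[body_start:body_start + length]
        pos = body_start + length


def extract_secrets(stream: bytes) -> list:
    """Return, per request, the session cookies and any login credentials seen."""
    findings = []
    for request_line, headers, body in split_requests(stream):
        method, target, _ = request_line.split(" ", 2)
        found = {"target": target}
        cookie = headers.get("cookie")
        if cookie:
            found["cookies"] = dict(
                c.strip().split("=", 1) for c in cookie.split(";") if "=" in c
            )
        if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"
        ):
            form = parse_qs(body.decode("latin-1"))  # also undoes %21 -> "!"
            creds = {k: v[0] for k, v in form.items() if k in CREDENTIAL_FIELDS}
            if creds:
                found["credentials"] = creds
        findings.append(found)
    return findings


if __name__ == "__main__":
    for entry in extract_secrets(CAPTURE):
        print(entry)
```

Note that the session cookie is exposed on every request, not only on the login POST; that is the thread's later point about sniffing the session_id rather than the password.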
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Secure Login

Post by Techie-Micheal »

Which is what I've been trying to explain ... Hopefully when it comes from someone else, people will start to believe me. There is absolutely no reason to try and talk someone out of using SSL. That's absolutely ridiculous. Encrypting logins using a tried and true method such as SSL is a very good thing, if that's what people want to do.
suitlocal
Registered User
Posts: 95
Joined: Sat Mar 08, 2008 11:18 pm

Re: Secure Login

Post by suitlocal »

mobstergeek wrote:I wholeheartedly agree with the second comment...but when we have so much energy invested in an existing system...and some kind of encrypted handshake during login would be "relatively" simple to implement, I'm still looking for a MOD...and if I don't find one, I'd rather spend the time writing it than spearhead a whole new set of hurdles for server admins, programmers, board members, moderators, and administrators...when all I really want is obfuscated passwords.
I am not sure what you are asking for. Someone could reimplement SSL in JavaScript in theory, but then again you could always use HTTPS too. And if you are not proposing reimplementing SSL, I have to wonder whether what you are proposing would actually be secure. If you propose clients use SHA-1 hashes instead of passwords, there is nothing to stop an eavesdropper from doing the same thing.
ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith

Re: Secure Login

Post by ToonArmy »

Even using a challenge-response type handshake is not a foolproof solution; the HTML is still sent in clear text, and if you are a man in the middle you can manipulate the form to do what you want. So you can modify the client-side JS creating the response to include the raw password in some form so you can sniff it. If you want secure logins, use SSL to deliver the page and receive the data back.
Chris Smith | GitHub
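The two objections above, suitlocal's (a client-side hash can simply be replayed) and ToonArmy's (a challenge-response handshake is defeated by anyone who can rewrite the cleartext page), as one added simulation. This is not code from either poster or from phpBB: `login_static_hash`, `ChallengeServer`, `browser_submit` and `mitm_rewrite` are stand-ins for the server, the victim's browser and a man in the middle on the same network; the account and nonce format are constructed. Note also that the challenge-response server has to keep the password in a form it can HMAC with, which is its own cost.

```python
"""Why hashing the password in the browser is not a substitute for SSL.

Added example, not from the thread. Everything is simulated in-process: the
server, the browser's form handling and the man in the middle.
"""
import hashlib
import hmac
import re
import secrets

PASSWORD_DB = {"darkgod": "S3cret!pass"}   # constructed sample account


# --- Scheme 1: client sends sha1(password) instead of the password ----------
def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


def login_static_hash(username: str, submitted_hash: str) -> bool:
    """Server side: compare the submitted hash with sha1 of the stored password."""
    pw = PASSWORD_DB.get(username)
    return pw is not None and hmac.compare_digest(sha1_hex(pw), submitted_hash)


def replay_attack_static() -> bool:
    """Eavesdropper captures the hash once and resubmits it: the hash IS the password."""
    captured = sha1_hex("S3cret!pass")               # sniffed from the victim's POST
    return login_static_hash("darkgod", captured)    # True: attacker is logged in


# --- Scheme 2: challenge-response with a fresh single-use nonce ---------------
class ChallengeServer:
    def __init__(self):
        self.pending = {}   # username -> outstanding nonce

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def login(self, username: str, response: str) -> bool:
        nonce = self.pending.pop(username, None)   # single use: replay gets None
        pw = PASSWORD_DB.get(username)
        if nonce is None or pw is None:
            return False
        expected = hmac.new(pw.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def login_page(nonce: str) -> str:
    """HTML served over plain HTTP; the script is meant to post HMAC(password, nonce)."""
    return (
        '<form method="post" action="/ucp.php?mode=login">'
        '<input name="username"><input name="password" type="password">'
        f'<script>/* response = hmac_sha256(password, "{nonce}") */</script>'
        "</form>"
    )


def browser_submit(html: str, username: str, password: str) -> dict:
    """Simulated browser: runs the page's script if present, else posts the raw field."""
    m = re.search(r'hmac_sha256\(password, "([0-9a-f]+)"\)', html)
    if m:
        response = hmac.new(password.encode(), m.group(1).encode(), hashlib.sha256).hexdigest()
        return {"username": username, "response": response}
    return {"username": username, "password": password}


def mitm_rewrite(html: str) -> str:
    """Man in the middle on the cleartext page: strip the hashing script entirely."""
    return re.sub(r"<script>.*?</script>", "", html, flags=re.S)


def replay_attack_challenge(server: ChallengeServer) -> tuple:
    """(victim logs in, attacker replays the captured response) -> (True, False)."""
    nonce = server.challenge("darkgod")
    victim_post = browser_submit(login_page(nonce), "darkgod", "S3cret!pass")
    victim_ok = server.login("darkgod", victim_post["response"])
    server.challenge("darkgod")                       # attacker triggers a new nonce
    replay_ok = server.login("darkgod", victim_post["response"])
    return victim_ok, replay_ok


def mitm_attack_challenge(server: ChallengeServer) -> str:
    """MITM tampers with the page the victim receives; the browser posts the raw password."""
    nonce = server.challenge("darkgod")
    tampered = mitm_rewrite(login_page(nonce))
    victim_post = browser_submit(tampered, "darkgod", "S3cret!pass")
    return victim_post.get("password", "")            # "S3cret!pass", captured in the clear


if __name__ == "__main__":
    s = ChallengeServer()
    print("static hash replay accepted:", replay_attack_static())
    print("challenge-response (victim, replay):", replay_attack_challenge(s))
    print("MITM recovers password:", mitm_attack_challenge(s))
```

The nonce stops the replay but nothing in the scheme authenticates the page itself; SSL delivering the form is what removes the attacker's ability to rewrite it.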
thecoalman
Community Team Member
Posts: 5850
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Secure Login

Post by thecoalman »

I can think of at least one other reason why you'd want to do this. If for example you had a forum that had private areas and let's say these areas were discussing things of a sensitive nature or personal nature, you sure wouldn't want something like Phorm sniffing the data of the user or other users on your forum. This technology will piggy back on a user's login and be able to grab any page the user downloads if it's not encrypted.

AFAIK SSL is the only way to stop the intrusion of this technology.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: Secure Login

Post by Eelke »

suitlocal wrote:i am not sure what you are asking for.
This topic is about secure logins. Correct me if I'm wrong, but with phpBB, it is all or nothing; either you serve your entire board through HTTPS, or not. The latter, especially for large sites, often is overkill, unless you are indeed discussing state secrets (or something that to you is equally important). Encrypting takes computing power from the server, and you probably don't mind so much if the HTML for individual page requests is sniffed out, because all the attacker has is just that, the HTML for some topic, or maybe even an administrative page. Without a session, they can't do anything with it, all they have is the actual data they grabbed (we are assuming that the software is sufficiently protected against session hijacking).

However, if the HTTP exchange that is sniffed out happens to be a login exchange, the attacker now has a user's username and password, so they can log in as that user, giving them access to anything that user can do. If this user happens to be a user with administrative permissions... Well, let your imagination run free :) Obviously, logging in is only a small fraction of all the HTTP traffic from the site, but the data that is exchanged is crucial; it is the key to getting access to the site. That's why a popular compromise is to just encrypt the login process, because the extra overhead of encrypting those few HTTP exchanges that comprise logging in is massively outweighed by the need to protect the data that is exchanged.
TerraFrost
Former Team Member
Posts: 5957
Joined: Sun Dec 26, 2004 3:40 am
Location: Austin, TX

Re: Secure Login

Post by TerraFrost »

Eelke wrote:Without a session, they can't do anything with it, all they have is the actual data they grabbed (we are assuming that the software is sufficiently protected against session hijacking).
Protecting against session hijacking (aka CSRF) just means adding a nonce to each form. As such, an attacker can't make a webpage on another domain submit data blind to phpBB3 on your domain. An attacker doing packet sniffing, however, doesn't need to submit blind - they can just send an HTTP request with your session_id, get the nonces for a given form, and submit a non-blind HTTP request. If all an attacker can get you to do is to visit a webpage on their domain they cannot get your session_id and thus are limited to blind HTTP requests.
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: Secure Login

Post by Eelke »

TerraFrost wrote:Protecting against session hijacking (aka CSRF) just means adding a nonce to each form.
So you're saying all this checking against IP addresses and browser identification that phpBB3 does is useless? Anyway, correct me if I'm wrong, but I think the subject was encrypting the login procedure :)
TerraFrost
Former Team Member
Posts: 5957
Joined: Sun Dec 26, 2004 3:40 am
Location: Austin, TX

Re: Secure Login

Post by TerraFrost »

Eelke wrote:
TerraFrost wrote:Protecting against session hijacking (aka CSRF) just means adding a nonce to each form.
So you're saying all this checking against IP addresses and browser identification that phpBB3 does is useless?
If you're at a coffeehouse, as per mobstergeek's scenario, you and your attacker likely have the same IP address. Since the User-Agent can be spoofed, as well, neither really protect you in this situation.
Anyway, correct me if I'm wrong, but I think the subject was encrypting the login procedure :)
Looking at the first post, it looks like that is indeed the subject at hand. I do, however, think that you're just best off using SSL constantly. Sure, you're worse off if an attacker gets your username / password (that'd let an attacker change your password, do admin reauthentication if appropriate, and might even allow access to other sites if you used the same login info at those other sites), but that also doesn't mean that you ought not be concerned about an attacker on the same LAN as you getting your session_id and User-Agent (which they'd find out along with the session_id through packet sniffing).
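TerraFrost's scenario as an added simulation (not phpBB's code): a toy `Board` that, like phpBB 3 as described in this thread, binds each session to the client IP and User-Agent and puts a per-session token in every form. Three attackers are run against it: a cross-site page that can only submit blind, a sniffer at the same coffeehouse who has the session_id and User-Agent from the capture and shares the NAT address, and someone replaying the session_id from a different network. The addresses, names and token scheme are constructed for the demo.

```python
"""Sniffed session_id versus IP/User-Agent binding and per-form tokens.

Added example, not from the thread or from phpBB. `Board` is a toy model of a
forum that binds a session to (IP, User-Agent) and requires a per-session form
token on every POST. All values are constructed.
"""
import hashlib
import hmac
import secrets

VICTIM_IP = "203.0.113.7"               # coffeehouse NAT address, shared by all patrons
VICTIM_UA = "Mozilla/5.0 (constructed)"
OTHER_IP = "198.51.100.9"               # attacker on a different network


class Board:
    def __init__(self):
        self.sessions = {}                 # sid -> {"user", "ip", "ua"}
        self.posts = []
        self._key = secrets.token_bytes(32)

    def login(self, username: str, ip: str, user_agent: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": username, "ip": ip, "ua": user_agent}
        return sid

    def _session(self, sid: str, ip: str, user_agent: str):
        """phpBB-style check: the session is only valid from the same IP and UA."""
        s = self.sessions.get(sid)
        if s is None or s["ip"] != ip or s["ua"] != user_agent:
            return None
        return s

    def _form_token(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def get_post_form(self, sid: str, ip: str, user_agent: str):
        """GET the reply form; the HTML carries the anti-CSRF token."""
        if self._session(sid, ip, user_agent) is None:
            return None
        return {"form_token": self._form_token(sid)}

    def submit_post(self, sid: str, ip: str, user_agent: str, form_token: str, text: str) -> bool:
        s = self._session(sid, ip, user_agent)
        if s is None or not hmac.compare_digest(form_token, self._form_token(sid)):
            return False
        self.posts.append((s["user"], text))
        return True


def csrf_blind(board: Board, sid: str) -> bool:
    """Cross-site page: the victim's browser attaches the right cookie, IP and UA,
    but the attacker never sees the form, so the token has to be guessed."""
    guessed = "0" * 64
    return board.submit_post(sid, VICTIM_IP, VICTIM_UA, guessed, "pwned")   # False


def sniffing_attacker(board: Board, sid: str) -> bool:
    """Same LAN: sid and UA come from the capture, the NAT IP is shared, so the
    attacker can fetch the form non-blind and read the token out of it."""
    form = board.get_post_form(sid, VICTIM_IP, VICTIM_UA)
    if form is None:
        return False
    return board.submit_post(sid, VICTIM_IP, VICTIM_UA, form["form_token"], "pwned")  # True


def attacker_from_elsewhere(board: Board, sid: str) -> bool:
    """Different IP: here the binding does reject the stolen session_id."""
    return board.get_post_form(sid, OTHER_IP, VICTIM_UA) is None   # True


def demo() -> dict:
    board = Board()
    sid = board.login("darkgod", VICTIM_IP, VICTIM_UA)
    return {
        "csrf_blind": csrf_blind(board, sid),
        "sniffer_same_lan": sniffing_attacker(board, sid),
        "rejected_from_other_ip": attacker_from_elsewhere(board, sid),
        "posts": list(board.posts),
    }


if __name__ == "__main__":
    print(demo())
```

The form token does its job against the blind cross-site request; the IP and User-Agent checks only help against an attacker who is not where the victim is, which is exactly the attacker the coffeehouse sniffer isn't. Encrypting the whole session, not just the login, is what keeps the session_id off the wire.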
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: Secure Login

Post by Eelke »

That's definitely a fair aside. I don't think it makes the call for a secured login any less valid, though.
digitaltoast
Registered User
Posts: 105
Joined: Thu Oct 18, 2007 9:33 am

Re: Secure Login

Post by digitaltoast »

Lumpy Burgertushie wrote:you will not gain anything by doing this .
stevemaury wrote:Do a search on this board to see how many people have had passwords intercepted. Or don't, because there are none. :)
stevemaury wrote:It's just really not worth the trouble.
stevemaury wrote:Because it is a job to set it up, it slows things down, and it has no real security advantages.
Lumpy Burgertushie wrote:I think maybe you are a bit paranoid or just don't understand how this stuff works very well.
I came here to ask the same question and found this thread. In addition to the points in this post by mobstergeek, I have to ask: If it's as complete and utter a waste of time as people with "Support Team Member", by their name, or users with 51,500 posts claim, the obvious question is..
Why is it on for THIS board then?
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Secure Login

Post by Techie-Micheal »

digitaltoast wrote:
Lumpy Burgertushie wrote:you will not gain anything by doing this .
stevemaury wrote:Do a search on this board to see how many people have had passwords intercepted. Or don't, because there are none. :)
stevemaury wrote:It's just really not worth the trouble.
stevemaury wrote:Because it is a job to set it up, it slows things down, and it has no real security advantages.
Lumpy Burgertushie wrote:I think maybe you are a bit paranoid or just don't understand how this stuff works very well.
I came here to ask the same question and found this thread. In addition to the points in this post by mobstergeek, I have to ask: If it's as complete and utter a waste of time as people with "Support Team Member", by their name, or users with 51,500 posts claim, the obvious question is..
Why is it on for THIS board then?
An old topic, but yes. :)

As mobstergeek and I both stated, SSL is the way to go. Feel free to let us know if you have any questions about setting it up.