No HTTPS on TBN?

/ No HTTPS on TBN? #1  

vvanders

What's with the lack of HTTPS on TBN these days? Not cool to be sending passwords and session IDs in the clear. Plenty of great options out there like Let's Encrypt - Free SSL/TLS Certificates.

Heck if it's a cost thing I'd happily pitch in for an SSL cert.
 
/ No HTTPS on TBN? #2  
The passwords are encrypted...even if someone was able to hack or exploit the database the passwords would not be compromised...Even the site owner/administrator cannot see actual passwords...just the encrypted hash...
 
/ No HTTPS on TBN? #3  
In the auth protocol that TBN uses passwords are sent across the network hashed using the MD5 algorithm. That algorithm is deprecated because it's too easy to brute force. Session IDs, cookies, etc do not even have that very trivial protection. Those are what's used for authentication on TBN most of the time (when you click "remember me" on login). You should never use the same password for a site with weak security like TBN as you use for any account that you value. Really you should not re-use the same passwords for any site. Your TBN password should be a good random password, which means you'll need a password manager to remember it for you. There's free ones. TBN should use https (all sites should) but as I follow those security practices and I assume the world will see everything I post here, I'm not too exercised about them not using it.

(A hash is not encryption, though it's a cryptographic algorithm. It's a one-way function: it's not feasible to calculate the input to the hash when you only know the output. The problem with MD5 is that on modern computers it is so fast that it is feasible to hash a dictionary of likely input values, such as passwords, until you find an output that matches. This is called a "brute force" attack. There's a number of programs out there that have optimized hash routines specifically for doing brute force attacks on password hashes and can check hundreds of thousands per second on a reasonably fast CPU... much more on a commonly available GPU. Sorry for the nerdsplain but cryptography is what I do).
 
/ No HTTPS on TBN? #4  
A point that I didn't make in the last post- since the traffic between your computer and TBN is not encrypted, an attacker who can view the traffic can see the MD5 of your password. They don't even need to brute force the password to use it- they can just send the hash and they're logged into your TBN account. The same is true with the session Id and auth cookie. They can be replayed to gain access to the account.
 
/ No HTTPS on TBN? #5  
A point that I didn't make in the last post- since the traffic between your computer and TBN is not encrypted, an attacker who can view the traffic can see the MD5 of your password. They don't even need to brute force the password to use it- they can just send the hash and they're logged into your TBN account. The same is true with the session Id and auth cookie. They can be replayed to gain access to the account.

In my experience with MYSQL and VB software etc...submitting a password hash rather than the actual language pw...access will be denied...
 
/ No HTTPS on TBN? #7  
A TBN account would not be a highly desirable hacker target IMO.

The biggest draw would be the popularity of the forum and the attraction of the challenge...
You are right that there is really nothing here that would be of interest to a *professional*...(* used in a criminal sense)

Script kiddies that are just out trying to run sql injection and URI manipulator scripts etc., etc...are a different story...

FWIW VB is always improving its database security...These days most sites that use session cookies also employ scripts that recognize "brute force" assaults...
 
/ No HTTPS on TBN? #8  
A TBN account would not be a highly desirable hacker target IMO.

Someone gaining access to your TBN account may not be a big deal. The issue is if a hacker can get an ID and password, it's easy to try that same ID and PW at other sites. If you happen to have the same ID/PW at a shopping site like Amazon, or your bank, you could be compromised pretty quickly.
 
/ No HTTPS on TBN? #9  
Someone gaining access to your TBN account may not be a big deal. The issue is if a hacker can get an ID and password, it's easy to try that same ID and PW at other sites. If you happen to have the same ID/PW at a shopping site like Amazon, or your bank, you could be compromised pretty quickly.

That's what the prior posts are about...Even if someone could see the creds being passed they can't see anyone's actual password...all they could possibly see is the hash...
 
/ No HTTPS on TBN? #10  
The MD5 hash can readily be attacked as I explained above. My laptop can do about 2 million MD5s/second. That'll find a lot of passwords. Especially since most people use weak passwords based on words.

At 2 million/sec it would take about 8 hours to check all possible combinations of letters and numbers for a six character password. (on average you'd find the password in half that time). A full search is not needed as most passwords are not random strings of letters and numbers, but are based on words. Password guessers use dictionaries and modification rules to construct likely passwords to try. Such as try the word, then the word with 'l's replaced with '1's, then try with a 1 appended, etc. All based on studies of actual passwords. That greatly narrows and speeds the search. A full brute force search is only needed for truly random passwords.
 
/ No HTTPS on TBN? #11  
...and, as ericm979 pointed out, the hash that is used isn't that hard to brute force to get the original password. Encrypting all traffic with a stronger algorithm is much more secure than just hashing a password.
 
/ No HTTPS on TBN?
  • Thread Starter
#13  
Glad to see this kicked off a lively conversation, hopefully I can help clear up a couple things.

First off, 3rd party ads are possible with TLS. If you visit the TBN store you'll see that it's a mixed security site with that exact setup. It's not totally ideal since it does allow another party to inject an arbitrary payload if they wanted. That said even in a mixed page, your session id and password would be secure over TLS.

As for MD5 hashes, those haven't been secure since '99 or so. There's a lovely little thing called Rainbow Tables which make them trivial to reverse. They also aren't encrypted, they're hashed, which is something that has different goals than encryption (they're meant to speed up comparison operations and be *fast* rather than secure). Heck, even SHA1 is getting deprecated these days in favor of other algorithms. Something like BCrypt or elliptical curve encryption is a better solution here. The problem is that you'll need to share an initial key (which gets sent in the clear) and then you're back to square one. Really the only secure solution here is a public key based cryptography, which is basically what TLS/HTTPS gives you.

Another problem is that the session key is sent in the clear (usually via a cookie) which means that as soon as someone knows that number/id they can log in as you on TBN and do anything you could do.

Even if you're not worried about leaking the PW you use with TBN or session id, sending everything in the clear means that your ISP/peering provider is free to scrape any data you send or read, associate it with your IP and then sell that information to anyone who wants to buy it.

Anyway, happy to cover anything in more depth above that isn't clear. I think TBN is an awesome community and would like to see it thrive in the modern web rather than drive away more security-conscious people who would bounce off of an HTTP-based registration/login.
 
/ No HTTPS on TBN? #14  
A point that I didn't make in the last post- since the traffic between your computer and TBN is not encrypted, an attacker who can view the traffic can see the MD5 of your password. They don't even need to brute force the password to use it- they can just send the hash and they're logged into your TBN account. The same is true with the session Id and auth cookie. They can be replayed to gain access to the account.

This is what inspired my reply...it is incorrect...

The entire scenario that is the gist of a secure interface i.e., the OP is a very long stretch at best...

...Unless a site's entire database of user creds are compromised...there is little or no value in individual cred sets and either a manual or scripted application to run string breaking software on individual password hashes for a forum site like TBN is ludicrous...

For the above scenario to occur it would mean that an individual user is being "hacked"...and I really don't think their TBN creds would be a score...!...Now if the entire database of TBN user creds were compromised it might be of a little more concern and the user base should be notified of a breach...

IMO, if someone wanted to serve their fellow TBN user in regard to the topic...they would recommend using unique ID and passwords ("credentials/creds") for all registrations...
 
/ No HTTPS on TBN? #15  
Most likely all forums are the same way, what can be gained by hacking into TBN, there's no Russian collusion, no CC numbers, no SS numbers, I suppose someone could hack in and offer a brand new tractor, all's you have to do is send a $1000.00 for processing fee and you'll receive a spanking brand new tractor with a 50 year warranty...........
 
/ No HTTPS on TBN?
  • Thread Starter
#16  
This is what inspired my reply...it is incorrect...

Nope, very much a real thing called a Replay Attack (Replay attack - Wikipedia), which is why you usually use a pseudo-random sequence id to salt anything that's sent to the server. Like I mentioned earlier though, Rainbow Tables make any MD5 trivial to reverse.

The entire scenario that is the gist of a secure interface i.e., the OP is a very long stretch at best...

...Unless a site's entire database of user creds are compromised...there is little or no value in individual cred sets and either a manual or scripted application to run string breaking software on individual password hashes for a forum site like TBN is ludicrous...

For the above scenario to occur it would mean that an individual user is being "hacked"...and I really don't think their TBN creds would be a score...!...Now if the entire database of TBN user creds were compromised it might be of a little more concern and the user base should be notified of a breach...

IMO, if someone wanted to serve their fellow TBN user in regard to the topic...they would recommend using unique ID and passwords ("credentials/creds") for all registrations...

If anyone uses the same password on another site (or heaven forbid their Google account) that would be a score.

Another common thing is to serve malware ads, which if you don't have a certificate chain from TLS is a very real and possible thing, see Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency | Ars Technica for a more sophisticated version of this that happened earlier this week.
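
An added example, not part of any post in this thread and not TBN's or vBulletin's code: a small model of the login designs argued over above, showing which values are accepted by the server and what a per-login nonce changes. The scheme (browser sends md5(password), server stores an MD5 of that value plus a salt), the class names and the sample password are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

class StaticHashLogin:
    """Assumed design: browser sends md5(password); server keeps md5(wire + salt)."""
    def __init__(self):
        self.db = {}
    def register(self, user, password):
        salt = secrets.token_hex(4)
        self.db[user] = (salt, md5_hex(md5_hex(password) + salt))
    def login(self, user, wire_value):
        salt, stored = self.db[user]
        return hmac.compare_digest(md5_hex(wire_value + salt), stored)

def respond(password, nonce):
    # Client side: HMAC keyed with md5(password) over the server's nonce.
    return hmac.new(md5_hex(password).encode(), nonce.encode(), hashlib.sha256).hexdigest()

class NonceLogin:
    """Hypothetical fix for replay only: each login answers a fresh one-time nonce."""
    def __init__(self):
        self.keys, self.pending = {}, {}
    def register(self, user, password):
        self.keys[user] = md5_hex(password)  # still a fast hash, guessable offline
    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]
    def login(self, user, response):
        nonce = self.pending.pop(user, None)  # each nonce is accepted once
        if nonce is None:
            return False
        good = hmac.new(self.keys[user].encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(good, response)

def demo():
    pw = "constructed-sample-password"  # constructed sample value
    static, nonce_srv = StaticHashLogin(), NonceLogin()
    static.register("alice", pw)
    nonce_srv.register("alice", pw)
    on_wire = md5_hex(pw)               # the value plain HTTP exposes at login
    db_hash = static.db["alice"][1]     # the value that sits in the database
    first = respond(pw, nonce_srv.challenge("alice"))
    results = {"replay_wire_hash": static.login("alice", on_wire),
               "submit_db_hash": static.login("alice", db_hash),
               "nonce_login": nonce_srv.login("alice", first)}
    nonce_srv.challenge("alice")        # a new nonce is issued for the next attempt
    results["replay_old_response"] = nonce_srv.login("alice", first)
    return results
```

In this model the database hash and the on-the-wire hash are different values, so the two give different results when submitted. The nonce only covers the login message; a session cookie sent afterwards over plain HTTP is still a static value.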
 
/ No HTTPS on TBN?
  • Thread Starter
#17  
Most likely all forums are the same way, what can be gained by hacking into TBN, there's no Russian collusion, no CC numbers, no SS numbers, I suppose someone could hack in and offer a brand new tractor, all's you have to do is send a $1000.00 for processing fee and you'll receive a spanking brand new tractor with a 50 year warranty...........

Worst case? Zero-day exploit gets delivered via man-in-the-middle attack that installs a keylogger on your machine that gets them into anything else you interact with online.

TLS uses a certificate chain to make sure that anything sent to you is actually sent by TBN and not another actor.

Is it likely? Probably not, most likely thing is your ISP/peering selling your browsing history so that when you hit the Kubota forums they can mail you a flyer next week about how you should buy a Kubota.

The nice thing about TLS/HTTPS is it stops all of this. With Let's Encrypt, certs are basically free, and if you don't want to go with them there's a bunch of other CAs that offer reasonably priced certs.
 
/ No HTTPS on TBN? #18  
Nope, very much a real thing called a Replay Attack(Replay attack - Wikipedia) ...

Nope...ask the admin to privately send you the actual hash for your PW from the database...then try to log on using it in place of your actual PW...it simply won't work..

Like I said, the average script kiddie is about the only type that is going to be running that type of script

It's one thing to read about possibilities but it's an entirely different story actually executing them

Again...if a site's database is compromised...the user base would be notified...DATABASES ARE NOT PROTECTED BY USER INTERFACE PROTOCOLS...so about the only way a TBN user is going to be hacked is they are already being targeted by someone that can access their network...
 
/ No HTTPS on TBN? #20  
Most likely all forums are the same way, what can be gained by hacking into TBN, there's no Russian collusion, no CC numbers, no SS numbers, I suppose someone could hack in and offer a brand new tractor, all's you have to do is send a $1000.00 for processing fee and you'll receive a spanking brand new tractor with a 50 year warranty...........

Ooooh! Ooooh!!! Tell me more and can I pay with 10x US$100 iTune gift cards???

(I suppose the tractor is one of those "Kabuto" or "Jon Deare" models)
 
