Thread: Your CC is safe

  1. #1
    Immortal Executioner & Hero
    2015 DDO Players Council
    CavernDragon
    Join Date
    Sep 2006
    Location
    Darkest part of your mind
    Posts
    539

    Your CC is safe

    You can't stay logged in long enough to do any hacking? I use my iPad all day to read up on the forums and every time I want to read some new posts I have to log back in. Unlike the old forums, where I stayed logged in forever unless I rebooted.

    Have to say guys, you have a lot of work to do right now. And also the forums load wayyyyy too slow; how can I sit and drink my McCafe on McD's wifi and get any reading done about all the new bugs..

    Site grade. D-
    >>>>>>> NobleFist Guild <<<<<<<
    DeepCutter ~ MidnightRed ~ Cardeeo ~ Dalmore ~ TracyDragon ~ Aftershock ~ MakersMark ~Imortalwrath
    Beta player & Leader of a Founders Guild 9yrs and going

  2. #2
    2014 DDO Players Council
    Flavilandile
    Join Date
    Aug 2010
    Location
    France
    Posts
    3,794

    Actually not.. as you have to resend your login information every few minutes, anybody with Wireshark can grab it along the way... it's not as if HTTPS was secure.

    Now it's just like the rest of that forum upgrade: unfinished, unwanted, sloppy and badly implemented work; a Computer Science student could do better in less time for a student union website forum.
    On G-Land : Flavilandile, Blacklock, Yaelle, Millishande, Larilandile, Gildalinde, Tenalafel, and many other...

  3. #3
    Community Member
    Charononus
    Join Date
    Jun 2010
    Posts
    5,345

    Quote Originally Posted by Flavilandile View Post
    Actually not.. as you have to resend your login information every few minutes, anybody with Wireshark can grab it along the way... it's not as if HTTPS was secure.

    Now it's just like the rest of that forum upgrade: unfinished, unwanted, sloppy and badly implemented work; a Computer Science student could do better in less time for a student union website forum.
    The CS students I knew back in college would be embarrassed if they had worked on this.

  4. #4
    Community Member
    Join Date
    Apr 2013
    Posts
    10

    Quote Originally Posted by Flavilandile View Post
    Actually not.. as you have to resend your login information every few minutes, anybody with Wireshark can grab it along the way... it's not as if HTTPS was secure.

    Now it's just like the rest of that forum upgrade: unfinished, unwanted, sloppy and badly implemented work; a Computer Science student could do better in less time for a student union website forum.
    Yeeeah, even if this didn't happen though, you could hijack the session and change the password. So really, logging in more often isn't any more or less secure than never logging in, logging in once an hour, or every few minutes, for the security of THIS site. You don't need their creds if you can simply hijack the session, change their password and steal the account that way.

    _however_, sessions that expire, which cause users to log in more often, could aid the attacker in compromising other accounts besides this forum, IF the user is on a public network, since:
    a. a large portion of people use the same password everywhere on all their internet apps (VERY BAD PEOPLE)
    b. once you have compromised their DDO account you can get their email account, which is very often the login ID for many applications (ALSO VERY BAD!!!)
    c. logging in every few minutes makes it easier to sniff their password to use on the other accounts. THAT is the real added danger with sessions that expire every few minutes.

    That being said, Wireshark is only useful if you are on the _same network_. You can't Wireshark people's sessions if they are sitting at home.

    Logging into anything on a public network of any type is really really really REALLY bad. So really your post applies to a very small number of users. HTTPS is plenty secure if you are on a private network, assuming Turbine has adequate physical security and practices defense in depth, and your own network is secure (BIG FAT IF)
    ~Sarlona~
    =S= Roving Guns =S=
    ~ Filene Nukeyalur Sollega Candio ~

  5. #5
    2014 DDO Players Council
    Flavilandile
    Join Date
    Aug 2010
    Location
    France
    Posts
    3,794

    Quote Originally Posted by LordOfBlades View Post
    Logging into anything on a public network of any type is really really really REALLY bad. So really your post applies to a very small number of users. HTTPS is plenty secure if you are on a private network, assuming Turbine has adequate physical security and practices defense in depth, and your own network is secure (BIG FAT IF)
    Consider how many people know how to harden a Wifi connection.
    Now consider how many people have full control over their triple play box at home (or even a hint of knowledge about how it works).
    Now consider how many people can do the first on the second...
    Last, consider how many people are using wifi instead of wire, because it avoids running a 20m cable between the box and the PC...

    Sniffing Wifi is easy, you can do it from the street, or even from the next street... so you won't even be seen.
    Sniffing Wifi, with run-of-the-mill configurations (basic out-of-the-factory stuff, the way 99% of the boxes are set up)
    is really easy.
    Getting rid of the HTTPS encryption on top of that doesn't take long...

    Wifi is insecure as hell, the constant relogging makes it even more insecure.

    Personally I don't care, I have wires...
    The only wifi connected computer at home uses a VPN to talk to work servers...
    (yes, I have a 15m long cable running through the living room to the office for the Ultra 45 Sparc Workstation, but it wouldn't have worked on wifi anyway, so cable was mandatory)
    On G-Land : Flavilandile, Blacklock, Yaelle, Millishande, Larilandile, Gildalinde, Tenalafel, and many other...

  6. #6
    Immortal Executioner & Hero
    2015 DDO Players Council
    CavernDragon
    Join Date
    Sep 2006
    Location
    Darkest part of your mind
    Posts
    539

    Wow, makes me feel good and safe.. NOT.. removing CC from server after done posting..
    >>>>>>> NobleFist Guild <<<<<<<
    DeepCutter ~ MidnightRed ~ Cardeeo ~ Dalmore ~ TracyDragon ~ Aftershock ~ MakersMark ~Imortalwrath
    Beta player & Leader of a Founders Guild 9yrs and going

  7. #7

    Quote Originally Posted by Flavilandile View Post
    Actually not.. as you have to resend your login information every few minutes, anybody with Wireshark can grab it along the way... it's not as if HTTPS was secure.

    Now it's just like the rest of that forum upgrade: unfinished, unwanted, sloppy and badly implemented work; a Computer Science student could do better in less time for a student union website forum.
    ^^^^^

  8. #8
    Community Member
    Join Date
    Apr 2013
    Posts
    10

    Quote Originally Posted by Flavilandile View Post
    Consider how many people know how to harden a Wifi connection.
    Now consider how many people have full control over their triple play box at home (or even a hint of knowledge about how it works).
    Now consider how many people can do the first on the second...
    Last, consider how many people are using wifi instead of wire, because it avoids running a 20m cable between the box and the PC...

    Sniffing Wifi is easy, you can do it from the street, or even from the next street... so you won't even be seen.
    Sniffing Wifi, with run-of-the-mill configurations (basic out-of-the-factory stuff, the way 99% of the boxes are set up)
    is really easy.
    Getting rid of the HTTPS encryption on top of that doesn't take long...

    Wifi is insecure as hell, the constant relogging makes it even more insecure.

    Personally I don't care, I have wires...
    The only wifi connected computer at home uses a VPN to talk to work servers...
    (yes, I have a 15m long cable running through the living room to the office for the Ultra 45 Sparc Workstation, but it wouldn't have worked on wifi anyway, so cable was mandatory)
    Incorrect. I'm not going to argue with you, but I will drop a couple of nuggets of wisdom for you.

    I write my own, and ethically hack other people's applications for a living and I know all about WPA2-PSK security. I am a software engineer myself. How secure your WPA2-PSK connection is is directly related to how long and random your key is and whether or not WPS is turned on or off.

    If I have a sniffer running in your network path or on your wireless segment, all I need to do to hack your forum account is have you request a page while logged in. I don't even need your UID/PW to own your account.

    Look up session hijacking, specifically session fixation and, in the case of wireless, session sidejacking on Google to understand what I'm talking about.

    Your session timeout has no effect on security unless I have physical access to your machine, or I am brute forcing session IDs. In that case a longer session makes it _less_ secure.

    If I'm in a position to sniff your password, there are easier ways than sniffing your password and session timeout has absolutely no effect on my chances of success.

    It only takes one request from your computer for me to jump right into your session, change your password, and log out, invalidating your session. It would kick you out of the forum.
    Last edited by LordOfBlades; 05-01-2013 at 09:33 PM.
    ~Sarlona~
    =S= Roving Guns =S=
    ~ Filene Nukeyalur Sollega Candio ~
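
The posts above argue over session timeouts while the real risks they name are session fixation, sidejacking of the cookie, and a hijacked session being enough to change the password. The following is an added example (not code from the DDO forum software or from any poster) showing, from the server side, the controls that actually address those points: a high-entropy session id (so brute forcing is hopeless at any timeout), rotation of the id on login (so a pre-planted id is never promoted, defeating fixation), Secure/HttpOnly cookie attributes (so the id is never sent over plain HTTP or exposed to script), an idle timeout, and re-authentication plus revocation of other sessions on password change (so a hijacked session alone cannot take over the account). All class and function names, the 30-minute timeout, and the user "alice" are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical settings for this example (not the forum's real configuration).
SESSION_ID_BYTES = 32          # 256 bits of entropy: guessing ids is infeasible at any timeout
IDLE_TIMEOUT_SECONDS = 30 * 60


def cookie_header(sid):
    """Set-Cookie value that keeps the id off plain HTTP and out of reach of script."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Minimal server-side session store, constructed for this example."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session id -> {"user": str | None, "last_seen": float}
        self._users = {}      # username -> (salt, password hash)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def _password_ok(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def new_anonymous(self):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid, user, password):
        """Rotate the id on authentication: any id that existed before login
        (including one planted by a third party, i.e. session fixation) is retired."""
        if not self._password_ok(user, password):
            return None
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def current_user(self, sid):
        """Resolve a presented id, enforcing the idle timeout."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def change_password(self, sid, current_password, new_password):
        """Require the current password (a session alone is not enough) and
        revoke every other session of that user once the change succeeds."""
        user = self.current_user(sid)
        if user is None or not self._password_ok(user, current_password):
            return False
        self.register(user, new_password)
        for other in [k for k, v in self._sessions.items() if v["user"] == user and k != sid]:
            del self._sessions[other]
        return True


class FakeClock:
    """Controllable clock so the idle timeout can be exercised deterministically."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Walk through the controls on constructed data and report which ones held."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    store.register("alice", "correct horse")

    planted = store.new_anonymous()                      # id known to someone else before login
    sid = store.login(planted, "alice", "correct horse")
    fixation_blocked = store.current_user(planted) is None and sid != planted

    hijack_blocked = store.change_password(sid, "wrong guess", "pwned") is False

    other = store.login(store.new_anonymous(), "alice", "correct horse")
    changed = store.change_password(sid, "correct horse", "new passphrase")
    other_revoked = store.current_user(other) is None

    clock.now += IDLE_TIMEOUT_SECONDS + 1
    timed_out = store.current_user(sid) is None

    hdr = cookie_header(sid)
    return {
        "fixation_blocked": fixation_blocked,
        "hijack_blocked": hijack_blocked,
        "changed": changed,
        "other_revoked": other_revoked,
        "timed_out": timed_out,
        "cookie_flags": "Secure" in hdr and "HttpOnly" in hdr,
    }


if __name__ == "__main__":
    print(demo())
```

The timeout is the least important control here: it bounds how long a stolen id stays usable, but nothing in it stops the id from being stolen in the first place. That is what the cookie attributes and TLS on every request do, and the re-authentication check on password change is what keeps a single hijacked request from becoming a full account takeover.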
