FAQ FAQ  Forum Search   Events   Register Register  Login Login

!Website Not Secure - reassurance

Page  12>
Author
bonneville View Drop Down
Senior Member
Senior Member

Joined: 19 May 2007
Country: United Kingdom
Location: Rutland
Status: Offline
Posts: 1408
Post Options Post Options   Quote bonneville Quote  Post ReplyReply Direct Link To This Post Topic: !Website Not Secure - reassurance
    Posted: 21 November 2018 at 11:52
I have a question:

Whenever I now log on to Dyxum on my iMac desktop I get a warning in red in the address bar. It is an exclamation mark in a circle and "Website Not Secure". Now I have been a happy member of the Dyxum community for over ten years and can honestly say it has never been the cause of any issue on iMac, MacBook or ipad.

Has something changed recently to trigger this or am I right in assuming that the message simply indicates that the site content is not encrypted , or is there more I should think about?

Thanks
 



Back to Top
Bob J View Drop Down
Admin Group
Admin Group
Dyxum Administrator

Joined: 23 December 2005
Country: United Kingdom
Location: London
Status: Offline
Posts: 24921
Post Options Post Options   Quote Bob J Quote  Post ReplyReply Direct Link To This Post Posted: 21 November 2018 at 11:57
I think chrome highlights where you don't have a https option for a website - I don't think it is a big issue if you are not conducting financial transactions..
Back to Top
bonneville View Drop Down
Senior Member
Senior Member

Joined: 19 May 2007
Country: United Kingdom
Location: Rutland
Status: Offline
Posts: 1408
Post Options Post Options   Quote bonneville Quote  Post ReplyReply Direct Link To This Post Posted: 21 November 2018 at 12:01
Originally posted by Bob J Bob J wrote:

I think chrome highlights where you don't have a https option for a website - I don't think it is a big issue if you are not conducting financial transactions..

Thanks Bob. I thought it wouldn't be sinister. After all, how can the best moderated forum on the 'net be a problem
Back to Top
sdblanchet View Drop Down
Senior Member
Senior Member

Joined: 26 November 2005
Country: Canada
Location: Montreal
Status: Offline
Posts: 249
Post Options Post Options   Quote sdblanchet Quote  Post ReplyReply Direct Link To This Post Posted: 21 November 2018 at 12:31
Just to add some

I have been told (unofficially) that the web is going encrypted (https-SSL) in the near future and pre-emptively the browsers are starting to state the websites that are not encrypted (https).

It is nowhere dangerous unless you go to websites that are not recommended.

The https version of the web will protect you against "the man in the middle" attack because of the encryption that will take place between your browser and the website you're visiting. It also "certifizes" the authenticity of the website.

Adding encryption to a website entails getting an authencitity certificate that validate ownership and status of the website using it. But it also add another cost to owning a website because those certificate are not free. Ball park figures are about 300$ to 1000$ per year per certificate.

And if your site is using a redirection like dyndns you cannot get those certificates because your ip address is not static and you don`t own the domain name.

www.sdbl.webhop.net, my site, is as such a redirection from dyndns. I don't own the domain name (webhop.net) and I don`t have a fix (static ip) address.

Either I will have to correct the situation ($$$) or simply close the site !!!





A99ii,A77,A700,7D,28/50/SAL1650/24-105D/28-75D/70-210/SAL70200G/SAL20TC/Tamron 150-600G2... Gs :-))) sdbl.webhop.net
Back to Top
sybersitizen View Drop Down
Senior Member
Senior Member

Joined: 04 August 2006
Country: United States
Location: California
Status: Offline
Posts: 14126
Post Options Post Options   Quote sybersitizen Quote  Post ReplyReply Direct Link To This Post Posted: 21 November 2018 at 16:43
Originally posted by bonneville bonneville wrote:

... am I right in assuming that the message simply indicates that the site content is not encrypted , or is there more I should think about?

There is more to think about.

I have strong evidence that one of my dyxum sessions was 'tapped' while I was on a public wireless network a few months ago. The timing suggests that it happened wile I was traveling in the UK, but the same thing could happen anywhere.

When I got home there was a message (in my dyxum-specified email account) saying that my password (my dyxum password, which the emailer included in the message) had been hacked. The emailer claimed to have also planted a keylogger on my computer, taking control of it, and recording my web transactions while also enabling my webcam. (I knew none of that was true.) The goal was blackmail. The emailer wanted payment into a Bitcoin account.

I then discovered that I was unable to login to my dyxum account. The password had been changed without my knowledge. I had to contact an admin here to arrange to reset it. No other account anywhere was affected.

Since then I've received a few more nearly identical blackmail messages, and my email account is being heavily spammed. Obviously the hacked info has been disseminated among various entities.

This might have been avoided if dyxum used encryption.
Back to Top
MiPr View Drop Down
Admin Group
Admin Group
Mikre Dyxum Administrator

Joined: 25 August 2006
Country: Poland
Location: Wroclaw
Status: Offline
Posts: 21051
Post Options Post Options   Quote MiPr Quote  Post ReplyReply Direct Link To This Post Posted: 21 November 2018 at 17:23
I'm discussing this with kikop. I hope we will move to HTTPS soon.
I'm noise-blind. And noise-about-noise-deaf too ... |   BTW, Dyxum Weekly Exhibitions don't grow on trees ...
 



Back to Top
horizon View Drop Down
Senior Member
Senior Member

Joined: 11 September 2010
Country: Australia
Location: Coral Coast Qld
Status: Offline
Posts: 973
Post Options Post Options   Quote horizon Quote  Post ReplyReply Direct Link To This Post Posted: 22 November 2018 at 06:18
I get the same warning on many websites using chrome on my Android Phone. In fact there are times that chrome wont even allow to tell it in advanced settings to just ignore the warning and just to go to the website anyway.

Most of the time its a website that is just one of the Australian Hardware supplies, where you cant purchase online anyway or login.


Please dont edit my photo's
Wildlife Horizons
Back to Top
Miranda F View Drop Down
Senior Member
Senior Member

Joined: 11 January 2014
Country: United Kingdom
Location: Bristol
Status: Offline
Posts: 3207
Post Options Post Options   Quote Miranda F Quote  Post ReplyReply Direct Link To This Post Posted: 22 November 2018 at 11:03
Originally posted by sybersitizen sybersitizen wrote:


I then discovered that I was unable to login to my dyxum account. The password had been changed without my knowledge. I had to contact an admin here to arrange to reset it. No other account anywhere was affected.


Oh, worth knowing about. Thanks for sharing that. I have been quite uneasy about using public wi-fi networks for a while now, but since I have a cheap and plentiful supply of 4G data on my phone I never need to use them.
Miranda F & Sensorex, Sony A58, 5d, Dynax 4, 5, 60, 500si/600si/700si/800si, various Sony & Minolta lenses, several Tamrons, lots of MF primes and *far* too many old film cameras . . .
Back to Top
sybersitizen View Drop Down
Senior Member
Senior Member

Joined: 04 August 2006
Country: United States
Location: California
Status: Offline
Posts: 14126
Post Options Post Options   Quote sybersitizen Quote  Post ReplyReply Direct Link To This Post Posted: 19 December 2018 at 22:04
Originally posted by MiPr MiPr wrote:

I'm discussing this with kiklop. I hope we will move to HTTPS soon.

And ... anything?

If that doesn't happen, at least an answer to a question will help:

If I'm already logged in here on a particular computer so I don't have to type my username and password, what exactly is being passed to the dyxum server when I connect - presumably from a cookie on my computer? Username? Password? A coded text string that the dyxum server decodes as my username and password?
Back to Top
amrep View Drop Down
Senior Member
Senior Member

Joined: 02 February 2015
Country: Norway
Status: Offline
Posts: 228
Post Options Post Options   Quote amrep Quote  Post ReplyReply Direct Link To This Post Posted: 22 December 2018 at 15:53
Since you have your own site I assume you have some basic knowledge about http and https.

When you log into sites (like dyxum) your browser sends a request header (specifying it's a POST-type request, listing what browser you are using and more) and a body containing parameter-value pairs like username=SomeName&password=somepassw

Since dyxum.com uses http (not https) this string is sent as "plain text" (unencrypted). On an open public network it may be easy to grab by eavesdropping if a hacker have some tools.

If you look at the code for the login page you will see there is a tiny bit of trickery going on using some unique strings (changing vale for every login) as field names like
input type="text" name="MemberNamexyz14chrstring"
input type="password" name="AB345678901STRINGLENGSTIS41CHR12345678901"
So the the dyxym parameter-value string will be on the format
MemberNamexyz14chrstring=SomeName&AB345678901STRINGLENGSTIS41CHR12345678901=somepassw

I don't think this is a real security measure, just a small distraction for a hacker.

If you install a tool like Firebug in your browser you will probably be able so see this in full details.

When you successfully log in the server responds by putting a cookie (small plain text file) on your computer that includes a session id. This id is now included in every request header your browser sends back until you log out. You may think of the session id as a temporary substitute for both username and password.

Cookies are not revealed tho third-party sites. You can easily find and read contents og cookies in your browser. https://www.wikihow.com/View-Cookies

You will see it has content like this:
dyxumforumsID
SID=12345678some%char%string12345678901234

On an un-encrypted network an eavesdropper may able to grab your session id (plain text if http) and hijack your session (no need for a username and password).
https://en.wikipedia.org/wiki/Session_hijacking

Next step for the hacker is to go to the Member CP > Edit Profile
and have your email address. On the Edit Profile page a new password can be saved if the old is known.

Take away:
The combination of public open networks and logging in non-encrypted (http) is a considerable security risk.
Never reuse passwords for low security sites on important sites!

Having someone tampering with personal data is always disgusting.
Back to Top
sybersitizen View Drop Down
Senior Member
Senior Member

Joined: 04 August 2006
Country: United States
Location: California
Status: Offline
Posts: 14126
Post Options Post Options   Quote sybersitizen Quote  Post ReplyReply Direct Link To This Post Posted: 22 December 2018 at 17:24
^ Thanks for the detailed explanation about cookies. I know about the issue concerning plain text typed on networks owned by other entities, but was unsure about cookies. I don't remember if I actually logged in while using such a network or if I was already logged in here and relying on a cookie ... but apparently the vulnerability is the same ether way.
Back to Top
sybersitizen View Drop Down
Senior Member
Senior Member

Joined: 04 August 2006
Country: United States
Location: California
Status: Offline
Posts: 14126
Post Options Post Options   Quote sybersitizen Quote  Post ReplyReply Direct Link To This Post Posted: 06 February 2019 at 01:11
So, months later, it looks like nothing will be done to enable HTTPS here.

If that's the case, I've learned the hard way to never again access Dyxum on a wi-fi network other than my own. Too risky.
Back to Top
Kilkry View Drop Down
Senior Member
Senior Member

Joined: 06 August 2008
Country: Sweden
Location: ISO1600
Status: Offline
Posts: 2492
Post Options Post Options   Quote Kilkry Quote  Post ReplyReply Direct Link To This Post Posted: 06 February 2019 at 17:37
Originally posted by sybersitizen sybersitizen wrote:

So, months later, it looks like nothing will be done to enable HTTPS here.

If that's the case, I've learned the hard way to never again access Dyxum on a wi-fi network other than my own. Too risky.


Installing a cert isn't that hard; I think the cost is the question. Ads? Maybe that Let's Encrypt would work? For the general trend is -> encryption.
-
Back to Top
mike77 View Drop Down
Senior Member
Senior Member

Joined: 26 February 2011
Country: Austria
Status: Offline
Posts: 599
Post Options Post Options   Quote mike77 Quote  Post ReplyReply Direct Link To This Post Posted: 06 February 2019 at 19:34
I would suggest, at the very least, to avoid sending the plaintext password over the unencrypted channel as long as HTTPS has not been implemented on the site. Why not send a browser-generated SHA-2 hash value of the password and compare it with the SHA-2 hash of the server-side password?
A99, NEX-C3, HVL-F43M, more than enough glass (A, E, M42, MD)
Back to Top
Dyxum main page >  Forum Home > Dyxum Community > About Dyxum.com Page  12>

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.094 seconds.

Monitor calibration strip

Dyxum.com - Home of the alpha system photographer

In memory of Cameron Hill - brettania

Feel free to contact us if needed.