!Website Not Secure - reassurance
bonneville
Senior Member Joined: 19 May 2007 Country: United Kingdom Status: Offline Posts: 2654
Topic: !Website Not Secure - reassurance Posted: 21 November 2018 at 11:52
I have a question:
Whenever I now log on to Dyxum on my iMac desktop I get a warning in red in the address bar. It is an exclamation mark in a circle and "Website Not Secure". Now I have been a happy member of the Dyxum community for over ten years and can honestly say it has never been the cause of any issue on iMac, MacBook or iPad. Has something changed recently to trigger this, or am I right in assuming that the message simply indicates that the site content is not encrypted, or is there more I should think about? Thanks
Bob J
Admin Group Dyxum Administrator Joined: 23 December 2005 Country: United Kingdom Location: London Status: Offline Posts: 27334
Posted: 21 November 2018 at 11:57
I think Chrome highlights where you don't have an https option for a website - I don't think it is a big issue if you are not conducting financial transactions.
RBJ ~ Moderation on Dyxum
bonneville
Senior Member Joined: 19 May 2007 Country: United Kingdom Status: Offline Posts: 2654
Posted: 21 November 2018 at 12:01
Thanks Bob. I thought it wouldn't be sinister. After all, how can the best moderated forum on the 'net be a problem?
sdblanchet
Senior Member Joined: 26 November 2005 Country: Canada Location: Dégelis Status: Offline Posts: 274
Posted: 21 November 2018 at 12:31
Just to add some
I have been told (unofficially) that the web is going encrypted (https-SSL) in the near future and pre-emptively the browsers are starting to state the websites that are not encrypted (https). It is nowhere dangerous unless you go to websites that are not recommended. The https version of the web will protect you against "the man in the middle" attack because of the encryption that will take place between your browser and the website you're visiting. It also "certifizes" the authenticity of the website. Adding encryption to a website entails getting an authenticity certificate that validates ownership and status of the website using it. But it also adds another cost to owning a website because those certificates are not free. Ball park figures are about 300$ to 1000$ per year per certificate. And if your site is using a redirection like dyndns you cannot get those certificates because your IP address is not static and you don't own the domain name. www.sdbl.webhop.net, my site, is as such a redirection from dyndns. I don't own the domain name (webhop.net) and I don't have a fixed (static IP) address. Either I will have to correct the situation ($$$) or simply close the site !!!
A99ii,A77,A700,7D,28/50/SAL1650/24-105D/28-75D/70-210/SAL70200G/SAL20TC/Tamron 150-600G2... Gs :-))) sdbl.webhop.net
sybersitizen
Senior Member Joined: 04 August 2006 Country: United States Location: California Status: Offline Posts: 14457
Posted: 21 November 2018 at 16:43
There is more to think about. I have strong evidence that one of my dyxum sessions was 'tapped' while I was on a public wireless network a few months ago. The timing suggests that it happened while I was traveling in the UK, but the same thing could happen anywhere. When I got home there was a message (in my dyxum-specified email account) saying that my password (my dyxum password, which the emailer included in the message) had been hacked. The emailer claimed to have also planted a keylogger on my computer, taking control of it, and recording my web transactions while also enabling my webcam. (I knew none of that was true.) The goal was blackmail. The emailer wanted payment into a Bitcoin account. I then discovered that I was unable to login to my dyxum account. The password had been changed without my knowledge. I had to contact an admin here to arrange to reset it. No other account anywhere was affected. Since then I've received a few more nearly identical blackmail messages, and my email account is being heavily spammed. Obviously the hacked info has been disseminated among various entities. This might have been avoided if dyxum used encryption.
MiPr
Admin Group Mikre Dyxum Administrator Joined: 25 August 2006 Country: Poland Location: Wroclaw Status: Offline Posts: 22292
Posted: 21 November 2018 at 17:23
I'm discussing this with kikop. I hope we will move to HTTPS soon.
I'm noise-blind. And noise-about-noise-deaf too ... | BTW, Dyxum Weekly Exhibitions don't grow on trees ...
horizon
Senior Member Joined: 11 September 2010 Country: Australia Location: Coral Coast Qld Status: Offline Posts: 1010
Posted: 22 November 2018 at 06:18
I get the same warning on many websites using Chrome on my Android phone. In fact there are times that Chrome won't even allow me to tell it in advanced settings to just ignore the warning and just go to the website anyway.
Most of the time it's a website that is just one of the Australian hardware suppliers, where you can't purchase online anyway or log in.
Miranda F
Senior Member Joined: 11 January 2014 Country: United Kingdom Location: Bristol Status: Offline Posts: 4074
Posted: 22 November 2018 at 11:03
Oh, worth knowing about. Thanks for sharing that. I have been quite uneasy about using public wi-fi networks for a while now, but since I have a cheap and plentiful supply of 4G data on my phone I never need to use them.
Miranda F & Sensorex, Sony A7Rii, A58, Nex-6, Dynax 4, 5, 60, 500si/600si/700si/800si, various Sony & Minolta lenses, several Tamrons, lots of MF primes and *far* too many old film cameras ...
sybersitizen
Senior Member Joined: 04 August 2006 Country: United States Location: California Status: Offline Posts: 14457
Posted: 19 December 2018 at 22:04
And ... anything? If that doesn't happen, at least an answer to a question will help: If I'm already logged in here on a particular computer so I don't have to type my username and password, what exactly is being passed to the dyxum server when I connect - presumably from a cookie on my computer? Username? Password? A coded text string that the dyxum server decodes as my username and password?
amrep
Senior Member Joined: 02 February 2015 Country: Norway Status: Offline Posts: 322
Posted: 22 December 2018 at 15:53
Since you have your own site I assume you have some basic knowledge about http and https.

When you log into sites (like dyxum) your browser sends a request header (specifying it is a POST-type request, listing what browser you are using and more) and a body containing parameter-value pairs like username=SomeName&password=somepassw. Since dyxum.com uses http (not https) this string is sent as "plain text" (unencrypted). On an open public network it may be easy to grab by eavesdropping if a hacker has some tools.

If you look at the code for the login page you will see there is a tiny bit of trickery going on using some unique strings (changing value for every login) as field names, like input type="text" name="MemberNamexyz14chrstring" and input type="password" name="AB345678901STRINGLENGSTIS41CHR12345678901". So the dyxum parameter-value string will be in the format MemberNamexyz14chrstring=SomeName&AB345678901STRINGLENGSTIS41CHR12345678901=somepassw. I don't think this is a real security measure, just a small distraction for a hacker. If you install a tool like Firebug in your browser you will probably be able to see this in full detail.

When you successfully log in the server responds by putting a cookie (small plain text file) on your computer that includes a session id. This id is now included in every request header your browser sends back until you log out. You may think of the session id as a temporary substitute for both username and password. Cookies are not revealed to third-party sites. You can easily find and read the contents of cookies in your browser: https://www.wikihow.com/View-Cookies You will see it has content like this: dyxumforumsID SID=12345678some%char%string12345678901234

On an un-encrypted network an eavesdropper may be able to grab your session id (plain text if http) and hijack your session (no need for a username and password). https://en.wikipedia.org/wiki/Session_hijacking Next step for the hacker is to go to the Member CP > Edit Profile and have your email address. On the Edit Profile page a new password can be saved if the old is known.

Take away: The combination of public open networks and logging in non-encrypted (http) is a considerable security risk. Never reuse passwords for low security sites on important sites! Having someone tampering with personal data is always disgusting.
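The exchange described in the post above, as an added example that is not part of amrep's post and not Dyxum's own code: a small Python model of the http login POST with per-request field names, the session cookie the server issues afterwards, and an audit helper listing what a passive observer on an open network reads verbatim. The field names, the cookie name and all values are constructed, and the rule used to pick the two fields out of the body (user-name field starts with "MemberName", password field has a 41-character name) is an assumption taken from the post, not a documented convention.

```python
"""Added example (not amrep's post as code, nor Dyxum's own code): a model of
the http login POST with per-request field names, the session cookie issued
afterwards, and an audit of what a passive observer on an open network reads
verbatim. Field names, cookie name and values are constructed; the rule for
picking the two fields out of the body is an assumption taken from the post."""
import secrets
from urllib.parse import parse_qs
from http.cookies import SimpleCookie

SESSION_COOKIE = "dyxumforumsID"   # constructed, mirrors the name quoted in the post

# Constructed login body in the shape the post describes.
LOGIN_BODY = ("MemberNamexyz14chrstring=SomeName"
              "&AB345678901STRINGLENGSTIS41CHR12345678901=somepassw")


def parse_login_body(body):
    """Recover the credentials from a body whose field names change every login.
    Assumed rule (from the post): the user-name field starts with 'MemberName',
    the password field has a 41-character name. Changing the names hides
    nothing from anyone who can read the body itself."""
    username = password = None
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name.startswith("MemberName"):
            username = values[0]
        elif len(name) == 41:
            password = values[0]
    return username, password


def issue_session(scheme):
    """Server side after a successful login: mint a random session id and build
    the Set-Cookie header. HttpOnly keeps page scripts from reading the cookie,
    Secure tells the browser never to send it over http. Neither attribute
    encrypts anything, and Secure only makes sense once the site answers on
    https, so it is set for that scheme only."""
    sid = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = sid
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["samesite"] = "Lax"
    if scheme == "https":
        jar[SESSION_COOKIE]["secure"] = True
    return sid, jar.output(header="Set-Cookie:")


def session_id_from_cookie_header(cookie_header):
    """Every later request carries the id back in the Cookie header; it is the
    whole credential, no user name or password needed."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def cleartext_secrets(scheme, body=None, cookie_header=None):
    """Audit helper: which secrets cross the wire readable under each scheme.
    Over https the request sits inside the TLS record layer and nothing is
    listed; over http the login body and the cookie header are both readable."""
    if scheme == "https":
        return []
    exposed = []
    if body:
        username, password = parse_login_body(body)
        exposed += [("username", username), ("password", password)]
    if cookie_header:
        exposed.append(("session_id", session_id_from_cookie_header(cookie_header)))
    return exposed


if __name__ == "__main__":
    sid, set_cookie = issue_session("http")
    print(set_cookie)
    print(cleartext_secrets("http", LOGIN_BODY, f"{SESSION_COOKIE}={sid}"))
```

Run stand-alone it prints the Set-Cookie line a server on plain http can issue (no Secure attribute is possible there) and the three values an observer on the same open network could read from the login request and from any later request. The same two calls with "https" return a Secure cookie and an empty exposure list, which is the whole difference the thread is about.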
sybersitizen
Senior Member Joined: 04 August 2006 Country: United States Location: California Status: Offline Posts: 14457
Posted: 22 December 2018 at 17:24
^ Thanks for the detailed explanation about cookies. I know about the issue concerning plain text typed on networks owned by other entities, but was unsure about cookies. I don't remember if I actually logged in while using such a network or if I was already logged in here and relying on a cookie ... but apparently the vulnerability is the same either way.
sybersitizen
Senior Member Joined: 04 August 2006 Country: United States Location: California Status: Offline Posts: 14457
Posted: 06 February 2019 at 01:11
So, months later, it looks like nothing will be done to enable HTTPS here.
If that's the case, I've learned the hard way to never again access Dyxum on a wi-fi network other than my own. Too risky.
Kilkry
Senior Member Joined: 06 August 2008 Country: Sweden Location: ISO1600 Status: Offline Posts: 2782
Posted: 06 February 2019 at 17:37
Installing a cert isn't that hard; I think the cost is the question. Ads? Maybe Let's Encrypt would work? For the general trend is -> encryption.
-
mike77
Senior Member Joined: 26 February 2011 Country: Austria Status: Offline Posts: 621
Posted: 06 February 2019 at 19:34
I would suggest, at the very least, to avoid sending the plaintext password over the unencrypted channel as long as HTTPS has not been implemented on the site. Why not send a browser-generated SHA-2 hash value of the password and compare it with the SHA-2 hash of the server-side password?
A99, NEX-C3, HVL-F43M, more than enough glass (A, E, M42, MD)
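To make the limits of the suggestion in the post above concrete, here is an added example that is not mike77's proposal as code and not anything the site runs: a toy Python model that sends the same login three ways, the plain password over http, a browser-side SHA-256 hash over http, and either of those over https, and reports what a passive observer on the path gains in each case. The user name, password and account store are constructed. It shows where client-side hashing does help (the raw password, which people tend to reuse elsewhere, is no longer readable on the path) and where it does not (whatever the browser transmits is the credential the server accepts, so a value captured on an open network still logs in until the transport itself is encrypted). The store also shows the salted, iterated server-side hashing (PBKDF2) that should hold the credential whatever the transport is.

```python
"""Added example (not mike77's proposal as code, nor anything Dyxum runs):
compare what a passive observer on the path gains when the same login is sent
as a plain password over http, as a browser-side SHA-256 hash over http, or
either way over https. User name, password and store are constructed."""
import hashlib
import hmac
import os


def browser_side_hash(password):
    """The value the proposal would have the browser transmit instead of the
    password: an unsalted SHA-256, as a page script could compute it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ToyAccountStore:
    """Server side: stores a salted, iterated PBKDF2 hash of whatever credential
    the client sends (plain password or browser-side hash) and verifies it in
    constant time. Sound storage, but it says nothing about the transport."""

    def __init__(self, iterations=50_000):
        self._iterations = iterations
        self._records = {}

    def _derive(self, credential, salt):
        return hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"),
                                   salt, self._iterations)

    def register(self, user, credential):
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(credential, salt))

    def login(self, user, credential):
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(credential, salt))


def simulate(scheme, client_hashes, password="somepassw"):
    """Run one login and report (raw_password_visible, observer_can_replay).
    Over http the observer reads the request body verbatim; over https only
    TLS ciphertext is visible, modelled here as nothing usable being seen."""
    store = ToyAccountStore()
    sent = browser_side_hash(password) if client_hashes else password
    store.register("SomeName", sent)
    on_wire = sent if scheme == "http" else None
    raw_password_visible = on_wire == password
    # Presenting the captured value to the same login endpoint:
    observer_can_replay = on_wire is not None and store.login("SomeName", on_wire)
    assert store.login("SomeName", sent)   # the legitimate login still works
    return raw_password_visible, observer_can_replay


if __name__ == "__main__":
    for scheme, hashes in (("http", False), ("http", True),
                           ("https", False), ("https", True)):
        label = "browser-side hash" if hashes else "plain password"
        print(f"{scheme:5} {label:18} -> {simulate(scheme, hashes)}")
```

Run stand-alone it prints the four cases. The two http rows differ only in whether the raw password is readable; the replay column is the same for both, because an unsalted hash sent in place of the password is simply a new password as far as the server is concerned. Only the https rows close both columns, which is why a certificate (Let's Encrypt, as Kilkry mentions, issues them at no cost) rather than client-side hashing is the fix the thread is asking for.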