PSA Regarding NS2 Account Passwords
FadedParadigm
Join Date: 2013-03-03 Member: 183654Members, Constellation, Reinforced - Shadow
Join Date: 2013-03-03 Member: 183654Members, Constellation, Reinforced - Shadow
Hello,
I'm making this announcement in the interest of all NS2-forum goers who care about the safety of their passwords.
As you may or may not be aware, whenever you browse the pages and forums of unknownworlds.com, you are currently doing so over HTTP and not HTTPS.
For those who don't know what this means: browsing web pages over HTTPS means that you are browsing content over a secure connection. Content sent to and from a web server over HTTPS is encrypted and generally safe from any third party interested in stealing your information by sniffing the packets of your connection. You can check if you are browsing a website over HTTPS by looking for "https://" at the start of the URL in the address bar.
Most major websites (google.com, facebook.com, etc.) now enforce HTTPS as the standard protocol for all connections established with their users. However, this is not the default and requires additional setup by the administrators of the web servers to enable HTTPS. This process typically means the administrators must purchase an SSL certificate from a recognized certificate authority so that your web browser knows that the website you are browsing is in fact the same website you believe it to be, and not the spoof of some malicious third party. From the user's perspective, this is all very transparent and shows up in the browser as a trusted HTTPS connection (typically with green font or a padlock adjacent the URL).
ANYWAY. What this means for you, the user, is simple; all content sent over regular HTTP is transferred in unencrypted cleartext. This means that unless the website you are browsing takes very, very careful precautions, all sensitive information you send to the server (passwords, credit card numbers, etc.) is sent in the clear, and anyone along the path to the server can easily listen in and steal your information.
Since unknownworlds.com does not yet use HTTPS, every time you enter your password and login to the forums, you are sending your password in cleartext over the internet and putting the safety of your password at risk. If you use the same password for anything else very important (like a bank account), consider changing those passwords immediately.
The good people of Unknown Worlds know of this situation and are working to setup HTTPS for their web pages. Once this happens, you will be able to enter your password over an encrypted connection. However, until this happens, understand that you are currently broadcasting your password loudly over the internet whenever you login to the forums. If this is important to you, you may want to change your forum password to something you definitely don't use anywhere else and consider the consequences of what would happen should your original password be in the wrong hands and act accordingly.
To be very clear, this problem is not unique to unknownworlds.com. This applies to any website you browse over regular, unencrypted HTTP. Always be smart about who you give which passwords to and pay attention to whether or not the connection is over HTTPS when entering any sensitive information.
Also to be clear, this does not mean that your password has been stolen. This means that your password may be stolen the moment you use it to login to these forums (depending on where you are connecting from).
More information about HTTPS:
http://en.wikipedia.org/wiki/HTTP_Secure
TL;DR:
Entering your password on websites that don't use HTTPS (including unknownworlds.com, currently) is exposing your password in cleartext over the internet. If the wrong person is close enough to listen, they may easily steal your password. Consider changing passwords if you use the same password elsewhere.
Regards,
FadedParadigm
I'm making this announcement in the interest of all NS2-forum goers who care about the safety of their passwords.
As you may or may not be aware, whenever you browse the pages and forums of unknownworlds.com, you are currently doing so over HTTP and not HTTPS.
For those who don't know what this means: browsing web pages over HTTPS means that you are browsing content over a secure connection. Content sent to and from a web server over HTTPS is encrypted and generally safe from any third party interested in stealing your information by sniffing the packets of your connection. You can check if you are browsing a website over HTTPS by looking for "https://" at the start of the URL in the address bar.
Most major websites (google.com, facebook.com, etc.) now enforce HTTPS as the standard protocol for all connections established with their users. However, this is not the default and requires additional setup by the administrators of the web servers to enable HTTPS. This process typically means the administrators must purchase an SSL certificate from a recognized certificate authority so that your web browser knows that the website you are browsing is in fact the same website you believe it to be, and not the spoof of some malicious third party. From the user's perspective, this is all very transparent and shows up in the browser as a trusted HTTPS connection (typically with green font or a padlock adjacent the URL).
ANYWAY. What this means for you, the user, is simple; all content sent over regular HTTP is transferred in unencrypted cleartext. This means that unless the website you are browsing takes very, very careful precautions, all sensitive information you send to the server (passwords, credit card numbers, etc.) is sent in the clear, and anyone along the path to the server can easily listen in and steal your information.
Since unknownworlds.com does not yet use HTTPS, every time you enter your password and login to the forums, you are sending your password in cleartext over the internet and putting the safety of your password at risk. If you use the same password for anything else very important (like a bank account), consider changing those passwords immediately.
The good people of Unknown Worlds know of this situation and are working to setup HTTPS for their web pages. Once this happens, you will be able to enter your password over an encrypted connection. However, until this happens, understand that you are currently broadcasting your password loudly over the internet whenever you login to the forums. If this is important to you, you may want to change your forum password to something you definitely don't use anywhere else and consider the consequences of what would happen should your original password be in the wrong hands and act accordingly.
To be very clear, this problem is not unique to unknownworlds.com. This applies to any website you browse over regular, unencrypted HTTP. Always be smart about who you give which passwords to and pay attention to whether or not the connection is over HTTPS when entering any sensitive information.
Also to be clear, this does not mean that your password has been stolen. This means that your password may be stolen the moment you use it to login to these forums (depending on where you are connecting from).
More information about HTTPS:
http://en.wikipedia.org/wiki/HTTP_Secure
TL;DR:
Entering your password on websites that don't use HTTPS (including unknownworlds.com, currently) is exposing your password in cleartext over the internet. If the wrong person is close enough to listen, they may easily steal your password. Consider changing passwords if you use the same password elsewhere.
Regards,
FadedParadigm
Comments
I'm not saying it can't be done, I'm sure it can, but it's got to be unbelievably uncommon, or like I said, no one would use it. I would say that well WELL over the majority of websites with a login page do not use HTTPS. Though perhaps they should.
tldr; don't freak out general public.
EDIT: Though this is a valid concern in a public network, eg. an internet cafe or something.
I'm not trying to argue that this happens at any frequency (and surely that does depend on where you are connecting from); however, people should be made aware of risks they undertake with their sensitive information - especially, considering that more often than not, people reuse their same passwords all over the place.
Again, I'm not trying to argue how common this is. It is still very possible. The vast majority of login pages I use daily do provide HTTPS because of how insecure plain HTTP is. This is the only forum I use where I have to enter password information over HTTP.
Really, NS2 gaming community is VERY old. The average age is VERY old. If people don't already know this, there is no hope for them....
I appreciate your concern, but why do you feel the need to post this on this site? Because they don't use https for login? Are you a vigilante going around every forum on the internet which doesn't use https to spread the message of warning, or did you feel it was only necessary to spread it here?
all the forums I use are HTTP...
Or an alternative is to educate people who would have otherwise taken action to protect themselves. Just because a user is not tech-savvy, does not mean they are not interested in protecting their passwords. Obviously some people don't care about security; however, many users do. I posted in this forum because I care about this community. And as I've said before, this is the only website I use where I have to enter password information over HTTP.
Even still, following such procedures does nothing to protect against sniffing HTTP traffic, which is why I created this thread. Users who use public networks are at the greatest risk. However, the sniffing doesn't have to happen near the user. Imagine if a node near the server were compromised, an attacker could potentially have access to all user login information as it is sent to the server. The benefits of using HTTPS are wide where as the cost of its implementation is cheap. Sure, you can hope that your network is not infected (it probably isn't if you're safe about your practices), but by using HTTP, you are also trusting that no other machine close enough to the network path to the server is infected. This is the difference that I believe people should be made aware of.
This is really the main concern, if you use a universal password for all websites then you are putting yourself at risk.
Indeed. Unfortunately, I'm willing to bet a hefty portion of users fall into this category.
Even though I am currently unemployed and studying to follow my dream of becoming a doctor like my parents, in my spare time I have pursued my hobby and become a Microsoft certified Windows Server administrator, I am well aware of all of what you told me. Though, I do believe we have our noggin' for a reason, and sometimes it is good to use it, heh.
If you are truly concerned with your data's security to that extent, the best practice is not to access personal accounts or transfer important information unless you are using your own machine in your own ISP line, behind a controlled firewall unless strictly necessary, taking the necessary precautions and making use of extras such as one-time login features, password management software such as KeePass, sandboxing software and e-mail/SMS authentication, for example while implementing HTTPS or SMS authentication adds expense to UWE; most forum software all the way down to SMF is factory capable of e-mail authentication, KeePass is free and one-time login could be added using e-mail confirmation as well.
Implementing HTTPS on a website is not the easiest thing ever, so much that most e-commerce websites do not use HTTPS until you reach checkout. The forum software must support secure socket layer technology, the server the forum runs on has to have an increased bandwidth and data processing capability to handle all the secure connections, you will require more expensive hardware or a costly professional CDN service, additional licenses if the software runs on proprietary software, you will need to pay for a certification authority, and all that adds expense... it's not that easy.
If you're familiar with tracert, you'd know that to reach this forum, or most places in the Internet your data goes plenty of places and numerous third parties...
all of which, believe me, will take their systems' health very seriously, unless they are not a for-profit company that seeks to defend its reputation. Webhosting companies, particularly those dealing with secure data opt for Linux and Apache over Windows Server, not for the licensing cost but as you might know by now, viruses written specifically for Microsoft Windows do not work under GNU/Linux OS, and those OS's are specifically tailored towards their purpose, often operating in pure CLI. It's like Android, that is tailored to fit on your phone and have easy multimedia capabilities, but the other way around turned and strengthened for the ultimate security.
It's the same reason why OS X doesn't get infected, the only way to infect a Mac is running a trojan built for OS X (approximately one in a million compared to Windows), manually allowing it through Gatekeeper and allowing it to achieve root access, all of which has to be manually confirmed by a human beforehand.
It does cost a bundle, aside from requiring paid man hours to code and maintain it (nobody works for free), the cheapest way would be to contract the most expensive plan their server provider offers atm. Someone who knows the admin should ask what plan they use, but i'm almost totally sure it's already the $1200/mo one.
http://vanillaforums.com/plans
With sites getting hacked left and right you're better of going straight for separate passwords on a website per website basis.
Secure connections are nice and all but its not gonna protect you against a website security leak.
Do you use google\gmail\google+???
They dont have youre information crypted on their servers..... (because of the business model they currently using, selling us adds based on search history..) Reason for this is that they collect up to 24m GB of metadata everyday, and having to crypt\decrypt this on their systems would be a way to big task, for the allready buring 125 degree servers they are running....
Reason enough to stop using them? No.....
Anyone from the US stopped shopping at Target, after hackers got a hold of 40m creditcards information from their shops?
People need to understand that you dont need to crypt EVERYTHING, because if the right people want the information, they gonna get it no mather what. Is it that hard to hack a forum account, http or https???? NOOOOOOO!! Reason is that people dont hack like u see on movies, i would say that 90% of hacking that goes on today is social engineering... (aka the victim is stupid and gives away information that could back and haunt him...e.g router password or something silly like that)
Then what is really HTTPS gonna do for u? Nothing execpt retarded high expences for the ones in charge of the website.....
The NSA way of doing things is more similar to what you desribe in a somewhat scary Http MITM attack....
But they showed the world (or atleast i tought so) that HTTPS wasent really as safe as people tought...??? Did u not see this Edward Snowden slide sir?
Both NSA and FBI raised huuuuge conserns about the start of crypting info on the web in 1994... They called it for "going dark"....
Then a few years down the line, we hear that they are stripping SSL sertificates to and from a HTTPS based google server to spy on inocent people?
Did Https really help? Wasent Https allways available in google deeeeep down in the account settings? ( Actually yes
Did this really stop the "hackers\nsa" to steal peoples info? I think you know the answer too all these.... :P
They even paid RSA 10 million$ to make a backdoor in their "security" crypto system... So they could basicly ram the rest of the world in the a.........
If this is the "good guys", imagine what the BAD guys can, and are doing atm....
Go download Kali linux and go see for youreself how easy it is to bypass most off home network security, start their webcams etc....
Crypting stuff wont help in the wireless world we live in today..... Info is in the air, and the air is free for all to breathe....
If people really wanted to hurt this community by attacking this forum.. Do you really think HTTPS would save us all? =P
With the passwords that have been stolen from various sites over the years, and CC details in some cases, the risk is always there. If you don't want anyone to know your passwords ever on the internet, don't ever submit a password on the internet.
We used to host our own website and our host got virus'd, despite being an apache linux server, all of their website and forums got infected by injection code. Would HTTPS have been able to prevent that? No. People would still have lost their password or what ever it was that the injection attack was doing. I discovered it, had a long argument with our provider (they spent 2 months telling me their servers cannot get hacked as they are Linux :P), until it got resolved.
By the very nature of what it is, the internet is unsafe. If you are using the internet at any time, and you think your information is safe, you are a poor mis-guided fool. Sure, people need to know the internet is not safe, but your one man mission isn't going to save anyone. Particularly if this is the only site you use without HTTPS, so the only site you have posted this warning on. What about going and protecting all the users of the Billions of other un-HTTPS secured forums?
With this community being as informed as it is, you are unlikely to help anyone here, but I am sure some of those billions of other sites have need for such big warning messages.
But is there anyone out there who really thinks the internet is safe anyway?
I agree. It's a bit ironic I got three disagrees for saying the exact thing. Paranoia is the new game in town, but at the same time people don't seem to know the financial and corporate view of the implementation of such service, whose costs far outweigh any possible benefits.
Everyone knows the safest way to store your passwords in this day and age is written down on a piece of paper stored in your draw. It is the ONLY thing internet hackers can't get to.
@DarkLaunch357 - It's a weird world..
Don't you mean thin tightly folded wads of post it notes stuffed into the hidden flap in my wallet?
What good is a password if you left it at home in a drawer in front of a webcam dragon can hack?
I've been using lastpass for a few years now and the security options are plentiful. Multiple layers of authentication, one time use login for "dirty pc's" etc makes it a fantastic service.
I use a random pass for every single website which means if something gets hacked I really couldn't care less.
It seems like a lot of effort at first but ultimately it pays of and you'll never have to bother with security leaks again.
Course you could get pretty far by having only a handful of passwords. e.g, email, banking, steam, game accounts, shops and forums. Even with that in place you'll still end up getting your game, shop and forum password leaked on a regular basis. And then there's a few shoddy sites that still store your password in clear text..
It should be pretty obvious that at the bare minimum you always need multiple password layers. I'm shocked when I hear of people using the same pass for everything.
But because I have so many, they all reside on a piece of paper. I don't really worry about programs like Keeppass, I was just being humorous, but at the same time, where do you store your password for keeppass? haha...
The real answer:
If i was to take a "WILD" guess, i would say that keeppass stores your password database, in the database.kdb file using AES or twofish encryption on your local pc.
The answer you are looking for:
They send it over the internett to some shady U(N)S(A) server????
LOL!
To mr OP:
Btw; having a discussion about the dangers off http these days is kinda funny imo:
When "new" (5-10year old) prism slide news, showed that NSA has hacked and compromised about 100 000 computers, THAT DOSENT EVEN HAVE TO HAVE A INTERNETT CONNECTION!!!!!!!!!
And we are scared to send things trough a wire, into servers for logging\storing...?
When the info basicly could have been captured before it even reached the RAM of youre own pc that you are typing on.
Reason why i underline COULD, is because it is what it is.... Everything CAN get hacked, everything CAN get compromised...
In this case and in EVERY case regarding forums, there wont be a need for HTTPS, because there shouldent simply be any shady things/sensitive info going on here... Hence the cost will never be able to make up for the "security reward", that is 0.
You can actually get keylogged from radio signals from the 0&1 power signals your keyboard cord leaks out in the air, if the attacker has a "all mighty 10 dollar radio usb device" and some very basic c++ skills.... He can then basicly recreate what you just wrote....
This tech works with most, if not all electronic devices, unless you put them in a microwave or something...
Basicly in todays world, if you dont want someone to know some information about you... Simply dont have it anyware but inn your head....
It will atleast take NSA 20-30 years more to be able to hack human flesh!!! xD
Wouldent it be a bigger chance of your house getting broken into, and your pc stolen + password note, than having NSA wiretap you.
Or some random Russian\Chineese hacker wanna take your http forum logins and change your avatar to a monkey or something?
So without a fucking doubt in my mind, the only thing that will work vs this madness they call the internettz is to make some tinfoil hats, and sign up for the next season of doomsday preppers and just pray to god that nobody finds out about our little forum!!! (j\k) xD
Lastpass for example integrates itself into your browser, automatically filling in your username and password if you so desire. Signing up to any website will prompt you to save the information. It even fills in a nice random pw whenever you need to create an account and has further auto-fill options. Furthermore when you move to another pc or mobile device the information syncs along with you.
I used to use an offline method like keepass and tag it along on an USB but it simply can't beat lastpass in ease of use.
I'm not trying to convert you, well I suppose it sounds that way. A password manager really did change the way I handle my passwords. Never having to type a single password in your browser really is such a breeze.
I have also found that safest way to use a PC, is to leave it on the desktop on top of the draws.... This way, I don't need to worry about taking my paper with me..
Also, I have to ask, Do you really think you are as likely to get mugged and lose your wallet, as you are to have a packet sniffed on the internet? If you do you are very much mistaken
Here is something else for you to consider:
You come to visit me for a cup of tea and a chat, bringing your lastpass laptop with you. When you go to the men's room, I can do this, and gain access to all your passwords....
Of course you could easily have it set so that every time you try and login you would have to re-enter the master pass. But as always security has to be weighted against usability.
Seeing as my master pass is over 16 digits long, I like to not re-enter this for every website.
Knowing you're such a bad friend however I'd consider logging out before visiting you
Sniffing a packet would be tricky as it's still SSL. Even if you manage to get the master pass you'll still need the 2nd authentication to get anywhere which happens to be my phone.