Not secure log in - Stromtrooper Forum : Suzuki V-Strom Motorcycle Forums
post #1 of 36 Old 03-07-2017, 06:49 PM Thread Starter
Stromthusiast!
 
Join Date: Mar 2015
Location: Hastings Ont
Posts: 148
Not secure log in

Why is the log-in site not secure? This is a good way to have your password info stolen. This needs to be fixed.
snorkie likes this.
ride on is offline  
post #2 of 36 Old 03-08-2017, 12:35 PM
Administrator
 
 
Join Date: Jun 2010
Posts: 1,017
Passwords are encrypted, so they are secured that way.

The gap in security your browser is pointing out is common on most sites, but Google has decided to start highlighting it now. It's telling you that the site is vulnerable to a MIM attack (or Man in the Middle), where someone intercepts what you are typing on the site. Since everything you type here is viewable to all, this has never been a thing it made sense to protect against. As long as you aren't typing your password into a thread in plain text, or your bank info, this doesn't affect you.

All that said, now that Google is pointing this out, we are going to have to add the protection to keep our standing as a trusted site.

Kevin
Administrator is offline  
post #3 of 36 Old 03-08-2017, 04:33 PM
Fox
Stromthusiast!
 
 
Join Date: Aug 2012
Location: Philadelphia
Posts: 546
Quote:
Originally Posted by Administrator
Passwords are encrypted, so they are secured that way. The gap in security your browser is pointing out is common on most sites
Passwords may be stored encrypted, but your site doesn't support secure authentication, which is the real issue. Most sites that have a login page do support secure authentication for that function.

Quote:
Since everything you type here is view-able to all, this has never been a thing it made sense to protect against.
Submitting private authentication data to the site and submitting content to the site are two separate things - and that's saying nothing about the PM system. It always made sense to protect authentication data in transmission.

Quote:
As long as you aren't typing your password into a thread in plain text, or your bank info, this doesn't affect you.
That is unfortunately not accurate. Currently, all communication (including username, password, PMs, etc) can be read in plaintext by any network component between the client and server. If you're on an untrusted network, say a coffee shop, internet cafe, hotel, it is trivial for someone else on that network to intercept your password. And if you're one of many who reuse passwords across several sites, you can have a serious problem.

It's a real issue, and although it will take work, it needs fixing.
iamsmiling and snorkie like this.
Fox is offline  
 
post #4 of 36 Old 03-08-2017, 05:13 PM
Stromthusiast!
 
Join Date: Feb 2015
Location: Amsterdam
Posts: 392
I just took a look at the code on the site, and I agree. The way the login process works is a definite no-no in 2017.

Quote:
The gap in security your browser is pointing out is common on most sites,
Fortunately not. Most sites today are switching over to HTTPS even for non-sensitive data. Ever done a Google search lately?

Quote:
Passwords are encrypted, so they are secured that way.
They may be encrypted on your server, but they are definitely not encrypted in transit - when they are most vulnerable. So to anyone reading this: It is currently an exceedingly bad idea to reuse your stromtrooper.com password in any other place, or reuse a password from anywhere else here.

Quote:
All that said, now that Google is pointing this out, we are going to have to add the protection to keep our standing as a trusted site.
I fully agree with this. The sooner the better.
iamsmiling and ride on like this.
BackPacker is offline  
post #5 of 36 Old 03-08-2017, 08:19 PM
$tromtrooper
 
 
Join Date: May 2005
Location: Central OHIO "Go Buckeyes"
Posts: 16,316
Forum has already been hacked once, I believe; perhaps nothing was learned from that?
ride on likes this.

BRIAN "GO Buckeyes, GO Wildcats"!

2015 DL650 XT "Hector"

1997 Honda Valkyrie 1500 custom “Dolores”




Big B is offline  
post #6 of 36 Old 03-09-2017, 04:12 AM
Stromthusiast!
 
Join Date: Feb 2015
Location: Amsterdam
Posts: 392
This is not the same as hacking the forum.

This issue is about user (and moderator/admin) passwords being sent from the browser to the server in cleartext. Anybody who is able to intercept the traffic (say on a public Wifi) is then able to use this password to login to the site and then pose as that user, moderator or admin. In case of a user this means that you can post as that user, delete posts, read and send PMs and such. Not incredibly serious but still a bad idea. If moderators and/or admins have their passwords intercepted, the consequences can be more severe of course, but they'll still be limited to the forum.

The bigger issue is that a lot of users will reuse their passwords. If somebody grabs your password from this site, they can then use that password to login to other sites as well. With potentially severe consequences, particularly if this is for your bank account or something like that.

"Hacking the forum" means something else. If you "hack the forum" it is generally understood to mean that you somehow managed to gain access to the server that runs the forum. This means you have direct access to, for instance, the database that holds all the posts, the database of user information (including all passwords) and possibly even the database with credit card numbers.

The admins have already told us that the passwords in the user DB are encrypted. Assuming they're using an industry-standard hash function for that (MD5, SHA1 or even better one of the newer SHA versions) you can be reasonably sure that your password will not become public in case of a forum hack. Unless you are a high-profile politician or something, and you are the specific target the hackers are looking for. Then the hackers may go through the lengthy process of trying to brute-force your password.

Furthermore, I would certainly hope that the folks who set up this forum do not handle the credit card payments themselves, but use a third-party to process these payments. Storing unencrypted/unhashed credit card numbers is an exceedingly bad idea on servers, and the credit card industry has (rightfully) set up standards that have to be adhered to if you want to process CC payments. The requirement that you use HTTPS for these transactions is just the beginning.

So "stealing a password by listening on a public wifi" and "hacking the forum" are not really the same thing, but it is certainly possible that one thing can lead to another.

To all users reading this: There's not a lot you can do about this other than to put pressure on the admins to fix this. At the very least, the login session itself should be HTTPS encrypted. Preferably the whole site should use that. In the meantime, make sure that the password you use is NOT used anywhere else. The easiest way to achieve that is to log out and then follow the steps as if you had lost your password. The site will then generate a new, random password for you and mail it. Use that and don't change it.

Last edited by BackPacker; 03-09-2017 at 04:18 AM.
BackPacker is offline  
post #7 of 36 Old 03-09-2017, 11:42 AM
$tromtrooper
 
 
Join Date: May 2005
Location: Central OHIO "Go Buckeyes"
Posts: 16,316
Vertical Scope Admins can possibly do something; we volunteer, non-paid Admins cannot.

BRIAN "GO Buckeyes, GO Wildcats"!

2015 DL650 XT "Hector"

1997 Honda Valkyrie 1500 custom “Dolores”




Big B is offline  
post #8 of 36 Old 03-09-2017, 03:20 PM
Stromthusiast!
 
Join Date: Feb 2015
Location: Amsterdam
Posts: 392
I've been looking around a bit, and found some things I did not know.

Stromtrooper is hosted by VerticalScope, along with six hundred or so similar forums. The link below contains just the 279 sites in the "Powersports" category, but they have more than half a dozen other categories as well.

VerticalScope.com

Those 279 sites are hosted on just 36 IP addresses, so a lot of virtual hosting is going on. Out of those 36 addresses, only 8 have port 443 (HTTPS) open. But when I tried to connect to some of the websites hosted on these servers via HTTPS, all I got was an SSL protocol error. So my tentative conclusion is that none of these few hundred forums offer any sort of HTTPS, not even for the login process. And that's while they claim to have 84 million unique visitors monthly.

For a company the size of VerticalScope, this is truly a sorry picture. I personally run a web administration system with just a few thousand users, and I've got HTTPS running. The effort to set it up is maybe an hour or two, less if you know what you're doing. Annual cost can be as low as 6 US$ per domain.

There was a huge breach of security about nine months ago, in which more than 45M user account details were stolen, including the encrypted passwords. VS supposedly was going to implement better security after this breach, but that apparently has not included a switch to HTTPS.

https://thenextweb.com/insider/2016/...#.tnw_VvC54bXB

I don't envy the admins of stromtrooper.com. Our little forum is just one of the 600+ forums that are managed by VS. Pressure from one forum is not going to generate enough pressure that VS is going to do anything about this. Also, competing companies like Internet Brands also don't seem to offer HTTPS, so there's no peer pressure either.
ride on likes this.
BackPacker is offline  
post #9 of 36 Old 03-09-2017, 07:26 PM
Stromthusiast!
 
 
Join Date: May 2016
Location: Northern Minnesota
Posts: 229
What backend does VerticalScope use to drive the forum? Is it possible to move to a provider that will deliver a secure platform?

Sent from my KFFOWI using Tapatalk

There are 10 kinds of people: those who understand binary and those who don't.
New Rider May 2016
K9 Wee
booghotfoot is offline  
post #10 of 36 Old 03-10-2017, 01:24 PM
Stromthusiast!
 
Join Date: Feb 2015
Location: Amsterdam
Posts: 392
Quote:
Originally Posted by booghotfoot
What backend does VerticalScope use to drive the forum? Is it possible to move to a provider that will deliver a secure platform?
There's a couple of aspects to that.

First, there is really no technical objection to moving the whole site to HTTPS. You can easily do that on the server or, failing that, put an SSL offload server-side proxy (e.g. https://www.nginx.com/blog/nginx-ssl/) in front of it. The fact that VS hasn't done so already is probably just a matter of money: First, an SSL certificate costs money. Not a lot, but if you host 600+ sites it is still a very decent amount of money. Second, SSL requires significantly more CPU capacity to perform the encryption, so it might be necessary to upgrade the servers. Since companies like VS typically operate on a shoestring - most, if not all of their income is off advertising - they might not want to go through that expense unless absolutely necessary. (Having said that, if they would only do the login process over HTTPS, and the rest of the site over HTTP, then the CPU impact would be negligible. So they would only have the added expense of the SSL certificates. But it would be a significant improvement in security.)

Whatever the backend system is doesn't really matter. It's not the backend forum software that is going to perform the encryption. But yes, there are several backends to choose from, if you want to operate a forum. And migrating from one to the other is typically not easy. Likewise, the operating system also doesn't matter: Any modern OS will do. (FWIW, it looks like VS is running Linux and Apache, at least on For Suzuki V-Strom Enthusiasts.)

Second, without the help of VS - which they're unlikely to give, given their marketing model - you would not be able to gain access to the forum database so you can't move the posts over to a different backend/server. You also would not be able to gain access to the user database to inform all users that the forum has changed. And since VS holds the registration to the stromtrooper.com name you also need their support if you want to move the stromtrooper.com domain to a new server. So moving stromtrooper.com as such away from VS will be impossible without their help and consent.

The only way to make a statement to VS is if the users of all their forums (not just this one) would be migrating en masse to a competing forum provider. That would hurt their bottom line (less advertising income) and that is probably something that would get the attention of the CEO/CTO. Unfortunately the competing forums that I checked (VSRI, v-strom.nl and a few others) all suffer from the same problem: No HTTPS, not even for their login page.

The only other options I see that would cause VS to move to HTTPS are some sort of consumer action/exposure, possibly by some sort of consumer privacy/security organisation, or a lawsuit by somebody who had his password stolen/intercepted, suffered some kind of identity theft, and sues VS for negligence.

But I don't have a lot of hope that that's going to happen anytime soon...

Last edited by BackPacker; 03-10-2017 at 01:29 PM.
BackPacker is offline  
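Posts #3 and #10 above describe the problem (a password form submitted over cleartext HTTP) and the fix (TLS in front of the site, at minimum for the login). The following Python is an added example, not code from the thread or from the forum's hosting company: an offline audit that parses a page's HTML with the standard library, finds every form containing a password field, resolves its action URL against the page URL and flags any that would submit over http, and checks an https page for the Strict-Transport-Security header. The host `forum.example`, the form markup and the response headers are constructed sample inputs, not captured from any real site.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> on a page: its action attribute and whether it holds a password field."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []
        self._current: Optional[dict] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._current = None


def audit_login_page(page_url: str, html: str, headers: Dict[str, str]) -> List[str]:
    """Return findings about how credentials entered on this page travel; [] means none found."""
    findings: List[str] = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    page_scheme = urlsplit(page_url).scheme.lower()

    scanner = _FormScanner()
    scanner.feed(html)
    password_forms = [f for f in scanner.forms if f["has_password"]]

    for form in password_forms:
        # A relative or empty action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append(f"password form submits over cleartext to {target}")

    if password_forms and page_scheme == "http":
        # Even when the action points at https, the markup that sends the
        # browser there arrived unprotected.
        findings.append("page containing a password form is served over http")

    if page_scheme == "https" and "strict-transport-security" not in hdrs:
        findings.append("https page lacks Strict-Transport-Security header")

    return findings


# Constructed sample inputs for this example; forum.example is a placeholder host.
INSECURE_URL = "http://forum.example/login.php"
INSECURE_HTML = """<html><body>
<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form></body></html>"""
INSECURE_HEADERS = {"Content-Type": "text/html"}

SECURE_URL = "https://forum.example/login.php"
SECURE_HTML = """<html><body>
<form action="/search.php"><input type="text" name="q"></form>
<form action="https://forum.example/login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form></body></html>"""
SECURE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, args in (("insecure", (INSECURE_URL, INSECURE_HTML, INSECURE_HEADERS)),
                        ("secure", (SECURE_URL, SECURE_HTML, SECURE_HEADERS))):
        print(label, audit_login_page(*args) or ["no findings"])
```

To run this against a live page, fetch the body and headers with urllib.request and pass them to `audit_login_page`. The search form in the secure sample is deliberately ignored because it carries no password field. The cheaper arrangement post #10 mentions, login over HTTPS with the rest of the site on HTTP, shows up here as a page served over http whose form action is https: the credentials themselves are protected in transit, but the page that directs the browser to the https endpoint is not, which is why the check still reports it and why the whole-site move is the stronger option.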