
1 - 20 of 36 Posts

Registered · 148 Posts
Discussion Starter #1
Why is the login site not secure? This is a good way to have your password info stolen. This needs to be fixed.
 

Administrator · 1,128 Posts
Passwords are encrypted, so they are secured that way.

The gap in security your browser is pointing out is common on most sites, but Google has decided to start highlighting it now. It's telling you that the site is vulnerable to a MIM attack (or Man in the Middle), where someone intercepts what you are typing on the site. Since everything you type here is viewable to all, this has never been a thing it made sense to protect against. As long as you aren't typing your password into a thread in plain text, or your bank info, this doesn't affect you.

All that said, now that Google is pointing this out, we are going to have to add the protection to keep our standing as a trusted site.

Kevin
 

Registered · 620 Posts
Passwords are encrypted, so they are secured that way. The gap in security your browser is pointing out is common on most sites
Passwords may be stored encrypted, but your site doesn't support secure authentication, which is the real issue. Most sites that have a login page do support secure authentication for that function.

Since everything you type here is viewable to all, this has never been a thing it made sense to protect against.
Submitting private authentication data to the site and submitting content to the site are two separate things - and that's saying nothing about the PM system. It always made sense to protect authentication data in transmission.

As long as you aren't typing your password into a thread in plain text, or your bank info, this doesn't affect you.
That is unfortunately not accurate. Currently, all communication (including username, password, PMs, etc) can be read in plaintext by any network component between the client and server. If you're on an untrusted network, say a coffee shop, internet cafe, hotel, it is trivial for someone else on that network to intercept your password. And if you're one of many who reuse passwords across several sites, you can have a serious problem.

It's a real issue, and although it will take work, it needs fixing.
 

Registered · 451 Posts
I just took a look at the code on the site, and I agree. The way the login process works is a definite no-no in 2017.

The gap in security your browser is pointing out is common on most sites,
Fortunately not. Most sites today are switching over to HTTPS even for non-sensitive data. Ever done a Google search lately?

Passwords are encrypted, so they are secured that way.
They may be encrypted on your server, but they are definitely not encrypted in transit - when they are most vulnerable. So to anyone reading this: It is currently an exceedingly bad idea to reuse your stromtrooper.com password in any other place, or reuse a password from anywhere else here.

All that said, now that Google is pointing this out, we are going to have to add the protection to keep our standing as a trusted site.
I fully agree with this. The sooner the better.
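The posts above describe the same defect from two angles: the login form is served over http, and it submits the password over http. Both can be checked mechanically from a copy of the page's HTML. The script below is an added example, not code from the forum or from VerticalScope; the sample login page embedded in it is constructed for the example, and the hostname forum.example is a placeholder. Note the second check: even a form whose action is an https URL is not safe when the page carrying it was fetched over http, because anyone on the path can rewrite that action before the browser sees it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a forum login page (not the real site's markup).
SAMPLE_LOGIN_HTML = """
<html><body>
<form action="search.php" method="get">
  <input type="text" name="q">
</form>
<form action="login.php" method="post">
  <input type="text" name="vb_login_username">
  <input type="password" name="vb_login_password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Collect every <form> together with the (type, name) of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess_login_page(page_url, html):
    """Return one finding per password form that is exposed to a network observer.

    Each finding is {"action": <absolute submit URL>, "issues": [<reasons>]}.
    Forms without a password field (search boxes etc.) are ignored.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not any(field_type == "password" for field_type, _ in form["inputs"]):
            continue
        target = urljoin(page_url, form["action"])
        issues = []
        # The credentials themselves travel in clear if the action is not https.
        if urlsplit(target).scheme != "https":
            issues.append("form submits over http")
        # An http page can be modified in transit, so its form cannot be trusted either.
        if urlsplit(page_url).scheme != "https":
            issues.append("page served over http")
        if issues:
            findings.append({"action": target, "issues": issues})
    return findings


if __name__ == "__main__":
    for url in ("http://forum.example/login", "https://forum.example/login"):
        print(url, "->", assess_login_page(url, SAMPLE_LOGIN_HTML) or "no cleartext login forms")
```

In practice you would feed it the HTML fetched from the real login URL; a clean result requires both the page and the form action to be https, and the site's session cookie should additionally carry the Secure flag so it is never replayed over http.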
 

Super Moderator · 16,877 Posts
Forum has already been hacked once I believe, perhaps nothing was learned from that?
 

Registered · 451 Posts
This is not the same as hacking the forum.

This issue is about user (and moderator/admin) passwords being sent from the browser to the server in cleartext. Anybody who is able to intercept the traffic (say on a public Wifi) is then able to use this password to login to the site and then pose as that user, moderator or admin. In case of a user this means that you can post as that user, delete posts, read and send PMs and such. Not incredibly serious but still a bad idea. If moderators and/or admins have their passwords intercepted, the consequences can be more severe of course, but they'll still be limited to the forum.

The bigger issue is that a lot of users will reuse their passwords. If somebody grabs your password from this site, they can then use that password to login to other sites as well. With potentially severe consequences, particularly if this is for your bank account or something like that.

"Hacking the forum" means something else. If you "hack the forum" it is generally understood to mean that you somehow managed to gain access to the server that runs the forum. This means you have direct access to, for instance, the database that holds all the posts, the database of user information (including all passwords) and possibly even the database with credit card numbers.

The admins have already told us that the passwords in the user DB are encrypted. Assuming they're using an industry-standard hash function for that (MD5, SHA1 or even better one of the newer SHA versions) you can be reasonably sure that your password will not become public in case of a forum hack. Unless you are a high-profile politician or something, and you are the specific target the hackers are looking for. Then the hackers may go through the lengthy process of trying to brute-force your password.

Furthermore, I would certainly hope that the folks who setup this forum, do not handle the credit card payments themselves, but use a third-party to process these payments. Storing unencrypted/unhashed credit card numbers is an exceedingly bad idea on servers, and the credit card industry has (rightfully) setup standards that have to be adhered to if you want to process CC payments. The requirement that you use HTTPS for these transactions is just the beginning.

So "stealing a password by listening on a public wifi" and "hacking the forum" are not really the same thing, but it is certainly possible that one thing can lead to another.

To all users reading this: There's not a lot you can do about this other than to put pressure on the admins to fix this. At the very least, the login session itself should be HTTPS encrypted. Preferably the whole site should use that. In the meantime, make sure that the password you use is NOT used anywhere else. The easiest way to achieve that is to logout and then follow the steps as if you had lost your password. The site will then generate a new, random password for you and mail it. Use that and don't change it.
 

Super Moderator · 16,877 Posts
Vertical Scope Admins can possibly do something, us volunteer non paid Admins cannot.
 

Registered · 451 Posts
I've been looking around a bit, and found some things I did not know.

Stromtrooper is hosted by VerticalScope, along with six hundred or so similar forums. The link below contains just the 279 sites in the "Powersports" category, but they have more than half a dozen other categories as well.

VerticalScope.com

Those 279 sites are hosted on just 36 IP addresses, so a lot of virtual hosting is going on. Out of those 36 addresses, only 8 have port 443 (HTTPS) open. But when I tried to connect to some of the websites hosted on these servers via HTTPS, all I got was an SSL protocol error. So my tentative conclusion is that none of these few hundred forums offer any sort of HTTPS, not even for the login process. And that's while they claim to have 84 million unique visitors monthly.

For a company the size of VerticalScope, this is truly a sorry picture. I personally run a web administration system with just a few thousand users, and I've got HTTPS running. The effort to set it up is maybe an hour or two, less if you know what you're doing. Annual cost can be as low as 6 US$ per domain.

There was a huge breach of security about nine months ago, in which more than 45M user account details were stolen, including the encrypted passwords. VS supposedly was going to implement better security after this breach, but that apparently has not included a switch to HTTPS.

https://thenextweb.com/insider/2016/06/15/45m-passwords-stolen-verticalscope-forums-massive-data-breach/#.tnw_VvC54bXB

I don't envy the admins of stromtrooper.com. Our little forum is just one of the 600+ forums that are managed by VS. Pressure from one forum is not going to generate enough pressure that VS is going to do anything about this. Also, competing companies like Internet Brands also don't seem to offer HTTPS so there's no peer pressure as well.
 

Registered · 245 Posts
What backend does VerticalScope use to drive the forum? Is it possible to move to a provider that will deliver a secure platform?
 

Registered · 451 Posts
What backend does VerticalScope use to drive the forum? Is it possible to move to a provider that will deliver a secure platform?
There's a couple of aspects to that.

First, there is really no technical objection to moving the whole site to HTTPS. You can easily do that on the server or, failing that, put an SSL offload server-side proxy (e.g. https://www.nginx.com/blog/nginx-ssl/) in front of it. The fact that VS hasn't done so already is probably just a matter of money: First, an SSL certificate costs money. Not a lot, but if you host 600+ sites it is still a very decent amount of money. Second, SSL requires significantly more CPU capacity to perform the encryption, so it might be necessary to upgrade the servers. Since companies like VS typically operate on a shoestring - most, if not all of their income is off advertising - they might not want to go through that expense unless absolutely necessary. (Having said that, if they would only do the login process over HTTPS, and the rest of the site over HTTP, then the CPU impact would be negligible. So they would only have the added expense of the SSL certificates. But it would be a significant improvement in security.)

Whatever the backend system is doesn't really matter. It's not the backend forum software that is going to perform the encryption. But yes, there are several backends to choose from, if you want to operate a forum. And migrating from one to the other is typically not easy. Likewise, the operating system also doesn't matter: Any modern OS will do. (FWIW, it looks like VS is running Linux and Apache, at least on For Suzuki V-Strom Enthusiasts.)

Second, without the help of VS - which they're unlikely to give, given their marketing model - you would not be able to gain access to the forum database so you can't move the posts over to a different backend/server. You also would not be able to gain access to the user database to inform all users that the forum has changed. And since VS holds the registration to the stromtrooper.com name you also need their support if you want to move the stromtrooper.com domain to a new server. So moving stromtrooper.com as such away from VS will be impossible without their help and consent.

The only way to make a statement to VS is if the users of all their forums (not just this one) would be migrating en-masse to a competing forum provider. That would hurt their bottom line (less advertising income) and that is probably something that would get the attention of the CEO/CTO. Unfortunately the competing forums that I checked (VSRI, v-strom.nl and a few others) all suffer from the same problem: No HTTPS, not even for their login page.

The only other options I see that would cause VS to move to HTTPS is some sort of consumer action/exposure, possibly by some sort of consumer privacy/security organisation, or a lawsuit by somebody who had his password stolen/intercepted, suffered some kind of identity theft, and sues VS for negligence.

But I don't have a lot of hope that that's going to happen anytime soon...
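The "SSL offload proxy in front of the existing forum" option described above is the least invasive fix: the forum software keeps speaking plain HTTP on a local port while a reverse proxy terminates TLS and redirects every http:// request to https://. The configuration below is an added illustration of that layout, not VerticalScope's or the forum software's own configuration; the hostname, certificate paths and backend address are placeholders.

```nginx
# Hypothetical TLS-terminating reverse proxy in front of an unchanged, HTTP-only forum backend.
# forum.example.com, the certificate paths and 127.0.0.1:8080 are placeholders.

server {
    listen 80;
    server_name forum.example.com;
    # Never serve or accept the login form over plain HTTP: redirect everything to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name forum.example.com;

    ssl_certificate     /etc/ssl/certs/forum.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/forum.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # HSTS: once a browser has seen this, it will not try http:// for this host again.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The existing forum application, still plain HTTP, reachable only on the local host.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        # Lets the application know the client connection was HTTPS, so it emits https:// links
        # and can set its session cookie with the Secure flag.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Two caveats go with this layout: the hop from the proxy to the backend is still cleartext, so the backend must sit on the same host or on a network nobody untrusted can observe; and the application has to honour X-Forwarded-Proto, otherwise it will keep generating http:// links and plain session cookies and quietly undo the proxy's work.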
 

Registered · 279 Posts
Site doesn't use https. Simple solution for all users is to use a PW you do not use anywhere else. There is no sensitive data on here that would call for PCI compliance so I'm OK with it. Who cares if someone hacks my stromtrooper account.... wait, that post wasn't written by me! :)
 

Registered · 268 Posts
"Simple solution for all users is to use a PW you do not use anywhere else"

Really, I believe that is a best practice no matter what security your website has, and it seems like it solves the problem without the administrator having to do anything.

I am not just saying this to be a smart ass. Or more correctly only to be a smart ass. I would be interested in someone smarter than me explaining what is at risk with an unsecured site if you segregate the password and do not put sensitive information on the site.

I have got to stop using my social security number followed by my date of birth and mom's maiden name as a password.
 

Registered · 451 Posts
I would be interested in someone smarter than me explaining what is at risk with an unsecured site if you segregate the password and do not put sensitive information on the site.
You are quite correct. If you use a truly unique password for each and every site on the internet, then the worst that can happen if somebody intercepts the password, is that they login as you. That gives them access to anything you've got stored on the site (including PMs, which may contain sensitive information) and gives them the ability to pose as you (which may ruin your reputation). If you're not too worried about those two issues then, indeed, you don't have a lot to worry about.

Also, I quickly looked at the payment section of the site, which you need to access if you want to become a "premium" member. As far as I can see, that is all handed off to PayPal, which has a solid reputation as far as security is concerned. So you should not need to worry about hackers being able to access your bank or credit card details - VB doesn't see or handle these.

However, two things:

Most people reuse their passwords. And I have to admit I'm one of those. I've got a set of passwords that range from not very secure but short and easy, to passwords that are longer and more secure. Especially the short & easy passwords are reused a lot, for non-sensitive sites like this one. Unique passwords for each and every site would be a nightmare, since I would need more than a hundred passwords for various sites and places, both for work and private. Having a password manager inside the browser helps, but there are other places that I need access to that do not work via a browser, and that only allow password authentication. Comes with the job I guess.

Some people have suggested a system where you can create unique passwords from a sort of master password. So if my master password is "secret", the password for stromtrooper.com would be "secret#st". In case of a password intercept, how hard would it be for the hacker to guess that your Facebook password might be "secret#fb"??? So I do not recommend this. Instead, you should create a truly unique password for each and every site.

And the second thing is that the mods and the admin of this site also use the same, unprotected HTTP interface to login to the site. Obviously those people have a lot more power, so if a hacker intercepts their passwords, a lot more damage can be done. Including divulging sensitive information about/from other users, or even destroying the reputation of the whole site.

But what strikes me most is that we're having this discussion in 2017. Around 2010 or so we finally had all the tools, mechanisms, algorithms and knowledge in place to properly secure websites wholesale with HTTPS, and perform other tasks that significantly improve security. Since then we've seen a huge increase in identity theft, ransomware deployment, Wikileaks leaks and other forms of criminal activity on the internet. We have the tools and the knowledge to easily prevent such things from happening, and yet we don't care enough to deploy those tools. I know stromtrooper.com doesn't hold as much sensitive information as, say, Hillary Clinton's e-mail server. But is that really an excuse to leave it like this?
 

Administrator · 1,128 Posts
Hey there

Backpacker - amazing, informative posts. I hope people take the time to read through them and understand. Thank you for taking the time to share your knowledge.

We don't have any of your banking information stored here. We never see that. Ever. It's all handled through Paypal, as noted above.

SSL/HTTPS is in the works, as Kevin mentioned. Tech is in the final stages now - this is something that was started last year with the breach (for the record, it was not our database, but that of a third party vendor). It does take a while to get everything sorted out to be deployed across nearly 1000 sites and not break everything. Tech is aiming for this to be active in the next few months.

There is no need to go to drastic measures to get our attention on this matter :) Our CEO and CTO have long been discussing this. The warnings you're seeing on your browsers are just 'phase 2' in the push for all sites to move to SSL/HTTPS and we are doing just that.

As per your second point in the post above, access to the sensitive information that mods and admins would have does have its own set of additional security measures. A forum login will only get you so far here.

And as always, not re-using your passwords across multiple platforms is definitely good practice although tedious. As mentioned, more and more attacks and stolen data are being reported every day; do what you can to protect yourself.

Dayle
 

Registered · 451 Posts
Dayle, excellent news. I can certainly imagine the challenges associated with getting SSL up and running for about a thousand virtual domains, and that it isn't something that can be implemented overnight. Nevertheless, the sooner the better...

Good luck with the implementation!
 

Registered · 451 Posts
SSL/HTTPS is in the works, as Kevin mentioned. Tech is in the final stages now - this is something that was started last year with the breach (for the record, it was not our database, but that of a third party vendor). It does take a while to get everything sorted out to be deployed across nearly 1000 sites and not break everything. Tech is aiming for this to be active in the next few months.
Dayle, two months since your post above. Any progress to report?
 

Registered · 451 Posts
Another, what, eight months, without progress?

Starting about July 2018, Google Chrome will even more prominently display a "Not Secure" icon for this site. And rightfully so: Even the login process itself is still using (unencrypted) http instead of (encrypted) https. This wasn't acceptable in 2010, and is definitely not acceptable in 2018.

https://www.thesslstore.com/blog/deadline-install-ssl-certificate-google-marks-not-secure/

In the meantime, let me repeat the advice to all users of this forum that I gave almost 10 months ago:

Make sure that the password you use here is NOT used anywhere else. The easiest way to achieve that is to logout and then follow the steps as if you had lost your password. The site will then generate a new, random password for you and mail it. Use that and don't change it.
 

Super Moderator · 16,877 Posts
Another, what, eight months, without progress?

Starting about July 2018, Google Chrome will even more prominently display a "Not Secure" icon for this site. And rightfully so: Even the login process itself is still using (unencrypted) http instead of (encrypted) https. This wasn't acceptable in 2010, and is definitely not acceptable in 2018.

https://www.thesslstore.com/blog/deadline-install-ssl-certificate-google-marks-not-secure/

In the meantime, let me repeat the advice to all users of this forum that I gave almost 10 months ago:
I would imagine that all of the MANY forums that VerticalScope runs aren't secure either?

Edit: I just checked another moto forum that I frequent, and it is secure.........so WTF isn't this forum secure?
 

Super Moderator · 16,877 Posts
Looks like neither ADVrider or the goldwing forums are secure either, appears they are run by verticalscope.
 

Registered · 466 Posts
Looks like neither ADVrider or the goldwing forums are secure either, appears they are run by verticalscope.
I'm not arguing any of this cause the tech stuff is over my head - but I did recall this post and was able to find it. Unless it's changed since Dec 2017, I was led to believe that ADVRider was specifically not sold to VerticalScope. Again not trying to argue, I really appreciate the time and effort Big B and the others put in on this site.

"For quite a few years, companies that buy forums such as VerticalScope would reach out and ask if I was ready to sell ADVrider. I was only into ADVrider for my irrational love of riding and the community, so I always passed on selling. I was lucky, I worked at SmugMug and they were willing to cover most of the costs of hosting, and donations paid for the rest. I simply didn't have time to worry about ads, subscriptions, licensing the name, yada.
@rudy1220 & I had gotten to know each other over the years, and he had good experience with other communities. We gradually became friends and business partners and I could see that he knows far more than I about supporting a community through ads, subscriptions to opt out of the ads, etc.
So instead of selling ADVrider to someone big like VerticalScope and riding off in the sunset, David and I became partners in both ADVrider and Cake, the company I had been working on for a couple of years. "

Pretty big change to ADVrider coming | Page 29 | Adventure Rider
 