No Encrypted Login On Hak5.org?


kahhak

HAK5 SSL  

4 members have voted

  1. Should HAK5 implement SSL?

    • Yes, for the entire forum site
      3
    • Yes, but only for login (SSL wouldn't be enabled for cookies)
      1
    • No
      0
  2. Would an SSL requirement on HAK5 limit your access in any way?

    • Yes, on all devices
      0
    • Yes, but only on my mobile phone
      1
    • No
      3
  3. What are some valid reasons not to implement SSL?

    • Certificate Cost (annually as low as $30USD, maybe less)
      1
    • Performance Impact (on this shared hosting provider's box)
      2
    • Implementation difficulty
      1
    • Ad serving difficulties
      1
    • With tools like SSLStrip existing, there's no point in using SSL
      0
    • Some phones apparently might not be able to use SSL sites
      1
    • It doesn't look good if a security site implements basic good security policies
      0
    • Other (please post)
      0
    • I can't think of any valid reason
      2


What is especially depressing is that a few years ago the site was hacked and users' passwords were released. Looking at the username/password combinations that were released, they were obviously grabbed by a packet sniffer and not obtained from cracking the hashes from the database. At that point you would have thought that upgrading to SSL would have been a given. Then at least you are making them work to get the passwords :)


Complex passwords aren't really that hard with tools like oclhashcat. GPU power for the win.

Yes there are some pretty cool tools that can crack password hashes quickly for certain levels of complexity, but that is no reason to continue passing passwords around in plain text.


It's a shame that the Hak5 website doesn't have SSL, when other popular websites such as Twitter and Facebook already have it by default.


Full site SSL would help to stop sidejacking, and that would be great. Full site SSL generally increases processor usage and usually screws up 3rd party ads. I can understand Darren's reluctance to implement that (though I encourage him to reconsider).

However, I can't think of a good excuse not to have SSL at least for the login script. I've emailed Darren and Shannon about this a couple times, but didn't get a reply.

int - I think it's time for you to continually tug on Darren's ear until he gets SSL login set up.

This makes me concerned in general. Are passwords encrypted in the backend? Salted?


int - I think it's time for you to continually tug on Darren's ear until he gets SSL login set up.

This makes me concerned in general. Are passwords encrypted in the backend? Salted?

I'll be out in SF soon so will talk to him then. I'm not sure how the IPBoard software stores passwords; but yes, one would hope it's at least random salts + something from the SHA family; if not also multiple iterations, which really cost nothing in CPU time.


It's a hacker forum. By default, you should be using a trash password that you don't use anywhere else. SSL is an obstacle but one that could be easily removed if an attacker gained root. In order to sniff passwords in the clear from the web server, they would already have to have gained access. Any compromise of the site and forum software means salts do you no good, since you could just pull the salt value from the forum config files, dump the hashes from the database, and crack them offline, like mentioned above with GPU cracking/oclhashcat, etc. It's preventing attacks in the first place that is the hard part. No amount of encryption or salted passwords can prevent decryption if the server itself is compromised.


No amount of encryption or salted passwords can prevent decryption if the server itself is compromised.

True, but SSL (provided you always use SSL for connecting to the site) can help reduce the risk of a number of other forms of attack where the attacker is on your local network and doesn't control the server.


True, but SSL (provided you always use SSL for connecting to the site) can help reduce the risk of a number of other forms of attack where the attacker is on your local network and doesn't control the server.

If the attacker is on YOUR local network, you got bigger fish to fry than them sniffing your forum password. I'm all for reducing risk, and yes, SSL would be nice, but if the attack was from your home network, they could use SSL strip, DNS poison/clone sites or worse, compromise your machine itself and just install a keylogger.

If you connect to Hak5 from outside your home, use a VPN or SSH Tunnel.


It's a hacker forum. By default, you should be using a trash password that you don't use anywhere else

^^^^^^This^^^^^^. Seriously, what is the worst thing that can happen if your beloved Hak5 forum password is compromised? Let's all take a deep breath and remember to consider the value of the asset we are protecting rather than bearing pitchforks. OMFG!!1!1!11! Someone posing as hexophrenic posted some sh!t on the Hak5 forum about digip. Really?

All that being said, SSL for login pages and posts really should not be that difficult and should be the default whenever possible.


Sorry about starting this long thread - it was more to point out the irony in preaching security, but not practicing it. Why not make the site as secure as it reasonably can be?

I use the same password here as I do on my luggage. It's unguessable, someone would have to try all 1000 combinations of the 3 digits to get in.


If the attacker is on YOUR local network, you got bigger fish to fry than them sniffing your forum password. I'm all for reducing risk, and yes, SSL would be nice, but if the attack was from your home network, they could use SSL strip, DNS poison/clone sites or worse, compromise your machine itself and just install a keylogger.

The more advanced attacks like SSL strip are very good reasons why whole sites should be available via https. As long as you explicitly visit the https version then you will either get a secure connection, a warning about an invalid certificate or no connection at all.

So if a https version of a site is available then bookmark that one and use that.


  • 2 weeks later...

That would cause problems, you're suggesting to close port 80 and just use SSL via 443; some phone providers, etc. do not allow access to ports, sadly some also include 443, meaning the site would be inaccessible.

I think what he means is that Hak5 can still use port 80 for normal browsing of the site/forums, but only use SSL for sensitive information such as when logging into your account, so your password doesn't get sent in clear text.

Edited by Infiltrator

Locking your front door is largely ineffective for stopping an intruder, but does that mean that we shouldn't lock our doors? Combination locks can be picked really easily, but does that mean that we should yell out the combination every time we unlock our own combo locks?

Come on guys, let's not pretend that it's ok that a website has clear text authentication, especially a site dedicated to these types of topics.

Any mobile phone service carrier that blocks SSL/443 traffic is crazy. What phones/providers do this? None of the major carriers that I know of here in the US are blocking 443.

I'm disappointed that Darren hasn't chimed in on this. I'm going to assume that he's too crazy happy about the Pineapple MK4 to bother with this. Darren: I'll trade you an annual SSL certificate for the MK4...


Interesting concept - I can't say that I'd heard of it before. Isn't HSTS just SSL, but with theoretically better enforcement? With HSTS, SSL Strip wouldn't work, and return visitors should be alerted IF their browser remembers the visit and some sort of other stripping method is used. It would still break ads. It would still be a problem for mobile users who (apparently) can't use port 443.

Baby steps, let's get SSL enabled first....

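The two positions argued in this thread, HTTPS for the login only versus HTTPS for the whole site with HSTS, can be checked mechanically. This added example (not code from the thread or from the forum software) flags password forms that post in cleartext, forms that post to HTTPS from a page served over HTTP, which is the case a stripping proxy can rewrite, and HTTPS pages with no usable HSTS header. The URL, the page and the finding labels are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login form served over plain HTTP that posts to HTTPS.
SAMPLE_URL = "http://forum.example/index.php"
SAMPLE_HTML = """<form action="https://forum.example/login" method="post">
<input name="user"><input type="password" name="pass"></form>"""

class LoginForms(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.actions, self._action, self._has_pw = [], None, False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action, self._has_pw = attrs.get("action") or "", False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self._has_pw = self._action is not None

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_pw:
                self.actions.append(self._action)
            self._action = None

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent or invalid."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security", "")
    for directive in value.split(";"):
        key, _, arg = directive.strip().partition("=")
        if key.lower() == "max-age" and arg.strip('"').isdecimal():
            return int(arg.strip('"'))
    return None

def audit_login(page_url, headers, html):
    """Return findings (labels made up for this example) on how credentials travel."""
    findings, parser = [], LoginForms()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    for target in (urljoin(page_url, a) for a in parser.actions):
        if urlsplit(target).scheme != "https":
            findings.append("cleartext-post:" + target)
        elif not page_https:  # form itself arrived unprotected and can be rewritten
            findings.append("http-page-https-post:" + target)
    if page_https and not hsts_max_age(headers):  # missing, invalid or max-age=0
        findings.append("no-hsts")
    return findings
```

`audit_login(SAMPLE_URL, {}, SAMPLE_HTML)` reports the login-only-SSL layout as `http-page-https-post`, because the form that names the HTTPS target is itself delivered without protection.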
