

posted by on Wednesday March 22 2017, @05:14AM
from the bad-sysadmin,-no-biscuit dept.

The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.

"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."

Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what's known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted. Ars has contacted the site operator for comment on the claims, but currently Ars can't confirm them. The site, http://www.oilandgasinternational.com, was displaying content as it did earlier at the time this post was being updated.

As a member of the Mozilla developer team pointed out in reply to the complaint, both Firefox and Chrome routinely issue warnings whenever users encounter a login page that's not protected by HTTPS encryption. The warnings became standard earlier this year.

The site in question appears to be completely offline at this time.

Source: ArsTechnica

  • (Score: 1) by Soylentbob on Wednesday March 22 2017, @06:43AM (10 children)

    by Soylentbob (6519) on Wednesday March 22 2017, @06:43AM (#482576)

    The only security I use is webknocking

    Yes, I think soylentnews is using something similar. To get any content, or, more fundamentally, any connection at all, you first have to knock using a so-called "syn"-request.

  • (Score: 0) by Anonymous Coward on Wednesday March 22 2017, @07:10AM (9 children)

    by Anonymous Coward on Wednesday March 22 2017, @07:10AM (#482581)

    That's port knocking, numbskull. Web knocking is where you request a certain secret 404 page and quietly get admin access granted without a password.

    • (Score: 2, Informative) by Soylentbob on Wednesday March 22 2017, @07:26AM (8 children)

      by Soylentbob (6519) on Wednesday March 22 2017, @07:26AM (#482586)

      Your irony detector is broken. And either mine is damaged as well or you actually think that security by obscurity is a good idea. (With HTTPS, the URL would still be in browser history etc.)

      • (Score: 2, Touché) by Anonymous Coward on Wednesday March 22 2017, @07:56AM (6 children)

        by Anonymous Coward on Wednesday March 22 2017, @07:56AM (#482593)

        You mock security through obscurity yet HTTPS provides security only for as long as a secret key remains obscured.

        • (Score: 0) by Anonymous Coward on Wednesday March 22 2017, @09:52AM

          by Anonymous Coward on Wednesday March 22 2017, @09:52AM (#482629)

          Actually, the path of that secret 404 page could indeed be considered a password, as it is doubtless easy to change it. Of course it still is a bad idea because the "password" will likely end up in your browser history (and your browser might "helpfully" provide it to a number of anti-phishing sites as well).

        • (Score: 1) by Soylentbob on Wednesday March 22 2017, @10:37AM (3 children)

          by Soylentbob (6519) on Wednesday March 22 2017, @10:37AM (#482635)

          Actually I was thinking as well about the question of whether the URL could be considered as safe as a password. As the AC above already mentioned, there are some reasons why it might not be comparable. (I already mentioned the browser history as a potential problem in my previous post.) On top of his arguments, the secret URL is only valid in case it is used together with HTTPS (afaik everything but the domain name is encrypted in HTTPS, also the remainder of the URL). In HTTP, the full URL including the secret part would be transferred unencrypted.

          • (Score: 0) by Anonymous Coward on Wednesday March 22 2017, @11:32AM (2 children)

            by Anonymous Coward on Wednesday March 22 2017, @11:32AM (#482654)

            Of course, in HTTP, the password in your POST form would also be transferred unencrypted, so this is no difference.

            BTW, how are passwords from .htaccess (how passwords were originally meant to be implemented) transmitted when using HTTP?

            • (Score: 1) by Soylentbob on Wednesday March 22 2017, @11:42AM (1 child)

              by Soylentbob (6519) on Wednesday March 22 2017, @11:42AM (#482658)

              Of course, in HTTP, the password in your POST form would also be transferred unencrypted, so this is no difference.

              The difference is still the entry in the browser history, which might be accessible to malicious Java scripts or plugins.

              BTW, how are passwords from .htaccess (how passwords were originally meant to be implemented) transmitted when using HTTP?

              Seems to be [stackoverflow.com] plain-text when not using https.

              • (Score: 0) by Anonymous Coward on Wednesday March 22 2017, @01:42PM

                by Anonymous Coward on Wednesday March 22 2017, @01:42PM (#482697)

                Helpfully (not), as that link mentions, every modern browser supports HTTP Digest Authentication [wikipedia.org], which actually is a well designed password authentication scheme (it does use MD5; I'm unsure if there is a security problem with that now), but no browser UI I'm aware of has ever distinguished between the secure digest auth method and the "send the password in plaintext" method (which isn't entirely stupid if the connection is HTTPS), pretty much completely nullifying the security of digest auth. The "modern browser" part where IE6 doesn't support it is what killed it years ago.
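The contrast this sub-thread draws between .htaccess Basic auth and Digest auth, shown as an added example (not code from the page or from any site it discusses): a Basic header captured on plain HTTP yields the password with one base64 decode, whereas a Digest response is an MD5 hash bound to the method and URI that the server can verify from a stored HA1 without ever seeing the password on the wire. The request, realm, nonce and the credentials dgeorge/s3cret are constructed for this example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample request, as it would travel unencrypted over plain HTTP.
# "dgeorge" / "s3cret" are hypothetical credentials made up for this example.
BASIC_REQUEST = (
    "GET /members/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Authorization: Basic ZGdlb3JnZTpzM2NyZXQ=\r\n"
    "\r\n"
)


def parse_basic(request: str):
    """Return (user, password) from a Basic header: it is base64, not encryption."""
    m = re.search(r"^Authorization: Basic (\S+)", request, re.M)
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); the server may store this instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 response with qop=auth: only this hash is sent over the wire."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server-side check against the stored HA1 for the request actually made."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

Digest still depends on the server issuing a fresh nonce per challenge to resist replay, and it protects nothing but the credential, which is why the Firefox warning in the article is about HTTPS rather than the auth scheme.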

        • (Score: 2) by tangomargarine on Wednesday March 22 2017, @03:49PM

          by tangomargarine (667) on Wednesday March 22 2017, @03:49PM (#482784)

          By that logic, all security is security through obscurity if it relies on select people knowing how to unlock the system. I guess securing something such that *nobody* can access it would fall outside that definition.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by HiThere on Thursday March 23 2017, @12:04AM

        by HiThere (866) on Thursday March 23 2017, @12:04AM (#482999)

        Security by obscurity is a valid way to buy time while trying to come up with something better. But try to be really obscure, like the factors of a large prime number or something.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.