SoylentNews is people
SoylentNews
The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.
"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."
Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what's known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted. Ars has contacted the site operator for comment on the claims, but currently Ars can't confirm them. The site, http://www.oilandgasinternational.com, was displaying content as it did earlier at the time this post was being updated.
As a member of the Mozilla developer team pointed out in reply to the complaint, both Firefox and Chrome routinely issue warnings whenever users encounter a login page that's not protected by HTTPS encryption. The warnings became standard earlier this year.
The site in question appears to be completely offline at this time.
Source: ArsTechnica
(Score: 4, Informative) by Zyx Abacab on Wednesday March 22 2017, @07:23AM (1 child)
Editors routinely change authors' text without consent, or with forced consent. This sometimes leads to errors and false information. Are books insufficient in conveying linguistic messages?
HTTP works perfectly well for its original purpose: transferring static hypertext documents, as well as a limited set of auxiliary documents, from server to heterogeneous clients.
The problem, if any, is that people keep using HTTP for stuff it can't do well; like authentication across an insecure network, or transferring sensitive information.
And just because the solutions to those particular problems lie above, or below, HTTP doesn't mean that HTTP itself sucks—it just means that those particular solutions have been implemented on another layer.
(Score: 0) by Anonymous Coward on Wednesday March 22 2017, @03:11PM
Blame commercialization of the Internet.
When it was mostly LANs with interconnects between numerous trusted administrative domains, and not "foreign" entities, user IDs and passwords were privacy locks, not security locks. A bad apple anywhere can ruin apples when placed amongst good ones--jerks could still mess that up, but scientific communities had more jerk egos than jerk trolls looking to cause issues.
It isn't true, but I blame AOL for it. At least dial-up was reasonable security. wire-tapped modem traffic recorded and played back later for review was not as easily deciphered as modern technology is.