
cron

  • Guest
Authentication doesn't mean security
« on: October 26, 2010, 08:32:34 »
FYI, whenever you authenticate to a site (like geocaching.com, for example), you're sending your user's credentials in cleartext and anyone sniffing the network can easily get your password and have fun with your account. In order to protect yourself, you need to use SSL (https if you prefer). Online banking uses this technology to protect their customers.

Unfortunately, some sites will use SSL for the authentication part and switch to normal HTTP right after you are authorized because the load of a . How can the site know you're still the same person accessing the site afterwards? Because it sends your browser a unique cookie. People used to be able to steal these cookies, but it took some more work.

Now, there's a single Firefox add-on that lets you do that in a click of a button (for people on the same network, or open wifi spots). Facebook, Twitter and all others are not more secure than your own network connection.

To defeat this tool and the manual sniffing of your network, you can use another add-on called ForceTLS which you'll configure to force the use of SSL on certain sites.

What is the value of our geocaching.com accounts? Not much, but still... I always wondered why it was not possible to use SSL on that site. I just discovered you can indeed use SSL to connect/log in on the first page, but any links you click on will revert to HTTP (there seems to be a rule on the server side). Using ForceTLS with geocaching.com would probably send you in a looping spiral of death.

Time to put some pressure on Groundspeak so they allow SSL on all the site?

EDIT: submitted a "feedback" report
« Last Edit: October 26, 2010, 08:41:23 by cron »
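An added example (not part of the post, and not Groundspeak's code) of the check a site owner or reviewer would run on the response that comes back after a login over SSL: does the redirect drop to http, and do the session cookies carry the Secure flag so the browser will never send them over plain HTTP? It also looks for the Strict-Transport-Security header, the server-side counterpart of the ForceTLS add-on. The headers and host below are constructed, not captured from any real site.

```python
from typing import List, Set, Tuple

# Constructed sample response, as a server might answer a login POST made
# over https. Hypothetical host and values; nothing captured from a real site.
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 302 Found",
    "Location: http://www.example.test/my/default.aspx",
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: prefs=metric; Path=/",
    "Set-Cookie: authtoken=deadbeef; Path=/; Secure; HttpOnly",
]

# Cookie names that usually carry the logged-in identity (assumed heuristic).
SESSION_NAME_HINTS = ("sess", "auth", "token", "login", "sid")


def parse_set_cookie(value: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie value into the cookie name and its lower-cased attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_login_response(headers: List[str]) -> List[str]:
    """Return one finding per way the session could travel over plain http."""
    findings: List[str] = []
    lowered = [h.lower() for h in headers]
    # Without HSTS the browser follows any http:// link and sends cookies with it.
    if not any(h.startswith("strict-transport-security:") for h in lowered):
        findings.append("no Strict-Transport-Security header; http:// links will be followed")
    for raw in headers:
        field, _, value = raw.partition(":")
        field, value = field.lower(), value.strip()
        if field == "location" and value.lower().startswith("http://"):
            findings.append(f"post-login redirect to plain http: {value}")
        elif field == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
                continue  # preference cookies are not the concern here
            if "secure" not in attrs:
                findings.append(f"session cookie {name} lacks Secure; sent on every http:// request")
            if "httponly" not in attrs:
                findings.append(f"session cookie {name} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for line in audit_login_response(SAMPLE_RESPONSE_HEADERS):
        print(line)
```

On the sample above the audit reports the missing HSTS header, the redirect to http, and the `sessionid` cookie without Secure; the `prefs` cookie is ignored and `authtoken` passes.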

bluelamb03

  • Administrator
  • Big Time Cacher
  • *****
  • Posts: 1636
  • Good hunting everyone!
Re: Authentication doesn't mean security
« Reply #1 on: October 26, 2010, 09:22:41 »
This is a good idea! I'll go and support the 'feedback' ASAP.

I used to think that it wasn't necessary to 'secure' GC.com because who would want to 'hack' my account? What conceivable benefit could anyone get by pretending to be me on a geocaching listing service? But now we've seen 'bots logging 'needs archived' logs on thousands of caches, and disgruntled individuals vandalizing or stealing caches, so it's time to consider all the time and effort we've put into these online personas and take steps to safeguard the site, and our accounts on it, from the malicious bozos out there.

Blue -
Without shared stories we are strangers.
- Sheila Mendonça


cron

  • Guest
Re: Authentication doesn't mean security
« Reply #2 on: October 26, 2010, 09:54:51 »
Darn, I tried using ForceTLS for www.geocaching.com, but it barely works... It will force https://www.geocaching.com if you type http://www.geocaching.com, but almost any links you'll follow will revert back to http... I'm pretty sure Groundspeak are forcing the non-use of SSL on all other pages to avoid the performance hit of SSL. They probably were confident the stealing of cookies wasn't a big concern. Now it is.

graciious

  • Guest
Re: Authentication doesn't mean security
« Reply #3 on: October 26, 2010, 10:00:37 »
I gave you three votes. :)