Official Everybody Edits Forums

Do you think I could just leave this part blank and it'd be okay? We're just going to replace the whole thing with a header image anyway, right?

You are not logged in.

#1 2015-07-07 23:14:59

Hexagon
Member
Joined: 2015-04-22
Posts: 1,213

Security in EE (i.e sending password in plaintext)

Recently there has been a phising attack against several members of the EE community, conducted by Zoey2070 as a social experiment. Many users have been giving out their passwords to Zoey, as many comply to the false authority. Passwords are easy to bribe from users.

However, when I log into EE using the official login box, it's sent over http (plaintext.) This allows anyone intercepting their internet connection to get their username, email and password extremely easily.

My question is: why are we not taking appropriate measures to secure the credentials that get sent over the wire? ~95% of users use everybodyedits.com to login, and are susceptible to MITM attacks.

Offline

#2 2015-07-08 03:05:40

Onjit
Member
Joined: 2015-02-15
Posts: 9,709
Website

Re: Security in EE (i.e sending password in plaintext)

If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.


:.|:;

Offline

Wooted by:

#3 2015-07-08 03:41:57

mrjawapa
Corn Man 🌽
From: Ohio, USA
Joined: 2015-02-15
Posts: 5,840
Website

Re: Security in EE (i.e sending password in plaintext)

Onjit wrote:

If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.

This.

If they're hacking a particular person's internet... they have a lot of issues.


Discord: jawp#5123

Offline

Wooted by:

#4 2015-07-08 03:50:10

ZeldaXD
EE Homeboy
From: Cyprus
Joined: 2015-02-15
Posts: 1,539
Website

Re: Security in EE (i.e sending password in plaintext)

JaWapa wrote:
Onjit wrote:

If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.

This.

If they're hacking a particular person's internet... they have a lot of issues.

What if they were attacking an Administrator?


gLjTZE1.png

Offline

#5 2015-07-08 09:28:44, last edited by Mylo (2015-07-08 09:31:57)

Mylo
Master Developer
From: Drama
Joined: 2015-02-15
Posts: 829

Re: Security in EE (i.e sending password in plaintext)

What if someone actually uses the same password over and over in multiple sites? You know, these passwords can actually unlock the PayPal account of some people.

Please don't take it that easy.
/mobile

Offline

#6 2015-07-08 09:50:42

RavaTroll
Member
From: France
Joined: 2015-02-16
Posts: 820

Re: Security in EE (i.e sending password in plaintext)

JaWapa wrote:
Onjit wrote:

If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.

This.

If they're hacking a particular person's internet... they have a lot of issues.

The issue is still there though, it should be fixed in the next major update.


SNTDcGF.png Trolls be in da place, mon ! SNTDcGF.png

Offline

Wooted by: (2)

#7 2015-07-08 14:17:14

Processor
Member
Joined: 2015-02-15
Posts: 2,246

Re: Security in EE (i.e sending password in plaintext)

PlayerIO's Sitebox (which is the technology we are using for hosting the website) does not properly support HTTPS. We could make the transmission of passwords secure, but the flash game itself can be replaced at any time. (because it is transmitted over HTTP)

I'll look up the sources in a bit.

Also: forums.everybodyedits.com is available over https. How many of those who complained in this topic were smart enough to use it?

EDIT:
This for example: https://gamesnet.yahoo.net/forum/viewto … 31ca4c63f3


I have never thought of programming for reputation and honor. What I have in my heart must come out. That is the reason why I code.

Offline

Wooted by: (2)

#8 2015-07-08 16:21:14

Creature
Member
From: The Dark Web
Joined: 2015-02-15
Posts: 9,658

Re: Security in EE (i.e sending password in plaintext)

Only newbies will give their password, and who would want a poor account?


This is a false statement.

Offline

#9 2015-07-08 18:22:24

Mylo
Master Developer
From: Drama
Joined: 2015-02-15
Posts: 829

Re: Security in EE (i.e sending password in plaintext)

OT: Maybe auto redirect to https://forums.everybodyedits.com, if this would be possible?

Offline

Wooted by:

#10 2015-07-08 21:00:00

Different55
Forum Admin
Joined: 2015-02-07
Posts: 16,575

Re: Security in EE (i.e sending password in plaintext)

Mylo wrote:

OT: Maybe auto redirect to https://forums.everybodyedits.com, if this would be possible?

The thing is that our HTTPS isn't real HTTPS. Your connection to cloudflare's servers may be encrypted, but cloudflare's connection to our server is not.


"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto

Offline

#11 2015-07-09 10:36:04

Processor
Member
Joined: 2015-02-15
Posts: 2,246

Re: Security in EE (i.e sending password in plaintext)

Mylo wrote:

OT: Maybe auto redirect to https://forums.everybodyedits.com, if this would be possible?

The issue is the incompatibility with many browsers. IE will show you 15567 warnings because images contained in signatures are not using HTTPS. So we prefer to keep the website on http, users concerned with privacy may use plugins like HTTPS Everywhere.


Plus: what Different said, but we could buy a cert should enough people show interest in using https.


I have never thought of programming for reputation and honor. What I have in my heart must come out. That is the reason why I code.

Offline

Wooted by:

#12 2015-07-09 14:08:46

Joshua708
Member
From: everybodyedits.com
Joined: 2015-03-04
Posts: 153

Re: Security in EE (i.e sending password in plaintext)

JaWapa wrote:
Onjit wrote:

If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.

This.

If they're hacking a particular person's internet... they have a lot of issues.

Or you could use a proxy and make it harder to get into the internet. There's one I heard that cost 5 dollars a month. Transmitting the data using ssh or https would be much more secure, but sadly, PlayerIO dosent support that. //forums.everybodyedits.com/img/smilies/neutral And yes onjit, i agree, It's just a flash game, not a bank account, Now lets get into details about how EE could be more secure in their login system, #1 Transmitting encrypted data, #2 Making 2-factor authentication so that you need to enter a code (if you put that on your account.), Thats about the only things you can do with http, making your own encrypted data and 2 factor authentication. Hope you liked the suggestions

written by:
-~The smart system32~-


Hey look a bunch of stats about me
browser-chrome-blue.svg visual%20studio-community%202017-7D3BC4.svg windows-10-brightgreen.svg download-70%20mbps-blue.svg upload-10%20mbps-blue.svg

ram-16%20gb-green.svg Processor-Intel%20i5--5200U-green.svg Graphics-Intel%20HD%20Graphics%205500-green.svg



kyK5VkB.png

Offline

#13 2015-07-09 14:45:29, last edited by Zumza (2015-07-09 14:46:52)

Zumza
Member
From: root
Joined: 2015-02-17
Posts: 4,656

Re: Security in EE (i.e sending password in plaintext)

@Hexagon have suggest to encrypt the login system.

Steps:
1. All clients will enter a 'service room' for authentication like http://pastebin.com/QDzmb3qM
2. Send encrypted data, doesn't even need to be complicated, just a Diffie-Hellman Key Exchange

And well be lot of benefits from this. And this adaption wouldn't be hard.


Everybody edits, but some edit more than others

Offline

#14 2015-07-09 15:19:47

goeyfun
Member
From: Mighty Japan
Joined: 2015-02-18
Posts: 667

Re: Security in EE (i.e sending password in plaintext)

3. Also do some back-end work to stop ppl from trading accounts


Ug3JzgO.png

Offline

#15 2015-07-09 18:51:35

eeisold
Member
Joined: 2015-06-14
Posts: 202

Re: Security in EE (i.e sending password in plaintext)

Zumza wrote:

@Hexagon have suggest to encrypt the login system.

Steps:
1. All clients will enter a 'service room' for authentication like http://pastebin.com/QDzmb3qM
2. Send encrypted data, doesn't even need to be complicated, just a Diffie-Hellman Key Exchange

And well be lot of benefits from this. And this adaption wouldn't be hard.

I don't know a whole lot about encryption. Certainly. But I AM gullible. So, when I see this explanation regarding javascript encryption, I figure it applies rather closely.
StackOverflow thread
So, with the argument that " it is impossible for a JavaScript client to verify that the server's key is authentic." -- is there a way for Flash to do so? I don't think so. (Again, I'm not an AS3 programmer, either). Is it possible for creative developers to re-write the flash library to allow for https connections? Is that 'voiding the warranty'? Do the developers care enough?

A post on the PlayerIO Forums explains how to use external authentication securely. I'm not for sure if this actually solves the problem of flash using a secure tunnel, but it's here for consideration. (Of course, moving the database would require some transition time for users)

Offline

Wooted by:
eeisold1436464295520086

Board footer

Powered by FluxBB

[ Started around 1732694308.0643 - Generated in 0.262 seconds, 13 queries executed - Memory usage: 1.75 MiB (Peak: 1.99 MiB) ]