Do you think I could just leave this part blank and it'd be okay? We're just going to replace the whole thing with a header image anyway, right?
You are not logged in.
Recently there has been a phising attack against several members of the EE community, conducted by Zoey2070 as a social experiment. Many users have been giving out their passwords to Zoey, as many comply to the false authority. Passwords are easy to bribe from users.
However, when I log into EE using the official login box, it's sent over http (plaintext.) This allows anyone intercepting their internet connection to get their username, email and password extremely easily.
My question is: why are we not taking appropriate measures to secure the credentials that get sent over the wire? ~95% of users use everybodyedits.com to login, and are susceptible to MITM attacks.
Offline
If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.
This.
If they're hacking a particular person's internet... they have a lot of issues.
Discord: jawp#5123
Offline
Onjit wrote:If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.
This.
If they're hacking a particular person's internet... they have a lot of issues.
What if they were attacking an Administrator?
Offline
What if someone actually uses the same password over and over in multiple sites? You know, these passwords can actually unlock the PayPal account of some people.
Please don't take it that easy.
/mobile
Offline
Onjit wrote:If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.
This.
If they're hacking a particular person's internet... they have a lot of issues.
The issue is still there though, it should be fixed in the next major update.
Trolls be in da place, mon !
Offline
PlayerIO's Sitebox (which is the technology we are using for hosting the website) does not properly support HTTPS. We could make the transmission of passwords secure, but the flash game itself can be replaced at any time. (because it is transmitted over HTTP)
I'll look up the sources in a bit.
Also: forums.everybodyedits.com is available over https. How many of those who complained in this topic were smart enough to use it?
EDIT:
This for example: https://gamesnet.yahoo.net/forum/viewto … 31ca4c63f3
I have never thought of programming for reputation and honor. What I have in my heart must come out. That is the reason why I code.
Offline
Only newbies will give their password, and who would want a poor account?
This is a false statement.
Offline
OT: Maybe auto redirect to https://forums.everybodyedits.com, if this would be possible?
Offline
OT: Maybe auto redirect to https://forums.everybodyedits.com, if this would be possible?
The thing is that our HTTPS isn't real HTTPS. Your connection to cloudflare's servers may be encrypted, but cloudflare's connection to our server is not.
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
OT: Maybe auto redirect to https://forums.everybodyedits.com, if this would be possible?
The issue is the incompatibility with many browsers. IE will show you 15567 warnings because images contained in signatures are not using HTTPS. So we prefer to keep the website on http, users concerned with privacy may use plugins like HTTPS Everywhere.
Plus: what Different said, but we could buy a cert should enough people show interest in using https.
I have never thought of programming for reputation and honor. What I have in my heart must come out. That is the reason why I code.
Offline
Onjit wrote:If someone is specifically targeting me just to get my account, they've got issues. It's a flash game, not my banking.
This.
If they're hacking a particular person's internet... they have a lot of issues.
Or you could use a proxy and make it harder to get into the internet. There's one I heard that cost 5 dollars a month. Transmitting the data using ssh or https would be much more secure, but sadly, PlayerIO dosent support that. And yes onjit, i agree, It's just a flash game, not a bank account, Now lets get into details about how EE could be more secure in their login system, #1 Transmitting encrypted data, #2 Making 2-factor authentication so that you need to enter a code (if you put that on your account.), Thats about the only things you can do with http, making your own encrypted data and 2 factor authentication. Hope you liked the suggestions
written by:
-~The smart system32~-
Hey look a bunch of stats about me
Offline
@Hexagon have suggest to encrypt the login system.
Steps:
1. All clients will enter a 'service room' for authentication like http://pastebin.com/QDzmb3qM
2. Send encrypted data, doesn't even need to be complicated, just a Diffie-Hellman Key Exchange
And well be lot of benefits from this. And this adaption wouldn't be hard.
Everybody edits, but some edit more than others
Offline
Offline
@Hexagon have suggest to encrypt the login system.
Steps:
1. All clients will enter a 'service room' for authentication like http://pastebin.com/QDzmb3qM
2. Send encrypted data, doesn't even need to be complicated, just a Diffie-Hellman Key ExchangeAnd well be lot of benefits from this. And this adaption wouldn't be hard.
I don't know a whole lot about encryption. Certainly. But I AM gullible. So, when I see this explanation regarding javascript encryption, I figure it applies rather closely.
StackOverflow thread
So, with the argument that " it is impossible for a JavaScript client to verify that the server's key is authentic." -- is there a way for Flash to do so? I don't think so. (Again, I'm not an AS3 programmer, either). Is it possible for creative developers to re-write the flash library to allow for https connections? Is that 'voiding the warranty'? Do the developers care enough?
A post on the PlayerIO Forums explains how to use external authentication securely. I'm not for sure if this actually solves the problem of flash using a secure tunnel, but it's here for consideration. (Of course, moving the database would require some transition time for users)
Those who can't do, teach.
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
It is a well-known fact that those people who must want to rule people are, ipso facto, those least suited to do it... anyone who is capable of getting themselves made President should on no account be allowed to do the job.
I think fish is nice, but then I think that rain is wet, so who am I to judge?
For a moment, nothing happened. Then, after a second or so, nothing continued to happen.
Offline
[ Started around 1732695387.2268 - Generated in 0.318 seconds, 12 queries executed - Memory usage: 1.75 MiB (Peak: 1.99 MiB) ]