Security alert!
Heater.
Posts: 21,230
First off I have no idea how this works.
However the following scenario worries me:
1) Find a computer available for public use, in a library or bar or wherever. Running XP in this case.
2) Open the browser, Chrome in this case.
3) Go to forums.parallax.com
4) Log in and do ones forum things.
So far so good but then:
5) Log out of the forum.
6) Close the browser.
7) Log out as a guest user of XP and go home.
Some time later...
8) Open the same Chrome on the same XP on the same machine and go to forums.parallax.com
9) Hit the "sign in" button.
10) Sure enough that form has your user name and password fields filled already. Just click OK and you are logged in.
WTF? That means I can never disconnect myself from that machine. I have tried by changing the password in the sign in box but it does not work.
Now, you might say it is a dumb, stupid thing to log in to anything from a machine you do not trust. Which is true.
However, after some experiments I found that other sites, like raspberrypi.org, do not make it possible for any random stranger to log in as you after you have left.
Comments
Let's not jump to any conclusions until we understand exactly what you did or didn't do, OK?
I only noticed this phenomenon because I always try to log out of everything before leaving such a public terminal. But in this case I see the damn thing still knows me days later. So today I started to experiment with it.
I tried to ensure that I was logged out of the forum, closed the browser and logged out of XP before getting back into XP as guest and revisiting forums.parallax.com
Sure enough when I hit "sign in" there is my user name and password ready to go.
Certainly the browser has a "remember me" check box, which I made sure was unchecked. Why would I ever check such an option in a public place?
For sure the browser, or something, is remembering my login information. Surprisingly if I enter a wrong password login fails and it reprompts with the correct password!
No I am not using any third-party password management app.
I will play with this some more, another day, when I get back to that machine.
As it stands there is an XP machine out there that any random person can use to log in as me to the forum!
There surely must be settings options related to cache and security- where you can remove history and pre-stored usernames/passwords.
Without naming names, the 3 (most popular?) browsers I have here all have such facility.
Might help get you cleaned up whilst Jim figures out if something else is possible.
What surprises me is that forums.parallax.com will let anyone in but raspberrypi.org will not.
It is the way Chrome is written and the way the Forum software interacts with it. I can tell you that since the new site spun up I've not had to sign back in.
Now did you remember to sign out on the public one? It's possible that since Chrome expects Google e-mail addresses, such as mine, this whole business is linked to your Google persona.
Although this doesn't address why Raspberry Pi's forum works much like those birds at Arduino.....
-Phil
Yes, as I said above I played with this a bit and tried to ensure I was signed out of everything.
The odd thing for me is that all the login details are there in the defaults of the sign in box for this forum but not others, like raspberrypi.org.
@ ?? Yep, good idea. As I said, offering up your credentials to a public machine is a bad idea. But hey, those creds of mine are no use anywhere else and I'm sure any stranger posting as me here would soon be found out.
My concern here is that the browser is caching or actively storing account information. These features "should be" disabled on public machines but that is not always the case. If nothing else, it's a great social engineering device for dark hats.
Of course there is no point in worrying about any security while the site is delivered over plain-text HTTP.
Keeping an eye on the "clear history" button,
OR even better.... starting a "Private Browsing Session" before logging into membership sites, seems to be one solution.
Ctrl+Shift+P seems to do that on Firefox. Chrome will no-doubt have some similar function.
Short answer, HTTPS is the only way to do it.
You could, of course, write some JavaScript that will do some encryption and send your data encrypted. But why do you trust the JavaScript code itself? Without HTTPS, the JavaScript that runs on the client side browser can be intercepted and modified to do whatever an attacker wants.
The solution is to set up HTTPS. It's not at all difficult since you can just set up a proxy (NGINX, HAProxy) as an SSL termination, and just pass the decrypted requests on to your VPN and servers.
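The proxy-in-front arrangement described in the post above, as an added example that is not part of the original thread and is not Parallax's actual configuration: NGINX terminates TLS and forwards plain HTTP to the forum application on a private address. The hostname, certificate paths, the upstream address and the use of a 301 redirect are assumptions for illustration.

```nginx
# Added example (not the forum's real config). Plain-HTTP listener exists only
# to send visitors to HTTPS, so no request carrying a cookie or a password
# is ever answered in clear text.
server {
    listen 80;
    server_name forums.parallax.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name forums.parallax.com;

    # Certificate and key paths are assumptions.
    ssl_certificate     /etc/nginx/certs/forums.parallax.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/forums.parallax.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Browsers that have seen this header will refuse plain HTTP for the
    # host on later visits, closing the window a downgrade attack uses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Assumed private address of the forum application, which keeps
        # speaking plain HTTP behind the proxy.
        proxy_pass http://10.0.0.5:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Two things to check after switching this on: the application must honour `X-Forwarded-Proto` so that it emits `https://` links and marks its session cookie `Secure`, and the whole session, not just the login page, should stay behind TLS, because after login it is the session cookie, not the password, that authenticates every request.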
I will add an SSL cert to the issue list - you can look for that to happen fairly soon.
I gave up and thought nothing of it. But this would seem to confirm what heater is seeing. iPhone 6+, iOS 8.4, Safari. Pretty much stock standard.
The difference is that the new forums are supposed to be an improvement on the old forums, whether or not the problems were publicly reported. By doing this upgrade we as a community are encouraged to revisit all aspects of the forums and look for issues.
In any case, the HTTPS issue has been reported before. Almost 6 years ago, too:
http://forums.parallax.com/discussion/118223/secure-log-in-to-parallax-forum
I went to the link you cited and noticed a dead link in your response:
http://forums.parallax.com/showthread.php?p=760608
Is this a link that did not get updated during the latest migration or one that was already dead?
-Phil
I always thought that was the case for 'heater' postings... You mean you're just one person?
dgately
Well said. Sometime after the Linux port to the System Z (as the big blue dressed fellow is now being called) I participated in a normal trade show. (Well, normal for a Linux oriented one.) The Sales Engineer for much of this area wanted to take a photo of myself, since as he said, "The people in my unit are convinced that many people write your e-mail messages to the lists. I wanted to convince them that it was all one person's doing."
I have since discovered that on many lists that's also the case, and even the local User's group for the bird also believe that sometimes regarding myself.
-Phil
It's a possibility though that this forum isn't using the correct do-not-cache option for the password field. Sounds like it, unless you said 'yes' to a pop-up that asked about storing the password. I haven't tested the forum for this. In any case it's enough of a problem that the rest (user name, for example) is stored on a public PC. That PC browser should have been configured to not store *any* form data. But as a user you can't be sure, so use the anonymous tab/windows and/or go to settings after the session and clear all the browsing history.
-Tor
Always with the negative waves.
Sorry to be coming over so negatively. I like to think of it as raising valid concerns. More on them later.
You may be making assumptions about how the client and browser communicate that may not be correct.
No, I'm not. The browser and server are communicating in plain, human readable, text. There is some vanishingly small chance that is not true; without actually sniffing the line I don't know. Feel free to fire up Wireshark yourself and check if you doubt it.
We can encrypt all of the traffic with HTTPS but are you sure we cannot encrypt anything without HTTPS?
No, we cannot encrypt without HTTPS. One could perhaps set up a VPN and tunnel the traffic through that, but that is not how it's done on the public internet.
What I don't understand is where was all of the security outrage when everyone used HTTP on the old forum site for years? At some point, one has to start thinking that some folks are just looking for anything negative to say about this site.
I would not say I am outraged. As I said, just raising valid concerns.
You make a good point about the prior lack of concern regarding security issues. Perhaps you have noticed that in recent years, since the revelations of Snowden and others, security is now more prominent on people's radars.
-Tor
Edit: As HTTPS creates more strain on the server it's often only used for the actual login - and that's enough to protect your user and password. As the forum itself is public it isn't really important to protect the actual communication (after login), in most cases.
Chrome of course tries to be "helpful" and offer up user names and passwords when accessing login forms. When you do login a pop up asks if it should remember the credentials. I always click no or let it time out.
Clearly one should never be accessing anything serious with credentials that you use in other places via a computer in a public place. There is no telling what that machine is doing with all the data you enter.
Sure enough it no longer pre-fills the login dialogue with my user name and password.
But this gets a bit more mysterious to me.
Turns out that I can now sign in and sign out of the forum, with or without closing the XP user session, as many times as I like and the credentials do not stick in that form.
I thought it was perhaps something to do with that little "keep me signed in" check box on the login form but that seemed to have no effect. Which by the way should not be checked by default.
I don't get it, what changed?
I don't think I would have posted a dead link, but I have no idea where it went. Google and the Wayback machine don't have that page in their cache. I assume it was lost on a previous forum upgrade (before the June 2015 upgrade).