Account login Security change - Escape Trailer Owners Community

Go Back   Escape Trailer Owners Community > Escape Community > Forum Help | Announcements | Suggestion Box
Click Here to Login
Reply
 
Thread Tools Display Modes
 
Old 01-03-2017, 07:48 PM   #1
Site Team
 
Janet H's Avatar
 
Join Date: Sep 2012
Location: Pacific NW, Washington
Trailer: 1964 Globetrotter
Posts: 648
Account login Security change

I wanted to let you know that in the next day or so you may see a small change to the site login screen. This is being done as we add an extra layer of security to usernames and passwords. The login pages, registration page and pages where you might update your account login info will be behind an https url rather than the usual http url.

This change is being made to stay current with recommended security practices and not in response to any problem with the site or accounts.

HTTPS adds security in several ways; verifying that the site is the one a server is supposed to be talking to and by preventing tampering by 3rd parties. It stops Man-in-the-middle attacks, improving security for both the site and for those logging in.

This should not impact your usual browsing experience. You will still login, still tick the remember me box, etc. The location of the login button has changed however and the page looks a bit different.
__________________

__________________
.
You have brains in your head. You have feet in your shoes.
You can steer yourself any direction you choose | Dr. Seuss


Escape Forum Custom Google Search
Janet H is online now   Reply With Quote
Old 01-04-2017, 01:04 AM   #2
Senior Member
 
Join Date: Dec 2012
Location: Edmonton, Alberta
Trailer: 1979 Boler B1700
Posts: 11,954
I noticed that the login page change has already occurred - I thought it was yesterday, but perhaps just this morning.

I think it's a little bizarre that any web site ever collected login credentials through an unencrypted connection in this century... and this forum still operates unencrypted for everything other than select pages. (The HTTPS transport means that information is encrypted.) At least the change is in the right direction.

The password change page is still not encrypted, so presumably that change is still coming...
__________________

Brian B-P is offline   Reply With Quote
Old 01-04-2017, 01:50 AM   #3
Senior Member
 
Join Date: Dec 2012
Location: Edmonton, Alberta
Trailer: 1979 Boler B1700
Posts: 11,954
Hmmm... the new secure login page is gone again, so maybe what I was seeing was a trial before the full deployment.
Brian B-P is offline   Reply With Quote
Old 01-04-2017, 10:59 AM   #4
Senior Member
 
Join Date: Sep 2010
Location: Kelowna, British Columbia
Trailer: 2008 Escape 17b
Posts: 1,890
what kind of cryptic information is being protected? Is/has there been some form of secret or private information collected on this site I only want the administration to be privy to?
J Mac is offline   Reply With Quote
Old 01-04-2017, 11:06 AM   #5
Site Team
 
Donna D.'s Avatar
 
Join Date: Nov 2008
Location: Portland, Oregon
Trailer: 2014 Escape 5.0 TA
Posts: 8,536
Quote:
Originally Posted by J Mac View Post
what kind of cryptic information is being protected? Is/has there been some form of secret or private information collected on this site I only want the administration to be privy to?
You must not have been around when FiberglassRV was hacked. We lost over 100,000 posts and ALL the pictures. It WASN'T pretty. Four of us spent almost three days straight trying to get back as much as we could. No there wasn't any process in place to backup the system (hindsight), but anything that's done to increase the security of a website such as this, is worth whatever inconvenience I may have momentarily.
__________________
Donna D.
Ten Forward
2014 Escape 5.0TA
Donna D. is offline   Reply With Quote
Old 01-04-2017, 11:12 AM   #6
Senior Member
 
Join Date: Sep 2010
Location: Kelowna, British Columbia
Trailer: 2008 Escape 17b
Posts: 1,890
Quote:
Originally Posted by Donna D. View Post
You must not have been around when FiberglassRV was hacked. We lost over 100,000 posts and ALL the pictures. It WASN'T pretty. Four of us spent almost three days straight trying to get back as much as we could. No there wasn't any process in place to backup the system (hindsight), but anything that's done to increase the security of a website such as this, is worth whatever inconvenience I may have momentarily.
Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!
J Mac is offline   Reply With Quote
Old 01-04-2017, 11:22 AM   #7
Senior Member
 
escape artist's Avatar
 
Join Date: Oct 2008
Location: St. Thomas not BVI., Ontario
Trailer: 2014 Escape 5.0TA / 2016 Ram Eco Diesel 4X4
Posts: 6,231
Quote:
Originally Posted by J Mac View Post
Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!
Hi: J Mac... Prolly they said "Yes" MFRV was hacked& "No" there wasn't anything they could do about it IMHO!!! Alf
escape artist N.S. of Lake Erie
__________________
Quote Bugs Bunny..."Don't take life too seriously, none of us get out of it ALIVE"!!!
'16 Ram Eco D. 4X4 Laramie Longhorn CC & '14 Escape 5.0TA
St.Thomas (Not the Virgin Islands) Ontario
escape artist is offline   Reply With Quote
Old 01-04-2017, 11:29 AM   #8
Senior Member
 
Join Date: Sep 2010
Location: Kelowna, British Columbia
Trailer: 2008 Escape 17b
Posts: 1,890
Quote:
Originally Posted by escape artist View Post
Hi: J Mac... Prolly they said "Yes" MFRV was hacked& "No" there wasn't anything they could do about it IMHO!!! Alf
escape artist N.S. of Lake Erie
Oh I see. Escape Forum assumes it was hacked.
J Mac is offline   Reply With Quote
Old 01-04-2017, 11:46 AM   #9
Site Team
 
Janet H's Avatar
 
Join Date: Sep 2012
Location: Pacific NW, Washington
Trailer: 1964 Globetrotter
Posts: 648
Quote:
Originally Posted by J Mac View Post
what kind of cryptic information is being protected? Is/has there been some form of secret or private information collected on this site I only want the administration to be privy to?
Your username and password are the issue here. When you transmit them to the server to log in there is some possibility they could be intercepted along the way and "repurposed". While the site itself doesn't have much sensitive info many folks use the same login info at many sites and so if that info fell into the wrong hands in theory it could be used in harmful ways. This is the reason for the change - to increase security of this info.
__________________
.
You have brains in your head. You have feet in your shoes.
You can steer yourself any direction you choose | Dr. Seuss


Escape Forum Custom Google Search
Janet H is online now   Reply With Quote
Old 01-04-2017, 11:49 AM   #10
Site Team
 
Donna D.'s Avatar
 
Join Date: Nov 2008
Location: Portland, Oregon
Trailer: 2014 Escape 5.0 TA
Posts: 8,536
Quote:
Originally Posted by J Mac View Post
Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!
Yes, someone did hack in and the FBI was involved. They found out a general area (a university!), but no one was ever prosecuted, nor were we able to get back the data or pictures. The hackers weren't stealing anything, just deleting everything. MEAN!

Mary F. and I were both administrators on FiberglassRV when this happened. Never, ever want to go through that again...
__________________
Donna D.
Ten Forward
2014 Escape 5.0TA
Donna D. is offline   Reply With Quote
Old 01-04-2017, 11:54 AM   #11
Site Team
 
rbryan4's Avatar
 
Join Date: Jun 2014
Location: Canyon Lake, Texas
Trailer: 2015 19 "Past Tents", 2018 F150 2.7L Ecoboost
Posts: 9,479
Quote:
Originally Posted by Donna D. View Post
Yes, someone did hack in and the FBI were involved. They found out a general area (a university!), but no one was ever prosecuted, nor were we able to get back the data or pictures.
The fact that a university may have been involved doesn't surprise me. Many IT students attack websites to see if they can be breached. It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.
__________________
"You can't buy happiness, but you can buy an RV. And that is pretty close."
rbryan4 is offline   Reply With Quote
Old 01-04-2017, 11:59 AM   #12
Site Team
 
Donna D.'s Avatar
 
Join Date: Nov 2008
Location: Portland, Oregon
Trailer: 2014 Escape 5.0 TA
Posts: 8,536
Quote:
Originally Posted by rbryan4 View Post
The fact that a university may have been involved doesn't surprise me. Many IT students attack websites to see if they can be breached. It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.
Too, the hack happened more than 11 years ago. 11/11/2005. Site security wasn't nearly the concern as it is now. In fact, there wasn't a whole lot of info on the web like now. But the loss of the data and pictures was heartbreaking. So much good stuff, just gone.
__________________
Donna D.
Ten Forward
2014 Escape 5.0TA
Donna D. is offline   Reply With Quote
Old 01-04-2017, 12:11 PM   #13
Senior Member
 
thoer's Avatar
 
Join Date: Oct 2009
Location: Galesville, Wisconsin
Trailer: 2017 21 "Blue II" & 2017 Highlander XLE (previously 2010 17B "Blue" & 2008 Tacoma)
Posts: 4,207
Unfortunately there are hackers who do damage just for the fun of it and/or just to test their abilities. To me, it just another form of senseless vandalism - something I could never understand.
__________________
Eric (and Mary who is in no way responsible for anything stupid I post)

"Beware of false knowledge; it is more dangerous than ignorance." George Bernard Shaw
thoer is offline   Reply With Quote
Old 01-04-2017, 12:44 PM   #14
Site Team
 
Janet H's Avatar
 
Join Date: Sep 2012
Location: Pacific NW, Washington
Trailer: 1964 Globetrotter
Posts: 648
Quote:
Originally Posted by rbryan4 View Post
.... It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.
This is the same reason that sessions are disconnected now after a period of inactivity. While it is occasionally an inconvenience for posters who may step away mid-post, it's an important security step.

Quote:
Originally Posted by Donna D. View Post
Too, the hack happened more than 11 years ago. 11/11/2005. Site security wasn't nearly the concern as it is now. In fact, there wasn't a whole lot of info on the web like now. But the loss of the data and pictures was heartbreaking. So much good stuff, just gone.
The site is now fully backed up every 24 hours now so that it could be restored if needed.
__________________
.
You have brains in your head. You have feet in your shoes.
You can steer yourself any direction you choose | Dr. Seuss


Escape Forum Custom Google Search
Janet H is online now   Reply With Quote
Old 01-04-2017, 12:51 PM   #15
Senior Member
 
Join Date: Jan 2014
Location: North Van., British Columbia
Trailer: 2014 Escape 19, sold; 2019 Escape 21, Sept. 2019
Posts: 4,904
Quote:
Originally Posted by Janet H View Post
This is the same reason that sessions are disconnected now after a period of inactivity. While it is occasionally an inconvenience for posters who may step away mid-post, it's an important security step.

.
Is there a ballpark number involved? I frequently post photos with my posts and sometimes go through my photos mid-post looking for suitable photos. Are we talking something like 10 minutes or an hour or more?

Ron
Ron in BC is online now   Reply With Quote
Old 01-04-2017, 12:54 PM   #16
Site Team
 
Janet H's Avatar
 
Join Date: Sep 2012
Location: Pacific NW, Washington
Trailer: 1964 Globetrotter
Posts: 648
I would have to double check but believe it's about 25 minutes... this has been in place for several years so if you have not experienced a problem I would not be concerned.

It's also worth noting that many browsers will save your content via caching. You can sometimes recover unposted content in a reply editor by using the back arrow on your browser judiciously. How well this works for you depends entirely on your own systems settings and is not related to site function.
__________________
.
You have brains in your head. You have feet in your shoes.
You can steer yourself any direction you choose | Dr. Seuss


Escape Forum Custom Google Search
Janet H is online now   Reply With Quote
Old 01-04-2017, 04:44 PM   #17
Senior Member
 
Join Date: Dec 2012
Location: Edmonton, Alberta
Trailer: 1979 Boler B1700
Posts: 11,954
Quote:
Originally Posted by J Mac View Post
Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!
Of course you can't "steal" a virtual object and take it away from the owner, and there would have been no theft report. What happened in FiberglassRV was that someone hacked into the forum and deleted content. This was before the forum was sold to Social Knowledge, and the forum administrators of the time didn't have effective backups; they were only able to restore some older posts (without photos or account information) from an old backup, and were not able to recover anything at all from a substantial period of activity.

That hacker then posted some random offensive material for a while.

Securing website traffic which contains account credentials is pretty fundamental to reducing this sort of problem. As is was (until today), anyone monitoring an administrator's session could intercept their username and password and use those to delete forum content (posts, images, documents, account profiles...).
Brian B-P is offline   Reply With Quote
Old 01-04-2017, 05:03 PM   #18
Senior Member
 
Join Date: Dec 2012
Location: Edmonton, Alberta
Trailer: 1979 Boler B1700
Posts: 11,954
The new secure login page is back, or perhaps is just now active on the server that I'm currently hitting and was only on some servers yesterday. However, the login challenge page (presented to a user who tries to post after being timed out, or to a user who simply has not logged in and tries something requiring a logged-in session) is still not secure; I doubt this is what the forum's administrators would intend.

The "i" in a circle beside the URL is Chrome's indication that there is information about the page security, and that info shows that the page is still presented via HTTP (not HTTPS)... and that the many other bits of content on the page are from a mix of secure and insecure sources.
Attached Images
File Type: jpg ReLogin-insecure.JPG (85.6 KB, 16 views)
Brian B-P is offline   Reply With Quote
Old 01-04-2017, 09:18 PM   #19
Senior Member
 
ThomasG's Avatar
 
Join Date: Apr 2016
Location: Austin, Texas
Trailer: 2017 5.0 TA
Posts: 117
Another reason to use HTTPS is to protect the users of the website. A hacked website could attempt to hack the user's device (computer, phone, tablet, etc.) and inject malicious code onto their device. This code could be used to gather information from the user (logins, bank accounts, etc.) or use the device to attack other systems on the internet (along with thousands of other similarly hacked devices). There may be not be any outward signs the website or the user's device was hacked in this situation. The website has to use HTTPS everywhere to provide this type of protection (not just at login). Fortunately, setting up HTTPS is now free thanks to the Let's Encrypt project (https://letsencrypt.org/) and other similar services. HTTPS should not inconvenience the user unless they are using a very old web browser or operating system. Current accepted good security practice dictates that all websites, regardless or the content, should use HTTPS all the time.
__________________
Thomas G.
2017 5.0 TA
2017 F-150, 5.0L, SuperCrew, 6.5' bed, 4x2, 6-speed, 1:3.55 rear axle; B&W Turnover Ball; Andersen Ultimate Aluminum Gooseneck; Fold-a-cover w/caddy
ThomasG is offline   Reply With Quote
Old 01-05-2017, 02:21 AM   #20
Senior Member
 
Join Date: Sep 2016
Location: Redwood City, California
Trailer: 2017 Escape 19
Posts: 207
Good to see it's going to https for the login page. Is there any reason not to just go to HTTPS for all pages? That seems like it would be both easier and more secure.
__________________

Defenestrator is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off






» Featured Campgrounds

Reviews provided by

Disclaimer:

This website is not affiliated with or endorsed by Escape Trailer Industries or any of its affiliates. This is an independent, unofficial site.


All times are GMT -5. The time now is 03:38 PM.


Powered by vBulletin® Version 3.8.8 Beta 4
Copyright ©2000 - 2019, vBulletin Solutions, Inc.
Copyright 2012 Social Knowledge, LLC All Rights Reserved.
×