Account login Security change

[Janet H]

I wanted to let you know that in the next day or so you may see a small change to the site login screen. This is being done as we add an extra layer of security to usernames and passwords. The login pages, registration page and pages where you might update your account login info will be behind an https url rather than the usual http url.

This change is being made to stay current with recommended security practices and not in response to any problem with the site or accounts.

HTTPS adds security in several ways; verifying that the site is the one a server is supposed to be talking to and by preventing tampering by 3rd parties. It stops Man-in-the-middle attacks, improving security for both the site and for those logging in.

This should not impact your usual browsing experience. You will still login, still tick the remember me box, etc. The location of the login button has changed however and the page looks a bit different.

[Brian B-P]

I noticed that the login page change has already occurred - I thought it was yesterday, but perhaps just this morning.

I think it's a little bizarre that any web site ever collected login credentials through an unencrypted connection in this century... and this forum still operates unencrypted for everything other than select pages. (The HTTPS transport means that information is encrypted.) At least the change is in the right direction.

The password change page is still not encrypted, so presumably that change is still coming...

[Brian B-P]

Hmmm... the new secure login page is gone again, so maybe what I was seeing was a trial before the full deployment.

[J Mac]

what kind of cryptic information is being protected? Is/has there been some form of secret or private information collected on this site I only want the administration to be privy to?

[Donna D.]

Quote:

Originally Posted by J Mac

what kind of cryptic information is being protected? Is/has there been some form of secret or private information collected on this site I only want the administration to be privy to?

You must not have been around when FiberglassRV was hacked. We lost over 100,000 posts and ALL the pictures. It WASN'T pretty. Four of us spent almost three days straight trying to get back as much as we could. No there wasn't any process in place to backup the system (hindsight), but anything that's done to increase the security of a website such as this, is worth whatever inconvenience I may have momentarily.

[J Mac]

Quote:

Originally Posted by Donna D.

You must not have been around when FiberglassRV was hacked. We lost over 100,000 posts and ALL the pictures. It WASN'T pretty. Four of us spent almost three days straight trying to get back as much as we could. No there wasn't any process in place to backup the system (hindsight), but anything that's done to increase the security of a website such as this, is worth whatever inconvenience I may have momentarily.

Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!

[escape artist]

Quote:

Originally Posted by J Mac

Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!

Hi: J Mac... Prolly they said "Yes" MFRV was hacked& "No" there wasn't anything they could do about it IMHO!!! Alf
escape artist N.S. of Lake Erie

[J Mac]

Quote:

Originally Posted by escape artist

Hi: J Mac... Prolly they said "Yes" MFRV was hacked& "No" there wasn't anything they could do about it IMHO!!! Alf
escape artist N.S. of Lake Erie

Oh I see. Escape Forum assumes it was hacked.

[Janet H]

Quote:

Originally Posted by J Mac

what kind of cryptic information is being protected? Is/has there been some form of secret or private information collected on this site I only want the administration to be privy to?

Your username and password are the issue here. When you transmit them to the server to log in there is some possibility they could be intercepted along the way and "repurposed". While the site itself doesn't have much sensitive info many folks use the same login info at many sites and so if that info fell into the wrong hands in theory it could be used in harmful ways. This is the reason for the change - to increase security of this info.

[Donna D.]

Quote:

Originally Posted by J Mac

Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!

Yes, someone did hack in and the FBI was involved. They found out a general area (a university!), but no one was ever prosecuted, nor were we able to get back the data or pictures. The hackers weren't stealing anything, just deleting everything. MEAN!

Mary F. and I were both administrators on FiberglassRV when this happened. Never, ever want to go through that again...

[rbryan4]

Quote:

Originally Posted by Donna D.

Yes, someone did hack in and the FBI were involved. They found out a general area (a university!), but no one was ever prosecuted, nor were we able to get back the data or pictures.

The fact that a university may have been involved doesn't surprise me. Many IT students attack websites to see if they can be breached. It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.

[Donna D.]

Quote:

Originally Posted by rbryan4

The fact that a university may have been involved doesn't surprise me. Many IT students attack websites to see if they can be breached. It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.

Too, the hack happened more than 11 years ago. 11/11/2005. Site security wasn't nearly the concern as it is now. In fact, there wasn't a whole lot of info on the web like now. But the loss of the data and pictures was heartbreaking. So much good stuff, just gone.

[thoer]

Unfortunately there are hackers who do damage just for the fun of it and/or just to test their abilities. To me, it just another form of senseless vandalism - something I could never understand.

[Janet H]

Quote:

Originally Posted by rbryan4

.... It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.

This is the same reason that sessions are disconnected now after a period of inactivity. While it is occasionally an inconvenience for posters who may step away mid-post, it's an important security step.

Quote:

Originally Posted by Donna D.

Too, the hack happened more than 11 years ago. 11/11/2005. Site security wasn't nearly the concern as it is now. In fact, there wasn't a whole lot of info on the web like now. But the loss of the data and pictures was heartbreaking. So much good stuff, just gone.

The site is now fully backed up every 24 hours now so that it could be restored if needed.

[Ron in BC]

Quote:

Originally Posted by Janet H

This is the same reason that sessions are disconnected now after a period of inactivity. While it is occasionally an inconvenience for posters who may step away mid-post, it's an important security step.

.

Is there a ballpark number involved? I frequently post photos with my posts and sometimes go through my photos mid-post looking for suitable photos. Are we talking something like 10 minutes or an hour or more?

Ron

[Janet H]

I would have to double check but believe it's about 25 minutes... this has been in place for several years so if you have not experienced a problem I would not be concerned.

It's also worth noting that many browsers will save your content via caching. You can sometimes recover unposted content in a reply editor by using the back arrow on your browser judiciously. How well this works for you depends entirely on your own systems settings and is not related to site function.

[Brian B-P]

Quote:

Originally Posted by J Mac

Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!

Of course you can't "steal" a virtual object and take it away from the owner, and there would have been no theft report. What happened in FiberglassRV was that someone hacked into the forum and deleted content. This was before the forum was sold to Social Knowledge, and the forum administrators of the time didn't have effective backups; they were only able to restore some older posts (without photos or account information) from an old backup, and were not able to recover anything at all from a substantial period of activity.

That hacker then posted some random offensive material for a while.

Securing website traffic which contains account credentials is pretty fundamental to reducing this sort of problem. As is was (until today), anyone monitoring an administrator's session could intercept their username and password and use those to delete forum content (posts, images, documents, account profiles...).

[Brian B-P]

The new secure login page is back, or perhaps is just now active on the server that I'm currently hitting and was only on some servers yesterday. However, the login challenge page (presented to a user who tries to post after being timed out, or to a user who simply has not logged in and tries something requiring a logged-in session) is still not secure; I doubt this is what the forum's administrators would intend.

The "i" in a circle beside the URL is Chrome's indication that there is information about the page security, and that info shows that the page is still presented via HTTP (not HTTPS)... and that the many other bits of content on the page are from a mix of secure and insecure sources.

[ThomasG]

Another reason to use HTTPS is to protect the users of the website. A hacked website could attempt to hack the user's device (computer, phone, tablet, etc.) and inject malicious code onto their device. This code could be used to gather information from the user (logins, bank accounts, etc.) or use the device to attack other systems on the internet (along with thousands of other similarly hacked devices). There may be not be any outward signs the website or the user's device was hacked in this situation. The website has to use HTTPS everywhere to provide this type of protection (not just at login). Fortunately, setting up HTTPS is now free thanks to the Let's Encrypt project (https://letsencrypt.org/) and other similar services. HTTPS should not inconvenience the user unless they are using a very old web browser or operating system. Current accepted good security practice dictates that all websites, regardless or the content, should use HTTPS all the time.

[Defenestrator]

Good to see it's going to https for the login page. Is there any reason not to just go to HTTPS for all pages? That seems like it would be both easier and more secure.