Account login Security change

Janet H

I wanted to let you know that in the next day or so you may see a small change to the site login screen. This is being done as we add an extra layer of security to usernames and passwords. The login pages, registration page and pages where you might update your account login info will be behind an HTTPS URL rather than the usual HTTP URL.

This change is being made to stay current with recommended security practices and not in response to any problem with the site or accounts.

HTTPS adds security in several ways: by verifying that the site is the one a server is supposed to be talking to and by preventing tampering by 3rd parties. It stops man-in-the-middle attacks, improving security for both the site and for those logging in.

This should not impact your usual browsing experience. You will still log in, still tick the remember me box, etc. The location of the login button has changed, however, and the page looks a bit different. :)
 
I noticed that the login page change has already occurred - I thought it was yesterday, but perhaps just this morning.

I think it's a little bizarre that any web site ever collected login credentials through an unencrypted connection in this century... and this forum still operates unencrypted for everything other than select pages. (The HTTPS transport means that information is encrypted.) At least the change is in the right direction. :)

The password change page is still not encrypted, so presumably that change is still coming...
 
Hmmm... the new secure login page is gone again, so maybe what I was seeing was a trial before the full deployment.
 
What kind of cryptic information is being protected? Is/has there been some form of secret or private information collected on this site I only want the administration to be privy to?
 
What kind of cryptic information is being protected? Is/has there been some form of secret or private information collected on this site I only want the administration to be privy to?
You must not have been around when FiberglassRV was hacked. We lost over 100,000 posts and ALL the pictures. It WASN'T pretty. Four of us spent almost three days straight trying to get back as much as we could. No, there wasn't any process in place to back up the system (hindsight), but anything that's done to increase the security of a website such as this is worth whatever inconvenience I may have momentarily.
 
You must not have been around when FiberglassRV was hacked. We lost over 100,000 posts and ALL the pictures. It WASN'T pretty. Four of us spent almost three days straight trying to get back as much as we could. No, there wasn't any process in place to back up the system (hindsight), but anything that's done to increase the security of a website such as this is worth whatever inconvenience I may have momentarily.
Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!
 
Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!
Hi: J Mac... Prolly they said "Yes" MFRV was hacked & "No" there wasn't anything they could do about it IMHO!!! Alf
escape artist N.S. of Lake Erie ;)
 
What kind of cryptic information is being protected? Is/has there been some form of secret or private information collected on this site I only want the administration to be privy to?

Your username and password are the issue here. When you transmit them to the server to log in there is some possibility they could be intercepted along the way and "repurposed". While the site itself doesn't have much sensitive info many folks use the same login info at many sites and so if that info fell into the wrong hands in theory it could be used in harmful ways. This is the reason for the change - to increase security of this info.
 
Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!
Yes, someone did hack in and the FBI was involved. They found out a general area (a university!), but no one was ever prosecuted, nor were we able to get back the data or pictures. :( The hackers weren't stealing anything, just deleting everything. MEAN!

Mary F. and I were both administrators on FiberglassRV when this happened. Never, ever want to go through that again...
 
Yes, someone did hack in and the FBI were involved. They found out a general area (a university!), but no one was ever prosecuted, nor were we able to get back the data or pictures. :(
The fact that a university may have been involved doesn't surprise me. Many IT students attack websites to see if they can be breached. It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.
 
The fact that a university may have been involved doesn't surprise me. Many IT students attack websites to see if they can be breached. It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.
Too, the hack happened more than 11 years ago. 11/11/2005. Site security wasn't nearly the concern it is now. In fact, there wasn't a whole lot of info on the web like now. But the loss of the data and pictures was heartbreaking. So much good stuff, just gone.
 
Unfortunately there are hackers who do damage just for the fun of it and/or just to test their abilities. To me, it's just another form of senseless vandalism - something I could never understand.
 
.... It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.

This is the same reason that sessions are disconnected now after a period of inactivity. While it is occasionally an inconvenience for posters who may step away mid-post, it's an important security step.

Too, the hack happened more than 11 years ago. 11/11/2005. Site security wasn't nearly the concern it is now. In fact, there wasn't a whole lot of info on the web like now. But the loss of the data and pictures was heartbreaking. So much good stuff, just gone.

The site is now fully backed up every 24 hours so that it could be restored if needed.
 
This is the same reason that sessions are disconnected now after a period of inactivity. While it is occasionally an inconvenience for posters who may step away mid-post, it's an important security step.


Is there a ballpark number involved? I frequently post photos with my posts and sometimes go through my photos mid-post looking for suitable photos. Are we talking something like 10 minutes or an hour or more?

Ron
 
I would have to double check but believe it's about 25 minutes... this has been in place for several years so if you have not experienced a problem I would not be concerned.

It's also worth noting that many browsers will save your content via caching. You can sometimes recover unposted content in a reply editor by using the back arrow on your browser judiciously. How well this works for you depends entirely on your own system's settings and is not related to site function.
 
Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!
Of course you can't "steal" a virtual object and take it away from the owner, and there would have been no theft report. :rolleyes: What happened in FiberglassRV was that someone hacked into the forum and deleted content. This was before the forum was sold to Social Knowledge, and the forum administrators of the time didn't have effective backups; they were only able to restore some older posts (without photos or account information) from an old backup, and were not able to recover anything at all from a substantial period of activity.

That hacker then posted some random offensive material for a while.

Securing website traffic which contains account credentials is pretty fundamental to reducing this sort of problem. As it was (until today), anyone monitoring an administrator's session could intercept their username and password and use those to delete forum content (posts, images, documents, account profiles...).
 
The new secure login page is back, or perhaps is just now active on the server that I'm currently hitting and was only on some servers yesterday. :) However, the login challenge page (presented to a user who tries to post after being timed out, or to a user who simply has not logged in and tries something requiring a logged-in session) is still not secure; I doubt this is what the forum's administrators would intend.

The "i" in a circle beside the URL is Chrome's indication that there is information about the page security, and that info shows that the page is still presented via HTTP (not HTTPS)... and that the many other bits of content on the page are from a mix of secure and insecure sources.
 

Attachment: ReLogin-insecure.JPG
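A check for the condition described in the post above (a password form on a page delivered over HTTP, with other content loaded from a mix of secure and insecure sources), as an added example that is not part of the original thread or the forum's software. The URL, hostnames and HTML are constructed, and the names `LoginPageAudit` and `audit` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a re-login challenge page like the one described above.
SAMPLE_URL = "http://forum.example/newreply.php"
SAMPLE_HTML = """<img src="https://cdn.example/logo.png">
<script src="http://ads.example/banner.js"></script>
<form action="login.php" method="post"><input type="password" name="password"></form>"""

class LoginPageAudit(HTMLParser):
    """Collects password-form targets and subresource URLs from one page."""
    RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None     # resolved action of the <form> currently open
        self.credential_posts = []  # where each password field would be submitted
        self.resources = []         # resolved URLs of images, scripts, frames, links

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # A password field outside any form is treated as posting to the page itself.
            self.credential_posts.append(self.form_action or self.page_url)
        elif tag in self.RESOURCE_ATTRS and a.get(self.RESOURCE_ATTRS[tag]):
            self.resources.append(urljoin(self.page_url, a[self.RESOURCE_ATTRS[tag]]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    """Return findings for one fetched page; an empty list means nothing flagged."""
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    insecure = lambda url: urlparse(url).scheme == "http"
    findings = []
    if parser.credential_posts and insecure(page_url):
        findings.append("password form served over HTTP: " + page_url)
    findings += ["credentials submitted over HTTP: " + t
                 for t in parser.credential_posts if insecure(t)]
    findings += ["insecure subresource: " + r for r in parser.resources if insecure(r)]
    return findings
```

Running `audit` over every page that can present a login prompt, not only the main login page, catches challenge pages that were left on HTTP.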
Another reason to use HTTPS is to protect the users of the website. A hacked website could attempt to hack the user's device (computer, phone, tablet, etc.) and inject malicious code onto their device. This code could be used to gather information from the user (logins, bank accounts, etc.) or use the device to attack other systems on the internet (along with thousands of other similarly hacked devices). There may not be any outward signs the website or the user's device was hacked in this situation. The website has to use HTTPS everywhere to provide this type of protection (not just at login). Fortunately, setting up HTTPS is now free thanks to the Let's Encrypt project (https://letsencrypt.org/) and other similar services. HTTPS should not inconvenience the user unless they are using a very old web browser or operating system. Current accepted good security practice dictates that all websites, regardless of the content, should use HTTPS all the time.
 
Good to see it's going to https for the login page. Is there any reason not to just go to HTTPS for all pages? That seems like it would be both easier and more secure.
 
