Security certificate expired?

Socializing and general posts on wide-ranging topics. Remember, it's Poststructural!
david_h
Posts: 1735
Joined: Mon Aug 13, 2007 2:04 am
Please enter the next number in sequence: 1
Location: Mercia

Re: Security certificate expired?

Post by david_h »

If/when HTTPS gets fixed it may be an idea to tell members about it. In amongst all the emails telling me that my account with password 123456 or asdasd had been accessed was one with a genuine(but old) C&F password in the subject line. I guess this was picked up from an HTTP connection on a compromised free WiFi somewhere. No big deal but it is a temptation to open the email.
User avatar
benhall.1
Moderator
Posts: 14797
Joined: Wed Jan 14, 2009 5:21 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: I'm a fiddler and, latterly, a fluter. I love the flute. I wish I'd always played it. I love the whistle as well. I'm blessed in having really lovely instruments for all of my musical interests.
Location: Unimportant island off the great mainland of Europe

Re: Security certificate expired?

Post by benhall.1 »

david_h wrote:If/when HTTPS gets fixed it may be an idea to tell members about it. In amongst all the emails telling me that my account with password 123456 or asdasd had been accessed was one with a genuine(but old) C&F password in the subject line. I guess this was picked up from an HTTP connection on a compromised free WiFi somewhere. No big deal but it is a temptation to open the email.
Those emails quoting actual passwords are normally not derived from websites visited or used; they are derived from hacked lists, often arising from security breaches at internet providers. You can check whether a particular email has been hacked in this fashion, and even when it was likely to have been, by visiting:

https://haveibeenpwned.com/
david_h
Posts: 1735
Joined: Mon Aug 13, 2007 2:04 am
Please enter the next number in sequence: 1
Location: Mercia

Re: Security certificate expired?

Post by david_h »

The only list containing my C&F password will be the one maintained by this board. If that had been hacked I think you would have had more comments. I suspect a hacked WiFi router at a pub or cafe somewhere, or their third-party WiFi provider - the logo for which got attached to a link to this board in Safari. With http passwords are not encrypted.
User avatar
benhall.1
Moderator
Posts: 14797
Joined: Wed Jan 14, 2009 5:21 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: I'm a fiddler and, latterly, a fluter. I love the flute. I wish I'd always played it. I love the whistle as well. I'm blessed in having really lovely instruments for all of my musical interests.
Location: Unimportant island off the great mainland of Europe

Re: Security certificate expired?

Post by benhall.1 »

david_h wrote:The only list containing my C&F password will be the one maintained by this board. If that had been hacked I think you would have had more comments. I suspect a hacked WiFi router at a pub or cafe somewhere, or their third-party WiFi provider - the logo for which got attached to a link to this board in Safari. With http passwords are not encrypted.
I'm no IT expert, but the point is that it isn't websites that your password would have been gleaned from. When you enter a password on a computer (including a smartphone), at that moment, it can be harvested. That has nothing to do with the website concerned. It's the ISP that's been hacked. If you follow that link I gave you and you type your email address in, you'll see the likely breach that caused your password to be on a separate, hacked list. I suppose it could be a WiFi router, but, from the breaches that I've seen, it's much more likely to be an ISP. There have been many, and very well publicised.
Tor
Posts: 399
Joined: Wed Jun 06, 2012 6:23 am
antispam: No
Please enter the next number in sequence: 8
Location: Europe and Japan

Re: Security certificate expired?

Post by Tor »

There's no need to hack the ISP to get the C&F login password. Anyone on the same network can do it very easily. Any traffic that isn't encrypted, e.g. sites using http:// (and not https:// sends everything in the open, and every single computer on that network can watch the traffic in clear, with only the simplest of tools. And in hotels it's extremely likely that someone is doing just that, and in cafeterias and the like it's also not uncommon (but hotels have hundreds of guests so that's a very attractive target for harvesting).
The only way to fix that is to go to https:// where neither the login credentials nor the cookie used afterwards can be seen (using https:// just for the login part removes the most obvious problem - the one anyone can use straight away, with no knowledge: Getting the account name/password. But using http:// for the rest still leaves the cookie in the open, although using that one for nefarious purposes needs more than %0 knowledge).
david_h
Posts: 1735
Joined: Mon Aug 13, 2007 2:04 am
Please enter the next number in sequence: 1
Location: Mercia

Re: Security certificate expired?

Post by david_h »

Ben - as I understand it the situation is along the lines described by Tor. If you have a WiFi connection which does not require a password then the traffic can be intercepted. If it does have a password then the router needs to be hacked but many can be. Then the harvested passwords are put on a list and sold.

That's why people use https - so that it is encrypted all the way between the browser and the server hosting the web page. Routers and ISPs don't see the password.

For C&F admin one advantage of https would be that less passwords would go onto lists so fewer people would tell you that the site may have ben hacked. (And if a lot of people did then maybe the problem really was at your end)
Tor
Posts: 399
Joined: Wed Jun 06, 2012 6:23 am
antispam: No
Please enter the next number in sequence: 8
Location: Europe and Japan

Re: Security certificate expired?

Post by Tor »

david_h wrote:If [the wifi connection] does have a password then the router needs to be hacked but many can be.
It's not necessary to hack the router if you have access to the network via the password, as is the case for WPA- or WPA2-encrypted public (e.g. cafeterias) networks (or just via a login page as is often the case for hotels). You'll then be able to see all network traffic. The network encryption is only to protect from listening / connecting by others, it's not protecting those on the network from each other. For that you need HTTPS, VPN, or other per-device encryption.
david_h
Posts: 1735
Joined: Mon Aug 13, 2007 2:04 am
Please enter the next number in sequence: 1
Location: Mercia

Re: Security certificate expired?

Post by david_h »

Tor wrote: It's not necessary to hack the router if you have access to the network via the password, as is the case for WPA- or WPA2-encrypted public (e.g. cafeterias) networks (or just via a login page as is often the case for hotels).
Ah, OK, right you are. Anyhow, as one security advice site puts is succinctly "Public Wi-Fi is inherently insecure"
AaronFW
Posts: 411
Joined: Wed Aug 23, 2017 6:49 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: I started with playing bamboo flutes. But I transitioned to primarily playing the Boehm flute a few lessons ago with the aim of getting good music instruction. However, I've been transitioning to playing Irish Traditional Music on simple flutes.
Location: Ohio

Re: Security certificate expired?

Post by AaronFW »

benhall.1 wrote:
david_h wrote:The only list containing my C&F password will be the one maintained by this board. If that had been hacked I think you would have had more comments. I suspect a hacked WiFi router at a pub or cafe somewhere, or their third-party WiFi provider - the logo for which got attached to a link to this board in Safari. With http passwords are not encrypted.
I'm no IT expert, but the point is that it isn't websites that your password would have been gleaned from. When you enter a password on a computer (including a smartphone), at that moment, it can be harvested. That has nothing to do with the website concerned. It's the ISP that's been hacked. If you follow that link I gave you and you type your email address in, you'll see the likely breach that caused your password to be on a separate, hacked list. I suppose it could be a WiFi router, but, from the breaches that I've seen, it's much more likely to be an ISP. There have been many, and very well publicised.

By contrast, I've never actually heard of an ISP being hacked and that being the source of passwords being lost. The main method I am familiar with is dumping passwords from a website's own database. This isn't hard to do for some websites.

Part of the problem is that this can go un-noticed for a while and then the passwords show up in some other public dump. A large portion of https://haveibeenpwned.com 's passwords are from such harvests and just added to a list. Passwords and personal information doesn't sell for a lot individually, so you usually see it in massive heaps. This is also how you end up with out-dated passwords in lists that show up in some the phishing emails where someone claims to know your password. (You can read about each of the largest breaches on the website. You'll see in the description that LinkedIn, or MySpace, had had passwords and data exposed that may have gone unknown for a while. Again, the point is that it was the website itself that had the problem.)

(I'm a little bit of a Cybersecurity enthusiast. I hope to become a Security auditor at some point; so I read up on how to hack websites and try to practice hacking on my own when I get the chance.)
david_h
Posts: 1735
Joined: Mon Aug 13, 2007 2:04 am
Please enter the next number in sequence: 1
Location: Mercia

Re: Security certificate expired?

Post by david_h »

I see it's been fixed: https://forums.chiffandfipple.com/ :)
User avatar
Nanohedron
Moderatorer
Posts: 38211
Joined: Wed Dec 18, 2002 6:00 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.

Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps.
Location: Lefse country

Re: Security certificate expired?

Post by Nanohedron »

david_h wrote:I see it's been fixed: https://forums.chiffandfipple.com/ :)
Why, so it is! But is it just my computer, or are all the avatars gone defunct for everyone else, too?
"If you take music out of this world, you will have nothing but a ball of fire." - Tribal musician
User avatar
benhall.1
Moderator
Posts: 14797
Joined: Wed Jan 14, 2009 5:21 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: I'm a fiddler and, latterly, a fluter. I love the flute. I wish I'd always played it. I love the whistle as well. I'm blessed in having really lovely instruments for all of my musical interests.
Location: Unimportant island off the great mainland of Europe

Re: Security certificate expired?

Post by benhall.1 »

Nanohedron wrote:
david_h wrote:I see it's been fixed: https://forums.chiffandfipple.com/ :)
Why, so it is! But is it just my computer, or are all the avatars gone defunct for everyone else, too?
They've never worked for me on the https version. I thought that was just the way it was.
User avatar
Nanohedron
Moderatorer
Posts: 38211
Joined: Wed Dec 18, 2002 6:00 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.

Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps.
Location: Lefse country

Re: Security certificate expired?

Post by Nanohedron »

benhall.1 wrote:
Nanohedron wrote:
david_h wrote:I see it's been fixed: https://forums.chiffandfipple.com/ :)
Why, so it is! But is it just my computer, or are all the avatars gone defunct for everyone else, too?
They've never worked for me on the https version. I thought that was just the way it was.
Practically all of them, with just an exception or two, worked for me up to now. For example, yours was a photo of a little monkey doll with a human-sized whistle in its arms, and sitting on a book. I always assumed the photo was taken in your home. Now all the avatars are replaced with a teensy square that's supposed to vaguely evoke a picture; it has a bent-inward upper right corner, and is accompanied by the words "User avatar".

I wonder what's up with the change.
"If you take music out of this world, you will have nothing but a ball of fire." - Tribal musician
david_h
Posts: 1735
Joined: Mon Aug 13, 2007 2:04 am
Please enter the next number in sequence: 1
Location: Mercia

Re: Security certificate expired?

Post by david_h »

For me avatars are still there with http - which I think is what Ben meant. Not there with https in Firefox on Windows or Safari on iThing.
User avatar
Nanohedron
Moderatorer
Posts: 38211
Joined: Wed Dec 18, 2002 6:00 pm
antispam: No
Please enter the next number in sequence: 8
Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.

Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps.
Location: Lefse country

Re: Security certificate expired?

Post by Nanohedron »

david_h wrote:For me avatars are still there with http - which I think is what Ben meant. Not there with https in Firefox on Windows or Safari on iThing.
On my computer (Windows 10, Chrome) I'm not seeing anything in the way of either http or https written in any URL of any webpage I'm on, be it C&F or otherwise. I couldn't tell you if it's always been that way; I never really noticed. I just checked on my phone, and there C&F's URLs begin with https. I'm getting the same "User avatar" thingum there, too, but I don't know if that's new, as I almost never access C&F by phone; any memory for me of such features is out the window.

Hmm. I'm not seeing C&F's usual banner ads, either. I made no intentional move to block them.
"If you take music out of this world, you will have nothing but a ball of fire." - Tribal musician
Post Reply