Jump to content
Sign in to follow this  
kbarber

Desperately need to upgrade website security

Recommended Posts

Even if you connect to this forum using HTTPS, as soon as you navigate to a different page, the connection changes back to HTTP. Even the login page for this forum is served over HTTP. HTTP is unencrypted, so anybody can read the network packets to see our passwords in plain text and impersonate us. The security on this forum is terrible!

 

The main W3Schools website is not much better. While it does use HTTPS, it fails the SSL Server Test with an F:

https://www.ssllabs.com/ssltest/analyze.html?d=w3schools.com

 

Please upgrade the security of both websites so that they use HTTPS by default and score A+ on the SSL Server Test. For extra good measure, consider submitting w3schools.com for HSTS preloading:

https://hstspreload.org/?domain=w3schools.com

Share this post


Link to post
Share on other sites

HTTPS is not necessary for the main site since there is no sensitive information passed to or from it, but I do agree that the forum should be encrypted.

Share this post


Link to post
Share on other sites

That is incorrect. There are so many cookies you can access. There is also a link to the forum, which could be intercepted and there is something for someone to pretend to be an "admin" about. 

"Hey, so I see you are new here, I am going to need you to make a new password. You can just send a message in this format, 

Old: OLDPASSWORD
New: NEWPASSWORD

and we will set it. Sorry for the inconvenience, we just moved over to a new system and the devs messed something up haha."

When thinking of security on the internet, it is important to think of every possible situation. Hackers can be quite creative. There are at least a million variations of the website redirect where it tells you to download a virus but it is "windows-fix.exe" 

While you are somewhat accurate, since no sensitive information is actually passed through it, there is a way to get that information.

Share this post


Link to post
Share on other sites

There are so many cookies you can access.

3 cookies on the home page, actually, and all of them are for Google Analytics.  That's typically not considered sensitive information.

There is also a link to the forum, which could be intercepted

What are you referring to technically?  How does an attacker "intercept a link?"  Are you referring to a MITM attack?

there is something for someone to pretend to be an "admin" about.

Again, what are you referring to, technically?  What something on the website can someone pretend to be an admin about, and how?  And, technically, how would SSL/TLS prevent it?

Hey, so I see you are new here, I am going to need you to make a new password.

How does SSL/TLS prevent phishing attacks?

There are at least a million variations of the website redirect where it tells you to download a virus but it is "windows-fix.exe" 

Sure.  How does SSL/TLS prevent that?  Is the w3schools.com site hosting malware?  If not, why bring this up?

While you are somewhat accurate, since no sensitive information is actually passed through it, there is a way to get that information.

Again, since you're speaking with a technical audience, I would appreciate a technical description of the problem, and specifically how it can be rectified with SSL/TLS.

Share this post


Link to post
Share on other sites

Well, most of those you can see what I actually mean if you look in the context.

For me, there are more than 3 cookies, a lot more. I don't know what it is, maybe because I use the website a lot, but there are more than 3. With google analytics you can learn a lot about someone. You can use it to pretend like you know someone. And to "intercept a link" you would have to just listen to the webservers responses. The examples I gave were purely examples of what could happen. And SSL doesn't prevent any of this, it is the very strong implementation of the concept that will. But even with that, there is always a way.

Share this post


Link to post
Share on other sites

With google analytics you can learn a lot about someone. You can use it to pretend like you know someone.

What do you mean by that?  Just with the GA tracking cookies you can determine how to contact someone and gain some insight about their browsing habits?  Is there a proof-of-concept of that or anything?  I'm assuming you're not talking about the website administrator and just some random attacker trying to intercept traffic, I don't understand how that person would gain enough information to contact someone and act like they know them.

And to "intercept a link" you would have to just listen to the webservers responses.

Again, I'm looking for technical details on how an attack like that would work.  I'm a technical person, I can understand the details.

The examples I gave were purely examples of what could happen.

What I don't understand is how you think they can happen, in a technical sense.  I mean, if the website is currently vulnerable, then wouldn't attacks like that be happening now?

But even with that, there is always a way.

There's not, though.  It IS possible to negate a specific attack, and websites that are not interactive and which don't do things like having people create accounts and log in and post content (like the w3schools site), are simple not vulnerable to several classes of attacks which rely on those kinds of things.

Share this post


Link to post
Share on other sites

I wouldn't be concerned about it. This is an education forum.

There are numerous forums out there that don't have have an encryption. This site doesn't make any money, so it is funded through some ads.

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×