www.webdeveloper.com

Thread: Registration page is insecure

  1. #1
    Join Date
    Mar 2013
    Location
    Maine, USA
    Posts
    6

    Registration page is insecure

    I used the registration page earlier today, forgetting that I had already registered here many years ago. But while I was completing the registration form I noticed that the page was insecure. You might want to secure at least that page, so that registration information cannot be eavesdropped.

    To test, just log out, browse to the home page, and click the Register link.

  2. #2
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    5,434
    You are logging in to a forum, not your bank's online service...
    --> JavaScript Frameworks like JQuery, Angular, Node <--
    ... and please remember to wrap code with forum BBCode tags:-

    [CODE]...[/CODE] [HTML]...[/HTML] [PHP]...[/PHP]

    If you can't think outside the box, you will be trapped forever with no escape...

  3. #3
    Join Date
    Mar 2013
    Location
    Maine, USA
    Posts
    6
    "Super Moderator"? How childish a response from a website that pretends to be a resource for all Web developers. I'm done here.

  4. #4
    Join Date
    Oct 2017
    Location
    Lithuania
    Posts
    46
    This is absolutely correct, that's a forum. However, that's a forum for web developers; therefore, using the HTTP protocol (which is becoming less preferred by an increasing number of search engines and browsers) doesn't seem like a great thing, especially for a website which is targeted at the latest website development techniques. And since an SSL certificate can be obtained at no cost, it's a no-brainer...

  5. #5
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    5,434
    Simply put, any attack on you will be down to poor security between you and this server.

  6. #6
    Join Date
    Oct 2017
    Location
    Lithuania
    Posts
    46
    Yes, just like any stolen vehicle will be down to poor security of owner's garage, so car makers should never protect their vehicles with anti-theft systems.

  7. #7
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    5,434
    Originally Posted by phpmillion:
    "Yes, just like any stolen vehicle will be down to poor security of owner's garage, so car makers should never protect their vehicles with anti-theft systems."

    Security is only as good as the settings in the user's router. Most hacks happen because WiFi is in ad hoc mode, or has never been configured and is on but not used by the home owner, so that is the fault of the modem vendor and the ISP you buy from for not stipulating a more secure default setup. Even with the more secure systems, the fact is that a default setting is still used; in all my encounters with modems, the default settings have been ad hoc WiFi with a login of admin and the username also as admin. When I was on a hardline, the passwords were the allocated telephone number to the property, and in that case, if you changed the password, the ISP got a bit shirty because they would remote in to resolve network problems or make changes to the router like increasing bandwidth or the other way...

    So security is really down to the end user and I don't see that security position changing. As for the car analogy, it is not a very good comparator because car manufacturers have to build in a minimum level of security, just like many systems that do require some level of security. Unfortunately, with the world of the internet, this concept is not implemented; people want to "Plug and Play", which is 99% of the problem.

    So when it comes to websites, just because a site has no https, does not mean that it is insecure, what happens in the backend is only going to be the same thing under https as it is under http. So in the case of this website, there is no need for HTTPS because the type of information you give the registration is not in legal terms "Sensitive Data" which if you were passing banking details, you would expect HTTPS and not HTTP.

    If you sign up to any site, you are at risk, and the biggest risk is the site owner and what they do with your data, HTTPS or not HTTPS. I can tell you from personal experience with a very well known web site on coding that a situation arose where my PayPal account got hacked, and whilst speaking to PayPal, there was an account login attempt from a user in Florida and the previous user was UK based. This so-called professional web site abused my data that I registered through HTTPS pages. After the autopsy of what happened, it became apparent that the hack came from the admin of the site in question, because the type of information requested in the registration was no different than on this site; the only difference is that I know that the type of forum software that group used actually stored plain text passwords... on here, only the hash value is stored.

    So if I signed up via HTTPS to a web forum that stored plain text passwords, that was where my security failed, putting my faith in HTTPS. Had I not lapsed in my concentration, I would have not used the same email address that is used for my paypal account, nor would I have inadvertently used a password that was similar to that in my paypal account that was used in the site registration.

    Generally, as a rule of thumb, I have three email accounts. One is top level and personal: my bank and anything that needs securing with an email account, like my bank, government, local authority, all are using one account. For web sites I use a different account and password. A third address is my backup alternative account for recovery.

    What had happened is I had crossed my wires. This is why paying attention to what you do on your PC is important; like you may have heard many times before, the weak point in any secure system is the user. In my case, I blame myself, so in real world terms, there is nothing wrong with the security of this site. If the site adopts HTTPS, which has been discussed, it would be overkill and an overhead that, for delivery of a site that is mainly text, is really an overkill; for login and registration purposes, a good idea.

    On the whole, HTTPS is a tool for a specific set of uses. Every tool has its purpose and IMHO it is not needed on this site; there is nothing to secure between the user and the server. We are in what I call a stuffed shirt scenario: people in offices coming up with ideas to justify the need for something just because they want to dupe people into handing over more money for things that are not needed by the masses, so these stuffed shirts can justify their jobs in the industry.

    If you can, for any valid reason beyond login to a site, justify the need for HTTPS on a site like this that is non-sensitive information, be my guest, knock yourself out, make your case.

  8. #8
    Join Date
    Feb 2005
    Location
    Indianapolis, IN
    Posts
    550
    HTTPS is in the works for the forum. It was planned to happen in the near future.

    Brad
    Lots Of Software, LLC