Page 2 of 4 (results 16 to 30 of 57)

Thread: ISP: Your login detail is insecure. (Clientzone)

  1. #16
    Web Africa representative
    Join Date
    Jan 2008
    Location
    Cape Town
    Posts
    5

    Default

    Hi Prophet

    The only way to secure that information would be to use SSL. Unfortunately most of our website (except the customer zone) runs on normal http (for performance reasons). This means that we're unable to post to a secure server and read the response due to cross domain scripting limitations.
    http://en.wikipedia.org/wiki/Same_origin_policy

    If you can show me a reliable cross-browser technique to get around this issue, then we'll implement it.

    Web Africa, Axxess and Cybersmart are "insecure" by that standard. The only reason why the other guys are secure is because they don't have a global login.

    Web Africa
    http://i45.tinypic.com/ff2s1u.png

    Axxess
    http://i46.tinypic.com/9vkx3k.png

    Cybersmart
    http://i46.tinypic.com/333d11y.png

  2. #17

    Default

    And you are who exactly ?
    "The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown" - H.P. Lovecraft

  3. #18
    Web Africa Representative (WAJeff)
    Join Date
    May 2009
    Location
    Cape Town
    Posts
    1,506

    Default

    Quote Originally Posted by Pr⊕phet View Post
    And you are who exactly ?
    As the username states, KevinR - Kevin Rademan, our Development Manager.

  4. #19

    Default

    Quote Originally Posted by WAJeff View Post
    As the username states, KevinR - Kevin Rademan, our Development Manager.
    Thanks.

    Quote Originally Posted by wakevinr View Post
    Hi Prophet

    The only way to secure that information would be to use SSL. Unfortunately most of our website (except the customer zone) runs on normal http (for performance reasons). This means that we're unable to post to a secure server and read the response due to cross domain scripting limitations.
    http://en.wikipedia.org/wiki/Same_origin_policy

    If you can show me a reliable cross-browser technique to get around this issue, then we'll implement it.

    Web Africa, Axxess and Cybersmart are "insecure" by that standard. The only reason why the other guys are secure is because they don't have a global login.

    Web Africa
    http://i45.tinypic.com/ff2s1u.png

    Axxess
    http://i46.tinypic.com/9vkx3k.png

    Cybersmart
    http://i46.tinypic.com/333d11y.png
    I'm always a little worried when I read a reply like this:

    1) We can stick to insecure login because others are doing it.
    2) We'd rather have the login detail be insecure for sake of convenience.
    3) Passing on the onus.

    Quick pass on ISPA membership policies

    F. Cyber crime
    ISPA members must take all reasonable measures to prevent unauthorised access to, interception of, or interference with any data on that member's network and under its control.

    [link]
    If I understand this correctly and looking at your response, there seems to be a conflict, right?

    Now I'm not being a dick, I'm highlighting a concern here. Would be interesting to get ISPA's take on this. I think I'm going to pass this by them on Monday for WebAfrica, Cybersmart and Axxess.
    Last edited by Pr⊕phet; 03-08-2012 at 06:18 PM.
    "The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown" - H.P. Lovecraft

  5. #20
    Web Africa representative
    Join Date
    Jan 2008
    Location
    Cape Town
    Posts
    5

    Default

    Thanks for the feedback. While it's fairly low-risk, you are right in the sense that the login could be made even more secure, and anything that we can do to improve security is always a win.

    We're looking into it, and will feed back.

  6. #21

    Default

    Quote Originally Posted by Pr⊕phet View Post
    Now I'm not being a dick, I'm highlighting a concern here. Would be interesting to get ISPA's take on this. I think I'm going to pass this by them on Monday for WebAfrica, Cybersmart and Axxess.
    Think it's worth pointing out that the major sites exhibit the same behaviour, and by the same argument are 'insecure'.

    Wikipedia (https://img.skitch.com/20120803-xbiy...nqs5mis474.jpg)
    Reddit
    etc

    Even Facebook until recently (with 900m+ users) also used plain text http logins, before they decided to force HTTPS across the board.

    Also I believe for those that specifically want SSL, going to www.webafrica.co.za/client directly forces SSL.

    That said, I'm also a bit uneasy in general of plaintext passwords, even if the practical risks are low. Especially considering things like Firesheep and public unsecured wifi.

    PS speaking in my personal capacity. I am not the CEO.
    Last edited by wamatt; 04-08-2012 at 12:05 AM.

  7. #22

    Default

    Ahm, your post is completely illogical. Show me a major banking site, or shopping portal, that gives you an insecure login page. Since, an ISP is a service that is offered, which contains all the user's info, you can't compare it to Wikipedia or Reddit, etc.
    "Believe nothing, no matter where you read it, or who said it,... , unless it agrees with your own reason and your own common sense." - Gautama Buddha

  8. #23

    Default

    Quote Originally Posted by Centaur View Post
    Ahm, your post is completely illogical. Show me a major banking site, or shopping portal, that gives you an insecure login page. Since, an ISP is a service that is offered, which contains all the user's info, you can't compare it to Wikipedia or Reddit, etc.
    Fair enough. Banks I should hope are using full HTTPS across their sites. I'm not sure about all shopping sites.

    What is interesting is that iiNet, for example, much larger than our ISPs here in SA, also uses an http login page on their homepage. So it seems it's a well established practice.

    But @Kev, if you take a look at iiNet and Internode, while the homepage is HTTP, it appears it may still be passing the info securely using HTTPS.

    I'm not 100% on how that works and if it is in fact secure. But check this out:

    Internode https://img.skitch.com/20120804-ct41...wwgegxm1fh.jpg

    There is also an "https" everywhere movement, that seems to be gaining some momentum.

    https://www.eff.org/https-everywhere/

    Wonder if we will see any ISPs going full SSL in the future.

  9. #24

    Default

    FWIW, this is rather a fun and complex issue in general

    More on StackOverflow:

    http://stackoverflow.com/questions/2...-form-to-https

    If what some of those answers are saying is true, then even HTTP->HTTPS suffers from MITM attacks and is insecure.

    http://en.wikipedia.org/wiki/Man-in-the-middle_attack

  10. #25

    Default

    Quote Originally Posted by WAJeff View Post
    We've pushed a change live earlier, can you guys please double check?
    I have noticed that when you get redirected from your account to your control panel it logs in using GET, and the username and password are in the URL in clear text. Doesn't seem too safe, maybe a bruteforce attack.

    On that note, will make a small script tomoz to try crack the control panel login

  11. #26

    Default

    It's worth noting that mint.com (an extremely popular personal finance site, with full access to your bank accounts), used to allow http, but have since forced the entire site to https.

    While I've yet to see any ISP's website do this, maybe this is the way to go...

  12. #27

    Default

    Frankly I find the responses in this thread more alarming than anything else.

    Quote Originally Posted by wakevinr View Post
    The only reasons why the other guys are secure is because they don have a global login.
    Quote Originally Posted by wakevinr View Post
    Unfortunately most of our website (except the customer zone) runs on normal http (for performance reasons).
    Quote Originally Posted by wakevinr View Post
    it’s a fairly low-risk
    None of those responses are giving me that warm fuzzy feeling - especially not the part about plain text passwords being low-risk.

    Even if it is low risk, simple business sense would suggest that plastering the entire website full of SSL is a winning move: the only thing most customers know is that they're supposed to look for that small lock thing.

    Now in this particular case I'm not particularly concerned in practice (DSL Secure, accessed from secure PC etc) - but as a matter of principle the above does not fly.
    Quote Originally Posted by Picard View Post
    No need to speak the truth. Few people are interested in it.

  13. #28

    Default

    Forcing the entire site over a secure protocol is definitely the way to go. Especially a site that works with money and people's info.
    It will give that extra trust. Since a lot of people look for that lock when they want to buy something. Also, the speed decrease these days with modern browsers and fast internet, is fairly negligible.

    However, if you have made this massive oversight, I'm wondering how you store these passwords and info on your DB. Especially credit card info.
    "Believe nothing, no matter where you read it, or who said it,... , unless it agrees with your own reason and your own common sense." - Gautama Buddha

  14. #29

    Default

    Disclaimer: Views are personal and I'm not part of management at WA though do try to be naturally as impartial as possible. This particular topic is of greater general interest to me as well.

    Quote Originally Posted by HavocXphere View Post
    None of those responses are giving me that warm fuzzy feeling - especially not the part about plain text passwords being low-risk.
    Yeah, I can see how you'd feel like that. I personally used to want a strong "Confident Sounding Message(TM)" from the top brass of any company I was doing business with. But over time I observed that positive messaging seemed to hardly ever correlate with actual security or competence, and was more to do with people's feelings of security. The reality is nearly always more shaded and complex than simple assurances.

    So few companies actually come out and say, "Hey guys, yeah, our systems are a ****". Many would be surprised how much really sloppy stuff goes on behind the scenes and across the board. Humans are simply not infallible, no matter how big or important-sounding the company is.

    If anyone is interested, I highly recommend anything by the legendary security demigod, Bruce Schneier. His recent TED talk on the feeling of security vs the actual state of security is particularly good:

    http://www.youtube.com/watch?v=wQJC2MMB8nA

    The economics are also very interesting. In terms of encryption software, for instance, it's often actually cheaper to make people feel secure than to be secure, which unfortunately creates a rather big market incentive to be evil.

    Quote Originally Posted by Centaur View Post
    I'm wondering how you store these passwords and info on your db. Especially credit card info.
    It's encrypted within the DB, and the keys I believe are stored separately with a pretty strict access protocol and audit. I'm not sure of the exact details though; I just remember it from a security overview meeting a few years back, so my memory is probably a little hazy.
    Last edited by wamatt; 04-08-2012 at 07:11 AM.

  15. #30

    Default

    I'm not sure if anything has changed; there were some pretty funny holes in the smaller ISPs' stuff last I looked, but the one that made me smile was MWEB.

    I know that internally they don't store passwords as hashes (anyone in the call center can view any account password in plaintext), but it was quite funny to notice that their mailserver had been specifically modified to only check the first 6 characters of a password (if you put more, they are discarded silently - almost certainly they are not using hashes here either) - some sections of their pages also choke on punctuation. Pretty sure the mailserver still only checks the first 6

    Then again, when you look at how Standard**** deal with security - you'll understand just how small ISP problems are.

