Disclaimer: This is somewhat techy but I have tried to make it straightforward and easy to understand.
I must admit I'm kind of surprised at how the security and privacy concerns regarding Huddler are getting swept aside, as evidenced by how quickly this thread http://www.smokingmeatforums.com/forum/thread/94572/some-concerns-about-huddler
I too noticed some strange behavior regarding redirects when clicking in white space, and the fact that when I go to the forum, NetNanny (hey, I have young kids) says that someone is trying to get to Facebook.
So I decided to do some checking as to what other sites my browser was going to when I went to the forum. Using a network packet capture tool called Wireshark http://www.wireshark.org/ I decided to analyze the traffic leaving and coming into my computer. The following screenshot shows a capture of just loading the main page.
The results have been filtered (trust me, you don't want to see the entire capture) to just show the names of the sites and not each and every packet. Lots of advertising/social networking and data mining sites there, but I guess we already knew about that.
The other thing that we techy types like to capture is the login sequence. Wireshark has a function called Follow TCP Stream where you can see the conversation between your PC and the server. Most of the info is gobbledygook, which is normal. Some stuff will be in plain text. Some stuff SHOULD NOT be in plain text. Imagine my shock when I saw my password was in plain text as well.
I changed my password for the demonstration and changed it to something else afterwards, so don't anyone try and get into my account.
Out of curiosity, I captured the login sequence of another forum I am a member of.
As you can see, the password is encrypted, as it should be. Incidentally, as you can see, that site is a vBulletin site.
What does this mean? It means that your passwords are travelling to the server in plain text, folks. That means they can be easily read and collected. Will they be? I don't know. Will I be using the same password that I used to use for other accounts? Absolutely not!!
Probably an oversight on the Huddler folks' part, but a pretty poor security practice nonetheless. Something to think about.
Edited by DDave - 5/29/10 at 12:34pm
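The plaintext-versus-hashed comparison the post makes by eye in Follow TCP Stream can be run as a small audit over a captured login request. This is an added Python example, not code from the original post or from Huddler or vBulletin; both requests are constructed, the field names vb_login_password / vb_login_md5password are assumed to match vBulletin's login form, and whether the capture came from a TLS connection is passed in by the caller.

```python
# Added example: audit one captured HTTP login request (as seen in Wireshark's
# "Follow TCP Stream") and report whether the password is readable on the wire.
import hashlib
import re
from urllib.parse import parse_qs

HEX32 = re.compile(r"^[0-9a-f]{32}$")  # shape of a client-side MD5 digest

# Constructed sample: login form that posts the literal password (Huddler-like).
PLAINTEXT_LOGIN = (
    "POST /login HTTP/1.1\r\nHost: forum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=ddave&password=S3cret%21&remember=1"
)
# Constructed sample: form that hashes the password in the browser first
# (field names assumed to follow vBulletin's login form).
HASHED_LOGIN = (
    "POST /login.php HTTP/1.1\r\nHost: otherforum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "vb_login_username=ddave&vb_login_password=&vb_login_md5password="
    + hashlib.md5(b"S3cret!").hexdigest()
)

def parse_http_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, form_fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, headers, fields

def audit_login(raw: str, password: str, tls: bool) -> dict:
    """Report where the known password shows up in a captured login request.

    tls=True means the bytes were carried inside HTTPS, so a passive observer
    could not read them even if the form field holds the literal password.
    Client-side hashing only hides the literal password; TLS is the real fix.
    """
    _method, path, _headers, fields = parse_http_request(raw)
    plaintext_fields = [k for k, v in fields.items() if v == password]
    hashed_fields = [k for k, v in fields.items()
                     if "pass" in k.lower() and HEX32.match(v)]
    return {
        "path": path,
        "plaintext_on_wire": bool(plaintext_fields) and not tls,
        "plaintext_fields": plaintext_fields,
        "client_hashed_fields": hashed_fields,
    }
```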