Toggle sidebar

New Platform - What do you think?

  • Some of the links on this forum allow SMF, at no cost to you, to earn a small commission when you click through and make a purchase. Let me know if you have any questions about this.
Remove the Ads for LIFE - 50% Off!
SMF is reader-supported. When you buy through links on our site, we may earn an affiliate commission.
ddave

ddave

Master of the Pit
Original poster
OTBS Member
SMF Premier Member
Mar 3, 2008
1,843
31
Far Northern California
Disclaimer:  This is somewhat techy but I have tried to make it straight forward and easy to understand.
 

Quote:
bmudd14474 said:
Not sure that is related Rob. That sounds like spywares and viruses that would cause that issue. I would go to malwarebytes.org and download the program. It should scan and detect almost all issues.
Click to expand...
I must admit I'm kind of surprised at how the security and privacy concerns regarding Huddler are getting swept aside as evidenced by how quickly this thread http://www.smokingmeatforums.com/forum/thread/94572/some-concerns-about-huddler

was closed.

I too noticed some strange behavior regarding redirects when clicking in white space and the fact that when I go to the forum, NetNanny (hey, I have young kids
biggrin.gif
) says that someone is trying to get to Facebook.

3a1d9022_fb.jpg


So I decided to do some checking as to what other sites my browser was going to when I went to the forum.  So using a network capture packet tool called Wireshark http://www.wireshark.org/

I decided to analyze the traffic leaving and coming into my computer.  The following screenshot shows a capture of just loading the main page.

55a8f750_DNSonload.jpg


The results have been filtered (trust me you 
biggrin.gif
  don't want to see the entire capture) to just show the names of the site and not each and every packet.  Lots of advertising/social networking and data mining sites there but I guess we already knew about that.

The other thing that we techy types like to capture is the login sequence.  Wireshark has a function called Follow TCP Stream where you can see the conversation between your PC and the server.  Most of the info is gobbleygook which is normal.  Some stuff will be in plain text.  Some stuff SHOULD NOT be in plain text.  Imagine my shock when I saw my password was in plain text as well.

a181ce44_HuddlerLogin.jpg


I changed my password for the demonstraton and changed it to something else after so don't anyone try and get into my account.
biggrin.gif


Out of curiosity, I captured the login sequence of another forum I am a member of.

0ce76fe2_smokedmeatlogin.jpg


As you can see, the password is encrypted, as it should be.  Incidentally, as you can see, that site is a vBulletin site.

What does this mean?  It means that your passwords are travelling to the server in plain text, folks.  That means they can be easily read and collected.  Will they be?  I don't know.  Will I be using the same password that I used to use for other accounts.  Absolutely not!! 

Probably an oversight on the Huddler folks part but a pretty poor security practice none the less.  Something to think about.

Dave
 
Last edited:
Regarding "plain text" passwords:  (Question answered by Huddler)

"What he describes in his post as a security flaw is actually a fairly common practice across the Internet.  Wikipedia (the 11th most popular site on the Internet), Digg (the 36th most popular), and every phpBB forum out there all send passwords over plain text.  It is true that vBulletin encrypts the password before sending it, but it does so using an algorithm that is so insecure that the US Government describes it as "cryptographically broken and unsuitable for further use".  In other words, the encrypted version of the password that vBulletin uses is almost no more secure than sending it in plain text.

He is right about one thing though.  When he says "Will I be using the same password that I used to use for other accounts.  Absolutely not!!", that is absolutely the right attitude.  Security best practices suggest that you should use different passwords for different websites that you visit.  And any time that you do not see the "lock" which indicates that a website is encrypted using SSL, you should always assume that any information that you send will be transmitted in plain text.

[color= rgb(0, 0, 0)][color= rgb(0, 0, 0)]---[/color][/color]

[color= rgb(0, 0, 0)][color= rgb(0, 0, 0)]Kyle Harmon[/color][/color]

[color= rgb(0, 0, 0)][color= rgb(0, 0, 0)]Partner Services - Huddler.com[/color][/color]

*****

The last portion of his response is the most important, and that is a reminder that this site is not a secure site, nor was it secure on the original vBulletin platform.  

e.g., feel free to analyze the security of Huddler, but remember to compare fairly to other sites that are also using ads--such as vBulletin forums that use Google ads.  (like www.sharky.com/forum/www.smoked-meat.com/forum/  or www.bbq-brethren.com/forum/) Also, www.sausagesource.com/forum/index.php  is a phpBB forum, so you might try capturing their traffic as well, and see if your full password turns up.   (I'm curious about that, too.)

No one is going to sweep aside privacy and security concerns, however, there needs to be a fair comparison between other similar forums in order to ascertain what unique problems actually exist.  Those unique problems can be analyzed and addressed as they are found.  
 
Also remember that you should never use the same password for normal browsing and your banking. You should always have different ones. Also remember to not use passwords that are easy to guess like your birthday, last 4 of your ssn, name. You should try to use a combination of letters and numbers. Also use uppercase and lowercase. Change a i into a 1 or O into 0. I know its not easy to keep track of all of these passwords but your identity and financial information are worth the hassle. 
 
ROFL!!!!!  Brian--insider alert/high-five!!!!!  
PDT_Armataz_01_12.gif
  (P.S.  You are 100% right!)
bmudd14474 said:
Also remember that you should never use the same password for normal browsing and your banking. You should always have different ones. Also remember to not use passwords that are easy to guess like your birthday, last 4 of your ssn, name. You should try to use a combination of letters and numbers. Also use uppercase and lowercase. Change a i into a 1 or O into 0. I know its not easy to keep track of all of these passwords but your identity and financial information are worth the hassle. 
Click to expand...
 
Last edited:
 feel free to analyze the security of Huddler, but remember to compare fairly to other sites that are also using ads--such as vBulletin forums that use Google ads.  (like www.sharky.com/forum/www.smoked-meat.com/forum/  or www.bbq-brethren.com/forum/) Also, www.sausagesource.com/forum/index.php  is a phpBB forum, so you might try capturing their traffic as well, and see if your full password turns up.   (I'm curious about that, too.)
Click to expand...
Okay.  I included a screenshot of the smoked-meat.com login sequence in my original post, but can do so again.  I replaced the image with one that I took AFTER I changed my password  
biggrin.gif
so if anyone is wondering why that post is edited, now you know.

I am not a member of Sharky or SausageSource but here are the DNS queries that occur when the Smoked-Meat, BBQBrethren and QJoint sites load.

364cf565_smDNSLoad.jpg


92375566_brethrenDNSLoad.jpg

 What he describes in his post as a security flaw is actually a fairly common practice across the Internet.  Wikipedia (the 11th most popular site on the Internet), Digg (the 36th most popular), and every phpBB forum out there all send passwords over plain text.
Click to expand...
Can you imagine the uproar if Microsoft used that response when someone pointed out a potential security flaw?  Just because it is common practice doesn't mean it is a good idea.  And clearly forum software can be made to encrypt passwords.  But it doesn't sound like Huddler is going to do that anytime soon.
 It is true that vBulletin encrypts the password before sending it, but it does so using an algorithm that is so insecure that the US Government describes it as "cryptographically broken and unsuitable for further use".  In other words, the encrypted version of the password that vBulletin uses is almost no more secure than sending it in plain text.
Click to expand...
 Okay, then tell me what my password was?  I changed mine back after the demo, but I posted a screen shot of the traffic capture.  If there encryption is almost no more secure than plain text, then decrypt it and tell me what it was.

I did not set out to prove that vBulletin is/was more secure than Huddler.  But with all the discussion of strange behavior that users have been experiencing as far as strange pages popping up and how these reports were dismissed as "problems with your ISP" or "the problem is on your end" I was curious about what was going on behind the scenes on the network.

  When I originally posted this, Jeff moved it to the Mod forum and PMed me saying that it shouldn't be in the general forum.  I responded that I felt the members should be aware of it so they could take appropriate measures as they see fit as far as their password choice.  He has done that after checking with Huddler, and I commend him for that.

However, I think it is pretty evident that there is more going on here than meets the eye.  I don't think it is something that is intentionally being allowed and I would hope that the bug reports will be taken seriously and not casually dismissed.  The new platform has a ton of potential.  I'll admit some of the new features are really starting to interest me but all the strange background stuff is concerning me.

Okay, I am taking off my propeller head cap now and getting ready to select some ribs for tomorrow's smoke.
biggrin.gif


Dave
 
Well..thanks for the detailed reply!  I appreciate that. 
PDT_Armataz_01_28.gif
   You're obviously a smarter cookie than I am--my eyes are crossing just staring at the screenshots!  The diversity between the screen shots probably has to do with the fact that we're on an ad network instead of just on Google ads, so since we're pulling ads from multiple sites, I would assume there to be multiple, diverse sources. With that said, the number of links may be less important, comparatively speaking, than the types of links.  Is there something to be concerned about by the sheer number of addresses shown?  Are there any malicious things in there that we should be worried about?  

As far as the passwords go, I agree with Brian that it's a good precaution to use a new [unique from your normal] password for the new platform until all the kinks have been worked out, and unless or until the passwords can be encrypted in the code.   Good work, btw.

In the meantime, asking Huddler to encrypt passwords is a reasonable request.  The complaint has been submitted to Huddler, and hopefully they'll get back to us with a resolution. 
cool.gif
 
Last edited:
 Well..thanks for the detailed reply!  I appreciate that.
Click to expand...
 You're welcome.
 my eyes are crossing just staring at the screenshots!  
Click to expand...
 Sorry about that.  Occupational hazard.
icon_redface.gif

  Is there something to be concerned about by the sheer number of addresses shown?
Click to expand...
 Not really.  Not as long as each site provides a necessary function that can be explained and that you and Jeff are comfortable with.  It will just take longer to completely load the page for some folks.
 Are there any malicious things in there that we should be worried about?
Click to expand...
You may want to do some research on secure-us.imrworldwide.com.  It has been associated with various spyware problems as this Google search illustrates.

http://www.google.com/#hl=en&q=secu...&oq=secure-us.im&gs_rfai=&fp=7c72d76feb718279

It could be the source of the as yet unexplainable behavior discussed in the  "Not Sure What the Problem Is" thread.  For what it's worth, I've had pages pop up when I clicked on white space in the forum pages.
 In the meantime, asking Huddler to encrypt passwords is a reasonable request.  The complaint has been submitted to Huddler, and hopefully they'll get back to us with a resolution
Click to expand...
 Given Huddler's response that plain text password transmission is a "fairly common practice across the Internet" makes me think it's not too high on their list of priorites.

But at least the membership knows about the issue and can take steps to safeguard their passwords.

Dave
 
thx dave for some insight............now i must go and uncross my eyes!
PDT_Armataz_01_05.gif
 
You must log in or register to reply here.
SmokingMeatForums.com is reader supported and as an Amazon Associate, we may earn commissions from qualifying purchases.

Similar threads

W
First offset smoke, what do you think?
Replies
4
Views
321
Poultry
JLinza
JLinza
W
New member, so many questions-
Replies
15
Views
849
For New Members
JKey
J
chilerelleno
Damn.... Do Y'all Think They're Safe?
Replies
25
Views
998
General Discussion
DougE
DougE
schlotz
Wagyu - know what you are buying
Replies
6
Views
1K
Blowing Smoke Around the Smoker.
schlotz
schlotz
Smokin Okie
What are you reading ?
Replies
25
Views
1K
Blowing Smoke Around the Smoker.
sandyut
sandyut
JckDanls 07
UH OHHH... How Long Is To Long ?
Replies
4
Views
380
Sausage
SmokinEdge
SmokinEdge
Rafter H BBQ
Just Curious On What All States Do?!
Replies
38
Views
1K
Wild Game
K9BIGDOG
K9BIGDOG
racerjohnbf
What should I do?
Replies
30
Views
2K
General Discussion
JLeonard
JLeonard

Latest posts

Hot Threads

Top Bottom
Back
Clicky