Homepage logon dangers.

Postby WojtylaKarol » Tue May 11, 2021 12:28 pm

Hi, just wanted to raise the attention of devs to a security issue with their havenandhearth.com webpage.

If the user types havenandhearth.com in the search bar, by default he will be directed to the unencrypted "http://havenandhearth.com". It wouldn't have been an issue if it was just for content viewing purposes, but the login functionality also allows the user to log in via the HTTP protocol. That could lead to users' accounts being stolen in case somebody along the way captures the data in traffic. The HTTPS version of the website is already set up, and as a best practice it would be useful to set up a redirect on the server side to send all browser traffic coming to HTTP to HTTPS instead.
WojtylaKarol
 
Posts: 13
Joined: Thu Apr 08, 2021 7:31 pm
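A small audit routine for the two problems the post describes, a plaintext response that carries a login form and no redirect to HTTPS, beside the fixed response. This is an added example, not code from the thread or the site; the responses and the host name example.invalid are constructed.

```python
"""Audit a plaintext-HTTP response for the issues raised in the post: no redirect
to HTTPS, and a login form (password field) served over HTTP. Added example,
not part of the thread; the two responses below are constructed, not captured."""
import re
from urllib.parse import urlparse

PASSWORD_FIELD = re.compile(r"<input[^>]*type=[\"']?password", re.IGNORECASE)
FORM_ACTION = re.compile(r"<form[^>]*action=[\"']([^\"']+)", re.IGNORECASE)
REDIRECTS = {301, 302, 307, 308}


def audit_http_response(request_url, status, headers, body):
    """Return a list of findings for a response received on an http:// request."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    host = urlparse(request_url).hostname

    if status in REDIRECTS:
        target = urlparse(hdrs.get("location", ""))
        if target.scheme != "https":
            findings.append("redirect does not go to https")
        elif target.hostname != host:
            findings.append("redirect leaves the host: %s" % target.hostname)
        return findings  # a server-side redirect to https is the fix the post asks for

    findings.append("no redirect from http to https")
    if PASSWORD_FIELD.search(body):
        findings.append("password field served over plaintext http")
    for action in FORM_ACTION.findall(body):
        # A relative action inherits the page's scheme, so it also submits over http.
        if urlparse(action).scheme != "https":
            findings.append("form action %r submits over http" % action)
    return findings


def audit_https_response(headers):
    """Browsers only honour HSTS on https responses, so that header is checked here."""
    hdrs = {k.lower() for k in headers}
    return [] if "strict-transport-security" in hdrs else ["missing Strict-Transport-Security"]


# Constructed responses: the situation described in the post, and the fixed one.
LOGIN_PAGE = ('<html><form action="/login" method="post"><input name="user">'
              '<input type="password" name="pw"></form></html>')
VULNERABLE = (200, {"Content-Type": "text/html"}, LOGIN_PAGE)
FIXED = (301, {"Location": "https://example.invalid/"}, "")


def demo(url="http://example.invalid/"):
    return (audit_http_response(url, *VULNERABLE), audit_http_response(url, *FIXED))
```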

Re: Homepage logon dangers.

Postby shubla » Tue May 11, 2021 2:08 pm

Yeah, allowing users to use the HTTP site is irresponsible; most people don't even know what it means, so they take big risks unknowingly, which could be prevented quite easily.
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Re: Homepage logon dangers.

Postby TheTylerLee » Tue May 11, 2021 4:06 pm

When paying in the shop, if you choose "other", even if you tell the site not to save your credit card, it saves it anyway.
TheTylerLee
 
Posts: 1604
Joined: Thu Jul 21, 2011 6:00 am

Re: Homepage logon dangers.

Postby VDZ » Tue May 11, 2021 5:22 pm

WojtylaKarol wrote:Hi, just wanted to raise the attention of devs to a security issue with their havenandhearth.com webpage.

If the user types havenandhearth.com in the search bar, by default he will be directed to the unencrypted "http://havenandhearth.com". It wouldn't have been an issue if it was just for content viewing purposes, but the login functionality also allows the user to log in via the HTTP protocol. That could lead to users' accounts being stolen in case somebody along the way captures the data in traffic. The HTTPS version of the website is already set up, and as a best practice it would be useful to set up a redirect on the server side to send all browser traffic coming to HTTP to HTTPS instead.

Sadly, this is inevitable considering modern-day browser design. When you visit https://havenandhearth.com, you get to see this:

Image

Suggesting that by using HTTPS, their passwords and credit card numbers will be stolen. There is no option to continue, only a 'back to safety' option implying the HTTPS connection is the opposite of safety. Should the user be brave enough to click Advanced in an attempt to proceed regardless, the browser further tries to persuade the user to use the unprotected HTTP connection instead:

Image

Again, you are being attacked, and continuing would be unsafe. Even if you continue, the address bar will contain a red 'unlocked lock' icon indicating the connection is dangerous and unsafe.

In contrast, going to the HTTP version of the same site will just display the site immediately without any warnings or issues, and you only see a black text 'Not Secure' next to the address bar (which is very different from the more alarming 'unsafe', suggesting you are merely unprotected rather than suggesting you are being attacked). To reassure the user they are safe and not under attack, they must be redirected to the insecure version of the page which is vulnerable to such attacks.

Web browsers in 2021.
VDZ
 
Posts: 2660
Joined: Sun Jul 17, 2011 2:27 am

Re: Homepage logon dangers.

Postby WojtylaKarol » Tue May 11, 2021 5:27 pm

VDZ wrote:
WojtylaKarol wrote:Hi, just wanted to raise the attention of devs to a security issue with their havenandhearth.com webpage.

If the user types havenandhearth.com in the search bar, by default he will be directed to the unencrypted "http://havenandhearth.com". It wouldn't have been an issue if it was just for content viewing purposes, but the login functionality also allows the user to log in via the HTTP protocol. That could lead to users' accounts being stolen in case somebody along the way captures the data in traffic. The HTTPS version of the website is already set up, and as a best practice it would be useful to set up a redirect on the server side to send all browser traffic coming to HTTP to HTTPS instead.

Sadly, this is inevitable considering modern-day browser design. When you visit https://havenandhearth.com, you get to see this:

Image

Suggesting that by using HTTPS, their passwords and credit card numbers will be stolen. There is no option to continue, only a 'back to safety' option implying the HTTPS connection is the opposite of safety. Should the user be brave enough to click Advanced in an attempt to proceed regardless, the browser further tries to persuade the user to use the unprotected HTTP connection instead:

Image

Again, you are being attacked, and continuing would be unsafe. Even if you continue, the address bar will contain a red 'unlocked lock' icon indicating the connection is dangerous and unsafe.

In contrast, going to the HTTP version of the same site will just display the site immediately without any warnings or issues, and you only see a black text 'Not Secure' next to the address bar (which is very different from the more alarming 'unsafe', suggesting you are merely unprotected rather than suggesting you are being attacked). To reassure the user they are safe and not under attack, they must be redirected to the insecure version of the page which is vulnerable to such attacks.

Web browsers in 2021.


That's simply an issue with an invalid certificate; you could simply use a LetsEncrypt certificate, which is free to set up and would not raise an alert like this. It's a half-hour fix for that.
WojtylaKarol
 
Posts: 13
Joined: Thu Apr 08, 2021 7:31 pm

Re: Homepage logon dangers.

Postby VDZ » Tue May 11, 2021 5:44 pm

WojtylaKarol wrote:That's simply an issue with an invalid certificate; you could simply use a LetsEncrypt certificate, which is free to set up and would not raise an alert like this. It's a half-hour fix for that.

loftar wrote:
shubla wrote:Also, maybe get some proper certificate (like from let's encrypt) this time?

I assure you the certificate is "proper". I think the expression you're searching for is "approved by the protection racket".

loftar wrote:
sabinati wrote:what's your objection to let's encrypt though? it's free and seems like it would take minimal effort.

The fact that it entrenches the stupid X.509 authority structure even further. I'd be happy to sign my certificates with LetsEncrypt if it weren't for the fact that X.509 means that that is then the only certificate I can sign them with.

I have actually strongly considered using LetsEncrypt lately, precisely because it is free and easy, but that's how they get you, isn't it? :P

(From thread 'Certificate Expired')
VDZ
 
Posts: 2660
Joined: Sun Jul 17, 2011 2:27 am

Re: Homepage logon dangers.

Postby WojtylaKarol » Tue May 11, 2021 6:25 pm

VDZ wrote:
WojtylaKarol wrote:That's simply an issue with an invalid certificate; you could simply use a LetsEncrypt certificate, which is free to set up and would not raise an alert like this. It's a half-hour fix for that.

loftar wrote:
shubla wrote:Also, maybe get some proper certificate (like from let's encrypt) this time?

I assure you the certificate is "proper". I think the expression you're searching for is "approved by the protection racket".

loftar wrote:
sabinati wrote:what's your objection to let's encrypt though? it's free and seems like it would take minimal effort.

The fact that it entrenches the stupid X.509 authority structure even further. I'd be happy to sign my certificates with LetsEncrypt if it weren't for the fact that X.509 means that that is then the only certificate I can sign them with.

I have actually strongly considered using LetsEncrypt lately, precisely because it is free and easy, but that's how they get you, isn't it? :P

(From thread 'Certificate Expired')


Still, your previous statement is wrong; it is not any issue with browsers, it is normal behaviour for browsers to accept only certificates signed by trusted providers, aka CAs.

It is just a fallacy to state it's any kind of issue with the browsers; the issue is that the developer does not follow secure standards, instead stating "The fact that it entrenches the stupid X.509 authority structure even further. I'd be happy to sign my certificates with LetsEncrypt if it weren't for the fact that X.509 means that that is then the only certificate I can sign them with."

Self-issued certificates are not trusted by browsers for a good reason.
WojtylaKarol
 
Posts: 13
Joined: Thu Apr 08, 2021 7:31 pm

Re: Homepage logon dangers.

Postby shubla » Tue May 11, 2021 6:44 pm

Suggesting that by using HTTPS, their passwords and credit card numbers will be stolen. There is no option to continue, only a 'back to safety' option implying the HTTPS connection is the opposite of safety. Should the user be brave enough to click Advanced in an attempt to proceed regardless, the browser further tries to persuade the user to use the unprotected HTTP connection instead:

HTTPS with an unverified certificate is not any more secure than HTTP is; it's more dangerous, actually, as the user may think that he is safe while he is not.
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Re: Homepage logon dangers.

Postby VDZ » Tue May 11, 2021 7:08 pm

shubla wrote:
Suggesting that by using HTTPS, their passwords and credit card numbers will be stolen. There is no option to continue, only a 'back to safety' option implying the HTTPS connection is the opposite of safety. Should the user be brave enough to click Advanced in an attempt to proceed regardless, the browser further tries to persuade the user to use the unprotected HTTP connection instead:

HTTPS with an unverified certificate is not any more secure than HTTP is; it's more dangerous, actually, as the user may think that he is safe while he is not.

How is it not more secure? It protects against MITM attacks, especially if the browser just remembers the certificate (as they did in the past if you chose to have them do so; browser makers have since removed that option). If I give you my phone number, isn't it more secure to just call the number I gave you (at risk of the phone number given to you not belonging to me, if you met someone impersonating me first before you met me) even though it's not in the telephone directory, than it is to leave your message somewhere public where everyone can hear or read it?

WojtylaKarol wrote:Still, your previous statement is wrong, it is not any issue with browsers, it is normal behaviour for browsers to accept only the certificates signed by trusted providers aka CA.


WojtylaKarol wrote:Self issued certificates are not trusted by browsers for a good reason.


Why? I can understand they are more cautious with self-issued certificates than with certificates from trusted providers, but they're still a lot more secure than having no certificate at all. Currently browsers are convincing users that self-signed certificates are less secure than using an entirely unprotected connection, which is simply not true.
VDZ
 
Posts: 2660
Joined: Sun Jul 17, 2011 2:27 am

Re: Homepage logon dangers.

Postby shubla » Tue May 11, 2021 8:21 pm

It protects against MITM attacks,

No it doesn't; a MITM can just send a fake certificate and the user gladly accepts it, because the user has no way of knowing its authenticity. Thus a self-signed certificate provides no added security if you cannot verify who assigned it.
One has to verify that the certificate is trusted and not a fake one. How do you think the average, quite computer-illiterate user is meant to do that, easily and securely?

It's a good thing that browsers show a bunch of warnings. Think about your grandma going to log in to a netbank that sends a self-signed certificate; then it's a good thing that there are a bunch of scary-looking warnings and not just some "OK, trust this site" box.
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland
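The "browser just remembers the certificate" behaviour VDZ describes, and the first-contact gap shubla points out, both fall out of a trust-on-first-use (TOFU) store like the one below. This is an added example, not code from the thread or any browser; the certificates are stood in for by constructed byte strings (real code would hash the DER certificate returned by `ssl.SSLSocket.getpeercert(binary_form=True)`), and host.example is a placeholder name.

```python
"""Trust-on-first-use certificate memory, as discussed in the two posts above.
Added example; CERT_A / CERT_B are constructed stand-ins for DER certificates."""
import hashlib


class TofuStore:
    """Pins the first certificate seen per host and flags any later change."""

    def __init__(self):
        self.pins = {}  # host -> hex SHA-256 fingerprint of the pinned certificate

    @staticmethod
    def fingerprint(cert_der):
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, host, cert_der):
        fp = self.fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: there is nothing to compare against, so whoever
            # answers now gets pinned. This is the gap shubla describes.
            self.pins[host] = fp
            return "pinned-unverified"
        if pinned == fp:
            # Same certificate as before: an interceptor who was absent on first
            # contact cannot present this without the matching private key.
            return "match"
        # A changed certificate is what an interposed party after first contact
        # looks like; TOFU cannot tell that apart from a legitimate key rotation.
        return "mismatch"


CERT_A = b"-constructed-certificate-A-"
CERT_B = b"-constructed-certificate-B-"


def demo(host="host.example"):
    """Three connections: first contact, a repeat, then a different certificate."""
    store = TofuStore()
    return [store.check(host, CERT_A),
            store.check(host, CERT_A),
            store.check(host, CERT_B)]
```

The same store never distinguishes a legitimate certificate rotation from an interposed party, which is the operational cost the browsers' warning screens trade against; CA validation moves that decision to the issuer instead.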
