Post by Takamaka on Jan 29, 2020 19:16:02 GMT -5
I'd be worried on FB, but not really a forum that no one would want your password to, unless your wife spies on us. Well https in full is here in under 2 weeks.
Post by Topanga on Jan 29, 2020 19:33:54 GMT -5
This. And all login areas and places that mattered here were always https. That is not accurate. The login screen always forwarded to the non-encrypted address after authentication, meaning your password was encrypted but your session tokens were always broadcast in the clear and easily hijacked. That would have to be a very specific target. PB doesn't even store passwords. Wouldn't this have to occur the moment you're logging in?
Post by bigballofyarn on Jan 29, 2020 20:31:26 GMT -5
This. And all login areas and places that mattered here were always https. That is not accurate. The login screen always forwarded to the non-encrypted address after authentication, meaning your password was encrypted but your session tokens were always broadcast in the clear and easily hijacked. "When a user logs in on our secure login page (HTTPS), we generate a unique token that is a one time use before sending the user to the forum. The user is sent to the forum with that token, and it is then immediately invalidated so that it can not be used again." -Patrick Clinger
Post by BlondeHanson on Jan 30, 2020 6:29:00 GMT -5
Thank you for letting us know.
Post by pumpkinpie on Jan 30, 2020 6:29:21 GMT -5
From both messages, it sounds like we're safe, even now.
Post by CrazyBoy on Jan 30, 2020 6:30:19 GMT -5
You may type https://bigballofyarn.proboards.com/ not http://bigballofyarn.proboards.com/ to get the site secure. But then will all http content look broken? They work with http but the site won't be secure then.
Post by Madam Moriarty on Jan 30, 2020 7:30:26 GMT -5
That is not accurate. The login screen always forwarded to the non-encrypted address after authentication, meaning your password was encrypted but your session tokens were always broadcast in the clear and easily hijacked. "When a user logs in on our secure login page (HTTPS), we generate a unique token that is a one time use before sending the user to the forum. The user is sent to the forum with that token, and it is then immediately invalidated so that it can not be used again." -Patrick Clinger GOOD. And within ten days, it'll all be SSL anyway.
Post by miqrogroove on Jan 30, 2020 9:16:02 GMT -5
"When a user logs in on our secure login page (HTTPS), we generate a unique token that is a one time use before sending the user to the forum. The user is sent to the forum with that token, and it is then immediately invalidated so that it can not be used again." -Patrick Clinger Sorry but that guy is full of BS. If the forum session token were single-use then nobody would be able to see more than one page ever before logging in again. I guarantee the non-encrypted traffic for this forum can be hijacked in one step.
Post by CrazyAgent on Jan 30, 2020 9:32:05 GMT -5
"When a user logs in on our secure login page (HTTPS), we generate a unique token that is a one time use before sending the user to the forum. The user is sent to the forum with that token, and it is then immediately invalidated so that it can not be used again." -Patrick Clinger Sorry but that guy is full of BS. If the forum session token were single-use then nobody would be able to see more than one page ever before logging in again. I guarantee the non-encrypted traffic for this forum can be hijacked in one step. I don't know how it works either way. If your claim is true, wouldn't an account have to be targeted from the account owner's own computer? This is an unlikely attack.
Pøĸē
Secret Service
I like pie
Posts: 6,668
Reputation: 943
Post by Pøĸē on Jan 30, 2020 9:38:36 GMT -5
"When a user logs in on our secure login page (HTTPS), we generate a unique token that is a one time use before sending the user to the forum. The user is sent to the forum with that token, and it is then immediately invalidated so that it can not be used again." -Patrick Clinger

Sorry but that guy is full of BS. If the forum session token were single-use then nobody would be able to see more than one page ever before logging in again. I guarantee the non-encrypted traffic for this forum can be hijacked in one step.

I think I understand what he's saying. To log in to proboards everyone starts on login.proboards.com regardless of the forum you're intending to browse. For this forum, the link to the login page looks like this: login.proboards.com/login/355429/1. My guess is that the other path parameters note the forum you're trying to use so that you can be redirected back there later.

Anyway once you log in login.proboards.com cannot just arbitrarily set a cookie on bigballofyarn.proboards.com since that's not the subdomain you're on. It must first redirect you to bigballofyarn.proboards.com all the while retaining that you are actually authenticated. This part, I believe, involves the one-time-use token that Patrick is talking about. It's either the g_session_id that is set on .proboards.com or the path parameter in the url once you're redirected back to (my guess is the latter). Mine looked like this: bigballofyarn.proboards.com/login/goJ5CENSORED/86/1.

Now that you're on the bigballofyarn.proboards.com domain a cookie can actually be set on said domain. Furthermore if I try to use the same link that I just pasted to access this forum again I get a "We couldn't find the page you are trying to access". Anyway the resulting bigballofyarn.proboards.com cookie looks a little something like this:

POST http://bigballofyarn.proboards.com/login/goJ5CENSORED/86/1 HTTP/1.1
> HTTP/1.1 302 Found
> Set-Cookie: session_id=mcofCENSORED; path=/; domain=bigballofyarn.proboards.com; HttpOnly
> Location: http://bigballofyarn.proboards.com/

... and tada, you're logged in. Here we can plainly see that the cookie is set on an http address and that the cookie does not have the Secure attribute so groove and Patrick are both correct but they're talking about different things.

EDIT: Remember this gem? bigballofyarn.proboards.com/thread/41928/https-question
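
The exchange quoted in the post above, run through a small header audit (an added example, not part of the original post and not ProBoards code). The function names and the "hardened" comparison response are assumptions constructed for illustration; the first request and response are the redacted ones from the post.

```python
from urllib.parse import urlsplit

# Exchange as quoted in the post (values already redacted there as CENSORED).
REQUEST_LINE = "POST http://bigballofyarn.proboards.com/login/goJ5CENSORED/86/1 HTTP/1.1"
RESPONSE = (
    "HTTP/1.1 302 Found\n"
    "Set-Cookie: session_id=mcofCENSORED; path=/; "
    "domain=bigballofyarn.proboards.com; HttpOnly\n"
    "Location: http://bigballofyarn.proboards.com/\n"
)
# Constructed comparison: same flow served over HTTPS with a Secure cookie.
HARDENED_REQUEST_LINE = REQUEST_LINE.replace("http://", "https://")
HARDENED_RESPONSE = RESPONSE.replace("http://", "https://").replace(
    "HttpOnly", "HttpOnly; Secure")

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {lowercased attr: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, cookie_value, attrs

def audit_exchange(request_line, response):
    """List what this login hand-off leaves readable on the network."""
    findings = []
    _method, url, _version = request_line.split(" ", 2)
    if urlsplit(url).scheme != "https":
        findings.append("request-over-http")      # one-time token travels in clear
    for line in response.strip().splitlines()[1:]:
        header, _, value = line.partition(":")
        header, value = header.strip().lower(), value.strip()
        if header == "set-cookie":
            name, _, attrs = parse_set_cookie(value)
            if "secure" not in attrs:              # browser will send it over http
                findings.append(f"cookie-without-secure:{name}")
            if "httponly" not in attrs:
                findings.append(f"cookie-without-httponly:{name}")
        elif header == "location" and urlsplit(value).scheme == "http":
            findings.append("redirect-to-http")    # later requests carry the cookie in clear
    return findings

if __name__ == "__main__":
    print(audit_exchange(REQUEST_LINE, RESPONSE))
    print(audit_exchange(HARDENED_REQUEST_LINE, HARDENED_RESPONSE))
```

The one-time login token being invalidated does not change the first result: the `session_id` cookie is the reusable credential, and it is the one issued without `Secure` on an http origin.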
Post by xea989 on Jan 30, 2020 9:50:37 GMT -5
That's all so confusing, from the announcement to the replies, but it looks like things are moving in the right direction.
Post by Pøĸē on Jan 30, 2020 9:51:34 GMT -5
Sorry but that guy is full of BS. If the forum session token were single-use then nobody would be able to see more than one page ever before logging in again. I guarantee the non-encrypted traffic for this forum can be hijacked in one step. I don't know how it works either way. If your claim is true, wouldn't an account have to be targeted from the account owner's own computer? This is an unlikely attack. It's worth noting that attacks are generally not targeting a single individual or even a single website/service. Attacks are usually as generic as can be until an attacker gets a hit. From there maybe someone reused a password or divulged a little personal information (doesn't even have to be the person who just got owned) which can then be used to social engineer other services. You can sorta think about it like "no one is secure unless everyone is secure"
Post by xea989 on Jan 30, 2020 9:59:52 GMT -5
I don't know how it works either way. If your claim is true, wouldn't an account have to be targeted from the account owner's own computer? This is an unlikely attack. It's worth noting that attacks are generally not targeting a single individual or even a single website/service. Attacks are usually as generic as can be until an attacker gets a hit. From there maybe someone reused a password or divulged a little personal information (doesn't even have to be the person who just got owned) which can then be used to social engineer other services. You can sorta think about it like "no one is secure unless everyone is secure" Because I don't understand fully, let's create a hypothetical. Joe from Provider Online wants to spy on clients. He finds some http sites that the person accesses, and then sets up a construction crew to take down information that may go through other sites? I don't understand. My networking knowledge doesn't go very far.
Post by Pøĸē on Jan 30, 2020 10:12:43 GMT -5
It's worth noting that attacks are generally not targeting a single individual or even a single website/service. Attacks are usually as generic as can be until an attacker gets a hit. From there maybe someone reused a password or divulged a little personal information (doesn't even have to be the person who just got owned) which can then be used to social engineer other services. You can sorta think about it like "no one is secure unless everyone is secure" Because I don't understand fully, let's create a hypothetical. Joe from Provider Online wants to spy on clients. He finds some http sites that the person accesses, and then sets up a construction crew to take down information that may go through other sites? I don't understand. My networking knowledge doesn't go very far. As a hacker, or a scammer, or just a bad dude in general I don't care about Joe from Provider Online. I'm just trying to find any Joe NoName who happens to be doing insecure things online. Maybe he's logging in on a website that doesn't use https. Maybe I send out a mass spam email with phishing links and he clicks it. Maybe I call random phone numbers pretending to be Microsoft tech support until I find this magically ignorant Joe NoName who allows me to remote access his computer to fix his network ip virus problem that I made up. From any of those entry points I'm certainly stealing information from Joe NoName... but the more scary part is that I now have Joe NoName's contact lists and more. Maybe he shares passwords between sites and now I have access to his Facebook. From there I have all of his social network. Maybe I impersonate Joe NoName in order to get more information on other people. I can now send emails from his email address or IMs from his social networking accounts. I now have a new pool of information to play with and with which to spread my attack. 
Maybe my overall goal is to install the tiniest bit of malware onto peoples' computers until I've created a botnet and THEN I attack Provider Online itself now with the power of hundreds or thousands of stolen computers. It starts small. It escalates fast. This is happening every day to random people. I personally gain great enjoyment out of watching scambaiters like Kitboga
Post by miqrogroove on Jan 30, 2020 10:27:06 GMT -5
I don't know how it works either way. If your claim is true, wouldn't an account have to be targeted from the account owner's own computer? This is an unlikely attack. Without encryption, the hijack would be as simple as using the same restaurant or hotel Wi-Fi as the victim. No access to your device is needed.