Please provide HTTPS support (mandatory for login, ideally for the whole site).


Post

I shouldn't really have to describe this any further, but I think the time has come to enable HTTPS across the board.

The fact that login is allowed without HTTPS is pretty bad these days, but there's no acceptable reason to not fix it.

There used to be the certificate cost... this is now irrelevant thanks to https://letsencrypt.org/

Please, please, look to move to HTTPS.

Thank you.

Post

Is there a possibility that login data is being snuffed out without the site being hacked when not using HTTPS? Please elaborate.

Post

chk071 wrote: Is there a possibility that login data is being snuffed out without the site being hacked when not using HTTPS? Please elaborate.
The username and password are sent back to the site in plaintext, so yes, a man-in-the-middle attack is certainly possible.

This isn't particularly new - it's just that the options to solve the problem are now plentiful and cheap (if not free).

Of course, you should already be using different passwords for every website/login, but it would be sensible for KVR to move into the modern era.

Equally, generally browsing the site without HTTPS means that intermediates (ISPs/employers/governments/hackers) can intercept and monitor your behaviour.
Many people aren't overly concerned with this lack of privacy but it should be protected wherever possible.

Post

koalaboy wrote:
chk071 wrote: Is there a possibility that login data is being snuffed out without the site being hacked when not using HTTPS? Please elaborate.
The username and password are sent back to the site in plaintext, so yes, a man-in-the-middle attack is certainly possible.
Does the "man-in-the-middle" have to hack the site to do so? Aren't there already security measures to prevent him from doing so?

Post

chk071 wrote:
koalaboy wrote:
chk071 wrote: Is there a possibility that login data is being snuffed out without the site being hacked when not using HTTPS? Please elaborate.
The username and password are sent back to the site in plaintext, so yes, a man-in-the-middle attack is certainly possible.
Does the "man-in-the-middle" have to hack the site to do so? Aren't there already security measures to prevent him from doing so?
I'm really not an expert in web attacks, but no - an MITM attack does not require any hack on the actual site - this is the 'middle' bit.

Post

This is the first I've heard of Let's Encrypt. I'd no idea such an organization and service existed. I've nothing to do with KVR's operations, but as a shoestring-budget website developer (among other jobs) you can bet this is great news. I'll PM Ben with a link to this thread.

Thank you for mentioning it.

Post

koalaboy wrote:
chk071 wrote:
koalaboy wrote:
chk071 wrote: Is there a possibility that login data is being snuffed out without the site being hacked when not using HTTPS? Please elaborate.
The username and password are sent back to the site in plaintext, so yes, a man-in-the-middle attack is certainly possible.
Does the "man-in-the-middle" have to hack the site to do so? Aren't there already security measures to prevent him from doing so?
I'm really not an expert in web attacks, but no - an MITM attack does not require any hack on the actual site - this is the 'middle' bit.
Ok, no idea myself, that's why i'm asking. Well, if it helps improve security on the site, then it's a good thing of course. It's just that i know loads of sites which don't have https, and there didn't seem to be an issue.

Post

there are other reasons to use HTTPS as well, one of which is to thwart tracking. but yes, if someone wants to know what are the effects of MITM attack, look no further.
I don't know what to write here that won't be censored, as I can only speak in profanity.

Post

Burillo wrote: there are other reasons to use HTTPS as well, one of which is to thwart tracking. but yes, if someone wants to know what are the effects of MITM attack, look no further.
So the attacker has to be in the same wi-fi as myself? And does it only work with Android devices? Do the devices have to be rooted? Does the device with which you log into a http site have to be rooted to snuff it out? That article really lacks a lot of information.

Post

chk071 wrote: So the attacker has to be in the same wi-fi as myself?
not really. technically, that was a passive sniffing attack, which is why it works over wifi (because it's a broadcast network, so everyone can hear everyone else talking) - so the attacker wasn't technically "in the middle" between you and the target network, in this case it's more like eavesdropping. a canonical MITM attack is harder to accomplish (an attacker has to compromise a route from you to the target - which typically involves rerouting your connections via DNS spoofing, or malware), but it works essentially in the same way - intercepting communications between you and the target (and optionally changing content of these communications in a way that is undetectable to both you and the target).
chk071 wrote: And does it only work with Android devices? Do the devices have to be rooted?
no and no. the rooting part of the attack is only needed on Android, because by default the OS won't allow sniffing packets not intended for the device (i.e. by default, a device can only "hear" traffic targeted to itself). HTTP is a device-independent protocol. the attack is not directed towards the OS - it's directed towards unencrypted network traffic. therefore this kind of attack can be accomplished against all platforms which speak HTTP (that would be pretty much every consumer product out there). the article only demonstrates an example of such an attack, and it's the fact that it's so easy to carry it out with just a rooted phone that makes HTTPS mandatory for authentication.
chk071 wrote: Does the device with which you log into a http site have to be rooted to snuff it out? That article really lacks a lot of information.
pay no attention to the "on Android" and "rooted" parts - this isn't what the attack is about. the attack is about intercepting plaintext authentication traffic. using HTTPS thwarts this kind of attack, because to the outsider, your communications look like gibberish (because they're encrypted), so MITM is theoretically possible, but way harder and in most cases impractical for the average Joe.
I don't know what to write here that won't be censored, as I can only speak in profanity.

Post

Ok, thanks for the information. Of course, if this is easy to implement it's recommended anyway. I don't feel very unsafe with the way it is now, because, as usual, there's many ifs, whens, and buts. I mean, the likeliness of such an attack might rather be in the 0.0x range, and it's also a question what the attacker will do with your account. He could ridicule you here on the forum, or have your e-mail address. Big deal. ;) Nonetheless, of course, as i said, if it's easily being done then the site owners should think about it.

Post

a compromised website login in and of itself isn't much of a threat. the danger comes from what one can do with the accessed information. first of all, you're right - it's your email address. people are lazy, so your KVR password may be reused somewhere else. so we take your email address, your KVR password, and try it elsewhere. you may be smart and not reuse the password, but, statistically speaking, someone will be dumb or ignorant enough not to. voila - some other accounts are compromised as well. the bigger the site - the wider the net you can cast.

once you're in those accounts, you can, for example, gather a lot of personal information, which you can use for social engineering (spear-phishing). such attacks, depending on who you compromised, can have devastating consequences - from "The Fappening", to something like this, to identity theft and various other crimes involving duping or impersonating other people (credit card fraud etc.).

it's a big bad world out there. we need all the security we can get. the likelihood of attack is extremely low, until it does happen to you.
Last edited by Burillo on Sat Feb 06, 2016 5:14 pm, edited 1 time in total.
I don't know what to write here that won't be censored, as I can only speak in profanity.

Post

True, good points.

Post

koalaboy wrote: There used to be the certificate cost... this is now irrelevant thanks to https://letsencrypt.org/
So does this mean any scammer can now create an HTTPS site? I thought the whole point of the licensing was to promote trust? One of the things I look for if I think I've been directed to a spoofed site is HTTPS certification.

Post

You need to be aware of the costs of SSL before you demand its use.

What actual benefit would it provide here?

It may make sense if product pages were at risk (links could be changed).

The fact your post doesn't comment on the cost vs. benefit and never mentions the cost demonstrates that it is ignorant.

https://blog.nexcess.net/2014/09/03/the ... ssl-https/

Ultimately you are responsible for your own security. Don't use a public bulletin board if you aren't willing to accept the risks.

If you have confidential information you need to exchange, use encrypted email with a secure key exchange, such as a physical key exchange.
Free plug-ins for Windows, MacOS and Linux. Xhip Synthesizer v8.0 and Xhip Effects Bundle v6.7.
The coder's credo: We believe our work is neither clever nor difficult; it is done because we thought it would be easy.
Work less; get more done.
