INTERNET security

prwales
Joined: 30.05.2007
Location: West Glamorgan
GWOA Groups: Members

My internet security provider always marks the GWOA site as 'NotSecure' beside a red triangle. Please be careful about what you post on this site.

jdring
Joined: 12.04.2004
Location: South of Oxford, UK
GWOA Groups: Members
Re: INTERNET security

OK, it's not that big a deal.

To clarify, this is about GWOA not supporting a secured HTTPS connection with your browser, only plain HTTP.

(basically, HTTPS means the data from your browser to the site is encrypted automatically and safe from interception)

https://www.quora.com/What-are-the-benefits-of-HTTPS-over-HTTP 

Anything you write on the site is visible to anyone else who accesses the site, whether by HTTP or HTTPS.  So that's not really an issue.

However, I was wondering about the entering of the GWOA member password, because this must be going out in the clear.

For that reason, I don't use a password on GWOA that I have elsewhere. If someone somehow can sniff the internet traffic, or if you log on to GWOA on a public Wifi where there could be someone sniffing that, then they get your password.  With GWOA, since there is no commerce associated with it, there's not much anyone can do.  But use a dedicated password.

jdring
Re: INTERNET security

duplicate...

jdring
Re: INTERNET security

OK, it was bugging me about the password being sent in plain view... so I traced the session (using Fiddler, it's nice, try it).

And I am no developer so trying to figure out what is happening... looks like the password is not sent at all, but a Cookie is set/created in the browser session... I assume including a hash of the password+username, which is then attached to the header in subsequent requests to the server (gwoa.co.uk).

So the password is never sent, only a non-reversible hash version of it, which is checked at the server side by repeating the hash exercise to make sure it matches (and if it does, you provided the right password).

So it is perfectly secure, as far as I can see.

This is the trace:

HTTP/1.1 302 Moved Temporarily
Date: Sat, 08 Dec 2018 21:51:34 GMT
Server: Apache
X-Powered-By: PHP/5.4.45
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSbd224d6c0a437efaaadec8ea92a6637a=a4d973aaafffee1c8025c138d7a0ab85; expires=Tue, 01-Jan-2019 01:24:55 GMT; path=/; domain=gwoa.co.uk
Set-Cookie: DRUPAL_UID=178; expires=Tue, 01-Jan-2019 01:24:54 GMT; path=/; domain=gwoa.co.uk
Last-Modified: Sat, 08 Dec 2018 21:51:34 GMT
Location: http://gwoa.co.uk/node
Content-Length: 0
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
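The response above is worth reading the way a site operator would: both Set-Cookie headers carry a plain session identifier and user id with no Secure or HttpOnly attribute, and the redirect target is an http:// URL, so the session cookie will be re-sent on every plain-HTTP request that follows. The script below is an added example, not code from the thread or from the GWOA site; it parses a constructed copy of those headers and reports the cookie attributes a defender would check for. The header text is the one quoted in the post; the finding wording and function names are the example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample: a copy of the response headers quoted in the post above.
SAMPLE_RESPONSE = """HTTP/1.1 302 Moved Temporarily
Date: Sat, 08 Dec 2018 21:51:34 GMT
Server: Apache
X-Powered-By: PHP/5.4.45
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSbd224d6c0a437efaaadec8ea92a6637a=a4d973aaafffee1c8025c138d7a0ab85; expires=Tue, 01-Jan-2019 01:24:55 GMT; path=/; domain=gwoa.co.uk
Set-Cookie: DRUPAL_UID=178; expires=Tue, 01-Jan-2019 01:24:54 GMT; path=/; domain=gwoa.co.uk
Last-Modified: Sat, 08 Dec 2018 21:51:34 GMT
Location: http://gwoa.co.uk/node
Content-Length: 0
Content-Type: text/html; charset=utf-8
"""


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response head into (status line, [(name, value), ...]).

    Header names are lower-cased; the split is on the first colon only, so
    values containing colons (dates, URLs) survive intact.
    """
    lines = raw.splitlines()
    status = lines[0].strip()
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse a Set-Cookie value into (name, value, {attribute: value}).

    Flag attributes such as Secure and HttpOnly get an empty string value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_response(raw: str) -> List[str]:
    """Return a list of findings about cookie and redirect handling."""
    findings: List[str] = []
    _, headers = parse_response(raw)
    for name, value in headers:
        if name == "set-cookie":
            cookie, _, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(
                    f"cookie {cookie} lacks Secure: the browser will also send it "
                    f"over plain HTTP, where it can be read in transit")
            if "httponly" not in attrs:
                findings.append(
                    f"cookie {cookie} lacks HttpOnly: page scripts can read it")
        elif name == "location" and value.lower().startswith("http://"):
            findings.append(
                f"redirect to {value} keeps the session on plain HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

The point the audit makes is that a session cookie is a bearer credential: whoever holds the value is logged in as that user, so it needs the same protection as the password. Serving the site over HTTPS and setting Secure and HttpOnly on the session cookie is the usual fix on the server side; on the client side, the advice earlier in the thread to use a dedicated password for the site still applies.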

prwales
Re: INTERNET security

thanks, I don't understand but your confidence reassures me

George
Joined: 09.12.2018
GWOA Groups: Members
Re: INTERNET security

I'll second that.