mersenneforum.org  

Old 2012-02-09, 14:55   #1
KyleAskine
 
Oct 2011
Maryland

2×5×29 Posts
Minor Issue with Primenet

There is just a small issue that has always bugged me. When you first log in your username and password are passed as variables in the URL. This means that anyone that can view my history immediately knows my password, and can log in simply by passing it back in. This seems insecure.
Old 2012-02-09, 20:50   #2
Dubslow
Basketry That Evening!
 
 
"Bunslow the Bold"
Jun 2011
40<A<43 -89<O<-88

3·29·83 Posts

Lol I noticed that a while ago and immediately changed my password to something I don't use (and would never use) anywhere else. On the other hand, logging in for me is now no harder than going to a bookmark.
Old 2012-02-09, 23:04   #3
Mini-Geek
Account Deleted
 
"Tim Sorbera"
Aug 2006
San Antonio, TX USA

4277₁₀ Posts

Yes, this is insecure, but so are many other login systems. The major difference is that this lets you know how insecure it is. If someone has access to your browsing history, they could probably just as easily install a keylogger and get your password no matter how it's transmitted. If someone is listening to your network traffic, they could also snoop any login system that doesn't use, at minimum, salted hashing and/or encryption. The only sort of attacker you have to worry about is the ones over your shoulder that might see it. This kind is unlikely (IMHO) to care.
Old 2012-02-09, 23:17   #4
chalsall
If I May
 
"Chris Halsall"
Sep 2002
Barbados

2·5,227 Posts

Quote:
Originally Posted by Mini-Geek
If someone has access to your browsing history, they could probably just as easily install a keylogger and get your password no matter how it's transmitted.
Agree. IMHO, if someone has access to your browsing history, you're already fscked.
Old 2012-02-10, 02:13   #5
LaurV
Romulan Interpreter
 
"name field"
Jun 2011
Thailand

2×17×293 Posts

Quote:
Originally Posted by Dubslow
Lol I noticed that a while ago and immediately changed my password to something I don't use (and would never use) anywhere else. On the other hand, logging in for me is now no harder than going to a bookmark.
That is known long ago, I complained to George in a private mail (could be more than 7 years) which he ignored. That time I set a proxy for the same house I work now, and I was surprised to see all the usernames and passwords in the blind http links passing through it, in clear.
Code:
http://www.mersenne.org/account/?user_login=LaurV&user_password=blablablabla1&B1=GO
http://www.mersenne.org/account/?user_login=Dubslow*&user_password=blablablabla2&B1=GO
etc.
for all the people in my network (which was only me, from 30 computers :D)

*this is just an example
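A defender-side check for the exposure described in the post above, added here as an example and not taken from the thread or from PrimeNet: it scans log lines for URLs that carry a secret in the query string, reports whether the request went over plain http, and rewrites the line with the value masked. The log format, the sample lines and every parameter name other than `user_password` are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "user_password" is the parameter name quoted in the thread; the other
# names are assumed common variants, added for illustration.
SENSITIVE = {"user_password", "password", "passwd", "pwd", "token"}

# Constructed log lines in an assumed format: time, client, method, URL, status.
SAMPLE_LOG = [
    "2012-02-10T02:13:01Z 192.0.2.10 GET "
    "http://www.mersenne.org/account/?user_login=alice&user_password=constructed-pw-1&B1=GO 200",
    "2012-02-10T02:13:05Z 192.0.2.11 GET http://example.test/index.html 200",
    "2012-02-10T02:14:09Z 192.0.2.12 GET "
    "https://example.test/login?user=bob&password=constructed-pw-2 200",
]


def redact_url(url):
    """Return (url with secret values masked, names of the secret parameters)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, v in pairs if k.lower() in SENSITIVE and v]
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked))), leaked


def scan_log(lines):
    """Report every log line whose URL carries a credential in the query string."""
    findings = []
    for number, line in enumerate(lines, 1):
        for field in line.split():
            if not field.startswith(("http://", "https://")):
                continue
            redacted, leaked = redact_url(field)
            if leaked:
                findings.append({
                    "line": number,
                    "params": leaked,
                    # Plain http exposes the value to every hop, proxies included.
                    "cleartext": field.startswith("http://"),
                    "redacted": line.replace(field, redacted),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The https line is still reported: TLS hides the query string from on-path devices, but the URL is stored in browser history and server access logs all the same.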
Old 2012-02-10, 02:58   #6
Dubslow
Basketry That Evening!
 
 
"Bunslow the Bold"
Jun 2011
40<A<43 -89<O<-88

3×29×83 Posts

I hope that's not actually your password
Old 2012-02-10, 03:59   #7
KyleAskine
 
Oct 2011
Maryland

2×5×29 Posts

Quote:
Originally Posted by chalsall
Agree. IMHO, if someone has access to your browsing history, you're already fscked.
The only reason I thought about it was because I log in at work on the work PC.
Old 2012-02-10, 06:19   #8
LaurV
Romulan Interpreter
 
"name field"
Jun 2011
Thailand

2·17·293 Posts

One primenet "real" issue (but still minor) could be the fact that the customized team report does not seem to work... Or... is it only my case? (I can't see any result if I click customize, and select teams flag to 1). Did that ever work?
Old 2012-02-11, 17:03   #9
chris2be8
 
Sep 2009

13×179 Posts

Don't forget that browsing history could be read if your computer was stolen (or sold without wiping the hard disk).

Primenet should use SSL (AKA https) for logging in, even if the rest of the traffic is http. The same could be said of mersenneforum.org. And it would be nice if reading and writing private messages on here was encrypted.

It's recommended to have 1 password for each important site (banking etc) and another for sites that don't really matter. And a third for sites that don't use https to logon.

Chris
Old 2012-02-11, 17:58   #10
KyleAskine
 
Oct 2011
Maryland

442₈ Posts

Quote:
Originally Posted by chris2be8
Primenet should use SSL (AKA https) for logging in, even if the rest of the traffic is http.
I agree.

If I didn't have a math degree, and were randomly looking for a distributed computing project to join, the login to primenet would be a major turnoff for me. Probably enough so to convince me to look for a different project.
Old 2012-02-12, 00:57   #11
Xyzzy
 
Aug 2002

20410₈ Posts

Quote:
The same could be said of mersenneforum.org. And it would be nice if reading and writing private messages on here was encrypted.
Show us how to implement encrypted browsing and we will try to make it happen.


All times are UTC.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.
