So, the Heartbleed vulnerability has made me look more closely at how I use passwords, and in doing so, I noticed something about Atheist Nexus.  There is no SSL here to be hacked.  The sign-in page uses a regular  POST method to submit our usernames and passwords straight to http://www.atheistnexus.org/main/authorization/doSignIn?target=http..., with no protection at all so far as I can tell.

Doesn't that mean that anyone who cared to could read our Atheist Nexus passwords anytime we sign in?  If that's the case, shouldn't we be warning people when they sign up?  Is there who knows AN's design who can address this?

Tags: Heartbleed, Network, Passwords, Security

Views: 68

Reply to This

Replies to This Discussion

Mention it to Richard Haynes (a.k.a. "Brother Richard"), the founder of A|N.  Granted, he can't do much about it, but he can let NING know our concerns.  Since NING is responsible for a LOT of other sites in addition to ours, one would think they'd be concerned about this issue.

Here are two test pages, where you can check sites that do use https.

https://www.ssllabs.com/ssltest/  (checks for many problems, in addition to Heartbleed)

http://filippo.io/Heartbleed/

Yes, our passwords are going over the wire unprotected. This can especially be an issue on public Wifi.

It's good advice in general to use different passwords for different sites. (So if one site gets hacked, your password is useless for others.) This means using a better scheme than "sekritAtheistNexus", "sekritGoogle", "sekritHotmail", etc. :-)

It's not a big deal to reuse passwords for a few noncritical sites where you need it only to, say, read articles. But rethink that if someone could leave comments "as you".

I agree with Loren. I became concerned when I learned you can Google any name on here and see the postings in results. At least, you can do that IF you know what you are looking for. I'm not ashamed or disturbed by anything that I have posted, but I changed my name on here so as not to be recognized to everyone. Some theists do not like hiring atheists.

Ouch. Security is never what I'd want it to be.

RSS

Support Atheist Nexus

Donate Today

Donate

 

Help Nexus When You Buy From Amazon

Amazon

AJY

 

© 2014   Atheist Nexus. All rights reserved. Admin: Richard Haynes.

Badges  |  Report an Issue  |  Terms of Service