Suggestion Secure login for PentaxForums

Deedee · 10-11-2013, 04:45 AM

Hi,

I login from an open IP address. That means there are no firewalls or IDS devices protecting this network.

I have my sincerest request to please create a https login page. So that my username and password don't get distributed worldwide.

If https / SSL certificates is not a feasible option, it is my sincerest request to please add an OPENID login for the forum. It would be of great help as you would not have to manage the usernames or the passwords.

Please please please

Cheers!

vonBaloney · 10-11-2013, 09:31 AM

Originally posted by Deedee

Hi,

I login from an open IP address. That means there are no firewalls or IDS devices protecting this network.

I have my sincerest request to please create a https login page. So that my username and password don't get distributed worldwide.

If https / SSL certificates is not a feasible option, it is my sincerest request to please add an OPENID login for the forum. It would be of great help as you would not have to manage the usernames or the passwords.

Please please please

Cheers!

Not a bad idea, but it sounds like you should encrypt your entire connection so that you are protected from prying eyes no matter what the site. There are various ways of doing that (not hard, generally) depending on your access situation and set-up...

stevebrot · 10-11-2013, 09:40 AM

Good question.

IIRC, PentaxForums.com used to use https, but on examination, this appears to no longer be the case. A quick glance at the HTML source indicates that an MD5 hash of the authentication tokens are submitted instead of the values you type in. The request is still submitted as clear text, but the tokens themselves are based on munged values and not recognizable as the values you typed in (Google "MD5").

Unfortunately, this may still allow a "sniffed" intercept of the login request to authenticate as you since the hash is as good as the original text as far as the Web server is concerned.

Adam...tell me this isn't so.

Steve

vonBaloney · 10-11-2013, 09:43 AM

Oh yeah, forgot about that -- I used https for a while but it often conflicted with user photos, etc that wouldn't show up...

stevebrot · 10-11-2013, 09:55 AM

Originally posted by vonBaloney

Oh yeah, forgot about that -- I used https for a while but it often conflicted with user photos, etc that wouldn't show up...

Well, there is a good idea. Login using https and then switch to http to avoid mixed secure/insecure content. Somebody could still spoof the session cookie for access, I guess.

Steve

Deedee · 10-11-2013, 10:28 AM

Originally posted by stevebrot

Login using https and then switch to http to avoid mixed secure/insecure content.

Actually there is no way to signin secure here, thereby the question. How do I reach a signing page? If you can share the link, I will book mark it.

Originally posted by vonBaloney

you should encrypt your entire connection so that you are protected from prying eyes no matter what the site.

Actually I don't control the network, its more out of necessity rather what I actually want. So I end up ensuring I use https most of the times.

Even if we can have something at the bottom of THIS VERY PAGE called the NikonForums would be nice to have:
Sign In - NikonForums.com

It says login with twitter or Facebook. If we can do that there, why not here.

Sincerest thanks gentlemen for all the attention.

Cheers!

Adam · 10-11-2013, 10:47 AM

Originally posted by Deedee

Hi,

I login from an open IP address. That means there are no firewalls or IDS devices protecting this network.

I have my sincerest request to please create a https login page. So that my username and password don't get distributed worldwide.

If https / SSL certificates is not a feasible option, it is my sincerest request to please add an OPENID login for the forum. It would be of great help as you would not have to manage the usernames or the passwords.

Please please please

Cheers!

We have a valid SSL certificate, so just add https to the URL and you'll be good to go. As others have mentioned, using https will prevent you from viewing any content that cannot be served securely, such as embedded photos on domains that don't support SSL. You can still view and photos attached locally or any photos that can be served securely.

There are currently no reliable facebook integration options for our software, but once we migrate to a different platform we'll definitely add such functionality.

Adam
PentaxForums.com Webmaster (Site Usage Guide | Site Help | My Photography)

PentaxForums.com server and development costs are user-supported. You can help cover these costs by donating or purchasing one of our Pentax eBooks. Or, buy your photo gear from our affiliates, Adorama, B&H Photo, KEH, or Topaz Labs, and get FREE Marketplace access - click here to see how! Trusted Pentax retailers:

Deedee · 10-11-2013, 10:52 AM

Originally posted by Adam

We have a valid SSL certificate, so just add https to the URL and you'll be good to go

Cheers Adam thanks a lot buddy!

stevebrot · 10-11-2013, 10:55 AM

Originally posted by Deedee

Actually there is no way to signin secure here, thereby the question. How do I reach a signing page? If you can share the link, I will book mark it.

https://www.pentaxforums.com

Click the login button at the top right to login securely.

Steve

vonBaloney · 10-11-2013, 11:08 AM

Originally posted by Deedee

Actually I don't control the network, its more out of necessity rather what I actually want. So I end up ensuring I use https most of the times.

I realize you don't control the network, but you can still secure yourself on the network. For instance, there are services that are usually used for those using wireless access at random hotspots to protect them wherever they go -- services like Hotspot Shield and similar. It essentially it involves using a secure proxy for your entire connection so even if someone on the network sniffs your traffic it will do them no good. You can also setup your own secure proxy on a remote server for a few bucks a month if you don't want to trust a third-party. (Or want better speed, sometimes those services are a bit laggy.)

Deedee · 10-11-2013, 11:16 AM

Cheers all!

Originally posted by vonBaloney

I realize you don't control the network,

Cheers bud its all good. Thanks for the advise, I will take that into consideration.

Originally posted by stevebrot

Click the login button at the top right to login securely.

Thanks a lot bud.

Deedee · 02-12-2014, 03:37 PM

Hi,

Recently https link (Which I have Favorited & Speed-Dialed) is redirecting on its own to http link.

Please help.

Cheers!
P.S. Speed-DIal reminds me of the Sienfeld episode

Adam · 02-12-2014, 03:51 PM

Originally posted by Deedee

Hi,

Recently https link (Which I have Favorited & Speed-Dialed) is redirecting on its own to http link.

Please help.

Cheers!
P.S. Speed-DIal reminds me of the Sienfeld episode

We've disabled HTTPS support for all but the login page, usercp, and PM system as it was causing more harm than good. If you still want to log in securely, start at https://www.pentaxforums.com/forums/usercp.php or private.php.

Deedee · 02-12-2014, 04:03 PM

Thank you I will use this link.

Cheers!

10-11-2013, 04:45 AM	#1
Deedee Veteran Member Join Date: May 2013 Posts: 307	Secure login for PentaxForums Hi, I login from an open IP address. That means there are no firewalls or IDS devices protecting this network. I have my sincerest request to please create a https login page. So that my username and password don't get distributed worldwide. If https / SSL certificates is not a feasible option, it is my sincerest request to please add an OPENID login for the forum. It would be of great help as you would not have to manage the usernames or the passwords. Please please please Cheers!

02-12-2014, 03:51 PM	#13
Adam Administrator Site Webmaster Join Date: Sep 2006 Location: Arizona Photos: Gallery \| Albums Posts: 51,597	Originally posted by Deedee Hi, Recently https link (Which I have Favorited & Speed-Dialed) is redirecting on its own to http link. Please help. Cheers! P.S. Speed-DIal reminds me of the Sienfeld episode We've disabled HTTPS support for all but the login page, usercp, and PM system as it was causing more harm than good. If you still want to log in securely, start at https://www.pentaxforums.com/forums/usercp.php or private.php. Adam PentaxForums.com Webmaster (Site Usage Guide \| Site Help \| My Photography) PentaxForums.com server and development costs are user-supported. You can help cover these costs by donating or purchasing one of our Pentax eBooks. Or, buy your photo gear from our affiliates, Adorama, B&H Photo, KEH, or Topaz Labs, and get FREE Marketplace access - click here to see how! Trusted Pentax retailers:

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
secure testing new lenses / adapters	romansolar	Troubleshooting and Beginner Help	2	11-18-2012 12:59 PM
Cityscape Secure transmission	Symbio	Post Your Photos!	2	11-08-2012 05:21 AM
Error Short Cycle LogIn	monochrome	Site Suggestions and Help	2	09-09-2012 10:44 AM
Error "Remember Me" Required for login?	A Modest Mouse	Site Suggestions and Help	4	02-01-2009 04:47 AM

10-11-2013, 09:31 AM	#2
vonBaloney Pentaxian Join Date: Oct 2011 Location: Albuquerque, NM Posts: 6,029	Originally posted by Deedee Hi, I login from an open IP address. That means there are no firewalls or IDS devices protecting this network. I have my sincerest request to please create a https login page. So that my username and password don't get distributed worldwide. If https / SSL certificates is not a feasible option, it is my sincerest request to please add an OPENID login for the forum. It would be of great help as you would not have to manage the usernames or the passwords. Please please please Cheers! Not a bad idea, but it sounds like you should encrypt your entire connection so that you are protected from prying eyes no matter what the site. There are various ways of doing that (not hard, generally) depending on your access situation and set-up...

10-11-2013, 09:40 AM	#3
stevebrot Otis Memorial Pentaxian Join Date: Mar 2007 Location: Vancouver (USA) Photos: Gallery \| Albums Posts: 42,007	Good question. IIRC, PentaxForums.com used to use https, but on examination, this appears to no longer be the case. A quick glance at the HTML source indicates that an MD5 hash of the authentication tokens are submitted instead of the values you type in. The request is still submitted as clear text, but the tokens themselves are based on munged values and not recognizable as the values you typed in (Google "MD5"). Unfortunately, this may still allow a "sniffed" intercept of the login request to authenticate as you since the hash is as good as the original text as far as the Web server is concerned. Adam...tell me this isn't so. Steve

10-11-2013, 09:43 AM	#4
vonBaloney Pentaxian Join Date: Oct 2011 Location: Albuquerque, NM Posts: 6,029	Oh yeah, forgot about that -- I used https for a while but it often conflicted with user photos, etc that wouldn't show up...

10-11-2013, 09:55 AM	#5
stevebrot Otis Memorial Pentaxian Join Date: Mar 2007 Location: Vancouver (USA) Photos: Gallery \| Albums Posts: 42,007	Originally posted by vonBaloney Oh yeah, forgot about that -- I used https for a while but it often conflicted with user photos, etc that wouldn't show up... Well, there is a good idea. Login using https and then switch to http to avoid mixed secure/insecure content. Somebody could still spoof the session cookie for access, I guess. Steve

10-11-2013, 10:28 AM	#6
Deedee Veteran Member Join Date: May 2013 Posts: 307 Original Poster	Originally posted by stevebrot Login using https and then switch to http to avoid mixed secure/insecure content. Actually there is no way to signin secure here, thereby the question. How do I reach a signing page? If you can share the link, I will book mark it. Originally posted by vonBaloney you should encrypt your entire connection so that you are protected from prying eyes no matter what the site. Actually I don't control the network, its more out of necessity rather what I actually want. So I end up ensuring I use https most of the times. Even if we can have something at the bottom of THIS VERY PAGE called the NikonForums would be nice to have: Sign In - NikonForums.com It says login with twitter or Facebook. If we can do that there, why not here. Sincerest thanks gentlemen for all the attention. Cheers!

10-11-2013, 10:47 AM	#7
Adam Administrator Site Webmaster Join Date: Sep 2006 Location: Arizona Photos: Gallery \| Albums Posts: 51,597	Originally posted by Deedee Hi, I login from an open IP address. That means there are no firewalls or IDS devices protecting this network. I have my sincerest request to please create a https login page. So that my username and password don't get distributed worldwide. If https / SSL certificates is not a feasible option, it is my sincerest request to please add an OPENID login for the forum. It would be of great help as you would not have to manage the usernames or the passwords. Please please please Cheers! We have a valid SSL certificate, so just add https to the URL and you'll be good to go. As others have mentioned, using https will prevent you from viewing any content that cannot be served securely, such as embedded photos on domains that don't support SSL. You can still view and photos attached locally or any photos that can be served securely. There are currently no reliable facebook integration options for our software, but once we migrate to a different platform we'll definitely add such functionality. Adam PentaxForums.com Webmaster (Site Usage Guide \| Site Help \| My Photography) PentaxForums.com server and development costs are user-supported. You can help cover these costs by donating or purchasing one of our Pentax eBooks. Or, buy your photo gear from our affiliates, Adorama, B&H Photo, KEH, or Topaz Labs, and get FREE Marketplace access - click here to see how! Trusted Pentax retailers:

10-11-2013, 10:52 AM	#8
Deedee Veteran Member Join Date: May 2013 Posts: 307 Original Poster	Originally posted by Adam We have a valid SSL certificate, so just add https to the URL and you'll be good to go Cheers Adam thanks a lot buddy!

10-11-2013, 10:55 AM	#9
stevebrot Otis Memorial Pentaxian Join Date: Mar 2007 Location: Vancouver (USA) Photos: Gallery \| Albums Posts: 42,007	Originally posted by Deedee Actually there is no way to signin secure here, thereby the question. How do I reach a signing page? If you can share the link, I will book mark it. https://www.pentaxforums.com Click the login button at the top right to login securely. Steve

10-11-2013, 11:08 AM	#10
vonBaloney Pentaxian Join Date: Oct 2011 Location: Albuquerque, NM Posts: 6,029	Originally posted by Deedee Actually I don't control the network, its more out of necessity rather what I actually want. So I end up ensuring I use https most of the times. I realize you don't control the network, but you can still secure yourself on the network. For instance, there are services that are usually used for those using wireless access at random hotspots to protect them wherever they go -- services like Hotspot Shield and similar. It essentially it involves using a secure proxy for your entire connection so even if someone on the network sniffs your traffic it will do them no good. You can also setup your own secure proxy on a remote server for a few bucks a month if you don't want to trust a third-party. (Or want better speed, sometimes those services are a bit laggy.)

10-11-2013, 11:16 AM	#11
Deedee Veteran Member Join Date: May 2013 Posts: 307 Original Poster	Cheers all! Originally posted by vonBaloney I realize you don't control the network, Cheers bud its all good. Thanks for the advise, I will take that into consideration. Originally posted by stevebrot Click the login button at the top right to login securely. Thanks a lot bud.

02-12-2014, 03:37 PM	#12
Deedee Veteran Member Join Date: May 2013 Posts: 307 Original Poster	Hi, Recently https link (Which I have Favorited & Speed-Dialed) is redirecting on its own to http link. Please help. Cheers! P.S. Speed-DIal reminds me of the Sienfeld episode

02-12-2014, 04:03 PM	#14
Deedee Veteran Member Join Date: May 2013 Posts: 307 Original Poster	Thank you I will use this link. Cheers!