
A Suggestion


cficare


To fellow and fellowette TAA members that may have participated on another forum....and who may have had a falling out....change your passwords...

 

I'm experiencing major interference with aviation related sites at the moment...

 

Sorry to mention the other place again Mods...just want to warn others.

 

 


As i may have said once before CFI, that is good advice for all websites. Through the use of cookies, site operators can capture information on other sites that you visit. As you have suggested, in theory they could use the information from their site to log in as you on other sites that you visit. Apparently even Facebook collects this type of information.

 

Another warning about some websites is that private messages are NOT private like you may think (not talking about this site here as I've had no issue whatsoever). On some sites if you check the terms and conditions you will find that it says that PM's are moderated for content, so do be careful what information you provide or share about yourself or others and make sure that anything private is done by phone or email as necessary!

 

 


Guest Michael Coates

so if I understand correctly what you are saying...... if you were a member of some other site; as an example "Aviation Antarctica" and you had an identical password that you used on several aviation websites that somebody who was a moderator of Aviation Antarctica who would know your password could use your username and password to login to this site if you used the same identical password..... ?

 

 


Nice to know that even if I was being paranoid, I'm not alone!:confused: I noticed a few minor discrepancies several years ago, shortly after a disagreement elsewhere and changed passwords on not only several sites, but also the email address linked to the problem one. Probably a timely wake up call if nothing else.

 

 


Guest DavidH10

As a matter of course, you should use a different password on every different "security domain". So for instance, while it may be fine to have the same password on all your computers at home or all the servers at work, every web site you visit that belongs to a different company should have its own unique password.

 

The password should be, ideally, completely random, but at least not a dictionary word, proper noun or data about yourself like birthday etc., and should contain a mixture of upper case and lower case alphabetic characters, numbers and if the site allows, symbols (referred to as "complex").

 

While some systems store "plain text" passwords in the database, others do encrypt the password using one way encryption. To authenticate a login, the password typed in is encrypted in the same way and the result compared to the encrypted value stored in the user account. A match means the password was correct. Regardless of whether the stored password is encrypted, in HTTP (non-secure-web) transactions, the password is carried over the network in plain text and then encrypted at the server, so anyone who can "sniff" the traffic (either on the network or in the server before it is consumed by the web application) can see the plain text passwords. That is easy to do if you have administrative access to the Server.

 

As the algorithm to encrypt the passwords is well known, there is another part to this solution. The server adds a "Salt" to the encryption process, which is constant for the server. If the administrator of a site was to use the default "Salt" value(s) in the software, then it is possible to use what are called "Rainbow Tables" to look up the password based on the encrypted value. A good admin will randomise the Salt values when setting up a new server, so that use of the same approach would require trial and error with every possible "Salt" value.

 

The statement made about "Cookies" is incorrect. The content of Cookies may only be sent to servers in the "Domain" specified in the Cookie. Thus one site cannot read the content of Cookies created by another site, unless it matches the Domain written into the Cookie at creation.

 

Because there is no concept of a "Session" with a web site (every request and response stands alone as an atomic transaction), the user has to authenticate with the web site for every transaction. To make this easy, upon authenticating with a password, a Cookie is created with a random Token in it that is known to the Server. By presenting that Token to the server in every Transaction, the server knows who the user is and that they have previously authenticated with a correct password. If the Cookie created is a Temporary Cookie, then it is only held in memory and lost when the browser is closed (all windows of the browser). For a site to "remember me", it stores the Cookie as a "Persistent Cookie", i.e. it is stored on the hard disk or non-volatile memory, depending on the user's device. If someone else were to obtain a copy of the Cookie, then they can impersonate you, but still cannot determine the password, as the "Token" has no relationship to the password.

 

I hope this sheds some more light on the subject.

 

 

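The two mechanisms DavidH10 describes above, a one-way hash with a per-user random salt and a session token that has no relationship to the password, as an added example that is not part of the thread. It uses only the Python standard library; the user names, passwords and the PBKDF2 work factor are constructed for illustration.

```python
# Added example (not from the forum post): per-user salted password hashing
# and password-independent session tokens. Standard library only; the
# accounts, passwords and the iteration count below are constructed.
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor, raise for production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests, so a precomputed (rainbow) table
    keyed on the digest alone does not help an attacker who obtains the database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive the digest from the typed password and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


class UserStore:
    """Minimal account table: user -> (salt, digest). The plain password is never kept."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}
        self._sessions: Dict[str, str] = {}  # session token -> user

    def register(self, user: str, password: str) -> None:
        self._accounts[user] = hash_password(password)

    def login(self, user: str, password: str) -> Optional[str]:
        """On a correct password, mint a random session token. The token is drawn
        from the CSPRNG and carries no information about the password."""
        record = self._accounts.get(user)
        if record is None or not verify_password(password, *record):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def whoami(self, token: str) -> Optional[str]:
        """The server recognises a returning user by the token alone."""
        return self._sessions.get(token)

    def stored_digest(self, user: str) -> bytes:
        return self._accounts[user][1]


def demo() -> dict:
    """Constructed walk-through: two users with the same password, one login."""
    store = UserStore()
    shared = "correct horse battery staple"  # constructed sample password
    store.register("alice", shared)
    store.register("bob", shared)  # same password, different salt
    token = store.login("alice", shared)
    return {
        "same_password_different_digest": store.stored_digest("alice") != store.stored_digest("bob"),
        "wrong_password_rejected": store.login("alice", shared.upper()) is None,
        "token_identifies_user": token is not None and store.whoami(token) == "alice",
        "token_unrelated_to_password": token is not None and "horse" not in token,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point the example makes concrete is the one CFI raised at the top of the thread: a site that stores salted digests cannot read a password back out of its database, but nothing in the database protects a password that is also used elsewhere, and a stolen session token lets someone act as the user on that one site without ever learning the password.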

I had a situation recently where every time I visited a certain aviation website I was unable to open Pprune after. As soon as I cleared the cookies from the previous website, I could get back into Pprune. It was when making comments about the first website that this came about.

 

Good to hear thanks Glenn.

 

I've been a member of a certain website where I rang the moderator as I forgot my password and they confirmed what it was, so perhaps some websites aren't as secure as this one.

 

I absolutely detest the fact that my private messages could be read, let alone moderated... It's simply not something that you would ever expect.

 

 


David - Facebook were recently busted by the media etc for using cookies technology to gather information about websites that users visit and then reporting back to their database and storing it for later use.

 

 


Guest DavidH10
David - Facebook were recently busted by the media etc for using cookies technology to gather information about websites that users visit and then reporting back to their database and storing it for later use.

This does not invalidate what I have said. The tracking that is occurring is only when the user runs code on the FaceBook site. What many users may not be aware of is that the "FaceBook Like" buttons are associated with FaceBook code, so it can access the FaceBook Cookies and store the site that you "FaceBook Liked". When you next log into FaceBook, they can harvest that data from their Cookie.

So, as you can see, it is not the "Cookies Technology" that is at fault, it is the Users who actively press the FaceBook Like button on other sites and then for some inexplicable reason don't expect that FaceBook will find out about it!

 

The reason I don't have an account with FaceBook is that I don't like their practices in relation to privacy and security. While they do disclose everything, it is not easy for the common user to understand, and most users never read the fine print anyway, so what do they expect!

 

 


Because there is no concept of a "Session" with a web site (every request and response stands alone as an atomic transaction), the user has to authenticate with the web site for every transaction. To make this easy, upon authenticating with a password, a Cookie is created with a random Token in it that is known to the Server. By presenting that Token to the server in every Transaction, the server knows who the user is and that they have previously authenticated with a correct password. If the Cookie created is a Temporary Cookie, then it is only held in memory and lost when the browser is closed (all windows of the browser). For a site to "remember me", it stores the Cookie as a "Persistent Cookie", i.e. it is stored on the hard disk or non-volatile memory, depending on the user's device. If someone else were to obtain a copy of the Cookie, then they can impersonate you, but still cannot determine the password, as the "Token" has no relationship to the password. I hope this sheds some more light on the subject.

Thanks David for sharing your insight on this topic, well put and great information!

 

Cheers John

 

 


Ok, before we all get blinded by science then, short story is that our movements through cyberspace are a long way from private and unseen. What's more, there are opportunities for the unscrupulous to harvest passwords and potentially create havoc in the rest of your cyber life. I remember reading somewhere in a particular friend's rants that he was able to track those departed members who chose to frequent his site without logging in and kept an eye on what they were up to elsewhere - bit of a lightbulb moment.

 

Back to our sidestep into the world of facebook, I wouldn't pretend to know how it is done, but there is some mighty clever code at work there, mostly concerned with refining the advertising that is directed to individual users. I guess that's why the site's $ value is so high. I purposely obscured my interests etc however, over time it has obviously built up a rough profile and I get a lot of aviation based ads, along with photography and sailing stuff. I can only put it down to keywords in my occasional comments to others and theirs to me, although I am a little baffled at the sudden focus on lingerie - unless it figures that men in their 40's are all likely to pay that some attention before Christmas? Otherwise there is merit in the theory that facebook is able to follow what sites you browse, because I did spend a bit of time on Victoria's Secret immediately before.

 

 


Guest Michael Coates

I did spend a bit of time on Victoria's Secret immediately before.

 

What you too ?? It must be something common with aviation, something about smooth aerodynamic lines, rivets only where needed, retractable undercarriage..... Ahh i digress

 

 


Ahhh, dodgy bunch we have here, my visits were purely in the name of retail research; necessitated by the impending festivities and the social convention which demands that I provide my beloved with frilly bits n bobs. Although I must admit that I did admire the lines on some of the demonstration models, I'm particularly partial to a nicely crafted undercarriage....., with or without black lace and flush riveting

 

 


What's this Victoria's Secret? Now I'm curious. I hope you guys aren't leading me astray!

If you google "Victoria's secret" you'll find the "secret"... The women in my family over in the Mid West used to insist us menfolk wear boxing gloves when handling the catalogue... Talk about toys for boys...

 


 

 


As far as I know passwords are encrypted in the database and cannot be seen

Not encrypted but hashed; there is no key to return them to what they were.

That sounds very safe until you go into "login.php" and put an extra line of code in there that logs passwords before they are hashed, if you were so inclined.

 

So CFI is right, if you use a password on one site, staff there could certainly find out what it is and log in as you on other sites.

 

And then there is Cross-Site-Scripting (XSS) where hidden code in a website can do requests to another website that you are also logged in on, retrieving any session IDs, the attacker setting that as their own cookie and going to browse as you. No password required! A reason many websites requiring greater security (your bank, Amazon, etc.) will bind a session to an IP (range) and if the same session ID is used from elsewhere, they will not allow it and will ask for the password again.

 

Is this a reason to be worried? Not really. It's only a small number of sites that are problematic and it is no more a threat to you than the gas station clerk that copies credit card numbers to sell on: if it happens to you, it can be quite bad, but the chance of it happening is extremely remote. (Unless you frequent many dodgy sites with too-good-to-be-true deals, etc.)

 

 

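The defence the last post mentions, binding a session to the IP range it was issued from and refusing the token from anywhere else, together with the cookie attributes that keep browser-side script from reading the session cookie, as an added example that is not part of the thread. It is standard-library Python; the /24 binding width, the TEST-NET addresses and the token handling are constructed assumptions, not any site's actual policy.

```python
# Added example (not from the forum post): a session record bound to the
# client's network range, and the Set-Cookie attributes that deny script
# access to the session cookie. Standard library only; addresses are
# constructed from RFC 5737 documentation ranges.
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

BIND_PREFIX = 24  # assumption: accept the token from the /24 the login came from


@dataclass
class Session:
    user: str
    network: ipaddress.IPv4Network  # range the token may be presented from


class SessionManager:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        """Mint a random token and record the network it was issued to."""
        token = secrets.token_urlsafe(32)
        net = ipaddress.ip_network(f"{client_ip}/{BIND_PREFIX}", strict=False)
        self._sessions[token] = Session(user, net)
        return token

    def lookup(self, token: str, client_ip: str) -> Optional[str]:
        """Return the user for a token presented from client_ip, or None when the
        token is unknown or arrives from outside its bound range. A None result
        is the point at which the server asks for the password again."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if ipaddress.ip_address(client_ip) not in sess.network:
            # Token replayed from another network: drop it rather than trust it,
            # so the copy held by whoever took it stops working too.
            del self._sessions[token]
            return None
        return sess.user


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the session token. HttpOnly keeps document.cookie
    from exposing it to page script, Secure keeps it off plain HTTP, and
    SameSite=Strict stops the browser attaching it to cross-site requests."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def demo() -> dict:
    """Constructed walk-through: one login, one in-range request, one replay."""
    mgr = SessionManager()
    token = mgr.create("alice", "203.0.113.10")  # constructed login address
    return {
        "same_network_ok": mgr.lookup(token, "203.0.113.77") == "alice",
        "other_network_rejected": mgr.lookup(token, "198.51.100.5") is None,
        "token_invalidated_after_replay": mgr.lookup(token, "203.0.113.10") is None,
        "cookie_header": session_cookie_header(token),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Binding to a range rather than an exact address is a trade-off: too narrow and users behind carrier-grade NAT or on mobile networks are logged out constantly, too wide and the check stops meaning much. The cookie attributes cost nothing by comparison and are the first thing to check when a site hands out session cookies.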
