HTTPS on NationStates

Bug reports, general help, ideas for improvements, and questions about how things are meant to work.
Afforess
Ambassador
 
Posts: 1105
Founded: Jun 22, 2009
Ex-Nation


Postby Afforess » Sat Jun 16, 2012 8:34 pm

I was looking through the source code of an autotelegramer program the other day and noticed it sent the nation name and nation password as clear text in the login. At first I thought they were just a shitty programmer and didn't know better. So I fired up wireshark, logged out, then started capturing packets. Then I logged back in and ended the capture. When I analyzed my login packet, I saw this:

Code:
ny^M"CqE7$@P1LX1PPOST / HTTP/1.1
Host: www.nationstates.net
Connection: keep-alive
Content-Length: 66
Cache-Control: max-age=0
Origin: http://www.nationstates.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nationstates.net/page=login
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [REMOVED SO YOU JOKERS CAN'T LOG IN AS ME]

logging_in=1&nation=Afforess&password=hunter2&autologin=yes


Don't bother with that password, I hope you get the reference though ;)

Point is, logging into the game sends the password in clear text. This means you shouldn't log in anywhere where you don't have complete control of the entire connection up until it reaches your ISP. This means public wifi, universities, libraries, internet cafes, airports, etc could easily have sniffers ready to rob your account.

Is there a reason NS doesn't use SSL or some other encryption/salt for the password? I feel a lot edgier logging into a service with my password in clear text, especially with how easy network sniffing is. I could teach a 12-year-old to hack a NS account with McDonald's wifi.
Last edited by [violet] on Wed Feb 26, 2014 7:36 pm, edited 5 times in total.
Reason: Edited title since this has become a general HTTPS thread. Was: "Why is my password being sent in clear text?"
Minister of the Interior, Capitalist Paradise

The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.

Fischistan
Ambassador
 
Posts: 1384
Founded: Oct 16, 2011
New York Times Democracy

Postby Fischistan » Sat Jun 16, 2012 8:54 pm

SSL certificates cost money, you know. Are you asking that NS starts using SSL?
Xavier D'Montagne
Fischistani Ambassador to the WA
Unibot II wrote:It's Carta. He CANNOT Fail. Only successes in reverse.
The Matthew Islands wrote:Knowledge is knowing the Tomato is a fruit. Wisdom is knowing not to put it in a fruit salad.
Anthony Delasanta wrote:its was not genocide it was ethnic cleansing...
Socorra wrote:A religion-free abortion thread is like a meat-free hamburger.
Help is on its Way: UDL
Never forget 11 September.
Never look off the edge of a cliff on a Segway.

11 September 1973, of course.

Afforess
Ambassador
 
Posts: 1105
Founded: Jun 22, 2009
Ex-Nation

Postby Afforess » Sat Jun 16, 2012 9:03 pm

Fischistan wrote:SSL certificates cost money, you know. Are you asking that NS starts using SSL?


Not that much money. Couple hundred. Maybe a grand. I'd happily pay for a member+ account to get SSL.
Last edited by Afforess on Sat Jun 16, 2012 9:03 pm, edited 1 time in total.
Minister of the Interior, Capitalist Paradise

The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.

Zemnaya Svoboda
Diplomat
 
Posts: 600
Founded: Jan 06, 2004
New York Times Democracy

Postby Zemnaya Svoboda » Mon Jun 18, 2012 6:21 am

To be honest, I'd happily pay a $5 fee to be able to log into NS over SSL >.>

But I'm realistic in that implementing an SSL login would involve a significant amount of work and wouldn't affect any actually observed security issues. I don't think anyone's NationStates password has ever been stolen out of the aether like that.

Tseaby
Lobbyist
 
Posts: 17
Founded: Antiquity
Libertarian Police State

Postby Tseaby » Mon Jun 18, 2012 8:43 am

Someone linked this to me for comments. I wouldn't mind there being a pay-for SSL option, as it might help offset the costs of the site for Max.

One of the points brought up was would this cause more load on the site? Most sites that do full-site SSL find it provides ~1% load increase, which isn't really all that bad.

Second is some people might find a pay-for feature a "slippery slope" direction for the game to take. Not to mention they'd have to then deal with online payments, which would probably be more of an administrative overhead than anything else.

But the site could use a self-signed certificate. This doesn't cost anything and would provide for encryption. However, this usually causes a web browser to throw a warning up when you first access the site. Therefore they could make SSL optional and if someone wants that feature, they can access the site via SSL and go through the steps to manually accept the certificate, and those that don't know or care wouldn't have to deal with it at all.

This isn't exactly the simplest thing to do, but it's a possibility.

.  ("`-''-/").___..--''"`-._
`o_ o ) `-. ( ).`:.__.:)
(_Y_.): ._ ) `._ `. ``-:.-'
_..`--'_..-_/ /--'_.' ,'
(il),-'' (li),' ((!.-'

Zemnaya Svoboda
Diplomat
 
Posts: 600
Founded: Jan 06, 2004
New York Times Democracy

Postby Zemnaya Svoboda » Mon Jun 18, 2012 9:29 am

A self-signed certificate, offered for free, with a non-nation-specific cookie that, when set, makes you log in using SSL (and can be applied with a checkbox like the "Remember me" checkbox) seems like a reasonable way to implement it.

Of course, I still wouldn't expect the admins to devote time to what would amount to a vanity feature.

Lithatrius
Ambassador
 
Posts: 1132
Founded: Jun 24, 2009
Father Knows Best State

Postby Lithatrius » Mon Jun 18, 2012 4:12 pm

A small addition.

I can't speak for any other nations, but I don't like the concept of a "Member+" account - it just smacks of NS2, where money gave you extra perks. The beauty of this game is that everyone is equal in terms of membership capabilities. Also, the majority of the nations are young users, who likely will not be able to afford/convince their parents to have a paid account.

However, I would also say that having been a forum member for 5 days short of 3 years, I trust [violet] to be able to successfully resolve this without the need for expensive SSL technology.
~ Lithatrius



  • Houston Texans
  • New Jersey Devils
  • New York Mets
  • Memphis Grizzlies
  • Michigan Wolverines

[violet]
Site Admin
 
Posts: 7667
Founded: Antiquity

Postby [violet] » Mon Jun 18, 2012 5:06 pm

Afforess wrote:Is there a reason NS doesn't use SSL or some other encryption/salt for the password?

SalusaSecondus is our security guy, but I'll take a stab at this.

Everything you send to NS is in plain text, including your initial login password or autologin cookie, since as Afforess says we don't use SSL (Secure Sockets Layer). This is the case for any website that you connect to via http:// rather than https://.

This means your data is unencrypted as it passes between you and the sites you visit. Ordinarily, that only includes your home router and your ISP, but in a public area on a wireless connection, those data packets can be sniffed by someone sitting nearby. So if you're in a coffee shop, for example, using their wireless to log into NS (or another site not using https://), and someone sitting two tables over is packet-sniffing, they may be able to see your password.

Even when the site's login page is behind https://, if the rest of the site isn't, then someone in the same situation can wait until you're logged in and grab your session ID, which is just as good.

This is probably more of a concern for Facebook users than NS users, but the same principle applies.

The reason we don't use SSL is simply that it's complicated. It used to be expensive, too, but I think that's no longer the case. It's just another thing to set up and maintain, it increases server load, and some people have problems with it. (Edit: Also, of all the ways people's accounts can get compromised, this has to be one of the rarest. To the best of my knowledge, it's never happened to an NS account.) So we haven't done it.

Semi-related note: NationStates does not store passwords in plain text. No web site should do that.
Last edited by [violet] on Mon Jun 18, 2012 5:13 pm, edited 1 time in total.
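To make the two exposures [violet] describes concrete, here is an added example (not from the thread or from NationStates) that audits a constructed login request modelled on the capture above: it reports the password field and any session cookie a passive observer on a plain http:// connection would see, and checks whether a Set-Cookie header carries the Secure attribute, which is what stops a browser from ever sending the session cookie over http once the site offers https. The "autologin" cookie name comes from the thread; "sid" and the sample values are assumptions.

```python
from urllib.parse import parse_qs

# Form field names that carry a password; the captured login form uses "password".
PASSWORD_FIELDS = {"password", "passwd", "pwd"}
# Cookie names treated as session tokens. "autologin" is the cookie the thread
# mentions; "sid" is an assumed name for illustration only.
SESSION_COOKIES = {"autologin", "sid"}

# Constructed request modelled on the capture in the thread (not real traffic).
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: www.nationstates.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: autologin=EXAMPLE-TOKEN; theme=dark\r\n"
    "Content-Length: 70\r\n"
    "\r\n"
    "logging_in=1&nation=Example_Nation&password=example-pass&autologin=yes"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def audit_request(raw, over_tls=False):
    """Return what a passive sniffer learns if this request crosses plain http."""
    if over_tls:
        return []  # TLS hides both headers and body from an on-path observer
    findings = []
    method, target, headers, body = parse_request(raw)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(body):
            if field.lower() in PASSWORD_FIELDS:
                findings.append(f"password field '{field}' in {method} {target}")
    for part in headers.get("cookie", "").split(";"):
        name = part.strip().split("=", 1)[0]
        if name in SESSION_COOKIES:
            findings.append(f"session cookie '{name}' in {method} {target}")
    return findings


def cookie_is_secure(set_cookie):
    """True if a Set-Cookie header has the Secure attribute, so the browser will
    never send the cookie over plain http (the session grab described above)."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs
```

Note that an https-only login page does nothing for the second finding: the cookie is still replayed on every http:// page unless it is marked Secure and the whole site is served over https.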

Dilibertar
Political Columnist
 
Posts: 4
Founded: Feb 26, 2012
Ex-Nation

Postby Dilibertar » Tue Jun 19, 2012 3:08 am

I rather find it unsettling that the AutoTelegram program has to send your password over. I'd much rather a browser implementation that doesn't send it through a third-party. Hashed out or not, it's still a decent security risk.


On a note to [violet], the passwords are hashed with SHA1, right? Anything else isn't very settling, especially normal hash.
Last edited by Dilibertar on Tue Jun 19, 2012 3:14 am, edited 1 time in total.

Auralia
Senator
 
Posts: 4010
Founded: Dec 15, 2011
Ex-Nation

Postby Auralia » Tue Jun 19, 2012 11:24 am

Dilibertar wrote:I rather find it unsettling that the AutoTelegram program has to send your password over. I'd much rather a browser implementation that doesn't send it through a third-party. Hashed out or not, it's still a decent security risk.


What exactly do you mean by a "browser implementation that doesn't send it through a third-party"?
Martin Russell
Federation of Auralia

Chief Ambassador, Auralian Mission to the World Assembly
Iustitia omni auro carior.


[violet]
Site Admin
 
Posts: 7667
Founded: Antiquity

Postby [violet] » Tue Jun 19, 2012 5:04 pm

I should say: all things being equal, plugging your account password into a third-party site/program, like an auto-telegrammer, is a bigger security risk than everything else discussed here. You are trusting the author of that site/program not to steal it. And we've definitely seen several cases of nation-stealing via that method over the years -- not from this particular auto-telegram program, of course, but from other non-official tools & sites.

SalusaSecondus
Game Admin
 
Posts: 296
Founded: Jun 12, 2003
Corrupt Dictatorship

Postby SalusaSecondus » Wed Jun 20, 2012 9:33 am

Dons his security hat.

Pretty much everything posted in this thread is correct. Passwords are sent in clear-text over the wire. We could use SSL but would still have all the problems [violet] pointed out including:
  • The rest of the site isn't on SSL, so you'd grab the session cookie which is just about as good.
  • It is a real pain to set up and maintain (I've done it.)
  • I refuse to use a self-signed cert for a publicly facing site (except under very limited circumstances) for numerous philosophical and professional reasons
  • Of all the various ways someone could attack a NS account, this really is near the least of our concerns.

As for other random (related) notes:
  • Yes we hash our passwords, I won't go into the details of how, but it is acceptably secure.
  • You should never use the same password on multiple sites. This is one of the most common ways accounts can be stolen. There have been cases in the past where NS accounts were hacked because someone compromised an off-site forum where players used the same passwords as they used for their nations. (As a sub-note, since NS passwords can be captured with packet-sniffers, you don't want to share the password with other sites just in case they steal your password here.) (As a second sub-note, NS does support OpenID delegation, so you could, theoretically, authenticate against some websites using your Nation.)
  • You should never give anyone else the password to your NS account. They've been stolen this way in the past.

[violet]
Site Admin
 
Posts: 7667
Founded: Antiquity

Postby [violet] » Sat Feb 01, 2014 10:53 pm

*gravedigs*

I'm now trialing SSL encryption. You can have a play here:

https://www.nationstates.net/

Currently it's only supported on the main domain, not on m.nationstates.net or dark.nationstates.net or any other subdomain.

Please report any issues!

Shadow Afforess
Ambassador
 
Posts: 1271
Founded: Nov 06, 2013
Ex-Nation

Postby Shadow Afforess » Sun Feb 02, 2014 1:59 pm

Awesome. Now I have a legitimate reason to upgrade to SSL too. I didn't bother before, since it hardly matters if NS++ is in clear text, when your NS password is too.

Edit: Look into a wildcard SSL cert. It should cover all subdomains.
Last edited by Shadow Afforess on Sun Feb 02, 2014 2:03 pm, edited 1 time in total.
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.

Shadow Afforess
Ambassador
 
Posts: 1271
Founded: Nov 06, 2013
Ex-Nation

Postby Shadow Afforess » Thu Feb 06, 2014 3:27 pm

[violet] wrote:*gravedigs*

I'm now trialing SSL encryption. You can have a play here:

https://www.nationstates.net/

Currently it's only supported on the main domain, not on m.nationstates.net or dark.nationstates.net or any other subdomain.

Please report any issues!


Ok, been toying around with it. It works! I look forward to it being on the forums and sub-domains as well.

Any chance of enabling SPDY support? https://code.google.com/p/mod-spdy/

http://en.wikipedia.org/wiki/SPDY

Also will there be any harm if I migrate my API usage to use the https urls? It seems to work, from my cursory testing.

Edit: Additional question. How has your experience with PositiveSSL been? Would you recommend them? Why/Why not?
Last edited by Shadow Afforess on Thu Feb 06, 2014 3:32 pm, edited 2 times in total.
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.

[violet]
Site Admin
 
Posts: 7667
Founded: Antiquity

Postby [violet] » Thu Feb 06, 2014 10:13 pm

Shadow Afforess wrote:Any chance of enabling SPDY support? https://code.google.com/p/mod-spdy/

Done!

Also will there be any harm if I migrate my API usage to use the https urls? It seems to work, from my cursory testing.

Hold off on that, if you wouldn't mind. That is a bit more of a stress test than I'm ready for.

How has your experience with PositiveSSL been?

I don't know who that is. I guess they had something to do with our certificate? I'm just using a cheap one from our host at the moment.

Shadow Afforess
Ambassador
 
Posts: 1271
Founded: Nov 06, 2013
Ex-Nation

Postby Shadow Afforess » Thu Feb 06, 2014 10:37 pm

[violet] wrote:I don't know who that is. I guess they had something to do with our certificate? I'm just using a cheap one from our host at the moment.


PositiveSSL is your Certificate Authority. In chrome, if you click the lock icon, you can see the details. :)

Appreciate the SPDY support.
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.

Shadow Afforess
Ambassador
 
Posts: 1271
Founded: Nov 06, 2013
Ex-Nation

Postby Shadow Afforess » Mon Feb 10, 2014 11:23 pm

Suggestion: when clicking to the forums from the https site, load the left panel iframe as https. Otherwise if I visit the forums and click on my nation in the panel I am sent back to the regular site.

More ideal would be to enable https for the forum as well.
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.

[violet]
Site Admin
 
Posts: 7667
Founded: Antiquity

Postby [violet] » Wed Feb 12, 2014 5:09 pm

[violet] wrote:*gravedigs*

I'm now trialing SSL encryption. You can have a play here:

https://www.nationstates.net/

Currently it's only supported on the main domain, not on m.nationstates.net or dark.nationstates.net or any other subdomain.

Please report any issues!

The SSL trial now extends to the forum and all subdomains (such as https://dark.nationstates.net/). So you should be able to log in securely at https://www.nationstates.net/ and stay within an encrypted session wherever you go. Please check it out and report any problems!

Known issue: Pages that have user-embedded images from other sites can trigger a "Mixed content" warning in your browser, since while the page you're viewing is encrypted, the embedded images are not.

Aksun
Diplomat
 
Posts: 699
Founded: Sep 07, 2010
New York Times Democracy

Postby Aksun » Wed Feb 12, 2014 6:05 pm

Thanks Violet! I am trying it out on mobile version now and so far it is working.

Edit: viewtopic.php?f=15&t=185805&p=18828272#p18828272

Is the forum secured or is it still unsecured?
Last edited by Aksun on Wed Feb 12, 2014 6:06 pm, edited 1 time in total.
Def Con
1 2 3 4 5
At Peace
Mod Quotes: "I was there man, I saw it. Neck-deep in the blood of dead griefers!" - Reppy.

The Republic of Lanos
Post Marshal
 
Posts: 17078
Founded: Apr 17, 2009
Civil Rights Lovefest

Postby The Republic of Lanos » Wed Feb 12, 2014 6:46 pm

[violet] wrote:
[violet] wrote:*gravedigs*

I'm now trialing SSL encryption. You can have a play here:

https://www.nationstates.net/

Currently it's only supported on the main domain, not on m.nationstates.net or dark.nationstates.net or any other subdomain.

Please report any issues!

The SSL trial now extends to the forum and all subdomains (such as https://dark.nationstates.net/). So you should be able to log in securely at https://www.nationstates.net/ and stay within an encrypted session wherever you go. Please check it out and report any problems!

Known issue: Pages that have user-embedded images from other sites can trigger a "Mixed content" warning in your browser, since while the page you're viewing is encrypted, the embedded images are not.

Is there a way to enable secure browsing on login via settings or do I have to manually bookmark the https site?

[violet]
Site Admin
 
Posts: 7667
Founded: Antiquity

Postby [violet] » Wed Feb 12, 2014 7:10 pm

Aksun wrote:Is the forum secured or is it still unsecured?

Both; it depends on whether you access it via http:// or https://.

The Republic of Lanos wrote:Is there a way to enable secure browsing on login via settings or do I have to manually bookmark the https site?

The latter. If all goes well in the trial, we'll turn it on by default.

The Republic of Lanos
Post Marshal
 
Posts: 17078
Founded: Apr 17, 2009
Civil Rights Lovefest

Postby The Republic of Lanos » Wed Feb 12, 2014 7:13 pm

[violet] wrote:
Aksun wrote:Is the forum secured or is it still unsecured?

Both; it depends on whether you access it via http:// or https://.

The Republic of Lanos wrote:Is there a way to enable secure browsing on login via settings or do I have to manually bookmark the https site?

The latter. If all goes well in the trial, we'll turn it on by default.

Awesome. :) It works well on the forums.

Shadow Afforess
Ambassador
 
Posts: 1271
Founded: Nov 06, 2013
Ex-Nation

Postby Shadow Afforess » Fri Feb 21, 2014 7:11 pm

[violet] I noticed the password reset email still uses the http url. Now that the https site is fully operational, it seems prudent to update this.

Edit: Also the "share your nation" link at the bottom of nation pages is hardcoded to the http link. :(
Protocol-independent URLs would fix that. :)
Last edited by Shadow Afforess on Sat Feb 22, 2014 12:40 am, edited 2 times in total.
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.
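The hard-coded http:// links Shadow Afforess reports and the "mixed content" warning [violet] mentions are the same class of problem, so here is an added example (not NationStates code) that scans a constructed page fragment for http:// URLs and sorts them by effect: active content such as scripts and the panel iframe, passive content such as user-embedded images, and plain links that drop the user back onto the unencrypted site. It also shows the protocol-relative rewrite ("//host/path") that makes a URL follow the scheme of the page it sits on. The markup and hostnames are assumptions for illustration.

```python
from html.parser import HTMLParser

# Constructed fragment standing in for a nation page over https (not the real markup).
SAMPLE_HTML = """
<script src="http://www.nationstates.net/js/panel.js"></script>
<iframe src="http://forum.nationstates.net/panel"></iframe>
<img src="http://example.invalid/user-embedded-flag.png">
<a href="http://www.nationstates.net/nation=example_nation">Share your nation</a>
<a href="//www.nationstates.net/page=login">Login</a>
<img src="https://www.nationstates.net/images/logo.png">
"""

# (tag, attribute) pairs grouped by what an http:// value does on an https page.
ACTIVE = {("script", "src"), ("iframe", "src")}   # browser blocks or session is exposed
PASSIVE = {("img", "src")}                        # "mixed content" warning
NAVIGATION = {("a", "href")}                      # clicking leaves the encrypted site


class HttpUrlFinder(HTMLParser):
    """Collect (severity, tag, url) for every hard-coded http:// attribute value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue  # https://, protocol-relative and relative URLs are fine
            key = (tag, name)
            if key in ACTIVE:
                self.findings.append(("active-mixed-content", tag, value))
            elif key in PASSIVE:
                self.findings.append(("passive-mixed-content", tag, value))
            elif key in NAVIGATION:
                self.findings.append(("downgrade-link", tag, value))


def find_http_urls(html):
    """Run the scanner over a page and return its findings in document order."""
    parser = HttpUrlFinder()
    parser.feed(html)
    return parser.findings


def to_protocol_relative(url):
    """Rewrite http://host/path to //host/path so it inherits the page's scheme."""
    if url.lower().startswith("http://"):
        return "//" + url[len("http://"):]
    return url
```

Links in an e-mail have no page scheme to inherit, so the password-reset link from the post above needs an explicit https:// URL rather than a protocol-relative one.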

Percvania
Bureaucrat
 
Posts: 65
Founded: Feb 27, 2013
Civil Rights Lovefest

Postby Percvania » Mon Feb 24, 2014 4:14 am

I'm guessing it's something to do with your computer or its settings?
