Why is my password sent in clear text?

Afforess
Spokesperson
Posts: 176
Founded: Jun 22, 2009
Civil Rights Lovefest

Postby Afforess » Sat Jun 16, 2012 8:34 pm

I was looking through the source code of an autotelegramer program the other day and noticed it sent the nation name and nation password as clear text in the login. At first I thought they were just a shitty programmer and didn't know better. So I fired up wireshark, logged out, then started capturing packets. Then I logged back in and ended the capture. When I analyzed my login packet, I saw this:

Code:
ny^M"CqE7$@P1LX1PPOST / HTTP/1.1
Host: www.nationstates.net
Connection: keep-alive
Content-Length: 66
Cache-Control: max-age=0
Origin: http://www.nationstates.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nationstates.net/page=login
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [REMOVED SO YOU JOKERS CAN'T LOG IN AS ME]

logging_in=1&nation=Afforess&password=hunter2&autologin=yes


Don't bother with that password, I hope you get the reference though ;)

Point is, logging into the game sends the password in clear text. This means you shouldn't log in anywhere where you don't have complete control of the entire connection up until it reaches your ISP. This means public wifi, universities, libraries, internet cafes, airports, etc could easily have sniffers ready to rob your account.

Is there a reason NS doesn't use SSL or some other encryption/salt for the password? I feel a lot edgier logging into a service with my password in clear text, especially with how easy network sniffing is. I could teach a 12 year old to hack a NS account with McDonalds wifi.
Last edited by Afforess on Sat Jun 16, 2012 8:38 pm, edited 4 times in total.
Former Delegate of the Capitalist Paradise

"A Witty Saying Proves Nothing"
- Voltaire

Fischistan
Ambassador
Posts: 1384
Founded: Oct 16, 2011
Ex-Nation

Postby Fischistan » Sat Jun 16, 2012 8:54 pm

SSL certificates cost money, you know. Are you asking that NS starts using SSL?

Afforess
Spokesperson
Posts: 176
Founded: Jun 22, 2009
Civil Rights Lovefest

Postby Afforess » Sat Jun 16, 2012 9:03 pm

Fischistan wrote:SSL certificates cost money, you know. Are you asking that NS starts using SSL?
Not that much money. Couple hundred. Maybe a grand. I'd happily pay for a member+ account to get SSL.
Last edited by Afforess on Sat Jun 16, 2012 9:03 pm, edited 1 time in total.

Zemnaya Svoboda
Diplomat
Posts: 559
Founded: Jan 06, 2004
Left-Leaning College State

Postby Zemnaya Svoboda » Mon Jun 18, 2012 6:21 am

To be honest, I'd happily pay a $5 fee to be able to log into NS over SSL >.>

But I'm realistic in that implementing an SSL login would involve a significant amount of work and wouldn't affect any actually observed security issues. I don't think anyone's NationStates password has ever been stolen out of the aether like that.

Tseaby
Civil Servant
Posts: 9
Founded: Antiquity
Father Knows Best State

Postby Tseaby » Mon Jun 18, 2012 8:43 am

Someone linked this to me for comments. I wouldn't mind there being a pay-for SSL option, as it might help offset the costs of the site for Max.

One of the points brought up was would this cause more load on the site? Most sites that do full-site SSL find it provides ~1% load increase, which isn't really all that bad.

Second is some people might find a pay-for feature a "slippery slope" direction for the game to take. Not to mention they'd have to then deal with online payments, which would probably be more of an administrative overhead than anything else.

But the site could use a self-signed certificate. This doesn't cost anything and would provide for encryption. However, this usually causes a web browser to throw a warning up when you first access the site. Therefore they could make SSL optional and if someone wants that feature, they can access the site via SSL and go through the steps to manually accept the certificate, and those that don't know or care wouldn't have to deal with it at all.

This isn't exactly the simplest thing to do, but it's a possibility.


Zemnaya Svoboda
Diplomat
Posts: 559
Founded: Jan 06, 2004
Left-Leaning College State

Postby Zemnaya Svoboda » Mon Jun 18, 2012 9:29 am

A self-signed certificate, offered for free, with a non-nation-specific cookie that, when set, makes you log in using SSL (and can be applied with a checkbox like the "Remember me" checkbox) seems like a reasonable way to implement it.

Of course, I still wouldn't expect the admins to devote time to what would amount to a vanity feature.

Lithatrius
Ambassador
Posts: 1121
Founded: Jun 24, 2009
Father Knows Best State

Postby Lithatrius » Mon Jun 18, 2012 4:12 pm

A small addition.

I can't speak for any other nations, but I don't like the concept of a "Member+" account - it just smacks of NS2, where money gave you extra perks. The beauty of this game is that everyone is equal in terms of membership capabilities. Also, the majority of the nations are young users, who likely will not be able to afford/convince their parents to have a paid account.

However, I would also say that having been a forum member for 5 days short of 3 years, I trust [violet] to be able to successfully resolve this without the need for expensive SSL technology.

[violet]
Site Admin
Posts: 5639
Founded: Antiquity

Postby [violet] » Mon Jun 18, 2012 5:06 pm

Afforess wrote:Is there a reason NS doesn't use SSL or some other encryption/salt for the password?

SalusaSecondus is our security guy, but I'll take a stab at this.

Everything you send to NS is in plain text, including your initial login password or autologin cookie, since as Afforess says we don't use SSL (Secure Sockets Layer). This is the case for any website that you connect to via http:// rather than https://.

This means your data is unencrypted as it passes between you and the sites you visit. Ordinarily, that only includes your home router and your ISP, but in a public area on a wireless connection, those data packets can be sniffed by someone sitting nearby. So if you're in a coffee shop, for example, using their wireless to log into NS (or another site not using https://), and someone sitting two tables over is packet-sniffing, they may be able to see your password.

Even when the site's login page is behind https://, if the rest of the site isn't, then someone in the same situation can wait until you're logged in and grab your session ID, which is just as good.

This is probably more of a concern for Facebook users than NS users, but the same principle applies.

The reason we don't use SSL is simply that it's complicated. It used to be expensive, too, but I think that's no longer the case. It's just another thing to set up and maintain, it increases server load, and some people have problems with it. (Edit: Also, of all the ways people's accounts can get compromised, this has to be one of the rarest. To the best of my knowledge, it's never happened to an NS account.) So we haven't done it.

Semi-related note: NationStates does not store passwords in plain text. No web site should do that.
Last edited by [violet] on Mon Jun 18, 2012 5:13 pm, edited 1 time in total.
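As an added illustration of the point [violet] makes above (this is not code from the thread or from NationStates): the Python audit below parses a captured HTTP/1.1 request modelled on Afforess's capture, with all values replaced by placeholders, reports which form fields and cookies a passive on-path observer could read over plain http:// without ever echoing their values, and checks whether a Set-Cookie header carries the Secure and HttpOnly attributes that keep a session cookie off http:// entirely. The name patterns used to recognise secrets are an assumption for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed request modelled on the thread's capture; every value is a placeholder.
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: www.nationstates.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: autologin=PLACEHOLDER_TOKEN; theme=dark\r\n"
    "\r\n"
    "logging_in=1&nation=ExampleNation&password=PLACEHOLDER&autologin=yes"
)
# Names that carry a credential or a session identifier (assumed lists).
SECRET_FORM_FIELD = re.compile(r"pass(word|wd)?|pin|token|secret", re.I)
SECRET_COOKIE = re.compile(r"session|sid|auth|login|token|pin", re.I)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def audit_request(raw, over_tls=False):
    """List what a passive on-path observer could read; only names are echoed, never values."""
    if over_tls:
        return []  # TLS hides headers and body from a sniffer
    _, headers, body = parse_request(raw)
    findings = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(body, keep_blank_values=True):
            if SECRET_FORM_FIELD.search(field):
                findings.append(f"form field '{field}' sent in clear text")
    for part in headers.get("cookie", "").split(";"):
        name = part.split("=", 1)[0].strip()
        if name and SECRET_COOKIE.search(name):
            findings.append(f"cookie '{name}' sent in clear text (session hijack risk)")
    return findings

def cookie_is_protected(set_cookie):
    """True if a Set-Cookie header has Secure and HttpOnly: the browser then never
    sends the cookie over http:// and page scripts cannot read it."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs
```

Run against the sample, the audit flags the password field and the autologin cookie, which is exactly the pair [violet] describes; the same request over TLS yields no findings.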

Dilibertar
Political Columnist
Posts: 4
Founded: Feb 26, 2012
Inoffensive Centrist Democracy

Postby Dilibertar » Tue Jun 19, 2012 3:08 am

I rather find it unsettling that the AutoTelegram program has to send your password over. I'd much rather a browser implementation that doesn't send it through a third-party. Hashed out or not, it's still a decent security risk.
On a note to [violet], the passwords are hashed with SHA1, right? Anything else isn't very settling, especially normal hash.
Last edited by Dilibertar on Tue Jun 19, 2012 3:14 am, edited 1 time in total.

Auralia
Minister
Posts: 2169
Founded: Dec 15, 2011
Inoffensive Centrist Democracy

Postby Auralia » Tue Jun 19, 2012 11:24 am

Dilibertar wrote:I rather find it unsettling that the AutoTelegram program has to send your password over. I'd much rather a browser implementation that doesn't send it through a third-party. Hashed out or not, it's still a decent security risk.
What exactly do you mean by a "browser implementation that doesn't send it through a third-party"?

[violet]
Site Admin
Posts: 5639
Founded: Antiquity

Postby [violet] » Tue Jun 19, 2012 5:04 pm

I should say: all things being equal, plugging your account password into a third-party site/program, like an auto-telegrammer, is a bigger security risk than everything else discussed here. You are trusting the author of that site/program not to steal it. And we've definitely seen several cases of nation-stealing via that method over the years -- not from this particular auto-telegram program, of course, but from other non-official tools & sites.

SalusaSecondus
Game Admin
Posts: 273
Founded: Jun 12, 2003
Corrupt Dictatorship

Postby SalusaSecondus » Wed Jun 20, 2012 9:33 am

Dons his security hat.

Pretty much everything posted in this thread is correct. Passwords are sent in clear-text over the wire. We could use SSL but would still have all the problems [violet] pointed out including:
  • The rest of the site isn't on SSL, so you'd grab the session cookie which is just about as good.
  • It is a real pain to set up and maintain (I've done it.)
  • I refuse to use a self-signed cert for a publicly facing site (except under very limited circumstances) for numerous philosophical and professional reasons
  • Of all the various ways someone could attack a NS account, this really is near the least of our concerns.

As for other random (related) notes:
  • Yes we hash our passwords, I won't go into the details of how, but it is acceptably secure.
  • You should never use the same password on multiple sites. This is one of the most common ways accounts can be stolen. There have been cases in the past where NS accounts were hacked because someone compromised an off-site forum where players used the same passwords as they used for their nations. (As a sub-note, since NS passwords can be captured with packet-sniffers, you don't want to share the password with other sites just in case they steal your password here.) (As a second sub-note, NS does support OpenId delegation, so you could, theoretically, authenticate against some websites using your Nation.)
  • You should never give anyone else the password to your NS account. They've been stolen this way in the past.
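
Added example for the hashing questions raised by Dilibertar ("hashed with SHA1, right?") and SalusaSecondus ("we hash our passwords"): this is illustrative Python, not NationStates' own scheme, which the thread does not disclose. It contrasts a bare SHA-1 digest with a salted, iterated PBKDF2-HMAC-SHA256 record and a constant-time verify; the 200,000 iteration count and the record format are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; raise as hardware improves

def bare_sha1(password):
    """The weak scheme: one fast, unsalted digest. Identical passwords yield
    identical records, and one precomputed table applies to every user at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_record(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns 'pbkdf2_sha256$iter$salt$hash'."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(got, expected)

def needs_rehash(record):
    """True if a stored record was made with fewer iterations than the current
    work factor, so it should be upgraded at the user's next successful login."""
    return int(record.split("$")[1]) < ITERATIONS

def records_collide(password, hasher):
    """True when two users with the same password end up with the same stored record."""
    return hasher(password) == hasher(password)
```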

