HTTPS on NationStates

[[violet]]

I was looking through the source code of an autotelegramer program the other day and noticed it sent the nation name and nation password as clear text in the login. At first I thought they were just a shitty programmer and didn't know better. So I fired up wireshark, logged out, then started capturing packets. Then I logged back in and ended the capture. When I analyzed my login packet, I saw this:

Code: Select all

ny^M"CqE7$@P1LX1PPOST / HTTP/1.1
Host: www.nationstates.net
Connection: keep-alive
Content-Length: 66
Cache-Control: max-age=0
Origin: http://www.nationstates.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nationstates.net/page=login
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [REMOVED SO YOU JOKERS CAN'T LOG IN AS ME]

logging_in=1&nation=Afforess&password=hunter2&autologin=yes


Don't bother with that password, I hope you get the reference though

Point is, logging into the game sends the password in clear text. This means you shouldn't log in anywhere where you don't have complete control of the entire connection up until it reaches your ISP. This means public wifi, universities, libraries, internet cafes, airports, etc could easily have sniffers ready to rob your account.

Is there a reason NS doesn't use SSL or some other encryption/salt for the password? I feel a lot edgier logging into a service with my password in clear text, especially with how easy network sniffing is. I could teach a 12 year old to hack a NS account with McDonalds wifi.

[Fischistan]

SSL certificates cost money, you know. Are you asking that NS starts using SSL?

[Afforess]

SSL certificates cost money, you know. Are you asking that NS starts using SSL?

Not that much money. Couple hundred. Maybe a grand. I'd happily pay for a member+ account to get SSL.

[Zemnaya Svoboda]

To be honest, I'd happily pay a $5 fee to be able to log into NS over SSL >.>

But I'm realistic in that implementing an SSL login would involve a significant amount of work and wouldn't affect any actually observed security issues. I don't think anyone's NationStates password has ever been stolen out of the aether like that.

[Tseaby]

Someone linked this to me for comments. I wouldn't mind there being a pay-for SSL option, as it might help offset the costs of the site for Max.

One of the points brought up was would this cause more load on the site? Most sites that do full-site SSL find it provides ~1% load increase, which isn't really all that bad.

Second is some people might find a pay-for feature a "slippery slope" direction for the game to take. Not to mention they'd have to then deal with online payments, which would probably be more of an administrative overhead than anything else.

But the site could use a self-signed certificate. This doesn't cost anything and would provide for encryption. However, this usually causes a web browser to throw a warning up when you first access the site. Therefore they could make SSL optional and if someone wants that feature, they can access the site via SSL and go through the steps to manually accept the certificate, and those that don't know or care wouldn't have to deal with it at all.

This isn't exactly the simplest thing to do, but it's a possibility.

[Zemnaya Svoboda]

A self-signed certificate, offered for free, with a non-nation-specific cookie that, when set, makes you log in using SSL (and can be applied with a checkbox like the "Remember me" checkbox) seems like a reasonable way to implement it.

Of course, I still wouldn't expect the admins to devote time to what would amount to a vanity feature.

[Lithatrius]

A small addition.

I can't speak for any other nations, but I don't like the concept of a "Member+" account - it just smacks of NS2, where money gave you extra perks. The beauty of this game is that everyone is equal in terms of membership capabilities. Also, the majority of the nations are young users, who likely will not be able to afford/convince their parents to have a paid account.

However, I would also say that having been a forum member for 5 days short of 3 years, I trust [violet] to be able to successfully resolve this without the need for expensive SSL technology.

[[violet]]

Is there a reason NS doesn't use SSL or some other encryption/salt for the password?

SalusaSecondus is our security guy, but I'll take a stab at this.

Everything you send to NS is in plain text, including your initial login password or autologin cookie, since as Afforess says we don't use SSL (Secure Sockets Layer). This is the case for any website that you connect to via http:// rather than https://.

This means your data is unencrypted as it passes between you and the sites you visit. Ordinarily, that only includes your home router and your ISP, but in a public area on a wireless connection, those data packets can be sniffed by someone sitting nearby. So if you're in a coffee shop, for example, using their wireless to log into NS (or another site not using https://), and someone sitting two tables over is packet-sniffing, they may be able to see your password.

Even when the site's login page is behind https://, if the rest of the site isn't, then someone in the same situation can wait until you're logged in and grab your session ID, which is just as good.

This is probably more of a concern for Facebook users than NS users, but the same principle applies.

The reason we don't use SSL is simply that it's complicated. It used to be expensive, too, but I think that's no longer the case. It's just another thing to set up and maintain, it increases server load, and some people have problems with it. (Edit: Also, of all the ways people's accounts can get compromised, this has to be one of the rarest. To the best of my knowledge, it's never happened to an NS account.) So we haven't done it.

Semi-related note: NationStates does not store passwords in plain text. No web site should do that.

[Dilibertar]

I rather find it unsettling that the AutoTelegram program has to send your password over. I'd much rather a browser implementation that doesn't send it through a third-party. Hashed out or not, it's still a decent security risk.


On a note to [violet], the passwords are hashed with SHA1, right? Anything else isn't very settling, especially normal hash.

[Auralia]

I rather find it unsettling that the AutoTelegram program has to send your password over. I'd much rather a browser implementation that doesn't send it through a third-party. Hashed out or not, it's still a decent security risk.

What exactly do you mean by a "browser implementation that doesn't send it through a third-party"?

[[violet]]

I should say: all things being equal, plugging your account password into a third-party site/program, like an auto-telegrammer, is a bigger security risk than everything else discussed here. You are trusting the author of that site/program not to steal it. And we've definitely seen several cases of nation-stealing via that method over the years -- not from this particular auto-telegram program, of course, but from other non-official tools & sites.

[SalusaSecondus]

Dons his security hat.

Pretty much everything posted in this thread is correct. Passwords are sent in clear-text over the wire. We could use SSL but would still have all the problems [violet] pointed out including:

• The rest of the site isn't on SSL, so you'd grab the session cookie which is just about as good.
• It is a real pain to set up and maintain (I've done it.)
• I refuse to use a self-signed cert for a publicly facing site (except under very limited circumstances) for numerous philosophical and professional reasons
• Of all the various ways someone could attack a NS account, this really is near the least of our concerns.

As for other random (related) notes:

• Yes we hash our passwords, I won't go into the details of how, but it is acceptably secure.
• You should never use the same password on multiple sites. This is one of the most common ways accounts can be stolen. There have been cases in the past where NS accounts were hacked because someone compromised an off-site forum where players used the same passwords as they used for their nations. (As a sub-note, since NS passwords can be captured with packet-sniffers, you don't want to share the password with other sites just in case they steal your password here.) (As a second sub-note, NS does support OpenId delegation, so you could, theoretically, authenticate against some websites using your Nation.)
• You should never give anyone else the password to your NS account. They've been stolen this way in the past.

[[violet]]

*gravedigs*

I'm now trialing SSL encryption. You can have a play here:

https://www.nationstates.net/

Currently it's only supported on the main domain, not on m.nationstates.net or dark.nationstates.net or any other subdomain.

Please report any issues!

[Shadow Afforess]

Awesome. Now I have a legitimate reason to upgrade to SSL too. I didn't bother before, since it hardly matters if NS++ is in clear text, when your NS password is too.

Edit: Look into a wildcard ssl cert. It should cover all subdomains.

[Shadow Afforess]

*gravedigs*

I'm now trialing SSL encryption. You can have a play here:

https://www.nationstates.net/

Currently it's only supported on the main domain, not on m.nationstates.net or dark.nationstates.net or any other subdomain.

Please report any issues!

Ok, been toying around with it. It works! I look forward to it being on the forums and sub-domains as well.

Any chance of enabling SPDY support? https://code.google.com/p/mod-spdy/

http://en.wikipedia.org/wiki/SPDY

Also will there be any harm if I migrate my API usage to use the https urls? It seems to work, from my cursory testing.

Edit: Additional question. How has your experience with PositiveSSL been? Would you recommend them? Why/Why not?

[[violet]]

Any chance of enabling SPDY support? https://code.google.com/p/mod-spdy/

Done!

Also will there be any harm if I migrate my API usage to use the https urls? It seems to work, from my cursory testing.

Hold off on that, if you wouldn't mind. That is a bit more of a stress test than I'm ready for.

How has your experience with PositiveSSL been?

I don't know who that is. I guess they had something to do with our certificate? I'm just using a cheap one from our host at the moment.

[Shadow Afforess]

I don't know who that is. I guess they had something to do with our certificate? I'm just using a cheap one from our host at the moment.

PositiveSSL is your Certificate Authority. In chrome, if you click the lock icon, you can see the details.

Appreciate the SPDY support.

[Shadow Afforess]

Suggestion: when clicking to the forums from the https site, load the left panel iframe as https. Otherwise if I visit the forums and click on my nation in the panel I am sent back to the regular site.

More ideal would be to enable https for the forum as well.

[[violet]]

*gravedigs*

I'm now trialing SSL encryption. You can have a play here:

https://www.nationstates.net/

Currently it's only supported on the main domain, not on m.nationstates.net or dark.nationstates.net or any other subdomain.

Please report any issues!

The SSL trial now extends to the forum and all subdomains (such as https://dark.nationstates.net/). So you should be able to log in securely at https://www.nationstates.net/ and stay within an encrypted session wherever you go. Please check it out and report any problems!

Known issue: Pages that have user-embedded images from other sites can trigger a "Mixed content" warning in your browser, since while the page you're viewing is encrypted, the embedded images are not.

[Aksun]

Thanks Violet! I am trying it out on mobile version now and so far it is working.

Edit: viewtopic.php?f=15&t=185805&p=18828272#p18828272

Is the forum secured or is it still unsecured?

[The Republic of Lanos]

*gravedigs*

I'm now trialing SSL encryption. You can have a play here:

https://www.nationstates.net/

Currently it's only supported on the main domain, not on m.nationstates.net or dark.nationstates.net or any other subdomain.

Please report any issues!

The SSL trial now extends to the forum and all subdomains (such as https://dark.nationstates.net/). So you should be able to log in securely at https://www.nationstates.net/ and stay within an encrypted session wherever you go. Please check it out and report any problems!

Known issue: Pages that have user-embedded images from other sites can trigger a "Mixed content" warning in your browser, since while the page you're viewing is encrypted, the embedded images are not.

Is there a way to enable secure browsing on login via settings or do I have to manually bookmark the https site?

[[violet]]

Is the forum secured or is it still unsecured?

Both; it depends on whether you access it via http:// or https://.

Is there a way to enable secure browsing on login via settings or do I have to manually bookmark the https site?

The latter. If all goes well in the trial, we'll turn it on by default.

[The Republic of Lanos]

Is the forum secured or is it still unsecured?

Both; it depends on whether you access it via http:// or https://.

Is there a way to enable secure browsing on login via settings or do I have to manually bookmark the https site?

The latter. If all goes well in the trial, we'll turn it on by default.

Awesome. It works well on the forums.

[Shadow Afforess]

[violet] I noticed the password reset email still uses the http url. Now that the https site is fully operational, it seems prudent to update this.

Edit: Also the "share your nation" link at the bottom of nation pages is hardcoded to the http link.
Protocol independant urls would fix that.

[Percvania]

I'm guessing it's something to do with your computer or its settings?