dlevens Posted June 14, 2004

Hello everyone,

I am sure someone may have asked this question before but I was not able to find anything on it. I submitted my first help ticket and noticed there was a section asking for my cpanel username and my cpanel password. This seems to be a security risk, especially since I noticed that the form is not secured with ssl. Is this necessary? I don't like having my cpanel password exposed like that.

Dennis Levens

MikeJ Posted June 14, 2004

Use the SSL link (available from the main website): https://ssl.totalchoicehosting.com/supportdesk/

I know the forums link to the nonsecure version of the page, which we should probably change.

youneverknow Posted June 15, 2004

Yes you REALLY should make that change!!!

youneverknow

TCH-Dick Posted June 15, 2004

It was changed about 3 hours ago.

youneverknow Posted June 15, 2004

Thanks!!!

dlevens Posted June 15, 2004

WOW, you guys really are on top of things. Thanks for making this change.

Dennis

Deverill Posted June 15, 2004

Has anyone ever heard of someone sniffing and reconstructing packets that weren't sent over https? I'm just wondering because a lot of folks worry about it but I've never heard of it myself.

TCH-Rob Posted June 15, 2004

Jim,

Can it happen? Yes. How often? I will let you know after two more lightning strikes and a shark attack.

MikeJ Posted June 15, 2004

> Has anyone ever heard of someone sniffing and reconstructing packets that weren't sent over https? I'm just wondering because a lot of folks worry about it but I've never heard of it myself.

Yes.

Head Guru Posted June 15, 2004

Yes? Over 128bit SSL?

MikeJ Posted June 15, 2004

> Yes? Over 128bit SSL?

He said weren't.

Deverill Posted June 16, 2004

Yes, unencrypted. Honestly I don't worry about things, even passwords, sent over the internet because:

1. the packet nature of things makes it a jumble to start with.
2. there's much more chance the guy fulfilling my order will steal my passwords.
3. the #1 cryptographer rule: Any security method is sufficiently safeguarded if the pain of getting the information is greater than the value of the information itself.

Basically, 99% of my stuff is not important enough for anyone to bother with #1 and the pain it takes to sniff and reconstruct. If it were locations or codes of nukes or the details of that new patent I'm applying for dealing with "events being announced by sounds stored in small sound files which are played when the event occurs" it would be different.

I was just wondering how "real" the threat is for the average Internet user.

MikeJ Posted June 16, 2004

Well, I don't want to scare anyone, because in the majority of cases, you aren't going to have a problem, but I do want to clarify a couple things.

Pulling traffic off a network and making sense of it is extremely easy. It's not as mumbo jumbo as you may think, and there are many tools that will make sense of it for you. Getting onto the network in the first place is the harder part. That would require them to either already be on your network, or gain access to a machine on it.

I have seen many cases where this has happened, though. One of the worst is when a company hired me a couple years ago to do some work one weekend. I went on their firewall to change a ruleset, and found that the firewall had been compromised, a sniffer was installed to look for specific data (accounts, passwords, etc...), and the captures were being emailed offsite on a periodic basis so the culprit could parse the data at their leisure. Everything else they left alone so as not to raise any flags.

The thing is, in many cases they don't want your account for what's in it... they want your account for what they can do with it (DOS attacks, spamming, anonymous hacking, etc....). So in that sense, your account login *is* valuable to them.

Deverill Posted June 16, 2004

Then I guess it's a good thing we have the https: address and the link was changed to it so quickly, eh?

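An added example, not part of the original thread and not TotalChoice Hosting's code: a small Python check for the two problems raised above, a form with a password field that is served or submitted over plain HTTP, and a link that still points at the HTTP version of a page that has an HTTPS one. The host names, field names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormAudit(HTMLParser):
    """Collects forms (with a flag for password fields) and links from one page."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]  # [action, has_password]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_page(page_url, html, https_only_hosts=()):
    """Return (finding, url) tuples for credentials or links exposed over HTTP."""
    p = _FormAudit()
    p.feed(html)
    findings = []
    for action in [f[0] for f in p.forms if f[1]]:
        target = urljoin(page_url, action)  # an empty action posts back to the page
        if urlparse(page_url).scheme != "https":
            # A form delivered in cleartext can be read or altered in transit.
            findings.append(("form-served-over-http", page_url))
        if urlparse(target).scheme != "https":
            findings.append(("password-posted-over-http", target))
    for href in p.links:
        u = urlparse(urljoin(page_url, href))
        if u.scheme == "http" and u.hostname in https_only_hosts:
            findings.append(("link-to-http-version", u.geturl()))
    return findings


# Constructed sample pages: a forum link to the help desk, and the help desk form.
FORUM = '<a href="http://support.example.com/supportdesk/">Help Desk</a>'
DESK = ('<form action="submit.php"><input name="cpuser">'
        '<input type="password" name="cppass"></form>')
```

Calling `audit_page` with the `https://` URL of the same help desk page returns no findings, because the relative form action inherits the page's scheme.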