HTTPS for passwords in the year 2013


HTTPS for passwords in the year 2013

badon
Hi, why does Nabble not have HTTPS for logins in the year 2013? I really hate sending out passwords for someone to gather abuse. Is it too much to ask for EVERYTHING to be HTTPS? I don't like people spying on what I'm reading, either.

Re: HTTPS for passwords in the year 2013

GregChapman
I don't understand your rant.

As a forum administrator you don't have to send out passwords. Nabble issues passwords directly to the user - and you will never know what they are, making them pretty secure. You can make any area of your forum private and require password access for it. All this is handled by Nabble. You do not need to become involved with the issue of passwords.

The Internet is much like snail mail and telephones. Ultimately, just about everything can be opened, listened to, copied or recorded for later analysis. If you are involved in some activity that is so sensitive that no one should even have the possibility of decrypting it, then you probably shouldn't be using the Internet.

Please explain your concerns in more detail.
Volunteer Helper - but recommending that users move off the platform!
Once the admin for GregHelp now deleted.

Re: HTTPS for passwords in the year 2013

badon
Nabble's login form does not use SSL. So, anyone who logs in to Nabble has almost certainly had their login credentials logged by someone malicious. They will use those credentials to try to log in to other websites (email accounts, bank accounts, etc.), because many people reuse the same passwords, or trivial variations of them that can be brute-forced. Very often, those credentials are used to commit crimes. The trail ends at the victimized Nabble user, so the real criminal gets away with it. Maybe some people are comfortable with that. I'm not.

I'm not an administrator, I'm a regular user. My message had a missing word that caused this confusion. I don't know how that happened, but with no security, someone could have altered my message in a man-in-the-middle attack. I think my PC just ate the word, like if I was typing it at the same moment a popup got in the way, and I resumed typing after dismissing the popup without realizing something got lost. However, there's no way to know, because Nabble has no modern security features. I don't know who is using my account right now, and I don't know who is reading my messages, or trying to strip away my anonymity and privacy.

These problems were solved 20 years ago, but Nabble has been left behind. If you want to learn more about some of the most important basic security concepts in the context of web browsers, you can start with the Wikipedia article about SSL (just do a search for it). Then, you might want to skip over to finding information about "man in the middle" attacks (variously abbreviated as MITM and MITMA), which should give you an idea of how HTTPS can work to thwart them. Once you have a good idea of why browser security is important, I recommend using the Perspectives add-on/extension for Firefox. It defeats most of the weaknesses in current security protocols (certificate signing authorities), which can allow some of the most potent forms of man in the middle attacks.

Re: HTTPS for passwords in the year 2013

GregChapman
badon wrote
Nabble's login form does not use SSL. So, anyone who logs in to Nabble has almost certainly had their login credentials logged by someone malicious.
That can only occur if a computer's security is already compromised. It is relatively easy to take steps to ensure this doesn't happen.
The trail ends at the victimized Nabble user
There is no victimised Nabble user. If they are a victim at all, it is because of their own security failings that originated before logging into a Nabble server.
Maybe some people are comfortable with that. I'm not.
Your lack of comfort is misplaced and stems from a misunderstanding.
I'm not an administrator, I'm a regular user. My message had a missing word that caused this confusion.
You don't mention the missing word so I am not sure that I know what you really intended to say.
I don't know how that happened, but with no security, someone could have altered my message in a man-in-the-middle attack. I think my PC just ate the word, like if I was typing it at the same moment a popup got in the way, and I resumed typing after dismissing the popup without realizing something got lost. However, there's no way to know, because Nabble has no modern security features. I don't know who is using my account right now, and I don't know who is reading my messages, or trying to strip away my anonymity and privacy.
I'm afraid these worries are all based on misunderstandings.

Yes, "man in the middle attacks" can occur. I pointed out in my previous post that most Internet traffic is no more secure than snail mail or telephone calls, so it is possible for people to intercept and make copies of traffic passing through a server. And yes, SSL will make it practically impossible for intercepted traffic to be misused.

However, your initial fear (misplaced, in my view) suggested that key-logging was taking place on most people's computers. You then suggest that the solution to that problem is for Nabble to use SSL connections. That is like saying your car keys have been stolen but now you refuse to call your garage to order a replacement in case the thief is tapping your telephone.
Volunteer Helper - but recommending that users move off the platform!
Once the admin for GregHelp now deleted.

Re: HTTPS for passwords in the year 2013

badon
I appreciate your help, but I'm sure you have much more important things to do than to waste time on someone like me that misunderstands everything. There's no need for you to pay any more attention to this issue. Thank you for your efforts.

Re: HTTPS for passwords in the year 2013

GregChapman
No problem!
Volunteer Helper - but recommending that users move off the platform!
Once the admin for GregHelp now deleted.