Minor Issue with Primenet
There is just a small issue that has always bugged me. When you first log in your username and password are passed as variables in the URL. This means that anyone that can view my history immediately knows my password, and can log in simply by passing it back in. This seems insecure.
Lol I noticed that a while ago and immediately changed my password to something I don't use (and would never use) anywhere else. On the other hand, logging in for me is now no harder than going to a bookmark.
Yes, this is insecure, but so are many other login systems. The major difference is that this lets you know how insecure it is. If someone has access to your browsing history, they could probably just as easily install a keylogger and get your password no matter how it's transmitted. If someone is listening to your network traffic, they could also snoop any login system that doesn't use, at minimum, salted hashing and/or encryption. The only sort of attacker you have to worry about is the one looking over your shoulder who might see it. This kind is unlikely (IMHO) to care.
[QUOTE=Mini-Geek;288821]If someone has access to your browsing history, they could probably just as easily install a keylogger and get your password no matter how it's transmitted.[/QUOTE]
Agree. IMHO, if someone has access to your browsing history, you're already fscked.
[QUOTE=Dubslow;288805]Lol I noticed that a while ago and immediately changed my password to something I don't use (and would never use) anywhere else. On the other hand, logging in for me is now no harder than going to a bookmark.[/QUOTE]
That has been known for a long time; I complained to George in a private mail (could be more than 7 years ago), which he ignored. At that time I set up a proxy for the same house where I work now, and I was surprised to see all the usernames and passwords in the blind http links passing through it, in clear.
[CODE]
http://www.mersenne.org/account/?user_login=LaurV&user_password=blablablabla1&B1=GO
http://www.mersenne.org/account/?user_login=Dubslow*&user_password=blablablabla2&B1=GO
etc.
[/CODE]
for all the people in my network (which was only me, from 30 computers :D)
*this is just an example
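A defender-side check for the proxy-log situation described in the post above, added here as an example (it is not code from the thread or from Primenet): it scans a constructed squid-style access log for GET requests whose query string carries a password parameter, and shows how such URLs can be redacted before the log entry is stored. The log format, the client addresses and every parameter name other than user_login/user_password are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Query parameter names that should never carry a secret in a GET URL.
# "user_password" is the name seen in the thread; the others are assumed
# common names added for illustration.
SENSITIVE_PARAMS = {"user_password", "password", "passwd", "pwd"}

# Constructed squid-style access-log sample (not real traffic):
# timestamp elapsed client status bytes method URL ...
SAMPLE_LOG = """\
1312345678.123 45 192.168.1.10 TCP_MISS/200 1234 GET http://www.mersenne.org/account/?user_login=alice&user_password=s3cret&B1=GO - DIRECT/1.2.3.4 text/html
1312345679.456 12 192.168.1.11 TCP_MISS/200 2345 GET http://www.mersenne.org/account/ - DIRECT/1.2.3.4 text/html
1312345680.789 30 192.168.1.10 TCP_MISS/200 3456 POST https://example.test/login - DIRECT/1.2.3.4 text/html
1312345681.000 20 192.168.1.12 TCP_MISS/200 4567 GET http://www.mersenne.org/account/?user_login=bob&password=hunter2 - DIRECT/1.2.3.4 text/html
"""

# Matches the request method and the URL that follows it in a log line.
REQUEST_RE = re.compile(r"\b(GET|POST|HEAD)\s+(\S+)")


def find_credential_leaks(log_text):
    """Return (line_no, client_ip, [leaked param names]) for each request whose
    URL query string carries a sensitive parameter."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(2)).query, keep_blank_values=True)
        leaked = sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append((line_no, line.split()[2], leaked))
    return findings


def redact_url(url):
    """Return the URL with sensitive parameter values replaced, so the entry can
    be kept in a log or history without storing the secret itself."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    for line_no, client, params in find_credential_leaks(SAMPLE_LOG):
        print(f"line {line_no}: client {client} sent credentials in URL params {params}")
    print(redact_url("http://www.mersenne.org/account/?user_login=alice&user_password=s3cret&B1=GO"))
```

Redaction only limits what the log retains; the secret has still crossed the wire, which is why the thread's suggestion of moving the login to https (and out of the query string) is the actual fix.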
I hope that's not actually your password :smile:
[QUOTE=chalsall;288823]Agree. IMHO, if someone has access to your browsing history, you're already fscked.[/QUOTE]
The only reason I thought about it was because I log in at work on the work PC.
One primenet "real" issue (but still minor) could be the fact that the customized team report does not seem to work... Or... is it only my case? (I can't see any result if I click customize and set the teams flag to 1). Did that ever work?
Don't forget that browsing history could be read if your computer was stolen (or sold without wiping the hard disk).
Primenet should use SSL (AKA https) for logging in, even if the rest of the traffic is http. The same could be said of mersenneforum.org. And it would be nice if reading and writing private messages on here was encrypted. It's recommended to have 1 password for each important site (banking etc.) and another for sites that don't really matter. And a third for sites that don't use https to log on. Chris
[QUOTE=chris2be8;289052]
Primenet should use SSL (AKA https) for logging in, even if the rest of the traffic is http. [/QUOTE] I agree. If I didn't have a math degree, and were randomly looking for a distributed computing project to join, the login to primenet would be a major turnoff for me. Probably enough so to convince me to look for a different project.
[QUOTE]The same could be said of mersenneforum.org. And it would be nice if reading and writing private messages on here was encrypted.[/QUOTE]Show us how to implement encrypted browsing and we will try to make it happen.
:smile: