#1 |
Oct 2011
Maryland
2·5·29 Posts |
There is just a small issue that has always bugged me. When you first log in, your username and password are passed as variables in the URL. This means that anyone that can view my history immediately knows my password, and can log in simply by passing it back in. This seems insecure.
#2 |
Basketry That Evening!
"Bunslow the Bold"
Jun 2011
40<A<43 -89<O<-88
3×29×83 Posts |
Lol I noticed that a while ago and immediately changed my password to something I don't use (and would never use) anywhere else. On the other hand, logging in for me is now no harder than going to a bookmark.
#3 |
Account Deleted
"Tim Sorbera"
Aug 2006
San Antonio, TX USA
10B716 Posts |
Yes, this is insecure, but so are many other login systems. The major difference is that this lets you know how insecure it is. If someone has access to your browsing history, they could probably just as easily install a keylogger and get your password no matter how it's transmitted. If someone is listening to your network traffic, they could also snoop any login system that doesn't use, at minimum, salted hashing and/or encryption. The only sort of attacker you have to worry about is the ones over your shoulder that might see it. This kind is unlikely (IMHO) to care.
#4 |
If I May
"Chris Halsall"
Sep 2002
Barbados
32×1,231 Posts |
#5 | |
Romulan Interpreter
"name field"
Jun 2011
Thailand
19×541 Posts |
Quote:
Code:
http://www.mersenne.org/account/?user_login=LaurV&user_password=blablablabla1&B1=GO
http://www.mersenne.org/account/?user_login=Dubslow*&user_password=blablablabla2&B1=GO
etc.
*this is just an example
#6 |
Basketry That Evening!
"Bunslow the Bold"
Jun 2011
40<A<43 -89<O<-88
722110 Posts |
I hope that's not actually your password
#7 |
Oct 2011
Maryland
2·5·29 Posts |
#8 |
Romulan Interpreter
"name field"
Jun 2011
Thailand
19×541 Posts |
One primenet "real" issue (but still minor) could be the fact that the customized team report does not seem to work... Or... is it only my case? (I can't see any result if I click customize, and select teams flag to 1). Did that ever work?
#9 |
Sep 2009
2·1,213 Posts |
Don't forget that browsing history could be read if your computer was stolen (or sold without wiping the hard disk).
Primenet should use SSL (AKA https) for logging in, even if the rest of the traffic is http. The same could be said of mersenneforum.org. And it would be nice if reading and writing private messages on here was encrypted.
It's recommended to have 1 password for each important site (banking etc) and another for sites that don't really matter. And a third for sites that don't use https to log on.
Chris
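The exposure discussed in this thread, as an added example that is not part of any post here and is not PrimeNet's own code: a Python scanner that finds URLs in exported browser-history or web/proxy log lines carrying a password-like query parameter, flags whether they went over plain http, and returns them with the value redacted. `user_password` is the parameter name quoted in the thread; the other parameter names, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "user_password" is the name seen in this thread; the rest are assumed variants.
SENSITIVE = {"user_password", "password", "passwd", "pwd", "token"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redact_url(url):
    """Return (url with secret values replaced, list of leaking parameter names)."""
    parts = urlsplit(url)
    leaked, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE and value:
            leaked.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not leaked:
        return url, leaked  # leave clean URLs byte-for-byte unchanged
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked


def scan(lines):
    """Return one finding per URL that carries a secret in its query string."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in URL_RE.finditer(line):
            redacted, leaked = redact_url(match.group())
            if leaked:
                findings.append({
                    "line": lineno,
                    "params": leaked,
                    "url": redacted,  # never store or print the raw value
                    "cleartext": urlsplit(match.group()).scheme == "http",
                })
    return findings


# Constructed sample lines (history export and an access-log Referer), not real data.
SAMPLE = [
    "2011-12-14 09:01 http://www.mersenne.org/account/"
    "?user_login=ExampleUser&user_password=hunter2&B1=GO",
    "2011-12-14 09:02 http://www.mersenne.org/report_top_500/",
    '10.0.0.5 "GET /x HTTP/1.1" 200 Referer: https://example.test/login?u=a&pwd=s3cret',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The second finding shows why https alone does not close the gap raised in post #1: the query string is encrypted in transit but still lands in history, logs and Referer headers.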
#10 | |
Oct 2011
Maryland
2·5·29 Posts |
Quote:
If I didn't have a math degree, and were randomly looking for a distributed computing project to join, the login to primenet would be a major turnoff for me. Probably enough so to convince me to look for a different project.
#11 | |
Aug 2002
2·7·13·47 Posts |