Computer Related > Car4Play security Company Cars
Thread Author: No FM2R Replies: 17
View Threaded 

 Fri 24 Mar 17 13:55 
 Car4Play security - No FM2R
I get "login insecure" warnings when I log into Car4play. This rarely happens elsewhere.

Today I got...

"Your connection is not secure

The owner of www.car4play.com has configured their website improperly. To protect your information from being stolen you have not been connected to this site"


Should I be concerned?
Reply to this message | Report message
       
 Fri 24 Mar 17 13:57 
 Car4Play security - No FM2R
support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861
Reply to this message | Report message
       
 Fri 24 Mar 17 14:19 
 Car4Play security - smokie
I'm sure you are aware, but for the benefit of others, this is not because the site is any less secure than it was yesterday but that a new version of Firefox is warning when you are connecting over an http rather than https page.

So although in my opinion there is nothing new to be concerned about, I've asked Stephen to respond. Thanks for raising it as no doubt others will see it too.
Last edited by: smokie on Fri 24 Mar 17 at 14:19
Reply to this message | Report message
       
 Fri 24 Mar 17 14:27 
 Car4Play security - No FM2R
>>I'm sure you are aware...............

No, I wasn't. I didn't even realise that Firefox had upgraded. Sorry.

I'd still be interested in Stephen's thoughts though.
Reply to this message | Report message
       
 Tue 28 Mar 17 01:47 
 Car4Play security - No FM2R
Clearly a matter of some priority.
Reply to this message | Report message
       
 Tue 28 Mar 17 08:48 
 Car4Play security - smokie
Have chased...
Reply to this message | Report message
       
 Tue 28 Mar 17 13:09 
 Car4Play security - Stuartli
>>No, I wasn't. I didn't even realise that Firefox had upgraded. Sorry.>>

Perhaps you have Firefox (or Waterfox) configured from Tools>Options>Advanced>Update tab to automatically update?

This new (and irritating) security feature was introduced in, IIRC, version 52.0, which was quickly upgraded to 52.0.1. The message pops up on quite a few websites in my case and also autofill/complete is disabled on such web pages...:-(

See:

www.ghacks.net/2017/03/07/firefox-52-0-released-find-out-what-is-new/
Reply to this message | Report message
       
 Tue 28 Mar 17 16:24 
 Car4Play security - No FM2R
>>Perhaps you have Firefox (or Waterfox) configured ........ to automatically update?

I do. Is there a particular reason not to?

Are http:: login sites a particular security risk in those cases where one is only accessing a forum, a news site or similar? [assuming you don't reuse passwords etc. etc.]

I have been contemplating the fact that I've been using Waterfox for a long time, ever since Chrome annoyed my for its resource usage. In fact its been such a long time that I wonder if I should be investigating others.

Any thoughts on Edge, for example?
Reply to this message | Report message
       
 Tue 28 Mar 17 16:54 
 Car4Play security - Stuartli
>>I do. Is there a particular reason not to?>>

Yes, you said you hadn't realised that Firefox might have been upgraded...!

Haven't used Edge. Stuck with Waterfox for several years now, although I also have Firefox (to maintain the profiles) and occasionally run SpeedyFox as it's much easier than doing such tasks manually.

Personal feelings are that things are exactly the same as before other than Firefox/Waterfox pointing out the warning. If you have a Username and Password "remembered" for a particular website then you also get the warning, but these are listed to allow you to carry on as normal following a Shut Down or Restart sequence.
Reply to this message | Report message
       
 Tue 28 Mar 17 17:09 
 Car4Play security - No FM2R
>>Yes, you said you hadn't realised that Firefox might have been upgraded...!

Kind of the point of auto update, surely? I have everything on automatic update that I can.
Reply to this message | Report message
       
 Tue 28 Mar 17 18:40 
 Car4Play security - Stuartli
>>Kind of the point of auto update, surely? I have everything on automatic update that I can.>>

Yes, but this is always the problem with just stating something that is, in fact, unintentionally ambiguous...:-)

My personal choice is to prefer to know what has been updated and why, other than in cases such as Avast! and similar utilities.
Reply to this message | Report message
       
 Tue 28 Mar 17 18:49 
 Car4Play security - No FM2R
You've lost me.

Anyway, my thinking is that any potential downside of auto update is vastly outweighed by the potential downside of me not getting around to manually updating something for one reason or another.

On top of that, I don't think I would add any value to the upgrade process by inserting a check or confirmation from me.
Reply to this message | Report message
       
 Tue 28 Mar 17 19:27 
 Car4Play security - Stuartli
>>You've lost me>>

In which way?

I've pointed out before in these forums that just because one member does things a certain way they shouldn't assume that it's the best method for all!!

I do have some utilities etc that I have to update on a regular basis, but it's not a problem and I know it's been done; perhaps being retired means I have more time to undertake such matters.
Reply to this message | Report message
       
 Tue 28 Mar 17 19:33 
 Car4Play security - No FM2R
>> >>You've lost me>>
>>
>> In which way?

with the unintentionally ambiguous stuff.

>> I've pointed out before in these forums that just because one member does things a
>> certain way they shouldn't assume that it's the best method for all!!

I agree with that. But I didn't think you were making that assumption, and i wasn't.

Don't worry, I'm sure I'm just missing the point and its not important.

Out of interest, do you allow apps on your phone to auto update? I do though there sometimes one gets caught out with changing functionality. Not enough to worry too much, but it happens.

Reply to this message | Report message
       
 Tue 28 Mar 17 19:41 
 Car4Play security - Zero
As a matter of policy I have everything set to notify but not auto update. I like to know whats available, and why, and I decide the if when and where.
Reply to this message | Report message
       
 Tue 28 Mar 17 16:44 
 Car4Play security - car4play
I think FF is complaining about not having a secure (https) site for the login form.

It could be solved by us
- buying a certificate for the domain
- installing it for the site - and getting it to work with multi host on the same IP as C4P shares the IP with other sites. This would preclude all early versions of IE that don't support this feature.
- then making either just the login pages run on the secure server, or simply let the whole site use https...

Either way the short response is it's quite a lot of work and a bit of time that I don't have at the mo.

The only thing to be aware of is that if you are using a public network (e.g. public wifi) then someone in theory can hijack the access point and redirect all traffic through them as a kind of proxy thus allowing them to read all the packets that get sent from your computer. As it isn't https, it means that any usernames and passwords are going to be sent in clear text and they could read them. Hence the could be "stolen" message you get.

Simplest for now is to have a password on here that isn't shared with any other accounts you might have.
Reply to this message | Report message
       
 Tue 28 Mar 17 16:50 
 Car4Play security - No FM2R
Thank you, and I don't share any passwords between accounts and everythign we right on here is in the open anyway, so it sounds like no particular issue.

Unique passwords are essential of course. I know that the Old Backroom stored passwords unencrypted, so I assume C4P does the same. Again I've never thought it an issue being that it is simply a forum.
Reply to this message | Report message
       
 Tue 28 Mar 17 17:34 
 Car4Play security - car4play
The passwords are stored hashed up on the database with variable seeding on the hash to prevent reverse hashing. So if someone hacks the database they would have to work quite hard to recover the password.
The old backroom stored them in plaintext.
Reply to this message | Report message
       
Latest Forum Posts