Dominic Sparks

for what it’s worth…

It’s a question of trust…


I’m not one of those people who’s particularly over-cautious about using the web, at least I don’t think I am.  Like many Mac users, I’m not too concerned about anti-virus software, and even on my Windows machines I have the minimum and most unobtrusive settings that I can get away with.  I don’t worry too much because my software firewalls are always running, and because I’m careful about what websites I visit, what software I download, and what or whose attachments I choose to open.

When it comes to protecting my identity online I take a similar approach; not so over-cautious that I have some really complex and unique password for every service I use, but also sensible enough to use new, one-off passwords with services that I don’t yet trust.  Perhaps most importantly, I always check whether the sites into which I’m entering passwords and other data are secure.  I always look for the padlock in my browser.

However, all too frequently these days I’m landing on login-screens that have no padlock.  The big question is, does this mean they are not secure?

The first time I encountered this on a site that claimed to be secure I was pretty worried, and contacted the site to report the problem and ask for an explanation.  It turned out that although the page itself was not secure, the login area was embedded inside a frame and was itself secured using an SSL connection.  The site in question was the now-defunct Monday Lottery.  Since then I usually go to slightly longer lengths to determine a site’s security for myself, rather than immediately firing off an email.  It makes sense to check one’s facts first, even though this practice of not securing the whole page is far from helpful in encouraging users to look out for and take notice of the padlock and other indicators.

Most of the online services I use not only claim that ‘We Take Your Privacy Seriously’; they also seem to live up to their word.  I’m not talking specifically about the fine and complicated details of what they choose to do with my personal details, but about how well they appear to protect my details at the point of entry, i.e. when I’m entering them into the browser.  Some example sites are Facebook, Twitter, and Friendfeed; they all have un-encrypted main pages, but they are secure because the login details get posted using an SSL connection to an HTTPS URL.  Similarly, such sites tend to use secure connections on any pages that contain personal details.  It’s not easy to tell this just by looking at the page in your browser; you have to delve deeper by viewing the page’s source, and to be totally sure the only way is either to contact the site by email or to sniff the network packets using a tool such as Wireshark.

It’s unfortunate that these ever-more complex sites seem to want to ignore the padlock convention.  I guess they have their reasons; maybe it’s just the Web 2.0 way.  But, apart from the fact that it makes it harder to tell whether sites are secure, this failure to adopt a standard approach is harmful to the padlock convention as a whole.  It’s a bit like the ‘herd immunity’ argument that accompanies most discussions of the MMR vaccine: if it is not adopted universally then the disease will prevail.  In the case of the visibility of a site’s security the failure works like this.  I’m an avid Facebook user, and I can’t live without Twitter.  Many of the top twitterers that I follow use both these tools, as well as Friendfeed, Huddle, Fav.or.it, various blogging sites, and so on.  We all trust these sites, and often rightly so as they are secure, but mainly we trust them because other people we trust also trust them.  No-one is complaining about Facebook security, or Twitter (well, not much!), or Friendfeed, and I think we take it for granted that sites that are used and recommended by others in our online communities are similarly trustworthy.  My friends trust Facebook, Twitter, Friendfeed, and others even though they have no padlock.  If it’s good enough for them, then it’s good enough for me!

Recently this propagation of trust has led many twitterers to sign up for the twitorfit website.  Tweets have been going out left, right and center from people suggesting that their followers give them a rating.  It’s just a bit of fun, and it’s backed by two well known and well trusted web companies: Huddle.net and fav.or.it.  But, in the midst of a recent bout of security-doubt, I decided to take a look at their login screen.  Unlike most of the sites mentioned above, Twitorfit doesn’t have its own user database; it’s specifically designed for the Twitter community, and as such uses the Twitter API and Twitter username/password to identify users.  Because of this fact, because their webpage was asking me for my Twitter details, and in the light of recent security breaches at Twitter and the general consensus that Twitter security as a whole has a few holes, I was slightly dubious about the lack of the padlock.  Looking further at the page source I found that it submits my Twitter credentials using an unsecured connection.  And sniffing the network packets with Wireshark showed my username and password in plain text.  This is not a good thing, and as a Software Architect who thinks about security most days of the week, I found it pretty unbelievable.

Now, twitorfit is just a bit of fun, and if they had their own username/password I wouldn’t be quite so concerned.  But in this case I am entrusting them with my Twitter details, and they are making a bold (and true) claim that they will not store them, but in my opinion they are not taking enough care to protect these details at the point of entry.  OK, so it’s only my Twitter username and password, and it’s not like this is going to end up with anyone getting into my banking site, or credit card site, or my Amazon account, or whatever other online services I use, right?  Because just like absolutely every other person on the planet I made sure my passwords on all these sites are totally and absolutely unrelated, and not guessable given even the slightest piece of knowledge…. yeah, right!

Following up on this, and knowing that twitorfit is actually built by the teams at Huddle.net and fav.or.it, I decided to put these sites to the test.  Huddle.net appears OK, using HTTPS on its main page.  But where things get really nasty is on fav.or.it.  They support many different ways of logging in; I can use credentials from a dozen or so other sites to identify myself to fav.or.it.  Quite astonishingly, if I sniff the packets when using this page I can see my details in plain text.  The excerpt below is the trace of the packets sent when I log in using a (fake, of course) WordPress account.  You can clearly see the username and password that I entered (‘myUsername/myPassword’) in the last line:

POST /auth/login HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://my.fav.or.it/auth/login
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; InfoPath.2)
Host: my.fav.or.it
Content-Length: 45
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: favorit_anon=23f0a583606687330f1f34c680c71960g23620a; __utma=170299703.3468827689299247000.1231713511.1231713511.1231713511.1; __utmb=170299703.1.10.1231713511; __utmc=170299703; __utmz=170299703.1231713511.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); favorit_session=v2dptt26fua094kns753u3e073; __utma=75863689.3438752490060657000.1231713576.1231713576.1231713576.1; __utmb=75863689.4.10.1231713576; __utmc=75863689; __utmz=75863689.1231713576.1.1.utmcsr=fav.or.it|utmccn=(referral)|utmcmd=referral|utmcct=/

user=myUsername&pass=myPassword&type=wordpress
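The two checks described above, reading a login page’s source to see where the form posts, and reading a captured plaintext request to see what an observer on the wire gets, can both be automated. The script below is an added example written for this post; it is not the author’s tooling and not code from any of the sites named here. The host names, the sample HTML and the captured request are all constructed (the capture is modelled on the excerpt above, with a placeholder cookie). The PARTIAL verdict is the Facebook/Twitter pattern the post discusses: the credentials travel over HTTPS, but the page that delivered the form did not, so there is no padlock and the form itself arrived unauthenticated.

```python
"""Two checks for where login credentials actually travel.

Added example for this post (not the author's tooling, nor code from any
of the sites named above). All host names and sample inputs are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

SECURE, PARTIAL, INSECURE = "SECURE", "PARTIAL", "INSECURE"


class _FormCollector(HTMLParser):
    """Record every <form>: its action, method and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # values are None for attributes written without "=value"
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Classify each password form on a page by where it would send the credentials.

    Returns a list of (resolved_action_url, verdict):
      INSECURE - posts to http://: credentials cross the wire in clear text.
      PARTIAL  - posts to https:// but the page itself came over http://.
      SECURE   - page and form action are both https://.
    """
    collector = _FormCollector()
    collector.feed(html)
    collector.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    verdicts = []
    for form in collector.forms:
        if not form["password"]:
            continue  # search boxes and the like carry no secret
        # An empty action submits back to the page URL; relative ones resolve against it.
        action = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlsplit(action).scheme.lower() != "https":
            verdict = INSECURE
        elif page_scheme != "https":
            verdict = PARTIAL
        else:
            verdict = SECURE
        verdicts.append((action, verdict))
    return verdicts


def exposed_form_fields(raw_request):
    """Return the form fields a passive observer reads from a captured plaintext request.

    Only application/x-www-form-urlencoded bodies are decoded; anything else yields {}.
    """
    text = raw_request.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    return {name: values[0] for name, values in parse_qs(body.strip()).items()}


# Constructed login page: one form posts to https from an http page, one posts in the clear.
SAMPLE_HTML = """
<html><body>
<form action="https://login.example.test/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit"></form>
<form action="/auth/login" method="post">
  <input name="user"><input type="Password" name="pass"></form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

# Constructed capture modelled on the excerpt in the post; the cookie is a placeholder.
_BODY = "user=myUsername&pass=myPassword&type=wordpress"
CAPTURED_REQUEST = (
    "POST /auth/login HTTP/1.1\r\n"
    "Host: login.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "Cookie: session=PLACEHOLDER\r\n"
    "\r\n" + _BODY
)

if __name__ == "__main__":
    for action, verdict in audit_login_forms("http://www.example.test/login", SAMPLE_HTML):
        print(f"{verdict:9} {action}")
    print("visible on the wire:", exposed_form_fields(CAPTURED_REQUEST))
```

Run it and the first form is reported PARTIAL, the second INSECURE, and the captured request yields the three fields exactly as the excerpt shows them. The audit only looks at the markup as served; a page that builds or rewrites its form with script needs the sniffing check to confirm what actually leaves the browser.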

Quite simply put, this is outrageous and to my mind totally unacceptable.  I’m trusting this site with my details and they are falling at the first hurdle.

So, for what it’s worth, here’s my advice.

If you use fav.or.it, be very careful which credentials you use to log in.
If you use twitter, choose a unique password for your account and change it regularly…
And in general, don’t take anything at face value; sites without a padlock might or might not be secure, and sites that are trustworthy might not be as robustly secure as they ought to be.

Written by domsparks

January 11, 2009 at 11:00 pm

3 Responses


  1. Hi Dominic,

    Completely correct, for something like twitorfit (and thousands of others) it is a lot of extra work to put SSL behind it.

    But fav.or.it *should* have been done ages ago, we have an SSL certificate, but like you I took it that so many sites were *not* using SSL due to the lack of the padlock. And given other priorities we never went back and sorted it, we only just moved to making ‘all’ authentication go through ‘my.fav.or.it’ which will now make it very easy to implement.

    The question is whether the main login page should be SSL (the downside is that nothing can be cached on an SSL page, and therefore takes up 4-5x the processing) – or whether we just use SSL for the post.

    I appreciate the timely reminder and will make sure it is sorted this week,

    Nick

    Nick Halstead

    January 12, 2009 at 12:00 am

  2. Hi Nick, thanks for the response.
    I guess that’s the reason those other sites only secure their login-post action. I suppose the only downside is the lack of a padlock, but if your site has a reputation as being trustworthy maybe it’s enough to simply say that it is secure, e.g. by having a button that says ‘Secure Login’, much like Amazon do on their login page…

    In the meantime, I’m now going to concentrate my efforts on trying to improve my twitorfit rating. I can live with the security issues, but not so much with my inexplicably low score. Are you sure the Maths are correct on this site? :-)

    Cheers,
    Dominic.

    domsparks

    January 12, 2009 at 1:45 am

  3. [...] a comment » Further to my previous entry “It’s A Question Of Trust”, and comments thereon, I have done a little further research into the blatant disregard for [...]
