
Thom Holwerda,
"Well, in all honesty - I did check with the team if our passwords (and yours) are all properly secured. I don't want to dive into specifics,"
Ah, security by obscurity then. (just kidding Thom)
" but suffice it to say they are all properly encrypted ."
Well, not exactly since it's over plain HTTP.
If hackers did get in, they could alter anything in the database. They could install keyloggers or modify the hashing function such that they are able to decrypt passwords easily.
Am I right in thinking it's extremely unlikely that you'd notice?
Even a single XSS vulnerability would give an attacker the opportunity to steal your credentials if you follow a malicious link.
If you were a high profile target, it'd probably be worth hiring someone else to do penetration testing, which most companies fail to do.
Many companies around here don't even want to pay to fix known vulnerabilities. Like Sony, a theoretical attack vector isn't important until it has been actively exploited.
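The comment above is about whether stored passwords are "properly encrypted" and what happens if an attacker tampers with the hashing code. As an added illustration (not code from OSnews or from anyone in this thread), here is what a defensible password store looks like: a per-user random salt, a deliberately slow key-derivation function (scrypt from Python's standard library), a self-describing record so parameters can be raised later, a constant-time comparison, and a refusal to accept records whose cost parameters have been downgraded below the site's minimum. The record format and the minimum cost are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters (assumed for this example; tune for the server's hardware).
SCRYPT_N = 2 ** 14      # CPU/memory cost; 128 * N * r = 16 MiB here
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_N_MIN = 2 ** 14  # records below this are treated as tampered/obsolete
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.

    A fresh random salt is generated unless one is supplied (tests only).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Check a password against a stored record without leaking timing.

    Rejects records that are not scrypt or whose cost has been lowered,
    which is the kind of silent weakening an attacker with database access
    might attempt.
    """
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt" or int(n) < SCRYPT_N_MIN:
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify_password("correct horse battery staple", rec))
```

Note that a record like this cannot be "decrypted" at all; the only way to recover a password is to guess it, and the scrypt cost is what makes each guess expensive. Checking the stored cost parameters on every verification is a cheap way to notice the database-side tampering the comment worries about.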
Thom Holwerda,
Another point to make is that by allowing third parties to execute code on your web pages, you've implicitly given them access to our credentials as well.
For example, your pages are running scripts from google adsense, google analytics and quantcast. Any one of these could target osnews users if they wanted to and capture credentials without even touching anything on the site.
I'm often a little surprised how little this bothers people.
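To make the point above concrete, here is an added example (not code from OSnews or from this thread's authors) that audits a page for scripts loaded from hosts other than the site's own and counts inline scripts, then builds a Content-Security-Policy `script-src` directive listing only the third parties you have consciously decided to trust. The sample HTML, the first-party host names and the third-party host names are constructed for the example.

```python
from html.parser import HTMLParser
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Hosts considered first party (assumption for this example).
FIRST_PARTY_HOSTS = {"osnews.com", "www.osnews.com"}

# Constructed sample page: one first-party script, three third-party ones
# and one inline script using document.write.
SAMPLE_HTML = """
<html><head>
<script src="/static/site.js"></script>
<script src="//www.google-analytics.com/ga.js"></script>
<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
</head><body>
<script>document.write('<div>ad slot</div>');</script>
<script src="http://edge.quantserve.com/quant.js"></script>
</body></html>
"""


class ScriptSourceCollector(HTMLParser):
    """Collect <script src=...> URLs and count inline <script> blocks."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []
        self.inline_count = 0

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self.inline_count += 1


def audit_scripts(html: str, first_party: Set[str]) -> Tuple[List[str], int]:
    """Return (sorted third-party script hosts, number of inline scripts)."""
    collector = ScriptSourceCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        host = urlsplit(src).hostname  # handles http://, https:// and //host
        if host is None:
            continue  # relative URL: served by the site itself
        if host not in first_party:
            hosts.add(host)
    return sorted(hosts), collector.inline_count


def suggested_csp(allowed_third_party: Iterable[str]) -> str:
    """Build a script-src directive permitting self plus an explicit allowlist.

    Anything not listed is blocked by the browser; inline scripts (such as
    document.write calls) are also blocked unless 'unsafe-inline' is added.
    """
    parts = ["'self'"] + sorted(set(allowed_third_party))
    return "script-src " + " ".join(parts) + ";"


if __name__ == "__main__":
    third, inline = audit_scripts(SAMPLE_HTML, FIRST_PARTY_HOSTS)
    print("third-party script hosts:", third)
    print("inline scripts:", inline)
    print("Content-Security-Policy:", suggested_csp(["www.google-analytics.com"]))
```

The policy only narrows which hosts may run code; every host that stays on the list still executes with full access to the page, including any login form on it, which is exactly the exposure the comment describes. Running the audit against a page on each deployment catches a newly added script host before it quietly becomes a trusted party.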
Oh really? I didn't see them. ;-)
Sorry OSnews crew, I would like to see them. :-(
Really I do, although they can be a bit distracting at times.
But scripts loading from other sites and document.write just don't cut it for me. They affect performance and security a tad too much for my liking.
I block every external file with a plugin right now, which is highly annoying with people adding more and more domains to their site and loading jQuery and its plugins and more of the same from Google, Microsoft and Yahoo.
Still, I do run those ads on my own site though. :-(
They are at the bottom of the page, where they have the least impact on performance.
The site makes less money than the hosting would cost but that is currently free for us, so is the site for the users.
I wish SPDY/HTTPS/SNI would be in widespread use; that would really help to speed up websites and make them secure, and not need to use HTTP, like Alfman mentioned above.
While I'm talking things which could be really improved, the Certificate Authority system (as used by HTTPS and friends) could really be improved by the use of DNSSEC.
So now this comment is long enough. :-)
Edited 2011-06-19 10:09 UTC
Well, in all honesty - I did check with the team if our passwords (and yours) are all properly secured. I don't want to dive into specifics, but suffice it to say they are all properly encrypted
Edited 2011-06-18 17:12 UTC