  1. #1
    Scampi is offline Private Member
    Join Date
    August 2013
    Posts
    855
    Thanks
    371
    Thanked 314 Times in 181 Posts

    How Secure are your Details on HTTP?

    I've just noticed Codetaff doesn't use HTTPS. How secure is HTTP? Considering banking details etc. are on there, is it safe?

    [Attachment: codaf.jpg]

  2. The Following User Says Thank You to Scampi For This Useful Post:

    AussieDave (18 March 2018)

  3. #2
    AussieDave is offline Public Member
    Join Date
    November 2005
    Location
    from the land downunder
    Posts
    3,588
    Blog Entries
    1
    Thanks
    1,353
    Thanked 1,468 Times in 846 Posts

    There are a number of aff programs that STILL have not moved to SSL. For any login that's not SSL (https), the login data could be intercepted - it's sent over the net as plain text. Same goes for any personal/banking data etc.

    SSL (https) data is encrypted.

    Whereas http is not.

    Reiterating, http is transmitted (sent) in plain text format to the server, and vice versa. Hence, http is not secure!
    Last edited by AussieDave; 18 March 2018 at 6:20 pm. Reason: grammatics
    ---
    Do the right thing, even when no one is looking. It's called integrity.
    ---

    igaming affiliates rights - fairness for all iGaming affiliates

  4. The Following User Says Thank You to AussieDave For This Useful Post:

    Scampi (19 March 2018)

  5. #3
    Malikbhai is online now Public Member
    Join Date
    September 2017
    Posts
    500
    Thanks
    141
    Thanked 279 Times in 182 Posts

    SSL is overhyped; for websites at least.

    The only security it provides is for data transmission from website to the server. If I wanted to steal that transmission, I'd sit outside the data center that houses thousands of servers and then try to brush it out. Only complex hacking is done this way; for example, the ones we see from the NSA, the Russian government and the greatest looking guy in the world: Mr. Kim Jong Un. Such attempts at housebreaking are generic and used for retrospective information retrieval.

    There are higher chances of larceny by data center employees, who willfully sell out client profiles to the highest bidder, than of remote hacking, as it requires enormous resources that only governments and organized crime syndicates have.

    Users are vulnerable when they use an unencrypted internet connection.

    A website can have an SSL installation, yet the client profiles can be stolen if one's connection from the browser to the website is insecure. SSL only encrypts data movement from the website to the server. This means that if you were the target, any person running Wireshark-type data-packet sniffing software would be able to suck out the user and password details you send over to an SSL site.

    The solution to that is a VPN connection, which encrypts your connection to the data centers. People who don't even know what a VPN is are in the majority.

    More security is required on POSs, where credit card data is sent out to the processor. If it's insecure then it can be smelled out by somebody sitting in a car in the parking area. This is a huge problem in the U.S., and most credit card thefts happen this way.

    Many large U.S. stores don't secure credit card processing over the internet.
    Last edited by Malikbhai; 19 March 2018 at 5:13 pm.

  6. The Following User Says Thank You to Malikbhai For This Useful Post:

    Scampi (19 March 2018)

  7. #4
    AussieDave is offline Public Member
    Join Date
    November 2005
    Location
    from the land downunder
    Posts
    3,588
    Blog Entries
    1
    Thanks
    1,353
    Thanked 1,468 Times in 846 Posts

    Quote Originally Posted by Malikbhai:
    SSL is overhyped; for websites at least.

    While I agree the chances of someone specifically intercepting an unsecured http data send is unlikely, the OP specifically asked "how secure is HTTP?". In which case, the correct answer is: it's not secure.
    ---
    Do the right thing, even when no one is looking. It's called integrity.
    ---

    igaming affiliates rights - fairness for all iGaming affiliates

  8. #5
    Breakout Affiliates is offline Non-sponsor Affiliate Program
    Join Date
    May 2017
    Location
    Cape Town, South Africa
    Posts
    195
    Thanks
    34
    Thanked 137 Times in 99 Posts

    Quote Originally Posted by Scampi:
    I've just noticed Codetaff doesn't use HTTPS. How secure is HTTP? Considering banking details etc. are on there, is it safe?
    [Attachment: codaf.jpg]

    Not at all secure, on any level; information is being sent unencrypted to and from the server.
    Mandy Goldberg
    Head of Affiliates
    Breakout Affiliates powered by 4KingMedia

    Skype: mandy.goldberg.affiliation
    https://breakoutaffiliates.com/
    https://breakoutcasino.com/
    https://breakoutpoker.com/
    https://breakoutgaming.com/

  9. The Following User Says Thank You to Breakout Affiliates For This Useful Post:

    Cash Bonus (19 March 2018)

  10. #6
    TheGooner is offline Private Member
    Join Date
    March 2007
    Location
    New Zealand
    Posts
    4,114
    Thanks
    1,845
    Thanked 4,012 Times in 1,906 Posts

    Point of order gents - computer nerd speaking:

    Because we are talking about proper websites like Income Access or NetRefer, it's unlikely that the actual password is being sent anywhere.
    This would be extremely bad practice - and I'm pretty sure that you guys did actually guess that in the 15-20 years of the internet prior to https being widespread, passwords were not being compromised.

    What is most likely to be sent from the browser is a SHA-256 HASH of the password and other elements in the message to the server.
    The server then compares this value against a HASH of the locally stored password using a secure process.

    This is the same way banks send PIN data from ATMs and EFT-POS all across the planet using basic X.25 protocols (the message is never encrypted) and don't have to worry about the integrity of the systems or data. Sensitive PIN information is never exposed in transit, only a calculated HASH.

    Another powerful real-world example of how encryption algos can help business (like crypto-currency).

    --------------

    NB:

    A HASH is a computational encryption of data to get an 8 or 16 byte result - it takes the PIN or password, and usually 2-3 items of other known data - including one piece of changing data (like milliseconds or sequence number) - and gets a result that is very variable but cryptographically calculable and secure.

    e.g. Here is a basic example.

    Let's take a password example and use username Albert and password Einstein, DONE AT 10:17AM ON 20-03-2018.

    The cryptographic function will take all three elements, convert them to hexadecimal equivalents and combine them in an extremely clever and complicated way that makes it extremely hard to crack:

    0000ALBERT
    00EINSTEIN
    1017436435
    ----------------
    ???????????? = HASH

    It's impossible to reverse engineer this HASH back to the original password - as all the elements affect the HASH - so intercepting the HASH is useless. This means that PINs (and PASSWORDS) are transmitted securely over unencrypted protocols.

    -------------------------------

    TL;DR?
    In summary, in proper commercial systems the password is NEVER sent out of the browser at all.
    Cryptography sends a clever HASH that means password data is secure whether it's http or https.
    Last edited by TheGooner; 19 March 2018 at 4:25 pm. Reason: More info for clarity.

  11. The Following 2 Users Say Thank You to TheGooner For This Useful Post:

    elgoog (20 March 2018), Scampi (19 March 2018)

  12. #7
    Malikbhai is online now Public Member
    Join Date
    September 2017
    Posts
    500
    Thanks
    141
    Thanked 279 Times in 182 Posts

    Quote Originally Posted by TheGooner:
    Because we are talking about proper websites like Income Access or NetRefer, it's unlikely that the actual password is being sent anywhere.
    This would be extremely bad practice - and I'm pretty sure that you guys did actually guess that in the 15-20 years of the internet prior to https being widespread that passwords were not being compromised.

    Nowadays MD5 hashes, or any other hashes for that matter, are precomputed for all possible strings and stored for easy access. Though in theory MD5 is not reversible, using such databases you may find out which text resulted in a particular hash value.

    Salting the hashes can add an extra security layer, which makes breaking even harder, if not impossible.

    Most hackings that have a commercial value attached to them aren't the result of sophistication, but simple social engineering done on the employees of the victim company.

    A successful heist is done through the effective use of human emotions, not scripts.
    Last edited by Malikbhai; 19 March 2018 at 4:30 pm.
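The precomputed-table and salting point in the post above, as an added example that is not code from any poster in this thread or from any site named in it. It contrasts a plain SHA-256 of a password (which a table built from common words can match directly) with a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library), where a table built without that salt has nothing to match against. The candidate word list, the iteration count and the record format are this example's own constructed choices, not any site's.

```python
"""Salted, iterated password hashing versus a precomputed digest table.

Added example for this thread; the word list, iteration count and record
format below are constructed for illustration and belong to no real site.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Assumption: a cost setting chosen for the example, not a recommendation
# for any particular site.
ITERATIONS = 100_000


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256 of the password text, the kind a table can be built for."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Constructed stand-in for a precomputed table: digest -> original word."""
    return {unsalted_sha256(word): word for word in candidates}


def lookup(table: Dict[str, str], digest_hex: str) -> Optional[str]:
    """Return the word whose plain SHA-256 equals digest_hex, or None."""
    return table.get(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a stored record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh 16-byte random salt is drawn per call unless one is supplied,
    so the same password never yields the same stored digest twice.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_digest(record: str) -> str:
    """Extract the digest part of a stored record (for table comparison)."""
    return record.split("$")[3]


if __name__ == "__main__":
    # Constructed word list standing in for a precomputed table.
    table = build_table(["password", "letmein", "Einstein", "qwerty"])

    # Plain SHA-256: the digest of a common word is matched immediately.
    print("unsalted match:", lookup(table, unsalted_sha256("Einstein")))

    # Salted + iterated: two records for the same password differ, both verify,
    # and neither digest appears in the table built without the salt.
    rec_a = hash_password("Einstein")
    rec_b = hash_password("Einstein")
    print("records differ:", rec_a != rec_b)
    print("verify a/b:", verify_password("Einstein", rec_a), verify_password("Einstein", rec_b))
    print("salted match:", lookup(table, stored_digest(rec_a)))
```

The per-user salt is stored in clear next to the digest; its job is not secrecy but making every stored digest unique, so a table computed once cannot be reused across users or sites, and the iteration count adds cost per guess on top of that.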

  13. #8
    TheGooner is offline Private Member
    Join Date
    March 2007
    Location
    New Zealand
    Posts
    4,114
    Thanks
    1,845
    Thanked 4,012 Times in 1,906 Posts

    Quote Originally Posted by Malikbhai:
    Nowadays MD5 hashes, or any other hashes for that matter, are precomputed for all possible strings and stored for easy access.

    Can't speak for MD5 - but SHA-256 still gives good protection.

    Basically - to do all the HASH calculations for the unknown piece of data (password or PIN) would take billions and billions of years - at 1 million hashes per second it would take
    12,700,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to test all possibilities (past the expected time of human life on earth).

    And there would be around 36^64 / 2^256 or 34,600,000,000,000,000,000,000 collisions found.
    (These are false positives where data matches the hash but isn't the correct value.)

    This stackoverflow answer explains it in detail:
    https://stackoverflow.com/questions/...-a-sha256-hash
    Last edited by TheGooner; 19 March 2018 at 4:37 pm. Reason: more info and a link

  14. #9
    Malikbhai is online now Public Member
    Join Date
    September 2017
    Posts
    500
    Thanks
    141
    Thanked 279 Times in 182 Posts

    Quote Originally Posted by TheGooner:
    Can't speak for MD5 - but SHA-256 still gives good protection.

    Basically - to do all the HASH calculations for the unknown piece of data (password or PIN) would take billions and billions of years - at 1 million hashes per second it would take
    12,700,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to test all possibilities (past the expected time of human life on earth).

    And there would be around 36^64 / 2^256 or 34,600,000,000,000,000,000,000 collisions found.
    (These are false positives where data matches the hash but isn't the correct value.)

    This stackoverflow answer explains it in detail:
    https://stackoverflow.com/questions/...-a-sha256-hash

    I'm aware of SHA-256. And yes, the latest cryptology adds another near-impenetrable firewall to already decent packet transmission protocols.

    But eventually it jots down to one thing: is user data hackable or not?

    Technically, perhaps not. However, like I said above, most financially lucrative breaches happen by someone sitting in North Korea making up a fake relationship with a forever-alone IT head who has access to client profiles - as an example.

    Encryption technology is like wearing thick jackets in a cold winter; but this is not a guarantee one wouldn't get the flu. People wear the protective clothing in winters and still get the seasonal flu.

    Companies need to be careful about who they are employing to fight against data breaches, rather than being pedantic about programming.
    Last edited by Malikbhai; 19 March 2018 at 4:58 pm.

  15. #10
    TheGooner is offline Private Member
    Join Date
    March 2007
    Location
    New Zealand
    Posts
    4,114
    Thanks
    1,845
    Thanked 4,012 Times in 1,906 Posts

    I'll park the North Korean diatribe ..
    Although I'd suggest Russia, China, USA and Israel are probably far more active than the technically inferior NK state.

    Glad we agree that http vs https is not a big issue for passwords with commercial systems.

  16. #11
    Malikbhai is online now Public Member
    Join Date
    September 2017
    Posts
    500
    Thanks
    141
    Thanked 279 Times in 182 Posts

    Quote Originally Posted by TheGooner:
    I'll park the North Korean diatribe ..
    Although I'd suggest Russia, China, USA and Israel are probably far more active than the technically inferior NK state.

    Glad we agree that http vs https is not a big issue for passwords with commercial systems.

    Israeli contribution is far more prominent.

    But, yes. OK.

  17. #12
    universal4 is offline Forum Administrator
    Join Date
    July 2003
    Location
    Sinking Faster, just when I thought it couldn't get worse it did!
    Posts
    25,743
    Thanks
    1,609
    Thanked 7,330 Times in 4,653 Posts

    Not really sure how many websites are authenticating passwords on the public IP, instead of a private IP.

    Please do not try and think the database servers are "localhost".

    So, sitting outside the data center does nothing really, unless you are already sitting on a compromised server inside, and if so it has little to do with browser traffic.

    Rick
    Universal4

  18. The Following User Says Thank You to universal4 For This Useful Post:

    Cash Bonus (20 March 2018)

  19. #13
    Muppet is offline Private Member
    Join Date
    December 2007
    Posts
    564
    Thanks
    165
    Thanked 650 Times in 282 Posts

    Quote Originally Posted by Malikbhai:
    The only security it provides is for data transmission from website to the server.

    A website can have an SSL installation, yet the client profiles can be stolen if one's connection from the browser to the website is insecure. SSL only encrypts data movement from the website to the server. This means that if you were the target, any person running Wireshark-type data-packet sniffing software would be able to suck out the user and password details you send over to an SSL site.

    Watchoo talking bout Willis?

    The website is on the server. It doesn't live in your browser. SSL encrypts the transmission of data between the client computer (i.e. your web browser) and the website's server, which may be 20 hops away across the internet. Among other things SSL protects your plain text passwords from being intercepted anywhere along those 20 hops along the way. That's it. If the server's private key is stolen then sure you could have a specific, targeted man in the middle attack. But no SSL means any server hop along the way can steal your data.

    If a website is not using SSL then your password could be sniffed or captured. Sure they might be client side hashing the password first as TheGooner mentioned, but I think that is a mighty generous assumption to make as I have personally found more than a handful of casinos transmitting logins and passwords in plain text. RealDealBet was one I can remember not too long ago, and to their credit they fixed it when I pointed it out to them. Even if they are client side hashing first, if you're using a common word or you have reused your password from another site that has been breached, your hash may already be in a rainbow table somewhere already which means you are owned.

    On that point, I tested out that CodeTaff site and posted a test login. I don't have an account there but this is the data my browser posted. It is clearly not being encrypted client side before posting.

    Code:
    ReturnUrl=&__RequestVerificationToken=MHwwSjqjfOoSOua0IZ0tBYgK_ZqbA3qrq2b161M3K2Prb9j1rw97CvAX18QLoaQrJEx4gXtZblgNF8jVmm129ubgxVsmJA9W8142rLVIlMQ1&UserName=myusername&Password=testing&RememberMe=false
    Most casinos and poker sites have caught on and are using SSL these days. It is rare to find one that isn't. But affiliate programs are a different story and there are many that don't encrypt, which in this day and age is borderline criminal.

  20. The Following 2 Users Say Thank You to Muppet For This Useful Post:

    Cash Bonus (20 March 2018), TheGooner (20 March 2018)
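The form post Muppet captured from his own browser, turned into a self-check a site owner can run against their own login page. This is an added example, not code from any poster or from the site discussed; the request URL and form body below are constructed for the example (the token value is a placeholder, not the one shown in the post). It parses an application/x-www-form-urlencoded body, reports credential fields that would cross the wire readable over plain http, and produces a redacted copy of the body that is safe to keep in a log or a bug report.

```python
"""Check a captured login POST for credentials sent in the clear.

Added example for this thread. The sample URL and body are constructed;
the field-name list is this example's assumption about common login forms.
"""
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: form field names that usually carry a secret in login forms.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pin", "secret"}

# Constructed sample modelled on the shape of the post above; not real data.
CAPTURED_URL = "http://example.invalid/Account/Login"
CAPTURED_BODY = (
    "ReturnUrl=&__RequestVerificationToken=TOKEN_PLACEHOLDER"
    "&UserName=myusername&Password=testing&RememberMe=false"
)


def parse_form_body(body: str) -> Dict[str, str]:
    """Parse a urlencoded form body into name -> first value, keeping empty fields."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def audit_login_post(url: str, body: str) -> List[str]:
    """Return findings for one login request; an empty list means nothing flagged.

    Over https the body is protected in transit, so only the scheme matters
    for the 'readable on the wire' question this thread is about.
    """
    findings: List[str] = []
    scheme = urlsplit(url).scheme.lower()
    fields = parse_form_body(body)
    secret_fields = [name for name in fields if name.lower() in CREDENTIAL_FIELDS]

    if scheme != "https":
        findings.append(f"request uses '{scheme}', not https: the body is readable at every hop")
        for name in secret_fields:
            findings.append(f"field '{name}' carries a credential in clear text over '{scheme}'")
    return findings


def redact_body(body: str) -> str:
    """Return the same body with every credential field's value replaced by REDACTED."""
    fields = parse_form_body(body)
    cleaned = {
        name: ("REDACTED" if name.lower() in CREDENTIAL_FIELDS else value)
        for name, value in fields.items()
    }
    return urlencode(cleaned)


if __name__ == "__main__":
    for finding in audit_login_post(CAPTURED_URL, CAPTURED_BODY):
        print("FINDING:", finding)
    print("safe to log:", redact_body(CAPTURED_BODY))
```

The audit keys on the URL scheme rather than on what the password value looks like, because a hashed or encoded value sent over http is still exposed to every intermediary, and a plain value sent over https is not; the redaction helper exists so that a capture like the one in the post can be shared with the site operator without the credential itself travelling any further.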

  21. #14
    TheGooner is offline Private Member
    Join Date
    March 2007
    Location
    New Zealand
    Posts
    4,114
    Thanks
    1,845
    Thanked 4,012 Times in 1,906 Posts

    UserName=myusername&Password=testing

    Yes - I would expect the Password to be looking like Password=MHwwSjqjfOoSOua0IZ0tBYgK_ZqbA3qrq2b161M3K2Prb9j1rw97CvAX1 if they were using encryption or hashing or anything else - there is absolutely no need to send the password in clear text.


  22. The Following User Says Thank You to TheGooner For This Useful Post:

    Cash Bonus (20 March 2018)
