ATS login is not secure


posted on Nov, 17 2017 @ 08:48 PM
link   

originally posted by: mysterioustranger
Tryin' to figure out what so special about it..?


Linux has a few advantages. One is that it's very secure for a few reasons. It's not 100% secure (nothing is) but it's above average. Another advantage to Linux is that most distributions are free. Finally, the big advantage is that Linux is very modular and can optimize specific actions: there are builds that are focused on penetration testing, builds for web servers, builds for office environments, and so on.... it's not published as a one size fits all solution.


originally posted by: Arbitrageur
On topic, what's the worst that can happen to me due to ATS lax security?


Account and password get hacked, it becomes cross referenced with your email as well as any other uses of the email or username online. Password (plus some variations on the password) get used on those accounts to try and get access. With good security on your end? There's not really anything bad that will happen to you. With average security? You could be opening several accounts up to being compromised.



posted on Nov, 18 2017 @ 02:25 PM
link   
a reply to: Arbitrageur

You: "On topic, what's the worst that can happen to me due to ATS lax security?"

My point? No issues. What security issue if I've been logged in since I joined, or months to years say? Never log out, never sign in, never use password they gave me 8 yrs ago. So what security issues will I have if I've never had them? I'm always bookmarked in...

If anyone is going in and out of everything, yeah. I'm signed in and bookmarked at/in multiple browsers and sites, bookmarked and fav's....been doing this for years. I just click "REMEMBER ME-MY PASSWORD"...next time. I click it and I'm on already.

That's just me.

PS I just counted...I'm signed/logged in to 17 sites, 5 emails, 4 sep. browsers and the rest sites like ATS, Ancestry.com, Infinityx, YouTube, Netflix....almost never needing to log out. So I'm always on...home, work, laptop, phone, tab. Click n go...



posted on Nov, 18 2017 @ 02:30 PM
link   
a reply to: Aazadan

Though I'm always signed in without passwords every time...I even stay logged into these when I run Virus Scans and when they do it automatically...

Never issues...so I don't see why people go "I think I'll go to ATS! And then Netflix!" sign in, enter passwords, click, click...don't see the need when it isn't necessary.

Just me....



posted on Nov, 18 2017 @ 02:38 PM
link   
"ATS login is not secure"

It just needs a hug.






posted on Nov, 18 2017 @ 03:15 PM
link   
IDK, to me HTTPS secure login is like a seat belt. If you're in a really, really bad crash it won't matter if you have a seat belt on or not, but it would be weird to find a car today that doesn't have seat belts.

There was some developer talk back in '15 about how having https interfered with Google Adsense revenue, but that's been debunked since. Perhaps https was turned off in hopes that revenue would go up, helping keep the lights on and the servers running?

That said, ATS sticks out like an anomaly for not having secure https connections...considering the paranoid nature of conspiracy theorists!



posted on Nov, 18 2017 @ 04:24 PM
link   

originally posted by: Kettu

originally posted by: Tempter
In all honesty, it'd take any good load-balancer a whole 30 minutes to front end this website with a secure backend channel using up to date cipher protocols and a 302-responding 80 redirect.

Why hasn't this been done yet?

Need some help? I'm cheapish.


I dunno man. I think the owner once chimed in about how this isn't off-the-shelf forum software, it's a custom job. You have to remember that you can still read posts from like 10+ years ago on here, and all the members over the years with all their photos and stuff they've uploaded.

I have a feeling ATS as a site takes up a LOT of storage space, and with as much traffic they have globally, they need dedicated servers...not shared or virtual ones. They also appear to be using a CDN (content delivery network) to boost speeds for page loads. Then, you have to figure in the cost of DDOS mitigation stuff (ATS has been attacked in the past, I remember not being able to get on here and announcements about being attacked being made). So, I'm sure they now pay for some kind of anti-hacking thing too.

So, I don't think ATS is just some website you can host on a VPS (virtual private server) using Ubuntu with DigitalOcean for like $9 a month...


It's not like that at all.

Without getting too much into it, you can purchase a Netscaler in the cloud and host a new hostname, abovetopsecret2.com on a new IP. This new IP actually would resolve to a Netscaler LBVIP with a bound service to 443. I could even LB the backend on 80 if needed. The point is to get the frontend using 443. Then, when we've tested abovetopsecret2.com you'd just flip the DNS and point it to the new IP, which uses the new certs, cipher groups, restricted TLS, etc and BAM, secure site.

It's child's play. ATS NOT using HTTPS is a joke in 2017. Or it's intentional.

Either way, that's some bad IT right there.



posted on Nov, 27 2017 @ 01:10 PM
link   
I just noticed this today. No https is bad.

Anyone scanning traffic along the route from your computer to ATS can see the passwords since they are in plain text.

Pretty much any government agency gathering data now has your passwords. If you use the same password on this site and other websites, I'd change those passwords now. Especially if that site is banking related.

I'm not sure why ATS does not have HTTPS support, especially when logging in. I regularly set up websites and use SSL certs. It's not that hard to set up.



posted on Nov, 27 2017 @ 04:03 PM
link   
I think ATS is basically running blind.

I have said this before in another thread but ATS these days feels like the lights are on but nobody is home.

Sure the site still does what it should but things like this make me feel like there is no longer anyone actually running and directing the site properly.

I don't know how it works but am guessing there is some kind of process to go through in establishing a secure login system, and because nobody is doing that kind of stuff anymore on ATS day to day it's been missed.



posted on Nov, 27 2017 @ 06:11 PM
link   
a reply to: grey580




Anyone scanning traffic along the route from your computer to ATS can see the passwords since they are in plain text.


Suppose we were able to generate ATS secure cookies for members only, would that be safe?
There are a lot of bots on the Net and you don't want to get singled out as a nefarious activist.



posted on Nov, 27 2017 @ 07:20 PM
link   
a reply to: Cauliflower

No, not the same.

SSL encrypts the traffic between your browser and the server.

As it stands, the site has no encryption. A malicious hacker could sniff traffic and see your password.

Simple explanation.



Longer explanation




posted on Nov, 27 2017 @ 07:43 PM
link   
I just glanced through all of the replies and didn't see any reply from ATS management. Have they replied to this? I'm interested in their take on it.

(If I missed it, let me know.)



posted on Nov, 27 2017 @ 07:59 PM
link   
a reply to: grey580

The Site Owners probably understand the hash risk better than we do.




posted on Aug, 27 2018 @ 11:13 PM
link   
No answer to this? Wow....



posted on Sep, 4 2018 @ 12:48 AM
link   
Maybe I never noticed before, but when I came here tonight the far left of my address bar says "Not secure". I'd think I would have noticed it before. Has ATS always had that notification??



posted on Sep, 28 2018 @ 04:07 AM
link   

originally posted by: grey580
a reply to: Cauliflower
SSL encrypts the traffic between your browser and the server.
As it stands, the site has no encryption. A malicious hacker could sniff traffic and see your password.

Not just that, everybody in between (ISPs, ocean cable owners, backbone providers, NSA, spammers, criminals looking for passwords and bank-logins, etc.) will be able to openly read what YOUR IP-address has posted and read at what second in time. Word for word.

This is indeed pretty bad. I've purposely stopped visiting ATS forums for that reason years ago. The only fairly safe way to visit ATS is through Onion Routing.

So, ATS management;
If you need someone to make your entire website available with TLS/SSL, with a freely renewable certificate (LetsEncrypt), let me know. I can do this for you, and make sure the old http:// requests (bookmarks etc) will properly redirect to the new secure ones starting with https:// , so you will not lose any visitors. I can make it get an A+ at Qualys www.ssllabs.com...


Feel free to email me about the details on how this could be arranged (I can do this entirely remotely, I'm not expensive, a small donation after a job successfully completed would be fine..). I have a LinkedIn profile for reference, if you need some more 'trust', which I'll gladly provide the link to.

With regards, a CISSP, CEH and almost CHFI, DFI.
edit on 28-9-2018 by Slagroom because: (no reason given)

edit on 28-9-2018 by Slagroom because: provided Qualys link
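
The two conditions this thread keeps returning to (old http:// requests redirecting to https://, and the password never crossing the wire in plain text) can be checked from a captured response. The following is an added example, not part of any post here and not ATS code; the host `forum.example.test`, the `audit` function and the sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordForms(HTMLParser):
    """Collect the action attribute of every <form> holding a password input."""
    def __init__(self):
        super().__init__()
        self.actions, self._action, self._has_pw = [], None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action, self._has_pw = a.get("action") or "", False
        elif tag == "input" and self._action is not None:
            self._has_pw |= (a.get("type") or "").lower() == "password"

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_pw:
                self.actions.append(self._action)
            self._action = None

def audit(url, status, headers, body=""):
    """Findings for one response; headers is a dict with lower-case keys."""
    findings = []
    if urlsplit(url).scheme == "http":
        target = urljoin(url, headers.get("location", ""))
        if status in (301, 302, 307, 308) and urlsplit(target).scheme == "https":
            return findings  # old http:// links are bounced to https://
        findings.append(f"{url}: served over plain HTTP, no redirect to HTTPS")
    parser = PasswordForms()
    parser.feed(body)
    for action in parser.actions:
        dest = urljoin(url, action)  # empty or relative action inherits the page scheme
        if urlsplit(dest).scheme != "https":
            findings.append(f"{url}: password form posts in cleartext to {dest}")
    return findings

# Constructed sample responses (hypothetical host forum.example.test).
LOGIN = '<form action="{}" method="post"><input name="u"><input type="password" name="p"></form>'
SAMPLES = {
    "plain": ("http://forum.example.test/login", 200, {}, LOGIN.format("/dologin")),
    "redirected": ("http://forum.example.test/login", 302,
                   {"location": "https://forum.example.test/login"}, ""),
    "mixed": ("https://forum.example.test/login", 200, {},
              LOGIN.format("http://forum.example.test/dologin")),
    "fixed": ("https://forum.example.test/login", 200, {}, LOGIN.format("/dologin")),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, audit(*resp) or "ok")
```

The "mixed" sample is the case a front-end-only migration can leave behind: the page itself loads over HTTPS while the form still submits to an absolute http:// URL.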



posted on Oct, 2 2018 @ 03:59 AM
link   
www.ssllabs.com...
this could become like this:
www.ssllabs.com...






