Hacker News new | ask | show | jobs
by vnorby 5125 days ago
The site is asking for an email which also happens to be a PayPal account (Placeholder text is "Email (and PayPal) address..."), along with a password. The user is not a known quantity and it's his/her first submission to HN, it's very possible he/she is hoping that PayPal email addresses/passwords that you put in match. There is no HTTPS, no seals or verification, no guarantees of the security of any of your data and that your password is not being stored in plaintext. There is a security vulnerability and the site was a purchased template. It's quite possibly legit, but without more information I would avoid.
1 comments
interwho 5125 days ago
I'm bcrypting the passwords.

Exact method: sha1(bcrypt(sha1(md5.'othersalt').'salt').'anothersalt') and a few more salts + sha1s

link
LeafStorm 5125 days ago
Which means nothing if it is possible to snipe the passwords from the HTTP request. Firesheep, anyone?
link
interwho 5125 days ago
You're right, I'll get a security cert + force ssl.
link
david_shaw 5125 days ago
>You're right, I'll get a security cert + force ssl.

As someone who has worked in security for years--in particular, application security assessments--thank you for taking the sometimes hard-to-swallow criticism well, and deciding to actually fix things rather than just deflect the issue. You probably have no idea how many (even reputable) organizations decide to "accept the risk" and ignore security findings. (Edit: More so than the SSL issue, I'm talking about fixing the CSRF)

>The user is not a known quantity and it's his/her first submission to HN, it's very possible he/she is hoping that PayPal email addresses/passwords that you put in match.

There is nothing wrong with the logic in this statement, but you also need to be careful how far you take it. One could argue that any of the small "Show HN" posts around here are hoping to harvest credentials. In fact, I'm sure that some of them do. When using software as a service--or indeed, any web application--there is an inherent degree of trust behind it. Even if the user had made many HN posts, or not bought the pre-made site (which looks nice, IMO), or purchased an HTTPS certificate... credential harvesting is still a real threat.

Even bigger services that claim to encrypt password databases have often been shown to in fact do nothing of the sort (eg, sending password reminder emails etc).

This is why security guys worth their salt will always suggest using random passwords for every service you sign up for and keeping them in an encrypted file a la KeePass or a TrueCrypt container with a long, complicated "master password" for the archive. Additionally, it's always a great idea to enable 2-factor authentication where ever possible (for example, Google accounts).

link
interwho 5125 days ago
If I didn't take any criticism, how would I improve? :)

As to the fact that this is my first post here, I've been a lurker for a long time, and finally had something good to post. I've been on reddit and a few developer forums under this username (and interwhos) for much longer.

Thank you for writing this.

link