-
- Veteran
- Posts: 315
- Liked: 38 times
- Joined: Sep 29, 2010 3:37 pm
- Contact:
why is this site not secure?!?
My security guys picked up my password for the Veeam forums website today in Snorby! Never really noticed this site isn't secure.
sorry didn't know where else to post.
sorry didn't know where else to post.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jun 30, 2011 8:44 am
- Full Name: Richard
- Contact:
Re: why is this site not secure?!?
I've just noticed this after you mentioned it, more importantly it does not appear that the login to your veeam account details is over ssl either..
-
- Veteran
- Posts: 293
- Liked: 19 times
- Joined: Apr 13, 2011 12:45 pm
- Full Name: Thomas McConnell
- Contact:
Re: why is this site not secure?!?
I wouldn't imagine there are many forums that use https, just out of curiosity why is you security guy doing man in the middle to you
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: why is this site not secure?!?
It's not really "man-in-the-middle" if the site is not secure. Almost all companies monitor for intrusions and other security related incidents at their perimeter. I would agree that very few forums use SSL, we used to catch passwords from forums and other similar sites all the time.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
DittoThomasMc wrote:I wouldn't imagine there are many forums that use https
-
- Veteran
- Posts: 293
- Liked: 19 times
- Joined: Apr 13, 2011 12:45 pm
- Full Name: Thomas McConnell
- Contact:
Re: why is this site not secure?!?
Ah, thanks Tomtsightler wrote:It's not really "man-in-the-middle" if the site is not secure.
-
- Veteran
- Posts: 315
- Liked: 38 times
- Joined: Sep 29, 2010 3:37 pm
- Contact:
Re: why is this site not secure?!?
I guess that makes it ok.....Gostev wrote: Ditto
What about the support/account portal??? thats not secure either..
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: why is this site not secure?!?
I'm not saying it's OK, or not OK, I'm just pointing out that Veeam is not unique in this regard. On a personal note, I believe that all logins should be secure, but I know that they are not. Too many people share the same password for multiple sites so this provides exposure. That being said, until earlier this year, social sites like Facebook didn't even have secure login.
-
- Veteran
- Posts: 315
- Liked: 38 times
- Joined: Sep 29, 2010 3:37 pm
- Contact:
Re: why is this site not secure?!?
Point taken - on a side note - that was aimed at Gostev..
-
- Expert
- Posts: 231
- Liked: 18 times
- Joined: Dec 07, 2009 5:09 pm
- Full Name: Chris
- Contact:
Re: why is this site not secure?!?
It's unfortunate that you feel that way. Security breaches happen at companies because the people in charge have this kind of attitude towards security.Gostev wrote: Ditto
-- Chris
-
- Lurker
- Posts: 1
- Liked: never
- Joined: May 31, 2011 6:28 am
- Full Name: Teddy Ostergaard
- Contact:
Re: why is this site not secure?!?
That doesn't really matter. If your firewall/security guy steps intercepts the traffic, it is man-in-the-middle per definition. This could also easily be done if the website was using ssl.tsightler wrote:It's not really "man-in-the-middle" if the site is not secure.
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
Huh? SSL tunnel is between the client browser and the web server hosting the site.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
...unless there is SSL spoofing by a man-in-the-middle
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
which requires a dodgy certificate, DSN spoofing, compromised PC, end user to ignore warning & accept accessing an untrusted site, etc. Most of the time - use error.
At the end of the day - any sensitive information such as business or corporate data must be secured.
A forum is not. No one with a brain will store sensitive information in forum registration details.
Client information / ticketing systems etc are - and must be secured. To not do so, is unprofessional.
At the end of the day - any sensitive information such as business or corporate data must be secured.
A forum is not. No one with a brain will store sensitive information in forum registration details.
Client information / ticketing systems etc are - and must be secured. To not do so, is unprofessional.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
Client information is secured. However, this community forum is not a part of Veeam IT infrastructure, and is not a "paid" resource like our technical support. This is standalone project that is maintained voluntarily, everyone at all is free to register and post here. The forum runs within certain constraints dictated by the board software feature set, backend server performance, etc.
Access to this forum is not something you get by paying Veeam money, and not something Veeam "owes" once you pay. Everyone is free to choose whether or not he/she wants to register on, and use this forum. If you don't feel comfortable using this forum for whatever reason (particularly, inability to logon to this board securely), please use our technical support instead. Support is paid-for service provided to customers with active maintenance agreements only. As a paid service, some may even consider support as being more convenient (for example, nobody will ask you to "search before you post")
If our web team gets some free cycles next year, I will ask them to research the possibility of adding SSL logons to this board.
Access to this forum is not something you get by paying Veeam money, and not something Veeam "owes" once you pay. Everyone is free to choose whether or not he/she wants to register on, and use this forum. If you don't feel comfortable using this forum for whatever reason (particularly, inability to logon to this board securely), please use our technical support instead. Support is paid-for service provided to customers with active maintenance agreements only. As a paid service, some may even consider support as being more convenient (for example, nobody will ask you to "search before you post")
If our web team gets some free cycles next year, I will ask them to research the possibility of adding SSL logons to this board.
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: why is this site not secure?!?
So I would agree that the security guy is a man in the middle, but if there is no encryption, then he is not performing a "man-in-the-middle" attack. The term "man-in-the-middle" almost always refers to some type of cryptographic attack or at least some type of attack to get traffic to be redirected where it's not supposed to go (for example ARP cache poisoning). Simply being a "man-in-the-middle" and monitoring the traffic whizzing by is not really a man-in-the-middle attack but more akin to standing in a public room and overhearing a conversation. My overall point was that unless traffic is encrypted, you should have zero expectation that someone along the path might not see your traffic as it's quite likely that your traffic is monitored at several points along the way.dkteo wrote: That doesn't really matter. If your firewall/security guy steps intercepts the traffic, it is man-in-the-middle per definition. This could also easily be done if the website was using ssl.
I'm curious as to your statement as to how this is "easily" done using SSL. Certainly modern firewalls are performing SSL inspection by basically "breaking the chain" between the client and the SSL endpoint. Is this what you are referring to or is there something else?
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
I doubt many care about securing the forum and would prefer resources be put into other areas.Gostev wrote: If our web team gets some free cycles next year, I will ask them to research the possibility of adding SSL logons to this board.
I imagine most are referring to the client area / control panel (product keys / ticketing information etc)
Gostev wrote: Client information is secured
Certificates cost < $300. While its not protecting financial details or anything, its a relatively simple fix to something many see as unacceptable.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
Maybe, but up until your post it was the opposite - just about everyone who participated were talking about securing the forum specifically let me quote the original poster.Bunce wrote:Most don't care about securing the forum - its the client area.
Moreover, whole 1st page both myself and other people have been commenting about how all other forums are typically not secure as well. I also explained that this forum is not a part of Veeam infrastructure. But now, all of a sudden you turn this all around and point at our web-site. So, I just wanted to make it clear that all of my prior comments were regarding this board only (otherwise, they may look stupid after your post)lobo519 wrote:My security guys picked up my password for the Veeam forums website today in Snorby! Never really noticed this site isn't secure.
Concerning the main web-site, this is not something I have much insight into, so I will forward this feedback to our web team director and see what he has to say.
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
I didn't all of a sudden do anything.Gostev wrote:But now, all of a sudden you turn this all around and point at our web-site.
The client area was raised in the first reply to the OP, and the OP himself later posted the following, to which I was responding in my initial post.
So take a breath and chill for a second Anton. Its the holidays after all.lobo519 wrote: I guess that makes it ok.....
What about the support/account portal??? thats not secure either..
That would be swell. Thankyou.Gostev wrote: Concerning the main web-site, this is not something I have much insight into, so I will forward this feedback to our web team director and see what he has to say.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
My holiday starts in 3 days only... but as long as nobody thinks I am clueless lamer based on my comments (as they relate to this board only), I am cool
-
- Veteran
- Posts: 323
- Liked: 25 times
- Joined: Jan 02, 2014 4:45 pm
- Contact:
[MERGED] Veeam Support Portal - SSL
Hello all,
It doesn't look like the portal to upload logs for Veeam support is encrypted. Since the logs contain IP addresses and internal server names; are there any plans for adding SSL encryption to the support portal so that the data exchange is encrypted?
Thanks.
It doesn't look like the portal to upload logs for Veeam support is encrypted. Since the logs contain IP addresses and internal server names; are there any plans for adding SSL encryption to the support portal so that the data exchange is encrypted?
Thanks.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
I heard from the web team recently that this is coming this year finally...
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: why is this site not secure?!?
Just a quick reply about SSL stuff and internal security teams...
Most of big companies have web proxies that handle automatic SSL man-in-the-middle for trafic analysis and web filtering nowdays (Trendmicro, McAfee etc..).
And "normal" end users even don't know their SSL trafic is being unencrypted inside the proxy.
How it works:
- Bob the security admin create a GPO to deploy the proxy's certificate as a trusted certification authority to all the computers in the company.
- Each time a user tries to access a SSL secured website, the Proxy generate a similar certificate (CommonName) on the fly
- Proxy establish the SSL connection to the website, as if it was the end user.
- Proxy acts as a man-in-the-middle and do its job : Malware analysis, Virus analysis, Web filtering...no more Pr0n through SSL
Privacy ?
Most of big companies have web proxies that handle automatic SSL man-in-the-middle for trafic analysis and web filtering nowdays (Trendmicro, McAfee etc..).
And "normal" end users even don't know their SSL trafic is being unencrypted inside the proxy.
How it works:
- Bob the security admin create a GPO to deploy the proxy's certificate as a trusted certification authority to all the computers in the company.
- Each time a user tries to access a SSL secured website, the Proxy generate a similar certificate (CommonName) on the fly
- Proxy establish the SSL connection to the website, as if it was the end user.
- Proxy acts as a man-in-the-middle and do its job : Malware analysis, Virus analysis, Web filtering...no more Pr0n through SSL
Privacy ?
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
Happens at small companies to. If you don't like it, you're always free to work for someone else.
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: why is this site not secure?!?
Naaaaa I'm the guy who design and setup that stuff
By the way, people are now using their smartphone with high speed bandwitdh over 4G for their personnal stuff.
By the way, people are now using their smartphone with high speed bandwitdh over 4G for their personnal stuff.
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
Who is online
Users browsing this forum: Bing [Bot], john_wood, Semrush [Bot] and 125 guests