Comprehensive data protection for all workloads
Post Reply
lobo519
Veteran
Posts: 315
Liked: 38 times
Joined: Sep 29, 2010 3:37 pm
Contact:

why is this site not secure?!?

Post by lobo519 »

My security guys picked up my password for the Veeam forums website today in Snorby! Never really noticed this site isn't secure.

sorry didn't know where else to post.
Rich1985
Lurker
Posts: 1
Liked: never
Joined: Jun 30, 2011 8:44 am
Full Name: Richard
Contact:

Re: why is this site not secure?!?

Post by Rich1985 »

I've just noticed this after you mentioned it, more importantly it does not appear that the login to your veeam account details is over ssl either..
ThomasMc
Veteran
Posts: 293
Liked: 19 times
Joined: Apr 13, 2011 12:45 pm
Full Name: Thomas McConnell
Contact:

Re: why is this site not secure?!?

Post by ThomasMc »

I wouldn't imagine there are many forums that use https, just out of curiosity why is you security guy doing man in the middle to you :D
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: why is this site not secure?!?

Post by tsightler »

It's not really "man-in-the-middle" if the site is not secure. Almost all companies monitor for intrusions and other security related incidents at their perimeter. I would agree that very few forums use SSL, we used to catch passwords from forums and other similar sites all the time.
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: why is this site not secure?!?

Post by Gostev »

ThomasMc wrote:I wouldn't imagine there are many forums that use https
Ditto
ThomasMc
Veteran
Posts: 293
Liked: 19 times
Joined: Apr 13, 2011 12:45 pm
Full Name: Thomas McConnell
Contact:

Re: why is this site not secure?!?

Post by ThomasMc »

tsightler wrote:It's not really "man-in-the-middle" if the site is not secure.
Ah, thanks Tom
lobo519
Veteran
Posts: 315
Liked: 38 times
Joined: Sep 29, 2010 3:37 pm
Contact:

Re: why is this site not secure?!?

Post by lobo519 »

Gostev wrote: Ditto
I guess that makes it ok..... :|
What about the support/account portal??? thats not secure either..
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: why is this site not secure?!?

Post by tsightler »

I'm not saying it's OK, or not OK, I'm just pointing out that Veeam is not unique in this regard. On a personal note, I believe that all logins should be secure, but I know that they are not. Too many people share the same password for multiple sites so this provides exposure. That being said, until earlier this year, social sites like Facebook didn't even have secure login.
lobo519
Veteran
Posts: 315
Liked: 38 times
Joined: Sep 29, 2010 3:37 pm
Contact:

Re: why is this site not secure?!?

Post by lobo519 »

Point taken - on a side note - that was aimed at Gostev.. :wink: :wink:
cparker4486
Expert
Posts: 231
Liked: 18 times
Joined: Dec 07, 2009 5:09 pm
Full Name: Chris
Contact:

Re: why is this site not secure?!?

Post by cparker4486 »

Gostev wrote: Ditto
It's unfortunate that you feel that way. Security breaches happen at companies because the people in charge have this kind of attitude towards security.
-- Chris
dkteo
Lurker
Posts: 1
Liked: never
Joined: May 31, 2011 6:28 am
Full Name: Teddy Ostergaard
Contact:

Re: why is this site not secure?!?

Post by dkteo »

tsightler wrote:It's not really "man-in-the-middle" if the site is not secure.
That doesn't really matter. If your firewall/security guy steps intercepts the traffic, it is man-in-the-middle per definition. This could also easily be done if the website was using ssl.
Bunce
Veteran
Posts: 259
Liked: 8 times
Joined: Sep 18, 2009 9:56 am
Full Name: Andrew
Location: Adelaide, Australia
Contact:

Re: why is this site not secure?!?

Post by Bunce »

Huh? SSL tunnel is between the client browser and the web server hosting the site.
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: why is this site not secure?!?

Post by Gostev »

...unless there is SSL spoofing by a man-in-the-middle
Bunce
Veteran
Posts: 259
Liked: 8 times
Joined: Sep 18, 2009 9:56 am
Full Name: Andrew
Location: Adelaide, Australia
Contact:

Re: why is this site not secure?!?

Post by Bunce »

which requires a dodgy certificate, DSN spoofing, compromised PC, end user to ignore warning & accept accessing an untrusted site, etc. Most of the time - use error.

At the end of the day - any sensitive information such as business or corporate data must be secured.

A forum is not. No one with a brain will store sensitive information in forum registration details.

Client information / ticketing systems etc are - and must be secured. To not do so, is unprofessional.
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: why is this site not secure?!?

Post by Gostev »

Client information is secured. However, this community forum is not a part of Veeam IT infrastructure, and is not a "paid" resource like our technical support. This is standalone project that is maintained voluntarily, everyone at all is free to register and post here. The forum runs within certain constraints dictated by the board software feature set, backend server performance, etc.

Access to this forum is not something you get by paying Veeam money, and not something Veeam "owes" once you pay. Everyone is free to choose whether or not he/she wants to register on, and use this forum. If you don't feel comfortable using this forum for whatever reason (particularly, inability to logon to this board securely), please use our technical support instead. Support is paid-for service provided to customers with active maintenance agreements only. As a paid service, some may even consider support as being more convenient (for example, nobody will ask you to "search before you post") :wink:

If our web team gets some free cycles next year, I will ask them to research the possibility of adding SSL logons to this board.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: why is this site not secure?!?

Post by tsightler »

dkteo wrote: That doesn't really matter. If your firewall/security guy steps intercepts the traffic, it is man-in-the-middle per definition. This could also easily be done if the website was using ssl.
So I would agree that the security guy is a man in the middle, but if there is no encryption, then he is not performing a "man-in-the-middle" attack. The term "man-in-the-middle" almost always refers to some type of cryptographic attack or at least some type of attack to get traffic to be redirected where it's not supposed to go (for example ARP cache poisoning). Simply being a "man-in-the-middle" and monitoring the traffic whizzing by is not really a man-in-the-middle attack but more akin to standing in a public room and overhearing a conversation. My overall point was that unless traffic is encrypted, you should have zero expectation that someone along the path might not see your traffic as it's quite likely that your traffic is monitored at several points along the way.

I'm curious as to your statement as to how this is "easily" done using SSL. Certainly modern firewalls are performing SSL inspection by basically "breaking the chain" between the client and the SSL endpoint. Is this what you are referring to or is there something else?
Bunce
Veteran
Posts: 259
Liked: 8 times
Joined: Sep 18, 2009 9:56 am
Full Name: Andrew
Location: Adelaide, Australia
Contact:

Re: why is this site not secure?!?

Post by Bunce »

Gostev wrote: If our web team gets some free cycles next year, I will ask them to research the possibility of adding SSL logons to this board.
I doubt many care about securing the forum and would prefer resources be put into other areas.

I imagine most are referring to the client area / control panel (product keys / ticketing information etc)
Gostev wrote: Client information is secured
Image

Image

Certificates cost < $300. While its not protecting financial details or anything, its a relatively simple fix to something many see as unacceptable.
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: why is this site not secure?!?

Post by Gostev »

Bunce wrote:Most don't care about securing the forum - its the client area.
Maybe, but up until your post it was the opposite - just about everyone who participated were talking about securing the forum specifically :D let me quote the original poster.
lobo519 wrote:My security guys picked up my password for the Veeam forums website today in Snorby! Never really noticed this site isn't secure.
Moreover, whole 1st page both myself and other people have been commenting about how all other forums are typically not secure as well. I also explained that this forum is not a part of Veeam infrastructure. But now, all of a sudden you turn this all around and point at our web-site. So, I just wanted to make it clear that all of my prior comments were regarding this board only (otherwise, they may look stupid after your post) :D

Concerning the main web-site, this is not something I have much insight into, so I will forward this feedback to our web team director and see what he has to say.
Bunce
Veteran
Posts: 259
Liked: 8 times
Joined: Sep 18, 2009 9:56 am
Full Name: Andrew
Location: Adelaide, Australia
Contact:

Re: why is this site not secure?!?

Post by Bunce »

Gostev wrote:But now, all of a sudden you turn this all around and point at our web-site.
I didn't all of a sudden do anything.

The client area was raised in the first reply to the OP, and the OP himself later posted the following, to which I was responding in my initial post.
lobo519 wrote: I guess that makes it ok..... :|
What about the support/account portal??? thats not secure either..
So take a breath and chill for a second Anton. Its the holidays after all. :D
Gostev wrote: Concerning the main web-site, this is not something I have much insight into, so I will forward this feedback to our web team director and see what he has to say.
That would be swell. Thankyou.
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: why is this site not secure?!?

Post by Gostev »

My holiday starts in 3 days only... but as long as nobody thinks I am clueless lamer based on my comments (as they relate to this board only), I am cool ;)
wa15
Veteran
Posts: 323
Liked: 25 times
Joined: Jan 02, 2014 4:45 pm
Contact:

[MERGED] Veeam Support Portal - SSL

Post by wa15 »

Hello all,

It doesn't look like the portal to upload logs for Veeam support is encrypted. Since the logs contain IP addresses and internal server names; are there any plans for adding SSL encryption to the support portal so that the data exchange is encrypted?

Thanks.
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: why is this site not secure?!?

Post by Gostev »

I heard from the web team recently that this is coming this year finally...
emachabert
Veeam Vanguard
Posts: 395
Liked: 169 times
Joined: Nov 17, 2010 11:42 am
Full Name: Eric Machabert
Location: France
Contact:

Re: why is this site not secure?!?

Post by emachabert » 1 person likes this post

Just a quick reply about SSL stuff and internal security teams...

Most of big companies have web proxies that handle automatic SSL man-in-the-middle for trafic analysis and web filtering nowdays (Trendmicro, McAfee etc..).
And "normal" end users even don't know their SSL trafic is being unencrypted inside the proxy.

How it works:
- Bob the security admin create a GPO to deploy the proxy's certificate as a trusted certification authority to all the computers in the company.
- Each time a user tries to access a SSL secured website, the Proxy generate a similar certificate (CommonName) on the fly
- Proxy establish the SSL connection to the website, as if it was the end user.
- Proxy acts as a man-in-the-middle and do its job : Malware analysis, Virus analysis, Web filtering...no more Pr0n through SSL :-)

Privacy ?
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
Bunce
Veteran
Posts: 259
Liked: 8 times
Joined: Sep 18, 2009 9:56 am
Full Name: Andrew
Location: Adelaide, Australia
Contact:

Re: why is this site not secure?!?

Post by Bunce »

Happens at small companies to. If you don't like it, you're always free to work for someone else.
emachabert
Veeam Vanguard
Posts: 395
Liked: 169 times
Joined: Nov 17, 2010 11:42 am
Full Name: Eric Machabert
Location: France
Contact:

Re: why is this site not secure?!?

Post by emachabert » 1 person likes this post

Naaaaa I'm the guy who design and setup that stuff ;-)

By the way, people are now using their smartphone with high speed bandwitdh over 4G for their personnal stuff.
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
Post Reply

Who is online

Users browsing this forum: Bing [Bot], john_wood, Semrush [Bot] and 125 guests