-
- Veteran
- Posts: 315
- Liked: 38 times
- Joined: Sep 29, 2010 3:37 pm
- Contact:
why is this site not secure?!?
My security guys picked up my password for the Veeam forums website today in Snorby! Never really noticed this site isn't secure.
sorry didn't know where else to post.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jun 30, 2011 8:44 am
- Full Name: Richard
- Contact:
Re: why is this site not secure?!?
I've just noticed this after you mentioned it. More importantly, it does not appear that the login to your Veeam account details is over SSL either.
-
- Veteran
- Posts: 293
- Liked: 19 times
- Joined: Apr 13, 2011 12:45 pm
- Full Name: Thomas McConnell
- Contact:
Re: why is this site not secure?!?
I wouldn't imagine there are many forums that use https. Just out of curiosity, why is your security guy doing man in the middle to you?
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: why is this site not secure?!?
It's not really "man-in-the-middle" if the site is not secure. Almost all companies monitor for intrusions and other security related incidents at their perimeter. I would agree that very few forums use SSL, we used to catch passwords from forums and other similar sites all the time.
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
ThomasMc wrote: I wouldn't imagine there are many forums that use https
Ditto
-
- Veteran
- Posts: 293
- Liked: 19 times
- Joined: Apr 13, 2011 12:45 pm
- Full Name: Thomas McConnell
- Contact:
Re: why is this site not secure?!?
tsightler wrote: It's not really "man-in-the-middle" if the site is not secure.
Ah, thanks Tom
-
- Veteran
- Posts: 315
- Liked: 38 times
- Joined: Sep 29, 2010 3:37 pm
- Contact:
Re: why is this site not secure?!?
Gostev wrote: Ditto
I guess that makes it ok.....
What about the support/account portal??? That's not secure either..
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: why is this site not secure?!?
I'm not saying it's OK, or not OK, I'm just pointing out that Veeam is not unique in this regard. On a personal note, I believe that all logins should be secure, but I know that they are not. Too many people share the same password for multiple sites so this provides exposure. That being said, until earlier this year, social sites like Facebook didn't even have secure login.
-
- Veteran
- Posts: 315
- Liked: 38 times
- Joined: Sep 29, 2010 3:37 pm
- Contact:
Re: why is this site not secure?!?
Point taken - on a side note - that was aimed at Gostev..
-
- Expert
- Posts: 231
- Liked: 18 times
- Joined: Dec 07, 2009 5:09 pm
- Full Name: Chris
- Contact:
Re: why is this site not secure?!?
Gostev wrote: Ditto
It's unfortunate that you feel that way. Security breaches happen at companies because the people in charge have this kind of attitude towards security.
-- Chris
-
- Lurker
- Posts: 1
- Liked: never
- Joined: May 31, 2011 6:28 am
- Full Name: Teddy Ostergaard
- Contact:
Re: why is this site not secure?!?
tsightler wrote: It's not really "man-in-the-middle" if the site is not secure.
That doesn't really matter. If your firewall/security guy steps intercepts the traffic, it is man-in-the-middle per definition. This could also easily be done if the website was using ssl.
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
Huh? SSL tunnel is between the client browser and the web server hosting the site.
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
...unless there is SSL spoofing by a man-in-the-middle
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
which requires a dodgy certificate, DNS spoofing, compromised PC, end user to ignore warning & accept accessing an untrusted site, etc. Most of the time - user error.
At the end of the day - any sensitive information such as business or corporate data must be secured.
A forum is not. No one with a brain will store sensitive information in forum registration details.
Client information / ticketing systems etc are - and must be secured. To not do so, is unprofessional.
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
Client information is secured. However, this community forum is not a part of Veeam IT infrastructure, and is not a "paid" resource like our technical support. This is a standalone project that is maintained voluntarily, everyone at all is free to register and post here. The forum runs within certain constraints dictated by the board software feature set, backend server performance, etc.
Access to this forum is not something you get by paying Veeam money, and not something Veeam "owes" once you pay. Everyone is free to choose whether or not he/she wants to register on, and use this forum. If you don't feel comfortable using this forum for whatever reason (particularly, inability to logon to this board securely), please use our technical support instead. Support is a paid-for service provided to customers with active maintenance agreements only. As a paid service, some may even consider support as being more convenient (for example, nobody will ask you to "search before you post")
If our web team gets some free cycles next year, I will ask them to research the possibility of adding SSL logons to this board.
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: why is this site not secure?!?
dkteo wrote: That doesn't really matter. If your firewall/security guy steps intercepts the traffic, it is man-in-the-middle per definition. This could also easily be done if the website was using ssl.
So I would agree that the security guy is a man in the middle, but if there is no encryption, then he is not performing a "man-in-the-middle" attack. The term "man-in-the-middle" almost always refers to some type of cryptographic attack or at least some type of attack to get traffic to be redirected where it's not supposed to go (for example ARP cache poisoning). Simply being a "man-in-the-middle" and monitoring the traffic whizzing by is not really a man-in-the-middle attack but more akin to standing in a public room and overhearing a conversation. My overall point was that unless traffic is encrypted, you should have zero expectation that someone along the path might not see your traffic as it's quite likely that your traffic is monitored at several points along the way.
I'm curious as to your statement as to how this is "easily" done using SSL. Certainly modern firewalls are performing SSL inspection by basically "breaking the chain" between the client and the SSL endpoint. Is this what you are referring to or is there something else?
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
Gostev wrote: If our web team gets some free cycles next year, I will ask them to research the possibility of adding SSL logons to this board.
I doubt many care about securing the forum and would prefer resources be put into other areas.
I imagine most are referring to the client area / control panel (product keys / ticketing information etc)
Gostev wrote: Client information is secured
Certificates cost < $300. While it's not protecting financial details or anything, it's a relatively simple fix to something many see as unacceptable.
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
Bunce wrote: Most don't care about securing the forum - its the client area.
Maybe, but up until your post it was the opposite - just about everyone who participated were talking about securing the forum specifically; let me quote the original poster.
lobo519 wrote: My security guys picked up my password for the Veeam forums website today in Snorby! Never really noticed this site isn't secure.
Moreover, whole 1st page both myself and other people have been commenting about how all other forums are typically not secure as well. I also explained that this forum is not a part of Veeam infrastructure. But now, all of a sudden you turn this all around and point at our web-site. So, I just wanted to make it clear that all of my prior comments were regarding this board only (otherwise, they may look stupid after your post)
Concerning the main web-site, this is not something I have much insight into, so I will forward this feedback to our web team director and see what he has to say.
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
Gostev wrote: But now, all of a sudden you turn this all around and point at our web-site.
I didn't all of a sudden do anything.
The client area was raised in the first reply to the OP, and the OP himself later posted the following, to which I was responding in my initial post.
lobo519 wrote: I guess that makes it ok..... What about the support/account portal??? thats not secure either..
So take a breath and chill for a second Anton. It's the holidays after all.
Gostev wrote: Concerning the main web-site, this is not something I have much insight into, so I will forward this feedback to our web team director and see what he has to say.
That would be swell. Thank you.
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
My holiday starts in 3 days only... but as long as nobody thinks I am a clueless lamer based on my comments (as they relate to this board only), I am cool
-
- Veteran
- Posts: 323
- Liked: 25 times
- Joined: Jan 02, 2014 4:45 pm
- Contact:
[MERGED] Veeam Support Portal - SSL
Hello all,
It doesn't look like the portal to upload logs for Veeam support is encrypted. Since the logs contain IP addresses and internal server names; are there any plans for adding SSL encryption to the support portal so that the data exchange is encrypted?
Thanks.
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: why is this site not secure?!?
I heard from the web team recently that this is coming this year finally...
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: why is this site not secure?!?
Just a quick reply about SSL stuff and internal security teams...
Most big companies have web proxies that handle automatic SSL man-in-the-middle for traffic analysis and web filtering nowadays (Trendmicro, McAfee etc.).
And "normal" end users don't even know their SSL traffic is being unencrypted inside the proxy.
How it works:
- Bob the security admin creates a GPO to deploy the proxy's certificate as a trusted certification authority to all the computers in the company.
- Each time a user tries to access an SSL-secured website, the proxy generates a similar certificate (CommonName) on the fly.
- The proxy establishes the SSL connection to the website, as if it were the end user.
- The proxy acts as a man-in-the-middle and does its job: malware analysis, virus analysis, web filtering... no more Pr0n through SSL
Privacy?
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
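The re-signing flow described in the post above is visible to the client: the certificate still validates and carries the site's names, but its issuer is the proxy's CA. The following is an added example, not part of the original post; it assumes a reference certificate recorded from a network that does not pass through the proxy, and all names and serial numbers are constructed.

```python
# Constructed samples in the dict layout returned by ssl.SSLSocket.getpeercert().
SEEN_DIRECT = {
    "subject": ((("commonName", "portal.example.org"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
    "serialNumber": "0A1B2C",
    "subjectAltName": (("DNS", "portal.example.org"),),
}
SEEN_VIA_PROXY = {
    "subject": ((("commonName", "portal.example.org"),),),
    "issuer": ((("organizationName", "Corp IT"),),
               (("commonName", "Corp Inspection Proxy CA"),)),
    "serialNumber": "77F001",
    "subjectAltName": (("DNS", "portal.example.org"),),
}

def flatten(rdns):
    """Turn getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def dns_names(cert):
    """Sorted, lower-cased DNS entries from the subjectAltName field."""
    return sorted(v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS")

def classify(observed, reference):
    """Compare the certificate seen locally with one recorded out-of-band.

    Returns (verdict, issuer_common_name_or_None).
    """
    obs_issuer = flatten(observed.get("issuer", ()))
    ref_issuer = flatten(reference.get("issuer", ()))
    same_issuer = obs_issuer == ref_issuer
    same_serial = observed.get("serialNumber") == reference.get("serialNumber")
    if same_issuer and same_serial:
        return "direct", None
    if same_issuer:
        return "reissued-by-same-ca", None      # e.g. an ordinary renewal
    if dns_names(observed) == dns_names(reference):
        # Same site names, different signer: the certificate was re-signed in transit.
        return "re-signed", obs_issuer.get("commonName")
    return "different-site", obs_issuer.get("commonName")
```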
-
- Veteran
- Posts: 259
- Liked: 8 times
- Joined: Sep 18, 2009 9:56 am
- Full Name: Andrew
- Location: Adelaide, Australia
- Contact:
Re: why is this site not secure?!?
Happens at small companies too. If you don't like it, you're always free to work for someone else.
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: why is this site not secure?!?
Naaaaa I'm the guy who designs and sets up that stuff
By the way, people are now using their smartphone with high speed bandwidth over 4G for their personal stuff.
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023