Heartbleed


jallerton


That's....troubling, frankly. Login details at the very least should be encrypted.

 

Agreed. When I log in to the web view I can see that username and password get sent in plain text as part of the form data of a request to http://webutil.bridgebase.com/v2/ud_api.php and to http://webutil.bridgebase.com/v2/rd_listmail.php. It appears that someone then hashes the password, because the username and a large number instead is sent for the later request to http://webutil.bridgebase.com/v2/frontpage.php. Fortunately there are only small amounts of money associated with BBO accounts. The only query param in the URL is a cbust, which is a random number (and is likely there to trick/force caches not to cache the pages). But as far as I can tell from the Chrome network tab, the form data, including the password for the first two requests, is in plain text.

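The check described in the post above, as an added example that is not code from the original thread or from BBO: a small audit over a HAR export (the format Chrome's network tab saves) that reports any password-like field sent to an http:// endpoint. The HAR entries are constructed for the example; the endpoint paths are the ones named in the post, while the field names and values are assumptions.

```python
"""Audit a browser HAR export for credentials sent over cleartext HTTP.

Added example, not code from the original thread or from BBO. It reads the
"log.entries" list of a HAR file, looks at each request's query string and
POST body, and reports any password-like field whose request went over
http:// rather than https://. The HAR below is constructed: the endpoint
paths come from the post above, the field names and values are assumptions.
"""
import json
from urllib.parse import parse_qsl, urlsplit

PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}  # assumed naming conventions

SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST",
                 "url": "http://webutil.bridgebase.com/v2/ud_api.php?cbust=0.4031",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "username", "value": "alice"},
                                         {"name": "password", "value": "hunter2"}]}}},
    {"request": {"method": "POST",
                 "url": "http://webutil.bridgebase.com/v2/rd_listmail.php?cbust=0.7718",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=alice&password=hunter2"}}},
    {"request": {"method": "POST",
                 "url": "http://webutil.bridgebase.com/v2/frontpage.php?cbust=0.1190",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=alice&hash=1873650192"}}},
    {"request": {"method": "POST",
                 "url": "https://www.bridgebase.com/forums/index.php?app=core&module=global&section=login",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=alice&password=hunter2"}}},
]}})


def request_fields(request):
    """Yield (name, value) for every parameter in the query string and POST body."""
    url = urlsplit(request["url"])
    yield from parse_qsl(url.query, keep_blank_values=True)
    post = request.get("postData", {})
    for p in post.get("params", []):          # HAR: already-parsed form params
        yield p["name"], p.get("value", "")
    if "text" in post:                         # HAR: raw body, urlencoded in this sample
        yield from parse_qsl(post["text"], keep_blank_values=True)


def audit_har(har_text):
    """Return one finding per request that carries a password-like field over http."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        exposed = sorted({name for name, _ in request_fields(req)
                          if name.lower() in PASSWORD_FIELDS})
        if exposed and url.scheme == "http":
            # Drop the query string (the cbust cache-buster) when naming the endpoint.
            findings.append({"method": req["method"],
                             "endpoint": url._replace(query="").geturl(),
                             "fields": exposed})
    return findings


if __name__ == "__main__":
    for f in audit_har(SAMPLE_HAR):
        print(f"{f['method']} {f['endpoint']} sends {', '.join(f['fields'])} in cleartext")
```

On the constructed sample this flags the two http:// requests that carry a password field and stays quiet about the request that only carries the hashed value and about the https:// forum login. Both HAR body shapes are handled, the pre-parsed `params` list and the raw `text` body, because exports differ in which one they populate.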

That's....troubling, frankly. Login details at the very least should be encrypted.

 

No IT guy, me, but I had the impression that if the URL starts with "https://" then it is sent encrypted, but if it starts with "http://" then it is not. Heartbleed compromised the encryption. A lot of sites (most of BBO included) use the basic "http://" URL. Maybe that is an oversimplification?


The web pages we use for credit card entry use https and have been patched.

 

The various BBO clients don't use encryption in the first place.

 

Thanks for the answer.

 

I guess I would agree with subsequent posters that the login should be secure. That said, access to the login would not seem to compromise anything but the username and password. If the login were secure, it potentially - and ironically - would have exposed whatever was in memory, as opposed to just being able to log in (and change a password).

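The "whatever was in memory" point in the post above, shown as an added example that is not code from the original thread, from BBO or from OpenSSL: a simulation of the missing bounds check behind Heartbleed (CVE-2014-0160). An RFC 6520 heartbeat message is a type byte, a 2-byte payload_length, the payload, and at least 16 bytes of padding; the vulnerable responder echoed payload_length bytes back without checking that the record it received was that long, so the echo ran into whatever sat next to the record in process memory, and the fix discards any record whose claimed length does not fit. The byte string standing in for process memory, and the "secret" it contains, are constructed for the example.

```python
"""Simulate the missing bounds check behind Heartbleed (CVE-2014-0160).

Added example, not code from the original thread, from BBO or from OpenSSL.
RFC 6520 heartbeat message: type (1 byte), payload_length (2 bytes,
big-endian), payload, then at least 16 bytes of padding. The vulnerable
responder trusted payload_length; the patched one checks it against the
length of the record actually received. Process memory is a constructed
byte string here and the "secret" it holds is invented for the example.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 minimum padding

# Constructed stand-in for whatever happens to sit after the record in memory.
ADJACENT_MEMORY = b"username=alice&password=hunter2&Cookie: session=deadbeef;"


def build_heartbeat(payload, claimed_len=None):
    """Encode a heartbeat request; claimed_len lets a client lie about the payload size."""
    if claimed_len is None:
        claimed_len = len(payload)
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", claimed_len)
            + payload + b"\x00" * PADDING_LEN)


def _parse_header(memory, offset):
    hbtype = memory[offset]
    (payload_len,) = struct.unpack(">H", memory[offset + 1:offset + 3])
    return hbtype, payload_len


def _echo(memory, offset, payload_len):
    start = offset + 3
    echoed = memory[start:start + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_len)
            + echoed + b"\x00" * PADDING_LEN)


def respond_vulnerable(memory, offset, record_len):
    """Pre-fix behaviour: trusts payload_length and never looks at record_len."""
    hbtype, payload_len = _parse_header(memory, offset)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    # Copies payload_len bytes from the payload start, even past the end of the record.
    return _echo(memory, offset, payload_len)


def respond_patched(memory, offset, record_len):
    """Post-fix behaviour: the claimed payload must fit inside the received record."""
    if 1 + 2 + PADDING_LEN > record_len:
        return None  # too short to hold even a header and the padding
    hbtype, payload_len = _parse_header(memory, offset)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # silently discarded, as the fix does
    return _echo(memory, offset, payload_len)


def demo():
    """Return (vulnerable echo, patched echo) for a request that claims 64 bytes but sends 2."""
    record = build_heartbeat(b"hi", claimed_len=64)
    memory = record + ADJACENT_MEMORY
    return respond_vulnerable(memory, 0, len(record)), respond_patched(memory, 0, len(record))


if __name__ == "__main__":
    leaked, patched = demo()
    print("vulnerable echo:", leaked)
    print("patched echo:", patched)
```

Run as a script, the vulnerable echo contains the constructed credentials and cookie that followed the 21-byte record, while the patched responder returns nothing. An honest request, where payload_length matches the bytes sent, gets the same echo from both versions, which is why the bug went unnoticed in normal use.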

No IT guy, me, but I had the impression that if the URL starts with "https://" then it is sent encrypted, but if it starts with "http://" then it is not. Heartbleed compromised the encryption. A lot of sites (most of BBO included) use the basic "http://" URL. Maybe that is an oversimplification?

 

Yes indeed, that's my concern. Doesn't BBO Forums use the same passwords as BBO? To log in to BBO Forums, the address shown on my browser is:

 

https://www.bridgebase.com/forums/index.php?app=core&module=global&section=login


Yes indeed, that's my concern. Doesn't BBO Forums use the same passwords as BBO? To log in to BBO Forums, the address shown on my browser is:

 

https://www.bridgeba...l&section=login

 

The forum uses whatever password you want for it. There is no forced relationship between the forum password and the gaming password; however, both have to have the same username. It would not surprise me if a lot of people use the same password for both, but that is on them, not the software.
