Avid Pro Audio Community


gscaife 03-21-2019 04:42 PM

Avid DUC not secure?
 
Browsers Chrome and Safari are both warning that duc.avid.com is not a secure site. Safari will not allow me to continue the login process but Chrome will let me login (even though there is a bright red NOT SECURE warning in the banner). Apparently there isn't an https route to the site.

musicman691 03-22-2019 06:49 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by gscaife (Post 2519771)
Browsers Chrome and Safari are both warning that duc.avid.com is not a secure site. Safari will not allow me to continue the login process but Chrome will let me login (even though there is a bright red NOT SECURE warning in the banner). Apparently there isn't an https route to the site.

There isn't and there's no need to as nothing is sold here. I don't use Safari - hate the gui. My browser of choice is Firefox Quantum.


Safari will let me login no problem. What version Safari and what OSX?

mbafmike 03-22-2019 10:35 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by gscaife (Post 2519771)
Browsers Chrome and Safari are both warning that duc.avid.com is not a secure site. Safari will not allow me to continue the login process but Chrome will let me login (even though there is a bright red NOT SECURE warning in the banner). Apparently there isn't an https route to the site.


Don't panic. It is, as you said, because duc.avid.com does not use the Hypertext Transfer Protocol Secure (https).

You do not enter credit card details here in the forum, isn't it?

musicman691 03-22-2019 11:02 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by mbafmike (Post 2519830)
Don't panic. It is, as you said, because duc.avid.com does not use the Hypertext Transfer Protocol Secure (https).

You do not enter credit card details here in the forum, isn't it?

It's a free forum run by Avid.

Frank Kruse 03-24-2019 04:18 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by mbafmike (Post 2519830)
Don't panic. It is, as you said, because duc.avid.com does not use the Hypertext Transfer Protocol Secure (https).

You do not enter credit card details here in the forum, isn't it?

Well for people who use the same login credentials for every website it can be dangerous. It's never a good idea to send logins in plain text over the internets.

That's how identities get stolen and misused for worse purposes even when this is "just" a forum. So I do hope AVID will transition the DUC to https sooner than later.

Google is slowly banning search results for non-encrypted websites mid term so they won't have a choice anyway ;-)

Just be aware that everything you do here is sent across the net in plain text. Including your passwords, "private" messages etc.

F.

andrej770 03-24-2019 11:12 AM

Re: Avid DUC not secure?
 
Any entry into a browser is the responsibility of the user (credit card info, home address, dob, SSN, etc.). We've gotten so lazy these days that we want to be placated at every site we go to. Own your own security. HTTPS is only required for a site where secure information is exchanged; this is not one of those sites. ESPN is not secure either. I wonder if we're complaining to them? ;);)

Darryl Ramm 03-24-2019 12:02 PM

Re: Avid DUC not secure?
 
The opponents of https here may be underestimating the potential risks involved.

There is just no reason any public (i.e. non toy) website should use open http today.

Https protects users from man in the middle attacks, protects users from easy things like stealing passwords (yes you should not reuse passwords or slight permutations on different services... but people do). Anybody want to guess how many users share passwords across DUC and avid.com and iLok.com? This and other reasons are why companies like Google are pushing for increased adoption of https, and folks have worked to make this all easier for web site owners to deploy. There is just no valid reason why Avid has not implemented https here. If not here, God hope Avid has folks paying attention to security elsewhere. A non-SSL protected user forum associated with corporate website, cloud services, online stores, billing systems, etc, is likely to be an interesting target for a malicious hacker. Oh and folks here with home studios full of valuable equipment... maybe being careful to not share location or other personal information on DUC... it may be possible to grab enough info about those users via a MITM attack to end up locating their studio.

Frank Kruse 03-25-2019 08:31 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by Darryl Ramm (Post 2519981)
The opponents of https here may be underestimating the potential risks involved.

There is just no reason any public (i.e. non toy) website should use open http today.

Https protects users from man in the middle attacks, protects users from easy things like stealing passwords (yes you should not reuse passwords or slight permutations on different services... but people do). Anybody want to guess how many users share passwords across DUC and avid.com and iLok.com? This and other reasons are why companies like Google are pushing for increased adoption of https, and folks have worked to make this all easier for web site owners to deploy. There is just no valid reason why Avid has not implemented https here. If not here, God hope Avid has folks paying attention to security elsewhere. A non-SSL protected user forum associated with corporate website, cloud services, online stores, billing systems, etc, is likely to be an interesting target for a malicious hacker. Oh and folks here with home studios full of valuable equipment... maybe being careful to not share location or other personal information on DUC... it may be possible to grab enough info about those users via a MITM attack to end up locating their studio.

Well said.

nucelar 03-26-2019 04:32 AM

Re: Avid DUC not secure?
 
I have received a couple of extortion emails that included a real password I had used in the past. Something along the lines of "I know that your password is xxxx and that you have been naughty online, send us bitcoins etc..."

Years ago I did not have the habit of using different passwords, I used the same for the "not important" forums, including the DUC. I'm not saying the leak came from here, but people beware... use a pw that somehow you can link to the site you use it with.

Frank Kruse 03-26-2019 06:21 AM

Re: Avid DUC not secure?
 
Anyone with a DropBox, Adobe, Yahoo, Myspace, LinkedIn account and many more has likely had his credentials compromised via past data breaches.

You can check here if your address comes up in one of these databases.

https://haveibeenpwned.com

It's not only about keeping credit card info safe but also about identity theft which can gain access to the latter indirectly. If you are still using the same logins since those breaches happened you'd better change them asap.

andrej770 03-27-2019 09:07 PM

Re: Avid DUC not secure?
 
https certificates cost. This is a free forum where the terms are clearly, share at your own risk, it still falls back on individuals to understand the risk, assess it and take the necessary precautions. There is no bona fide reason to use https on this site other than to placate the paranoid. I would not waste the money frankly. There are no scripts running on this site or any vBulletin software that grabs passwords. A cookie is saved and that's it. FUD only works on those unwilling to educate themselves on the real risks. Google scrapes this site nightly so every word you type is searchable on Google.

While the whole conversation is a great discussion to have in context of information classified at a certain level other than public (which all forum data is), the risk here is so low it's not worth the money investing in securing it with https. Kinda like putting a deadbolt on your dog's doghouse door. What are you protecting that anyone really wants other than fleas. :D:D

Just MHO!

jeffro 04-03-2019 10:01 AM

Re: Avid DUC not secure?
 
Understand your concerns, looking into this with our host... stay tuned.

K Roche 04-03-2019 11:21 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by Frank Kruse (Post 2520181)
Anyone with a DropBox, Adobe, Yahoo, Myspace, LinkedIn account and many more has likely had his credentials compromised via past data breaches.

You can check here if your address comes up in one of these databases.

https://haveibeenpwned.com

It's not only about keeping credit card info safe but also about identity theft which can gain access to the latter indirectly. If you are still using the same logins since those breaches happened you'd better change them asap.

Wait how do we know that link is not some dark web email address gathering bottomless hole ?? :D

musicman691 04-03-2019 06:51 PM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by K Roche (Post 2521046)
Wait how do we know that link is not some dark web email address gathering bottomless hole ?? :D

Let's put it this way - it returned false positives for places I've never been

Darryl Ramm 04-03-2019 07:14 PM

Re: Avid DUC not secure?
 
Have I Been Pwned is a *very* well respected security web site. And since that URL uses https, you can be confident that it's really that web site you are seeing. If your email address is listed there on "sites" you don't think you have been to it's a sign that somebody else may have been using your email address, or some bad sites have some of your data (some "sites" where your email address will be reported consist of data stolen elsewhere). It does not necessarily mean your email account has been compromised, but change your password anyhow.

JFreak 04-04-2019 04:29 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by andrej770 (Post 2520402)
https certificates cost.

That would be the worst excuse of not using https in a forum with a user base this large -- and a user base that may or may not have another account somewhere else in avid.com so let's just take Jeffro's word for it and assume Avid is once again taking a look into this...

andrej770 04-09-2019 07:03 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by JFreak (Post 2521098)
That would be the worst excuse of not using https in a forum with a user base this large -- and a user base that may or may not have another account somewhere else in avid.com so let's just take Jeffro's word for it and assume Avid is once again taking a look into this...



Those “Secure” symbols don’t guarantee a website is safe from all threats. A phishing site, for example, can legitimately display that comforting green lock next to its https address.

Phishers make active use of this: According to Phishlabs, a quarter of all phishing attacks today are carried out on HTTPS sites (two years ago it was less than 1 percent). Moreover, more than 80 percent of users believe that the mere presence of a little green lock and the word “Secure” next to the URL means the site is safe, and they don’t think too hard before entering their data.

Don’t be lulled into thinking https is the answer, it’s just a step but also a step phishers have already moved beyond.

https://www.kaspersky.com/blog/https...afe/20725/amp/


Sent from my iPhone using Tapatalk

bobcharest 04-09-2019 08:11 AM

Re: Avid DUC not secure?
 
Point taken with regard to phishing sites.

I think the point of this thread is that it’s wise to not enter a password on an unsecure site that is the same as the password one uses on banking or credit card sites.

A best practice is to not make it easier for those looking to obtain passwords that they can use to crack IDs.

Encrypting data to/from this forum would be a good thing.

Best regards,
Bob Charest


Sent from my iPhone using Tapatalk

JFreak 04-09-2019 12:41 PM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by andrej770 (Post 2521620)
Don’t be lulled into thinking https is the answer, it’s just a step

Of course, but would be nice to get that one sorted out

andrej770 04-09-2019 12:44 PM

Re: Avid DUC not secure?
 
Still no one has posted the justification other than a nice to have. It's a forum that Google scrapes nightly so all comments are public. Someone explain what you are asking to be protected here? Yes there will be idiots that use the same password on DUC as they use on their bank and they deserve the issues their ignorance allows, to be frank. But encrypting a public forum with public information for public consumption - I don't get the point? It's like posting the national guard around a public park that has a public library on the grounds. What are they protecting?

JFreak 04-09-2019 12:51 PM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by andrej770 (Post 2521637)
Someone explain what you are asking to be protected here?

Someone somewhere wrote that most users are idiots and are likely using same password here and there so this https most likely would be protecting other parts of avid.com

Just a guess.

Darryl Ramm 04-09-2019 12:55 PM

Re: Avid DUC not secure?
 
I explained enough issues. You don’t think it’s an issue, too bad. I don’t know any security person who would think this is not an issue worth fixing.

Want to guess how many Avid staff might reuse passwords or slight permutations on DUC and Avid in-house systems? Want to guess if they have a corporate password management system or hardware key/2FA authentication implemented for internal systems? Oh what goodies that might reveal?

Want to think what could happen if somebody MITM attacks and gets admin access to DUC and all the non-public info is scraped?

Security happens in layers, https is one of those important layers.

andrej770 04-09-2019 01:05 PM

Re: Avid DUC not secure?
 
Darryl, if you feel so strongly why not offer to pay to move it to https for Avid. Put your money where your mouth is. Oh, not that important anymore right! :D:D:D It doesn't matter to me either way. I'm not one of the idiots JFREAK was referring to. But I agree there are those that need protecting from their own bad habits. Hmmm, maybe those that want https most are those that need protecting most. :D:D:D. Tell me... what's your password? And what's in YOUR wallet! :D:D:D:D:D:D:D:D

All in fun. Pull ya panties back out! :D:D:D

Darryl Ramm 04-09-2019 01:23 PM

Re: Avid DUC not secure?
 
Cost which has been brought up here before is a fallacy. Organizations like Let’s Encrypt provide certificates for *free*. Sure I’ll pay for one of those for Avid. Additional overhead costs should be down in the weeds, and easily offset by any security breach cost models.

How about having a nice slow think before you type a reply and see if you can come up with any actual reasons why using https would not improve security for almost everybody on DUC? My day job is working in the technology industry, including in the past for Google, I damn well appreciate their push to get everybody, technology luddites included, on https.

andrej770 04-09-2019 01:40 PM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by Darryl Ramm (Post 2521644)
Cost which has been brought up here before is a fallacy. Organizations like Let’s Encrypt provide certificates for *free*. Sure I’ll pay for one of those for Avid. Additional overhead costs should be down in the weeds, and easily offset by any security breach cost models.



How about having a nice slow think before you type a reply and see if you can come up with any actual reasons why using https would not improve security for almost everybody on DUC? My day job is working in the technology industry, including in the past for Google, I damn well appreciate their push to get everybody, technology luddites included, on https.



Darryl, you care! Great! I don’t! It’s simple. Nothing http or https has helped or hindered any of the work we do in PT or in the industry. AVID has never had a breach anywhere. The possibility and probability are always part of a thorough threat Matrix (I guess my days as Dir. of infoSec for a major airline for 15 years in which the no fly list landed on my desk to process in) comes in handy but doesn’t change my opinion on THIS site. This forum is about PT and PT processes. It’s great you care. There’s your pat on the back.

Now...back to writing music. Good day!


Sent from my iPhone using Tapatalk

jeffro 04-09-2019 02:23 PM

Re: Avid DUC not secure?
 
Not a bad idea to weigh the impact in cost or inconvenience when considering increases to security, but based on discussions with our forum host I don't see a valid reason at this point to not implement this change.

andrej770 04-09-2019 04:51 PM

Re: Avid DUC not secure?
 
Hooray Jeff. Darryl will be tickled pink.

As soon as that's done, everyone can go back to using the same password they use at their bank. LOL . https saved us again!

Sent from my iPhone using Tapatalk

Frank Kruse 04-10-2019 03:25 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by musicman691 (Post 2521071)
Let's put it this way - it returned false positives for places I've never been

Not saying that this is the case but it **could** mean that someone is already signing up to services in your name or using your name/email.

But again: not saying this must be the case. It just means your address is in those leaked/breached databases.

Frank Kruse 04-10-2019 03:29 AM

Re: Avid DUC not secure?
 
Quote:

Originally Posted by JFreak (Post 2521639)
Someone somewhere wrote that most users are idiots and are likely using same password here and there so this https most likely would be protecting other parts of avid.com

HTTPS won't stop people from recycling login credentials (and no one here claimed that), it protects from that info being intercepted by impersonating this website (MITM attack) and gets you to go there by sending you a fake email with a "click here to verify your account" or whatever. We all get these all the time.

Clicking on the little lock lets you verify the website you are visiting actually IS run by AVID and not someone else.

musicman691 10-14-2019 03:24 PM

Re: Avid DUC not secure?
 
Had an interesting thing just happen about an hour ago. I usually don't put my daw computer online but my other Mac was so slow with some streaming YouTube video I went to my cheesegrater. When I was done with that I decided to browse the DUC. I normally stay logged in to the DUC on both computers but when I came to the daw machine my login was cleared and when I went to login up came a message saying the connection was not secure and had steps to go through to get in here. Yet my other Mac is fine and still logged in to the DUC.


Daw comp runs OSX 10.13.6 and other Mac (2010 Mini) is running 10.6.8

