New Platform - What do you think?

Discussion in 'Forum Related Issues' started by ddave, May 28, 2010.

  1. ddave

    ddave Master of the Pit OTBS Member SMF Premier Member

    Disclaimer:  This is somewhat techy but I have tried to make it straight forward and easy to understand.

    I must admit I'm kind of surprised at how the security and privacy concerns regarding Huddler are getting swept aside, as evidenced by how quickly this thread was closed.

    I too noticed some strange behavior regarding redirects when clicking in white space and the fact that when I go to the forum, NetNanny (hey, I have young kids) says that someone is trying to get to Facebook.


    So I decided to do some checking as to what other sites my browser was going to when I went to the forum.  So, using a network packet capture tool called Wireshark, I decided to analyze the traffic leaving and coming into my computer.  The following screenshot shows a capture of just loading the main page.


    The results have been filtered (trust me, you don't want to see the entire capture) to just show the names of the sites and not each and every packet.  Lots of advertising/social networking and data mining sites there, but I guess we already knew about that.

    The other thing that we techy types like to capture is the login sequence.  Wireshark has a function called Follow TCP Stream where you can see the conversation between your PC and the server.  Most of the info is gobbledygook, which is normal.  Some stuff will be in plain text.  Some stuff SHOULD NOT be in plain text.  Imagine my shock when I saw my password was in plain text as well.


    I changed my password for the demonstration and changed it to something else after, so don't anyone try and get into my account.

    Out of curiosity, I captured the login sequence of another forum I am a member of.


    As you can see, the password is encrypted, as it should be.  Incidentally, as you can see, that site is a vBulletin site.

    What does this mean?  It means that your passwords are travelling to the server in plain text, folks.  That means they can be easily read and collected.  Will they be?  I don't know.  Will I be using the same password that I used to use for other accounts?  Absolutely not!!

    Probably an oversight on the Huddler folks' part, but a pretty poor security practice nonetheless.  Something to think about.

    Last edited: May 29, 2010
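The check ddave describes above, done by eye in Wireshark's Follow TCP Stream window, can be automated. The following is an added example written for this thread, not code from the original post or from Huddler or vBulletin: it takes the client-to-server half of a TCP stream as raw bytes (what the Follow TCP Stream dialog lets you save), recognizes whether it is readable HTTP or a TLS handshake, parses the HTTP request, and reports any form field whose name looks like a password, plus the session cookie, since a cookie sent over plain HTTP is just as replayable. The sample request, the host `forum.example.com`, the path and the field names are all constructed for the example and are not any real site's login form.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

# --- Constructed sample data (hypothetical host, path and field names) ---
SAMPLE_BODY = b"username=ddave&password=Secret%21&remember=1"
SAMPLE_STREAM = b"\r\n".join([
    b"POST /login HTTP/1.1",
    b"Host: forum.example.com",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Cookie: sessid=abc123",
    b"Content-Length: %d" % len(SAMPLE_BODY),
    b"",
    SAMPLE_BODY,
])
# First bytes of a TLS 1.x ClientHello record (constructed): 0x16 = handshake,
# 0x03 0x01 = record version. A stream that starts like this is not readable.
TLS_SAMPLE = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
# Field names that conventionally carry a secret.
SECRET_FIELD = re.compile(r"pass|pwd|passwd|secret", re.IGNORECASE)


def looks_like_http(stream: bytes) -> bool:
    """Cleartext HTTP starts with a method token; TLS starts with a record header."""
    return stream.startswith(HTTP_METHODS)


def parse_http_request(stream: bytes) -> Dict[str, object]:
    """Split one HTTP/1.x request into request line, headers and body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes of a pipelined stream are ignored.
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body[:length]}


def find_plaintext_credentials(stream: bytes) -> List[Tuple[str, str]]:
    """Return (field, value) pairs that look like secrets sent in a cleartext form POST."""
    if not looks_like_http(stream):
        return []                       # encrypted or non-HTTP: nothing readable here
    req = parse_http_request(stream)
    if str(req["method"]).upper() != "POST":
        return []
    ctype = req["headers"].get("content-type", "")  # type: ignore[union-attr]
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    body = req["body"].decode("latin-1")  # type: ignore[union-attr]
    fields = parse_qsl(body, keep_blank_values=True)   # also URL-decodes %21 -> !
    return [(k, v) for k, v in fields if SECRET_FIELD.search(k)]


def report(stream: bytes) -> Dict[str, object]:
    """One-line summary a reviewer would want: where it went and what leaked."""
    if not looks_like_http(stream):
        return {"cleartext_http": False, "host": None, "path": None,
                "credentials": [], "cookie": None}
    req = parse_http_request(stream)
    headers: Dict[str, str] = req["headers"]  # type: ignore[assignment]
    return {
        "cleartext_http": True,
        "host": headers.get("host"),
        "path": req["path"],
        "credentials": find_plaintext_credentials(stream),
        "cookie": headers.get("cookie"),
    }


if __name__ == "__main__":
    for name, stream in (("http login", SAMPLE_STREAM), ("tls hello", TLS_SAMPLE)):
        print(name, report(stream))
```

On the constructed login the report names the host, returns `[("password", "Secret!")]` and the session cookie; on the TLS bytes it returns nothing readable, which is the whole difference between the two captures in the thread. The field-name regex is a heuristic, so a form that calls its password field something unusual would need the pattern extended.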
  2. abigail4476

    abigail4476 Jeff's Woman SMF Premier Member

    Regarding "plain text" passwords:  (Question answered by Huddler)

    "What he describes in his post as a security flaw is actually a fairly common practice across the Internet.  Wikipedia (the 11th most popular site on the Internet), Digg (the 36th most popular), and every phpBB forum out there all send passwords over plain text.  It is true that vBulletin encrypts the password before sending it, but it does so using an algorithm that is so insecure that the US Government describes it as "cryptographically broken and unsuitable for further use".  In other words, the encrypted version of the password that vBulletin uses is almost no more secure than sending it in plain text.

    He is right about one thing though.  When he says "Will I be using the same password that I used to use for other accounts.  Absolutely not!!", that is absolutely the right attitude.  Security best practices suggest that you should use different passwords for different websites that you visit.  And any time that you do not see the "lock" which indicates that a website is encrypted using SSL, you should always assume that any information that you send will be transmitted in plain text.


    Kyle Harmon

    Partner Services -


    The last portion of his response is the most important, and that is a reminder that this site is not a secure site, nor was it secure on the original vBulletin platform.  

    e.g., feel free to analyze the security of Huddler, but remember to compare fairly to other sites that are also using ads--such as vBulletin forums that use Google ads.  (like  or Also,  is a phpBB forum, so you might try capturing their traffic as well, and see if your full password turns up.   (I'm curious about that, too.)

    No one is going to sweep aside privacy and security concerns, however, there needs to be a fair comparison between other similar forums in order to ascertain what unique problems actually exist.  Those unique problems can be analyzed and addressed as they are found.  
  3. bmudd14474

    bmudd14474 Smoking Guru Staff Member Administrator Group Lead OTBS Member SMF Premier Member

    Also remember that you should never use the same password for normal browsing and your banking. You should always have different ones. Also remember to not use passwords that are easy to guess like your birthday, the last 4 of your SSN, or your name. You should try to use a combination of letters and numbers. Also use uppercase and lowercase. Change an i into a 1 or an O into a 0. I know it's not easy to keep track of all of these passwords, but your identity and financial information are worth the hassle.
  4. abigail4476

    abigail4476 Jeff's Woman SMF Premier Member

    ROFL!!!!!  Brian--insider alert/high-five!!!!!  (P.S.  You are 100% right!)
    Last edited: May 29, 2010
  5. tulsajeff

    tulsajeff Master of the Pit Staff Member Administrator OTBS Member

    Tru dat!!
  6. ddave

    ddave Master of the Pit OTBS Member SMF Premier Member

    Okay.  I included a screenshot of the login sequence in my original post, but can do so again.  I replaced the image with one that I took AFTER I changed my password, so if anyone is wondering why that post is edited, now you know.

    I am not a member of Sharky or SausageSource but here are the DNS queries that occur when the Smoked-Meat, BBQBrethren and QJoint sites load.


    Can you imagine the uproar if Microsoft used that response when someone pointed out a potential security flaw?  Just because it is common practice doesn't mean it is a good idea.  And clearly forum software can be made to encrypt passwords.  But it doesn't sound like Huddler is going to do that anytime soon.
     Okay, then tell me what my password was.  I changed mine back after the demo, but I posted a screen shot of the traffic capture.  If their encryption is almost no more secure than plain text, then decrypt it and tell me what it was.

    I did not set out to prove that vBulletin is/was more secure than Huddler.  But with all the discussion of strange behavior that users have been experiencing as far as strange pages popping up and how these reports were dismissed as "problems with your ISP" or "the problem is on your end" I was curious about what was going on behind the scenes on the network.

      When I originally posted this, Jeff moved it to the Mod forum and PMed me saying that it shouldn't be in the general forum.  I responded that I felt the members should be aware of it so they could take appropriate measures as they see fit as far as their password choice.  He has done that after checking with Huddler, and I commend him for that.

    However, I think it is pretty evident that there is more going on here than meets the eye.  I don't think it is something that is intentionally being allowed and I would hope that the bug reports will be taken seriously and not casually dismissed.  The new platform has a ton of potential.  I'll admit some of the new features are really starting to interest me but all the strange background stuff is concerning me.

    Okay, I am taking off my propeller head cap now and getting ready to select some ribs for tomorrow's smoke.
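Kyle's statement in post 2 that vBulletin's client-side transform is "almost no more secure than sending it in plain text" and ddave's challenge in post 6 to "decrypt it and tell me what it was" are two sides of the same question, so one added example serves both. This is illustration code written for this thread, not vBulletin's or Huddler's code. It assumes a scheme consistent with the description in post 2: the browser sends an unsalted MD5 of the password, and the server stores MD5(MD5(password) + per-user salt) and compares against that. The scheme, the salt, the wordlist and the "captured" value are all assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


# Client side (assumed scheme): the browser never sends the raw password,
# only its unsalted MD5. This is the value a sniffer sees on the wire.
def client_login_value(password: str) -> str:
    return md5hex(password)


# Server side (assumed scheme): only md5(md5(password) + salt) is stored.
def make_account(password: str, salt: str) -> Dict[str, str]:
    return {"salt": salt, "stored": md5hex(md5hex(password) + salt)}


def server_accepts(account: Dict[str, str], client_value: str) -> bool:
    """The server only ever sees the client hash, so that hash IS the credential."""
    expected = account["stored"]
    actual = md5hex(client_value + account["salt"])
    return hmac.compare_digest(expected, actual)


def crack_captured_hash(captured: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: no salt, so one MD5 per guess, reusable across users."""
    for candidate in wordlist:
        if md5hex(candidate) == captured:
            return candidate
    return None


# --- Constructed demo data (hypothetical password, salt and wordlist) ---
WEAK_ACCOUNT = make_account("smokinribs", salt="k9Qz")
CAPTURED_WEAK = client_login_value("smokinribs")      # what left the browser
STRONG_ACCOUNT = make_account("Xq7!vL2#pR9@", salt="m3Tb")
CAPTURED_STRONG = client_login_value("Xq7!vL2#pR9@")
WORDLIST = ["password", "brisket", "smokinribs", "pulledpork", "123456"]


def demo() -> Dict[str, object]:
    """What an eavesdropper can do with the captured value alone."""
    return {
        # 1. Replay: log in without ever learning the password.
        "replay_weak": server_accepts(WEAK_ACCOUNT, CAPTURED_WEAK),
        "replay_strong": server_accepts(STRONG_ACCOUNT, CAPTURED_STRONG),
        # 2. Recover the password itself, for reuse on other sites.
        "recovered_weak": crack_captured_hash(CAPTURED_WEAK, WORDLIST),
        "recovered_strong": crack_captured_hash(CAPTURED_STRONG, WORDLIST),
        # A wrong guess is still rejected; the scheme is not broken, just thin.
        "wrong_guess": server_accepts(WEAK_ACCOUNT, client_login_value("brisket")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two halves of the argument. The captured value logs in as the user on this site whether the password was weak or strong, which is why the transform buys little for the account being sniffed. Whether the raw password can be "decrypted" depends only on how guessable it is: a dictionary word falls to a handful of MD5 calls, a long random password does not, so the transform does keep a strong password off the wire for reuse elsewhere. Neither outcome is available to an eavesdropper when the login goes over TLS.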

  7. abigail4476

    abigail4476 Jeff's Woman SMF Premier Member

    Well..thanks for the detailed reply!  I appreciate that.  You're obviously a smarter cookie than I am--my eyes are crossing just staring at the screenshots!  The diversity between the screen shots probably has to do with the fact that we're on an ad network instead of just on Google ads, so since we're pulling ads from multiple sites, I would assume there to be multiple, diverse sources. With that said, the number of links may be less important, comparatively speaking, than the types of links.  Is there something to be concerned about by the sheer number of addresses shown?  Are there any malicious things in there that we should be worried about?  

    As far as the passwords go, I agree with Brian that it's a good precaution to use a new [unique from your normal] password for the new platform until all the kinks have been worked out, and unless or until the passwords can be encrypted in the code.   Good work, btw.

    In the meantime, asking Huddler to encrypt passwords is a reasonable request.  The complaint has been submitted to Huddler, and hopefully they'll get back to us with a resolution.
    Last edited: May 29, 2010
  8. ddave

    ddave Master of the Pit OTBS Member SMF Premier Member

     You're welcome.
     Sorry about that.  Occupational hazard.
     Not really.  Not as long as each site provides a necessary function that can be explained and that you and Jeff are comfortable with.  It will just take longer to completely load the page for some folks.
    You may want to do some research on  It has been associated with various spyware problems as this Google search illustrates.

    It could be the source of the as yet unexplainable behavior discussed in the  "Not Sure What the Problem Is" thread.  For what it's worth, I've had pages pop up when I clicked on white space in the forum pages.
     Huddler's response that plain text password transmission is a "fairly common practice across the Internet" makes me think it's not too high on their list of priorities.

    But at least the membership knows about the issue and can take steps to safeguard their passwords.

  9. chefrob

    chefrob Master of the Pit OTBS Member

    thx dave for some i must go and uncross my eyes!
  10. chefrob

    chefrob Master of the Pit OTBS Member

    just had another malware alert..............
