ATS login is not secure

When I log into ATS, as soon as I hit the password box, I get the message that the login is not secure. That my password may be intercepted by anyone watching. Can someone explain to me how this works with various websites? Why would it not be secure here? Thanks.

a reply to: iTruthSeeker

They are not employing the HTTPS protocol. I believe it would have to be done site-wide.

There are several layers to a network transmission including web access. HTTPS happens in one of those layers. The protocol uses an encryption method to ensure communication between computers and networks are secure.

The "man-in-the-middle" attack exploits this vulnerability in HTTP. You could, if you had the know-how, set up a forwarding computer and monitor network traffic to access un-encrypted data like passwords. There are other metadata you can find out using this method that might be useful.

As for not using it here on ATS, that is a board question and defer to them.

It means that any data transfered on ATS including email, ATS password, etc is unsecured and could be suceptible to middleman exploits.

I work in digital marketing and definitely would recommend making a switch to A) truly protect members' data B) improve search engine rankings and C) maintain compliance with California state laws.

A certificate costs about $150 for a site.

It's actually illegal to NOT use encryption if a site is shown to users in the state of California under the Online Privacy Act, if the website asks for information such as email, credit card or bank acc info, social security etc.

Also, legally you must have a link to the privacy policy accessible from the home screen and clearly labeled under the California act... legally, I would suggest being in compliance, or risk potentially catastrophic lawsuits from California users if your data is ever hacked...

California online privacy protection act info
consumercal.org...

How convenient.

Now we can say....you know all them warnings....wasn't me dude.

originally posted by: Medusa18
It means that any data transfered on ATS including email, ATS password, etc is unsecured and could be suceptible to middleman exploits.

I work in digital marketing and definitely would recommend making a switch to A) truly protect members' data B) improve search engine rankings and C) maintain compliance with California state laws.

A certificate costs about $150 for a site.

It's actually illegal to NOT use encryption if a site is shown to users in the state of California under the Online Privacy Act, if the website asks for information such as email, credit card or bank acc info, social security etc.

Also, legally you must have a link to the privacy policy accessible from the home screen and clearly labeled under the California act... legally, I would suggest being in compliance, or risk potentially catastrophic lawsuits from California users if your data is ever hacked...

California online privacy protection act info
consumercal.org...

There were times I got the uncertified message for ATS, and as of right now, TalkTalk is replacing my router, because of serious crashes saying that it has become 'infected' from an uncertified site, it sounded like gobbledegook to me, although the router is cabled, not WiFi....(too many white van men going slowly up and down my road)
surely they couldn't all be spooks?

a reply to: smurfy

The uncertified pops up because the site doesn't have an SSL certificate that authenticates and protects the site.

Although it's not remotely likely ATS caused the issue with your computer, it definitely is possible with the wrong redirect ads or links.

Great info and explaining it. Thanks Teotwawki and Medusa18.

a reply to: Medusa18

I believe ATS is hosted in AZ.
Not CA.

a reply to: Medusa18

A certificate costs about $150 for a site.

If this is the case, then there is no reason whatoever that ATS doesn't employ some better protection. Not taking a jab at ATS, I am just confused as to why they wouldn't do this. Maybe a site owner can explain the reasoning behind it?

unless it's plaintext or someone has the key they cannot decrypt your password

originally posted by: toysforadults
unless it's plaintext or someone has the key they cannot decrypt your password

Well that is just it - the keystrokes are not encrypted at all.

The stored password obviously (hopefully!) are, however everytime you send the password from your computer (that is, every time you log in)to ATS' servers, it is not.

originally posted by: Medusa18
a reply to: smurfy

The uncertified pops up because the site doesn't have an SSL certificate that authenticates and protects the site.

That much I know. The redirecting ads I don't do, while ATS has had some problems with some ads anyway.

a reply to: havok

BUT the law reads that any site that is USED by those who live in CA allows certain protections to their stage citizens...

It boils down to a states rights issue, and although I'm not a proponent of the law, you have to respect their rights.

The precedent I've read has been that IF the site's data was breached, THEN the California act could be used to hold sites liable for California residents loss of data privacy.

..."Anything you say, can and will be used against you"...period! There's no such thing as "security". You don't live in that kind of a world, that battle is lost. And that kind of country doesn't exist anymore. ATS is an LP/OP for gathering records, it always has been, (read first line). Yes, it has the nutcase with "planet X" viewed from their backyard,... The gay, male lesbian that needs validation,..The Dike that doesn't understand how she got pregnant and doesn't know what to do, it even has the Ex-Soldier that's just burnt on idiots haveing their say.
OP. Let me tell you a secret? You're not "secure" at anytime, on the "internet".

Plain text passwords or public key security plausibly could be spoofed with a man in the middle attack but why does ATS need more authentication then what is offered? We aren't engaged in intellectual property theft or insider trading to any serious degree. Everything is posted out in the open and links are provided on request. There is an ATS complaint process in place whether someone be California resident or otherwise and feels private information has been wrongly disseminated. Most of the veteran AtSers write stuff in a manner that it can easily be moved anyways.

originally posted by: Medusa18
It means that any data transfered on ATS including email, ATS password, etc is unsecured and could be suceptible to middleman exploits.

I work in digital marketing and definitely would recommend making a switch to A) truly protect members' data B) improve search engine rankings and C) maintain compliance with California state laws.

A certificate costs about $150 for a site.

It's actually illegal to NOT use encryption if a site is shown to users in the state of California under the Online Privacy Act, if the website asks for information such as email, credit card or bank acc info, social security etc.

Also, legally you must have a link to the privacy policy accessible from the home screen and clearly labeled under the California act... legally, I would suggest being in compliance, or risk potentially catastrophic lawsuits from California users if your data is ever hacked...

California online privacy protection act info
consumercal.org...

Oh rry...





Methinks some members, Californian or not, have been subjected to far more than simple data breach.

Call it a hunch.

ATS doesn't appear to have a valid SSL certificate allowing HTTPS connections. I noticed this a while ago, and it's been brought up before.

I don't think anyone really seemed to care the last time it was brought up. Most people shurgged and said they just leave themselves logged in.

I mean, if anyone uses public WIFI and logs into ATS, a hacker nearby sniffing packets could easily grab the login credentials. Chances of that happening are pretty low, and it's not like sensitive personal or financial information is stored/used on ATS.

Still, it's odd. I have an SSL certificate for my Qnap NAS so I can remotely access my files over the internet (think a personal cloud/Dropbox). It was pretty cheap. Not sure what they run for a site the size of ATS though that uses a CDN.

Google seems to encourage and really, really *want* websites to ALL be using HTTPS connections:

developers.google.com "Why HTTPS Matters"

One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions, and to de-anonymize their identities. For example, employees might inadvertently disclose sensitive health conditions to their employers just by reading unprotected medical articles.

a reply to: Cauliflower

I've read there has been a lot of problems with PKI and CA especially anything that has to do with Symantec.

I guess there is some new CA authentication protocol they are working on not sure where it's at and how secure SSL is anymore.

In all honesty, it'd take any good load-balancer a whole 30 minutes to front end this website with a secure backend channel using up to date cipher protocols and a 302-responding 80 redirect.

Why hasn't this been done yet?

Need some help? I'm cheapish.

a reply to: Kettu

Oh ive had plenty.

I get alerts to people spoofing etc.

One time i was taking a crap while browsing ATS at the local pizza place and got an alert. I immediately disconnected my wifi.

Walked out of the restroom to see a gentleman in the corner of the restaraunt on his lap top.

Had plenty of spooks come here over the years. Fun times. Always an interesting conversation.

My favorite likes to talk about colliding black holes and simulation theory. Funny guy.



ps: the seemingly easy accessibility and potential for hacking and whatnot of this site is probably a ruse.

You know, draw em in for easy pickens.