Re: [slim] RadioTime: security/privacy suggestions
A poll is associated with this post; to vote and see the results, please visit http://forums.slimdevices.com/showthread.php?t=34909

Question: My opinion of this is...
- I don't use RadioTime, and I think this is OK
- I don't use RadioTime, but that sounds like a problem
- I use RadioTime, and I don't care about these "flaws"
- I use RadioTime, and this bothers me at least a bit

Peter, thanks for the great feedback. I do work for RadioTime, but not in a technical role. We've tried to balance security against ease of use; since our site is about finding radio, ease of use and simple implementation typically win. But we'll revisit some of the practices below.

Yes, a malicious user could guess a username, then request a password reset and then discover an email address. We began displaying the email and clear text password retrieval because a fair number of users would forget the account used or misspell the email, and then get completely frustrated and stuck in a loop. Within the RadioTime system, passwords are not stored in the clear but encrypted.

You are correct, basic registration is not secure, only paid registration.

RadioTime support has deleted your account as requested; we don't know what email address they replied to (if at all). We intend to allow users to delete their own account.

We'll add some text to the signup and privacy policy saying passwords may be sent in clear text.

-- 
radiobill
radiobill's Profile: http://forums.slimdevices.com/member.php?userid=11404
View this thread: http://forums.slimdevices.com/showthread.php?t=34909

___
discuss mailing list
discuss@lists.slimdevices.com
http://lists.slimdevices.com/lists/listinfo/discuss
Re: [slim] RadioTime: security/privacy suggestions
Hi, radiobill. Quick question: do you work for RadioTime, or have you?

radiobill;199017 Wrote:
> The risk is much lower -- another user might guess a RadioTime account
> name to listen to favorite stations. But the user would not be able to
> identify your email

That's not true. When you submit a valid RadioTime username in the "forgot password" page (http://radiotime.com/SendPassword.aspx), the web site will display a message like "Your password has been sent to [EMAIL PROTECTED]", revealing the user's email address.

> or your identity, nor would they be able to make any changes to your
> RadioTime account. Since you don't enter a password for the SlimServer
> or the SqueezeNetwork the password is never at risk

See below for more discussion of the password risk. My concern is how the passwords are stored and processed in the RadioTime system, including those of RadioTime users who never use the SlimServer or SqueezeNetwork integration.

> , much less the email used to register.
>
> Registration with RadioTime.com is secure and passwords entered into
> radiotime.com and the RedButton TiVo-style Windows software are
> protected.

That's also not true. I don't know about the RedButton software, but the login process on the web site is not secure. The page that displays the login form and processes login attempts (http://radiotime.com/Login.aspx) is not secure. Nor is the page that's used to set up an account (http://radiotime.com/Enroll/QuickEnroll.aspx).

RadioTime does appear to use secure web pages (https) when soliciting credit card information, as it is almost certainly required to do by its credit card processing contracts.

> Obviously you'll want to use a lower risk password for casual sites like
> RadioTime, as compared to a bank account or accounts with sensitive
> information.

Certainly it's a "best practice" for users to use better passwords for less "casual" sites like online banking. And if SqueezeNetwork required a user's RadioTime password to work (as it requires Live365 passwords), that should clearly suggest to the user that a "lower risk password" would be appropriate. But not all RadioTime users use the SN integration and, more importantly, it's also a best practice for site designers not to store passwords in "cleartext" or in an easily recoverable format, and not to send cleartext passwords via unencrypted channels like email -- but that's what RadioTime has done.

Below is more detail on my findings, since you seem intent on questioning not only the importance of RadioTime's flaws, but the existence of the flaws.

There might be some even more interesting (frightening!) combination attack possibilities. For instance, if RadioTime has not built good anti-CSRF measures into the portion of the web site that updates a user's profile, an attacker who knew a victim's email address might be able to write a simple attack that would send a RadioTime user's username and password to the attacker without the victim's knowledge.

-Peter

Suggestions for RadioTime:

RadioTime:
* Devise a new "forgot password" system that does not depend on recovering the "cleartext" password and convert every single stored user password to a strongly salted hash.
* Modify your "forgot password" web interface so that it does not display "Your password has been sent to " + the user's email address
* Modify your web applications so that https is used at least for displaying login forms and password maintenance forms and for processing logins, password changes, and any other user requests that include users' passwords.
* Modify your APIs so that passwords are required and drop the old APIs.
* Make sure your non-web login API uses https/SSL/TLS.
* Reassess your system design in light of industry best practice and documents such as the Payment Card Industry Data Security Standard, the Open Web Application Security Project (OWASP) guidelines, etc.

Privacy Issues

RadioTime will provide account information without a password. Passwords are not required for obtaining information about a RadioTime user. RadioTime has an application programming interface (API) for accessing a user's "favorites" and local radio programming. This API does not require the user's password. By submitting a username to this API, an attacker could learn roughly where a RadioTime user lives, and what programming interests that
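The first two suggestions in Peter's list (salted, non-recoverable password storage and a "forgot password" flow that neither mails the password nor echoes the email address) sketched as a small account store. This is an added example, not RadioTime's code or anything posted in the thread; the in-memory store, the PBKDF2 parameters, the 15-minute token lifetime and the sample user are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory store: username -> {email, salt, hash}.
ACCOUNTS = {}
# Reset tokens are stored only as their SHA-256 digest: sha256(token) -> (username, expiry).
RESET_TOKENS = {}
RESET_TTL = 15 * 60  # assumed 15-minute lifetime for a reset token

def _pbkdf2(password, salt):
    # Salted, slow hash; the original password cannot be recovered from it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, email, password):
    salt = os.urandom(16)
    ACCOUNTS[username] = {"email": email, "salt": salt, "hash": _pbkdf2(password, salt)}

def verify_login(username, password):
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _pbkdf2(password, rec["salt"]))

def forgot_password(username, now=None):
    """Return (message shown on the page, token to mail to the account's address or None).

    The message is identical whether or not the username exists, so the page
    discloses neither the email address nor whether the account is real.
    The token (not the password) would be sent to ACCOUNTS[username]["email"]."""
    now = time.time() if now is None else now
    token = None
    rec = ACCOUNTS.get(username)
    if rec is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + RESET_TTL)
    return ("If that account exists, a reset link has been sent to its registered address.", token)

def reset_password(token, new_password, now=None):
    """Consume a single-use, time-limited token and set a new salted hash."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    rec = ACCOUNTS[username]
    rec["salt"] = os.urandom(16)
    rec["hash"] = _pbkdf2(new_password, rec["salt"])
    return True
```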
Re: [slim] RadioTime: security/privacy suggestions
The risk is much lower -- another user might guess a RadioTime account name to listen to favorite stations. But the user would not be able to identify your email or your identity, nor would they be able to make any changes to your RadioTime account. Since you don't enter a password for the SlimServer or the SqueezeNetwork, the password is never at risk, much less the email used to register.

Registration with RadioTime.com is secure and passwords entered into radiotime.com and the RedButton TiVo-style Windows software are protected. Obviously you'll want to use a lower risk password for casual sites like RadioTime, as compared to a bank account or accounts with sensitive information.

-- 
radiobill
[slim] RadioTime: security/privacy suggestions
The RadioTime applications and systems have some design flaws that present security and privacy threats to its users. Some recommendations:

Current RadioTime Users:
* Try not to log in to RadioTime from less secure networks like public wireless access points.
* Make sure the password you are using for RadioTime is *not* the same as, nor even similar to, any password you use for any other account you care about. If it is, log in to RadioTime's web site and change your password.
* Be aware that anyone can access your list of RadioTime "favorites" and your general location simply by providing your username (they do *not* need your password). Also, anyone can learn the email address you provided to RadioTime. If this concerns you,
  - Log in to RadioTime and change your location
  - Log in to RadioTime and change your email address
  - Log in to RadioTime and delete all your RadioTime favorites
  - Ask RadioTime to delete your account
  - Create a new account (see below)

New RadioTime Users:
* Choose a unique, hard-to-guess username. Your username should look like a hard-to-guess password, e.g. "peterwhktufuyyrt". This will protect your account against the no-password privacy flaws in the RadioTime system.
* Choose a password for RadioTime that is *not* the same as, nor even similar to, any password you use for any other account you care about.

-Peter

-- 
peterw
http://www.tux.org/~peterw/
free plugins: http://www.tux.org/~peterw/#slim
BlankSaver BottleRocket FuzzyTime SaverSwitcher SleepFade StatusFirst VolumeLock
peterw's Profile: http://forums.slimdevices.com/member.php?userid=2107