September 11, 2009 09:25 AM

Categories: My.Pogoplug Website



pnam

Member
Joined: 08/15/2009

Hi,

It concerns me that https is not the default login option. Ideally, when a user types in my.pogoplug.com, it should redirect to the https server automatically. Then after login, they should be redirected back to the http server for performance. It is possible to post from http to https, but most people will be wary of that. 

I always click the secure button when I remember, but sometimes I forget. And also, I'm not sure if the remember me functionality is secure either. I haven't taken a look at the cookies or html/js to see what they're doing, but this feature should be secure as well. It should probably be some unique token in the cookie unrelated to my login info that is sent securely to the server and matched to some token in the database. Well, that's how I would do it anyway. If it is not sent securely, someone might be able to read the token and duplicate my session.

Nobody wants someone sniffing traffic on the site and pulling people's passwords. I wouldn't be surprised if it's not already happening. If someone was sniffing logins it would make sense for them not to do anything for a while that would cause the service to change their security.

Well, I hope this gets resolved.

Thanks,
Peter
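The remember-me design sketched in the post, written out as an added example (not Pogoplug's code): a random token unrelated to the credentials, stored server-side only as a hash, and delivered in a cookie marked Secure and HttpOnly so the browser never sends it over plain HTTP. The in-memory dict standing in for the database, the 30-day lifetime and the hand-built cookie header are assumptions.

```python
"""Remember-me tokens: random, unrelated to the login, stored hashed,
sent only over HTTPS. Added example; the dict stands in for the database."""
import hashlib
import secrets
import time
from typing import Optional

TOKEN_LIFETIME = 30 * 24 * 3600  # 30 days; a constructed choice

# Constructed stand-in for a database table: token_hash -> (username, expiry)
REMEMBER_ME: dict = {}


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_me(username: str, now: Optional[float] = None):
    """Create a fresh token for an already authenticated user.

    Returns (token, Set-Cookie header value). The token carries no
    information about the username or password; it is pure randomness
    that the server maps back to the account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    REMEMBER_ME[_hash_token(token)] = (username, now + TOKEN_LIFETIME)
    # Secure: only sent over https. HttpOnly: not readable by page scripts.
    cookie = (f"remember_me={token}; Max-Age={TOKEN_LIFETIME}; Path=/; "
              "Secure; HttpOnly; SameSite=Lax")
    return token, cookie


def resume_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a presented token to a username, or None if unknown/expired.

    The lookup key is the hash of the presented token, so the server never
    compares raw secrets. A token is single-use: once accepted it is deleted,
    so a copy captured from the wire stops working after the first use and
    the caller should issue a replacement with issue_remember_me()."""
    now = time.time() if now is None else now
    entry = REMEMBER_ME.pop(_hash_token(token), None)
    if entry is None:
        return None
    username, expiry = entry
    return username if now < expiry else None
```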

Discussion:    Add a Comment | Comments 1-6 of 6 | Latest Comment

September 11, 2009 9:36 PM

I was thinking the same thing today, just make it all HTTPS SSL'ed and drop the potentially insecure HTTP login. Even if it takes 2 extra seconds, I don't think it matters.

September 17, 2009 6:48 AM

CloudEngines really needs to come out and detail everything they've done to make this secure, not just SSL on my.pogoplug.com. How secure is the API? How about the my.pogoplug.com backend to access data on the Pogoplug? Basically, how secure is this service?

March 1, 2010 2:51 PM updated: March 1, 2010 2:57 PM

As most configurations are a compromise between easy usability and good security - and PogoPlug is so easy to use...

...combined with the deafening silence from CloudEngines in this (and other, related) threads...

...I'm drawing my own conclusion: PogoPlug puts ease of use ahead of security, so I for one would be wary about putting anything I value or wish to keep private on a PogoPlug drive.

The other thing to be concerned about is how CloudEngines create their hashes (used when sharing)... security by obscurity, i.e. not publishing the implementation, is nearly always a flawed approach and thus insecure.

It would be lovely if CloudEngines published their security design but unless and until they do, it's best to assume it's an insecure service, especially against packet sniffing and similar monitoring. (Would be great to be proven - not just told - that I'm wrong, though :-)

Cheers, JS

March 1, 2010 3:27 PM

The March release does exactly this - ALL logins are now over https and then a re-direct is made back to http. A new setting has been added so that if a user wants, the entire session continues in https after sign-in. We have also added several additional layers of security at the Pogoplug device level. We'll be putting up a full post detailing the new security in a few weeks.

March 1, 2010 3:38 PM updated: March 1, 2010 4:12 PM

Wow, fast response - thanks Jed!

Will await the March release before putting other foot into my mouth - will you also be sharing details of the hash mechanism too?

Cheers, JS

July 21, 2010 5:03 AM

I'm concerned that I can still use my activation email link to login to my account, without entering the password I set when I first activated the account 2 weeks ago.
