Is OBiTALK login secure?

Started by 202Owner, January 13, 2015, 08:43:21 AM


202Owner

I see no HTTPS when logging into OBiTALK.  Are my login credentials being transmitted in the open?  Is this secure access or could my OBi device(s) be at risk by someone able to compromise this traffic and my account?

LTN1

When I open the obitalk initial site, it is not https. However, when I log in with my Google credentials, it takes me to the administrative site (where I can configure, etc.) and that site is https--secure.

Do you log in with your Google credentials or the non Google way? Can you try logging in with the Google credentials if you haven't already?

giqcass

#2
To be on the safe side use the following url to log in.
https://www.obitalk.com/obinet/login/


EDIT: I examined the login code.  I am not a security expert but the login even on the unencrypted pages posts to a secure https address so I believe they should be secure.  You can use the URL above for peace of mind.  Perhaps someone with more information will speak on this topic.

So far as your Google Credentials are concerned Obihai no longer has access to them.  Obihai only receives an access token now.
Long live our new ObiLords!

202Owner

#3
Quote from: LTN1 on January 13, 2015, 02:19:22 PM
When I open the obitalk initial site, it is not https. However, when I log in with my Google credentials, it takes me to the administrative site (where I can configure, etc.) and that site is https--secure.

Do you log in with your Google credentials or the non Google way? Can you try logging in with the Google credentials if you haven't already?

I log in the non-Google way.  If I go to log in the Google way, OBiTALK appears to want to access my Google profile... which I decline, so no login.

Given the OBiTALK login is not secure, I will assume the OBiTALK portal security is suspect... as was their initial Google Chat implementation.  You can't offer multiple ways to log in, some unsecure, and call it secure.

202Owner

Quote from: giqcass on January 13, 2015, 08:56:16 PM
To be on the safe side use the following url to log in.
https://www.obitalk.com/obinet/login/

EDIT: I examined the login code.  I am not a security expert but the login even on the unencrypted pages posts to a secure https address so I believe they should be secure.  You can use the URL above for peace of mind.  Perhaps someone with more information will speak on this topic.

So far as your Google Credentials are concerned Obihai no longer has access to them.  Obihai only receives an access token now.

I can only assume that if the browser does not indicate a secure connection, then the connection is not secured.  And the portal traffic is not secured.

Thanks for looking at it!

WelshPaul

#5
I have not looked into Obihai's use of https a whole lot, but from what I have seen so far it appears Obihai posts from http to https and once completed returns back to http. This is usually done to reduce server load; https uses more resources. It is secure; however, it doesn't protect you from any man-in-the-middle attacks, as explained here: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

If you're worried, log in via this link: https://www.obitalk.com/obinet/action/login

Once logged in to your OBiTALK account, just click on the URL and manually change http to https; that way you're working over https permanently.
For everything VoIP
www.ukvoipforums.com