OBiTALK Community

General Support => On-Topic: Obihai and OBi Products => Topic started by: 202Owner on January 13, 2015, 08:43:21 AM

Title: Is OBiTALK login secure?
Post by: 202Owner on January 13, 2015, 08:43:21 AM
I see no HTTPS when logging into OBiTALK.  Are my login credentials being transmitted in the open?  Is this secure access or could my OBi device(s) be at risk by someone able to compromise this traffic and my account?
Title: Re: Is OBiTALK login secure?
Post by: LTN1 on January 13, 2015, 02:19:22 PM
When I open the obitalk initial site, it is not https. However, when I log in with my Google credentials, it takes me to the administrative site (where I can configure, etc.) and that site is https--secure.

Do you log in with your Google credentials or the non Google way? Can you try logging in with the Google credentials if you haven't already?
Title: Re: Is OBiTALK login secure?
Post by: giqcass on January 13, 2015, 08:56:16 PM
To be on the safe side use the following url to log in.
https://www.obitalk.com/obinet/login/


EDIT: I examined the login code.  I am not a security expert, but the login, even on the unencrypted pages, posts to a secure https address, so I believe they should be secure.  You can use the URL above for peace of mind.  Perhaps someone with more information will speak on this topic.

So far as your Google Credentials are concerned Obihai no longer has access to them.  Obihai only receives an access token now.
Title: Re: Is OBiTALK login secure?
Post by: 202Owner on January 14, 2015, 05:19:50 AM
Quote from: LTN1 on January 13, 2015, 02:19:22 PM
When I open the obitalk initial site, it is not https. However, when I log in with my Google credentials, it takes me to the administrative site (where I can configure, etc.) and that site is https--secure.

Do you log in with your Google credentials or the non Google way? Can you try logging in with the Google credentials if you haven't already?

I log in the non-Google way.  If I go to log in the Google way, OBiTALK appears to want to access my Google profile... which I decline, so no login.

Given the OBiTALK login is not secure, I will assume the OBiTALK portal security is suspect... as was their initial Google Chat implementation.  You can't offer multiple ways to login, some unsecure, and call it secure.
Title: Re: Is OBiTALK login secure?
Post by: 202Owner on January 14, 2015, 05:24:08 AM
Quote from: giqcass on January 13, 2015, 08:56:16 PM
To be on the safe side use the following url to log in.
https://www.obitalk.com/obinet/login/

EDIT: I examined the login code.  I am not a security expert, but the login, even on the unencrypted pages, posts to a secure https address, so I believe they should be secure.  You can use the URL above for peace of mind.  Perhaps someone with more information will speak on this topic.

So far as your Google Credentials are concerned Obihai no longer has access to them.  Obihai only receives an access token now.

I can only assume that if the browser does not indicate a secure connection, then the connection is not secured.  And the portal traffic is not secured.

Thanks for looking at it!
Title: Re: Is OBiTALK login secure?
Post by: WelshPaul on January 17, 2015, 07:28:20 AM
I have not looked into Obihai's use of https a whole lot, but from what I have seen so far it appears Obihai posts from http to https and, once completed, returns back to http. This is usually done to reduce server load; https uses more resources. It is secure; however, it doesn't protect you from any man-in-the-middle attacks, as explained here: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

If you're worried, log in via this link: https://www.obitalk.com/obinet/action/login

Once logged in to your OBiTALK account, just click on the URL and manually change http to https; that way you're working over https permanently.