Author Topic: Is OBiTALK login secure?  (Read 8900 times)
202Owner
Full Member
***
Posts: 104


« on: January 13, 2015, 08:43:21 am »

I see no HTTPS when logging into OBiTALK.  Are my login credentials being transmitted in the open?  Is this secure access or could my OBi device(s) be at risk by someone able to compromise this traffic and my account?
LTN1
Sr. Member
****
Posts: 476


« Reply #1 on: January 13, 2015, 02:19:22 pm »

When I open the OBiTALK initial site, it is not https. However, when I log in with my Google credentials, it takes me to the administrative site (where I can configure, etc.) and that site is https--secure.

Do you log in with your Google credentials or the non-Google way? Can you try logging in with the Google credentials if you haven't already?
giqcass
Hero Member & Beta Tester
*****
Posts: 1439


« Reply #2 on: January 13, 2015, 08:56:16 pm »

To be on the safe side, use the following URL to log in.
https://www.obitalk.com/obinet/login/

EDIT: I examined the login code. I am not a security expert, but the login, even on the unencrypted pages, posts to a secure https address, so I believe they should be secure. You can use the URL above for peace of mind. Perhaps someone with more information will speak on this topic.

So far as your Google credentials are concerned, Obihai no longer has access to them. Obihai only receives an access token now.
« Last Edit: January 13, 2015, 09:08:03 pm by giqcass »

202Owner
Full Member
***
Posts: 104


« Reply #3 on: January 14, 2015, 05:19:50 am »

Quote from: LTN1
> When I open the OBiTALK initial site, it is not https. However, when I log in with my Google credentials, it takes me to the administrative site (where I can configure, etc.) and that site is https--secure.
>
> Do you log in with your Google credentials or the non-Google way? Can you try logging in with the Google credentials if you haven't already?

I log in the non-Google way. If I go to log in the Google way, OBiTALK appears to want to access my Google profile... which I decline, so no login.

Given the OBiTALK login is not secure, I will assume the OBiTALK portal security is suspect... as was their initial Google Chat implementation. You can't offer multiple ways to log in, some unsecure, and call it secure.
« Last Edit: January 14, 2015, 05:25:27 am by 202Owner »
202Owner
Full Member
***
Posts: 104


« Reply #4 on: January 14, 2015, 05:24:08 am »

Quote from: giqcass
> To be on the safe side, use the following URL to log in.
> https://www.obitalk.com/obinet/login/
>
> EDIT: I examined the login code. I am not a security expert, but the login, even on the unencrypted pages, posts to a secure https address, so I believe they should be secure. You can use the URL above for peace of mind. Perhaps someone with more information will speak on this topic.
>
> So far as your Google credentials are concerned, Obihai no longer has access to them. Obihai only receives an access token now.

I can only assume that if the browser does not indicate a secure connection, then the connection is not secured.  And the portal traffic is not secured.

Thanks for looking at it!
WelshPaul
OBi Phone Beta Tester
***
Posts: 405



« Reply #5 on: January 17, 2015, 07:28:20 am »

I have not looked into Obihai's use of https a whole lot, but from what I have seen so far it appears Obihai posts from http to https and, once completed, returns back to http. This is usually done to reduce server load; https uses more resources. It is secure; however, it doesn't protect you from any man-in-the-middle attacks, as explained here: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

If you're worried, log in via this link: https://www.obitalk.com/obinet/action/login

Once logged in to your OBiTALK account, just click on the URL and manually change http to https; that way you're working over https permanently.
« Last Edit: January 17, 2015, 07:45:28 am by WelshPaul »
