Browsing other sites while logged in

Talk about internet security, computer security, personal security, your social security number...
Post Reply
barbaz
Senior Member
Posts: 9323
Joined: Sat Aug 03, 2013 5:45 pm

Browsing other sites while logged in

Post by barbaz » Sat Sep 21, 2013 4:28 pm

How safe is it to browse other websites in the same browser while logged in to this forum? Would this allow those websites to steal my password or use my authentication to pose as me?

Currently I use a VM to keep the browser instances separate, but is that necessary?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0

User avatar
Giorgio Maone
Site Admin
Posts: 8771
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Browsing other sites while logged in

Post by Giorgio Maone » Sat Sep 21, 2013 8:38 pm

barbaz wrote:How safe is it to browse other websites in the same browser while logged in to this forum? Would this allow those websites to steal my password or use my authentication to pose as me?
Currently I use a VM to keep the browser instances separate, but is that necessary?

No and no.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

barbaz
Senior Member
Posts: 9323
Joined: Sat Aug 03, 2013 5:45 pm

Re: Browsing other sites while logged in

Post by barbaz » Sat Sep 21, 2013 8:46 pm

Awesome, thanks for telling me.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Browsing other sites while logged in

Post by Thrawn » Sun Sep 22, 2013 9:50 pm

A slightly longer answer: In general, if you stay logged into one site while browsing around other sites, then yes, those other sites might be able to use your authentication to pose as you.

However, there are ways for the logged-in site to defend itself against this, and you can be sure that Giorgio uses them :).
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0

barbaz
Senior Member
Posts: 9323
Joined: Sat Aug 03, 2013 5:45 pm

Re: Browsing other sites while logged in

Post by barbaz » Mon Sep 23, 2013 2:24 am

Thrawn wrote:A slightly longer answer: In general, if you stay logged into one site while browsing around other sites, then yes, those other sites might be able to use your authentication to pose as you.

However, there are ways for the logged-in site to defend itself against this, and you can be sure that Giorgio uses them :).


So it's not up to NoScript to defend against this? With the authentication in an unencrypted connection, what's stopping the other sites I'm browsing from sniffing the traffic and/or cookies and then using that information?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21

User avatar
Giorgio Maone
Site Admin
Posts: 8771
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Browsing other sites while logged in

Post by Giorgio Maone » Mon Sep 23, 2013 7:03 am

barbaz wrote:With the authentication in an unencrypted connection, what's stopping the other sites I'm browsing from sniffing the traffic and/or cookies and then using that information?

Unencrypted connections don't allow "other sites" to sniff anything. Web sites can't "sniff" each other traffic, no matter if it's encrypted or unencrypted.
Other sites can steal credentials or impersonate you by using web application level attacks, such as XSS or CSRF, which -- if the web site is affected and/or you're not protected by NoScript -- work independently from encryption (HTTPS won't save you from session riding or a XSS attack).

HTTPS/encryption prevents your traffic from being sniffed by other parties on public networks, or by your ISP if interested.
Hence sound advices, if you value your credentials in forums like these, are never use them on a public Wi-Fi spot and always use unique passwords (don't recycle across sites). The latter advice, of course, is valid in any case for any web site, because your password can be stolen in its stored form if the website's database gets compromised (even if it's stored encrypted like it should, it's usually just matter of time for an offline attacker), or a site operator can intercept it on the fly by backdooring the login form.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

barbaz
Senior Member
Posts: 9323
Joined: Sat Aug 03, 2013 5:45 pm

Re: Browsing other sites while logged in

Post by barbaz » Mon Sep 23, 2013 4:27 pm

If it requires an attack scenario to steal my password/authentication, and since I always log in here with a browser running NoScript... I guess I'm safe then as long as I only log in from networks I know and trust that don't use unencrypted Wi-Fi.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21

Post Reply