
Browsing other sites while logged in

Posted: Sat Sep 21, 2013 4:28 pm
by barbaz
How safe is it to browse other websites in the same browser while logged in to this forum? Would this allow those websites to steal my password or use my authentication to pose as me?

Currently I use a VM to keep the browser instances separate, but is that necessary?

Re: Browsing other sites while logged in

Posted: Sat Sep 21, 2013 8:38 pm
by Giorgio Maone
barbaz wrote: How safe is it to browse other websites in the same browser while logged in to this forum? Would this allow those websites to steal my password or use my authentication to pose as me?
Currently I use a VM to keep the browser instances separate, but is that necessary?
No and no.

Re: Browsing other sites while logged in

Posted: Sat Sep 21, 2013 8:46 pm
by barbaz
Awesome, thanks for telling me.

Re: Browsing other sites while logged in

Posted: Sun Sep 22, 2013 9:50 pm
by Thrawn
A slightly longer answer: In general, if you stay logged into one site while browsing around other sites, then yes, those other sites might be able to use your authentication to pose as you.

However, there are ways for the logged-in site to defend itself against this, and you can be sure that Giorgio uses them :).

Re: Browsing other sites while logged in

Posted: Mon Sep 23, 2013 2:24 am
by barbaz
Thrawn wrote: A slightly longer answer: In general, if you stay logged into one site while browsing around other sites, then yes, those other sites might be able to use your authentication to pose as you.

However, there are ways for the logged-in site to defend itself against this, and you can be sure that Giorgio uses them :).
So it's not up to NoScript to defend against this? With the authentication in an unencrypted connection, what's stopping the other sites I'm browsing from sniffing the traffic and/or cookies and then using that information?

Re: Browsing other sites while logged in

Posted: Mon Sep 23, 2013 7:03 am
by Giorgio Maone
barbaz wrote: With the authentication in an unencrypted connection, what's stopping the other sites I'm browsing from sniffing the traffic and/or cookies and then using that information?
Unencrypted connections don't allow "other sites" to sniff anything. Web sites can't "sniff" each other's traffic, no matter if it's encrypted or unencrypted.
Other sites can steal credentials or impersonate you by using web application level attacks, such as XSS or CSRF, which -- if the web site is affected and/or you're not protected by NoScript -- work independently from encryption (HTTPS won't save you from session riding or an XSS attack).

HTTPS/encryption prevents your traffic from being sniffed by other parties on public networks, or by your ISP if interested.
Hence sound advice, if you value your credentials in forums like these, is to never use them on a public Wi-Fi spot and to always use unique passwords (don't recycle across sites). The latter advice, of course, is valid in any case for any web site, because your password can be stolen in its stored form if the website's database gets compromised (even if it's stored encrypted like it should be, it's usually just a matter of time for an offline attacker), or a site operator can intercept it on the fly by backdooring the login form.
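
Added example, not part of the posts above and not this forum's own code: a small Python model of the point made in this thread that a session cookie accompanies any request the browser sends, over HTTP or HTTPS alike, and that a per-session token checked by the logged-in site is one way it can defend itself against session riding. The handler names, request dictionaries and session id are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # site secret, constructed for this example

def issue_csrf_token(session_id):
    """Token tied to one session; the site embeds it in the forms it serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_post_cookie_only(sessions, request):
    """Trusts the session cookie alone, which the browser attaches to every request."""
    user = sessions.get(request["cookies"].get("sid"))
    return f"posted as {user}" if user else "rejected: not logged in"

def handle_post_with_token(sessions, request):
    """Also requires the per-session token, which another site's page cannot read."""
    sid = request["cookies"].get("sid")
    user = sessions.get(sid)
    if user is None:
        return "rejected: not logged in"
    supplied = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(sid)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "rejected: missing or wrong token"
    return f"posted as {user}"

def demo():
    sessions = {"sid-1234": "barbaz"}  # constructed session store
    results = {}
    for scheme in ("http", "https"):  # encryption does not change the outcome
        base = {"scheme": scheme, "cookies": {"sid": "sid-1234"}}
        # Form served by the forum itself: carries the token.
        own = dict(base, form={"message": "hi", "csrf_token": issue_csrf_token("sid-1234")})
        # Request triggered from another site: cookie is attached, token is absent.
        cross = dict(base, form={"message": "not mine"})
        results[scheme] = {
            "cookie_only_cross": handle_post_cookie_only(sessions, cross),
            "token_cross": handle_post_with_token(sessions, cross),
            "token_own": handle_post_with_token(sessions, own),
        }
    return results

if __name__ == "__main__":
    for scheme, outcome in demo().items():
        print(scheme, outcome)
```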

Re: Browsing other sites while logged in

Posted: Mon Sep 23, 2013 4:27 pm
by barbaz
If it requires an attack scenario to steal my password/authentication, and since I always log in here with a browser running NoScript... I guess I'm safe then as long as I only log in from networks I know and trust that don't use unencrypted Wi-Fi.