I’m used to seeing short-sighted responses on Twitter when it comes to security, but admittedly this one took me by surprise:
This was from a vBulletin “Tech Support Guy” as part of a thread about the security profile of the website MMO Champion, a World of Warcraft discussion site. This is a site that allows you to register with a username and password, store your date of birth (and hide it from public view), communicate privately with other registered users via the messaging system and of course being a vBulletin site, partake in the usual public forum activities.
For this particular site, naturally there’s a lot of discussion about gaming. There’s the general banter of raids and dungeons and druids which you’d expect, but of course there’s also the reputation participants gain through thousands and even tens of thousands of posts to the forum. They engage in all the usual interactions you’d expect from a site of this nature and clearly many people have invested a lot in their online personas there.
Then there are also the discussions such as how to tell your mum that you’re a teenager dating a 30 year old. Now clearly that’s a public forum, but one would speculate that the sorts of private discussions that would then lead to may be rather sensitive in nature. Indeed that’s the entire purpose of a private messaging facility – to take a discussion off the public timeline and be afforded some privacy. Or so you’d think.
Getting back to Zach’s message, the problem is that this particular website hasn’t elected to use SSL. Anywhere. This, of course, poses a serious privacy risk for all the reasons I’ve written about many, many times before. We also know from many previous incidents that a lack of SSL can make it dead easy to gain access to someone else’s credentials during login or their authentication token during, well, basically any authenticated activity on the website. It’s not just the NSA or the ISPs or the public wifi at the coffee shops, it’s things like the Wifi Pineapple as well. If you had any doubt whatsoever about how easy hijacking unencrypted traffic can be, read The beginners guide to breaking website security with nothing more than a Pineapple. Regardless, the debate about “should we or shouldn’t we” when it comes to SSL on websites handling credentials is well and truly over.
But it all begs the question – who’d actually want to hijack someone’s account?
The flaw in this thinking is that Zach is looking for motive – what is there of value to an attacker on MMOC? The value, of course, is simply that it’s there and we should never underestimate the value of opportunisim. But it’s more than just that and clearly when people use an online service, they have an expectation of privacy. I’d expect that from day one, let alone after many years of usage and countless hours on the site. Something like this is exactly what I wouldn’t want to see happen:
If I was a user of that site and had invested the amount of time that clearly many people have in building their online personas and engaging with the community, I wouldn’t see it as particularly funny if someone hijacked my account and started posting under my identity. I doubt most other users of the site would either.
But as a user of MMOC, should you care about privacy? I mean what have you got to hide, right? There’s an excellent TED talk by Mikko Hypponen titled How the NSA betrayed the world's trust that touches on this. I’m particularly fond of this statement:
Whoever tells you that they have nothing to hide simply hasn’t thought about this long enough. Because we have this thing called privacy and if you really think that you have nothing to hide, please make sure that’s the first thing you tell me because then I know that I should not trust you with any secrets because obviously you can’t keep a secret.
The message seems to be that MMOC’s implementation should not be trusted to keep a secret and that it really wouldn’t be a big deal if they couldn’t, it would just result in “some funny posts”. Maybe.
What makes this whole situation all the more bizarre is that this isn’t vBulletin’s site per se, it’s “chaud’s”:
I don’t know what’s weirder – that chaud blames vBulletin for the forum not using SSL or that vBulletin tech support is making assertions about the privacy requirements of one particular implementation of their software! I got so confused about the whole thing that I asked for clarification:
And that’s when everything went really, really quiet. Which is probably for the best, but it remains a very confusing, very odd series of interactions that frankly has me more than a little suspicious of vBulletin’s understanding of fundamental web security concepts not to mention users’ expectations of privacy. Who knows, maybe it’s just a rogue public voice, but until told otherwise, that seems to be their view.
As Mikko concludes in that video, frankly, what people are doing on this site is none of anyone else’s business and they should be afforded the privacy that one would expect.