-
Welcome back Guest! Did you know you can mentor other members here at H-M? If not, please check out our Relaunch of Hobby Machinist Mentoring Program!
Resolved Bitdefender Login Problem
- Thread starter bbobh
- Start date
- Joined
- Jun 29, 2014
- Messages
- 4,059
Take a close look at your url...it is www.hobby....login/login.
I'm not sure where that link is coming from but I'm quite certain that is not our login url. Anytime you see a warning like this you shoul heed the advice and "go back to safety" because you may have been the victim of a phishing attempt.
My recommendation is to go into your account page and reset you password, just to be on the safe side. For what it is worth, I'm not seeing anything weird on the admin side associated with your account.
I'm not sure where that link is coming from but I'm quite certain that is not our login url. Anytime you see a warning like this you shoul heed the advice and "go back to safety" because you may have been the victim of a phishing attempt.
My recommendation is to go into your account page and reset you password, just to be on the safe side. For what it is worth, I'm not seeing anything weird on the admin side associated with your account.
Thank you for your reply.
While this occurrence could have been something like phishing, I had the feeling that there was more going on here so did some sleuthing and research this morning. While I am sure that you are well aware of what is summarized following, it may be helpful to those HM users with less technical background.
Some background:
- I am not a web expert nor an IT guy so my apologies if I get something very wrong.
- In the early days of web browsing, all connections were http://www. In technical terms, this connection utilizes hyper text transport protocol to access a web site. http: connections are open, in that they are unencrypted and a person with enough technical savvy could watch what was being sent and received.
- As web technology developed, the need/desire for online payment and use of other confidential records became obvious. To make this web usage more secure, the use of https:// was introduced where the s stood for secure. A secure socket layer or SSL encrypts the data such that it is much more difficult to intercept. In general, for several years web sites used http: and banks and other confidential sites used https://.
- In recent years the usage of https: has become more common as it provides a more secure web browsing experience. Web sites purchase a security certificate that allows them to move to https:// as the default. Most websites appear to still offer functionality in both normal and secure mode.
- I use Microsoft Edge day to day and for several years have had HM stored as a favorite.
- To start HM I type hobb in the address bar. My browser finds this address in my Favorites and suggests it to me as I type. By selecting this address I avoid typing the rest of the URL.
- In reviewing the Xenforo forum this morning (HM is based on Xenforo) it appears that this forum engine has at some point evolved to use of https://.
- As web browsers evolve, it appears that at least some are allowing default to the https:// even when the user attempts to access the older http://
- I tested both Edge and Chrome and determined that they both allow use of http:// and are configurable for default to https://
- The HM implementation of Xenforo appears to allow both http:// and https://. In the first case one does not get the secure site notification in the address bar. In the second case the lock symbol appears next to the HM URL.
- At some point Bitdefender started alarming password entry on http:// where the password is obviously transmitted unencrypted.
- My iOS devices all point to the secure URL so suspect that they auto direct.
What I think happened in my case:
- When I got the Bitdefender warning that day a month or so ago, it is clear that Edge pointed to the unsecured http://www.hobby-machinist.com. Looking at the screen shot above, Edge actually indicates to the left of the URL that it is not secure.
- Realizing that Edge Favorites was actually inserting the requested URL I looked at the URL stored in favorites and found that it was the insecure http:// version.
The fix: (I hope)
- I edited the Favorites HM entry to reflect the https:// URL and tested to be sure that typing only hobb would result in the secure URL. It did.
- I tested login using the secure URL and got no alarm from Bitdefender.
Next steps - I need to go through all of my favorites and update the URLs where necessary or I suspect I will begin to get security alarms from all sites transitioning to secure connections.
I hope this update to my issue may be helpful to others. If I have any of this wrong I would greatly appreciate a course correction.
Respectfully,
Bob
While this occurrence could have been something like phishing, I had the feeling that there was more going on here so did some sleuthing and research this morning. While I am sure that you are well aware of what is summarized following, it may be helpful to those HM users with less technical background.
Some background:
- I am not a web expert nor an IT guy so my apologies if I get something very wrong.
- In the early days of web browsing, all connections were http://www. In technical terms, this connection utilizes hyper text transport protocol to access a web site. http: connections are open, in that they are unencrypted and a person with enough technical savvy could watch what was being sent and received.
- As web technology developed, the need/desire for online payment and use of other confidential records became obvious. To make this web usage more secure, the use of https:// was introduced where the s stood for secure. A secure socket layer or SSL encrypts the data such that it is much more difficult to intercept. In general, for several years web sites used http: and banks and other confidential sites used https://.
- In recent years the usage of https: has become more common as it provides a more secure web browsing experience. Web sites purchase a security certificate that allows them to move to https:// as the default. Most websites appear to still offer functionality in both normal and secure mode.
- I use Microsoft Edge day to day and for several years have had HM stored as a favorite.
- To start HM I type hobb in the address bar. My browser finds this address in my Favorites and suggests it to me as I type. By selecting this address I avoid typing the rest of the URL.
- In reviewing the Xenforo forum this morning (HM is based on Xenforo) it appears that this forum engine has at some point evolved to use of https://.
- As web browsers evolve, it appears that at least some are allowing default to the https:// even when the user attempts to access the older http://
- I tested both Edge and Chrome and determined that they both allow use of http:// and are configurable for default to https://
- The HM implementation of Xenforo appears to allow both http:// and https://. In the first case one does not get the secure site notification in the address bar. In the second case the lock symbol appears next to the HM URL.
- At some point Bitdefender started alarming password entry on http:// where the password is obviously transmitted unencrypted.
- My iOS devices all point to the secure URL so suspect that they auto direct.
What I think happened in my case:
- When I got the Bitdefender warning that day a month or so ago, it is clear that Edge pointed to the unsecured http://www.hobby-machinist.com. Looking at the screen shot above, Edge actually indicates to the left of the URL that it is not secure.
- Realizing that Edge Favorites was actually inserting the requested URL I looked at the URL stored in favorites and found that it was the insecure http:// version.
The fix: (I hope)
- I edited the Favorites HM entry to reflect the https:// URL and tested to be sure that typing only hobb would result in the secure URL. It did.
- I tested login using the secure URL and got no alarm from Bitdefender.
Next steps - I need to go through all of my favorites and update the URLs where necessary or I suspect I will begin to get security alarms from all sites transitioning to secure connections.
I hope this update to my issue may be helpful to others. If I have any of this wrong I would greatly appreciate a course correction.
Respectfully,
Bob