PDA

View Full Version : TWINSPIRES still clueless


rsetup
03-17-2017, 01:35 PM
Guess the tech gurus at TwinSpires didn't learn much when they were hacked a few years ago. It seems that their login is INSECURE and they don't have a an available secure page (https:// prefix) option. Too much work for them, I suppose. :rolleyes:

Way to go :ThmbUp:

Parkview_Pirate
03-17-2017, 05:03 PM
Having the same issue, and at Xpressbet, and even at this site - PaceAdvantage. Tried accessing from my desktop and through the hotspot on my phone - same issue with certain sites.

Not sure what it is, but it's not just Twinspires.

098poi
03-17-2017, 05:34 PM
I noticed this recently with Firefox on my home computer. A lot of sites I normally go to get flagged as not secure.

Parkview_Pirate
03-17-2017, 06:07 PM
I'm seeing it with Chrome and Firefox - on many, many sites. This just started today. It's as if there's been a mass expiration of security certificates, or some other lookup issue via DNS is indicating to the browser that not all is kosher.

What's weird is that many sites indicate an insecure connection, even when a login is not being used - and Bloomberg.com has been secure, than insecure, and then secure again with repeated visits.

Certainly won't be logging into any financial accounts, including ADWs, until this gets resolved....

Fortunately, my session into horsetourneys.com was secure so I could get some picks in today - but since DRF.com, Twinspires, and Xpressbet are all insecure, I can't watch the races.....:pout:

Parkview_Pirate
03-17-2017, 08:23 PM
I opened tickets with Twinspires and Xpressbet on this issue. Xpressbet quickly responded, indicating the issue was known and is being worked - but that it affects the general site only. Once logged in, the account and wagering info is secure. I went ahead and logged in, and indeed the web site is then appearing as normal - secure.

They recommend changing your password on a weekly basis until the issue is resolved. I suspect we'll find out more about the root cause of this problem, since it's affected SO MANY sites.

Still no response from Twinspires, which is the experience I've had in the past - slower and not as detailed as TVG or Xpressbet when issues are encountered, but no major gripes.

rsetup
03-17-2017, 10:41 PM
I opened tickets with Twinspires and Xpressbet on this issue. Xpressbet quickly responded, indicating the issue was known and is being worked - but that it affects the general site only. Once logged in, the account and wagering info is secure. I went ahead and logged in, and indeed the web site is then appearing as normal - secure.

They recommend changing your password on a weekly basis until the issue is resolved. I suspect we'll find out more about the root cause of this problem, since it's affected SO MANY sites.

Still no response from Twinspires, which is the experience I've had in the past - slower and not as detailed as TVG or Xpressbet when issues are encountered, but no major gripes.

They're misinformed:

"Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a userís password. Network eavesdroppers could steal a user's password by sniffing the network, or by modifying the served page in transit. This page details the security mechanisms Firefox has put in place to warn users and developers of such risks.
The HTTPS (https://en.wikipedia.org/wiki/HTTP_Secure) protocol is designed to protect user data from eavesdropping (confidentiality) and from modification (integrity) on the network. Websites that handle user data should use HTTPS to protect their users from attackers. If a website uses HTTP instead of HTTPS, it is trivial to steal user information (such as their login credentials). This was famously demonstrated by Firesheep (https://codebutler.github.io/firesheep/). "


Doesn't matter how secure the site is AFTER your password has been sniffed. It's already too late for you.

Parkview_Pirate
03-18-2017, 12:16 AM
They're misinformed:

"Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a userís password. Network eavesdroppers could steal a user's password by sniffing the network, or by modifying the served page in transit. This page details the security mechanisms Firefox has put in place to warn users and developers of such risks.
The HTTPS (https://en.wikipedia.org/wiki/HTTP_Secure) protocol is designed to protect user data from eavesdropping (confidentiality) and from modification (integrity) on the network. Websites that handle user data should use HTTPS to protect their users from attackers. If a website uses HTTP instead of HTTPS, it is trivial to steal user information (such as their login credentials). This was famously demonstrated by Firesheep (https://codebutler.github.io/firesheep/). "


Doesn't matter how secure the site is AFTER your password has been sniffed. It's already too late for you.

Won't argue that it's easy to swipe passwords from an insecure connection - but it still requires someone to be actively sniffing the billions of packets rolling through, especially if the root cause of this problem is as widespread as I think it is. Lower risk via hardwired home connection as well, versus using the free wireless at Starbucks.

One potential workaround would be to log in, change your password when connected via the secure connection, and repeat every time you go on the web site. A PITA, but worth the risk perhaps if you want to bet. Since there's limited personal information on these accounts (no SSN), it's not that big of deal to me anyway.

The other option is to wait until all these web sites get their ducks in a row. My bank, credit union, trading accounts, Amazon, and now Bloomberg again - all appear to be okay. Ebay isn't, but I don't use it anyway.

BTW - a correction from my earlier post. It was Twinspires that responded to me, shortly after I opened a ticket with Xpressbet. Xpressbet also got back to me, after about two hours, and informed me their web site is secure (huh?) and to contact support if the problem persists....

PaceAdvantage
03-18-2017, 01:13 AM
I don't see this website (PaceAdvantage.com) moving to https anytime soon. It's a major pain in the ass.

And since this website doesn't deal in any financial transactions with members, I don't really view it as necessary.

For those who are still concerned about this, I recommend that if you are using a password on here that you also use elsewhere, you change your password on here to something you do not use on any other website.

Parkview_Pirate
03-18-2017, 01:19 AM
Poking around some more, this issue seems very browser dependent, and the version of the browser is critical.

https://www.wordfence.com/blog/2017/01/chrome-56-ssl-https-wordpress/

https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861

Versions 56 of Chrome and 52 of Firefox are flagging sites not providing a SSL connection - which may very well mean that these sites have been "insecure" for a long time. Not sure if it's a real concern, or more cosmetic in nature.

What is concerning that when browsing to Twinspires on my Blackberry phone's browser, or via Edge on my Windows 10 virtual machine, there is NO indication of any problem. Since many sites are working properly, it does seem the onus to rectify the problem lies on the web server/site side....

no breathalyzer
03-18-2017, 09:34 AM
scumbags just charged me $3 bucks for ''free pp's'' why?:rant:

they other 6 tracks didn't charge me for... guess they thought i wouldn't notice

headhawg
03-18-2017, 10:35 AM
Poking around some more, this issue seems very browser dependent, and the version of the browser is critical.I am not entirely sure of your point. Yes, Firefox v52 now gives more obvious (cosmetic) indicators on the login/password fields that a connection is not secure. But there have always been indicators (lock icons, for example) showing a secure connection. If in doubt, just look in the address bar for https.

There's an addon for Firefox called HTTPS Everywhere which attempts to force a secure connection, if available. And therein lies the rub -- there has to be one available. For example, you cannot make a connection to the home page of the Bris site unless HTTPS Everywhere is disabled. The login page is secured, however, and the addon works fine.

A bigger issue would be if SSL gets compromised; then everyone would need to use a different secure protocol.

Parkview_Pirate
03-18-2017, 01:33 PM
I am not entirely sure of your point. Yes, Firefox v52 now gives more obvious (cosmetic) indicators on the login/password fields that a connection is not secure. But there have always been indicators (lock icons, for example) showing a secure connection. If in doubt, just look in the address bar for https.

The point I was trying to make is that the "sudden" change is due to the browser, and not something else. For me, it appears that version 56 of Chrome was the trigger, which came out at the end of January, but didn't work it's way through the update system until this Thursday (for me, running Linux Mint).

The other point I was trying to make is that not all browsers are showing the "problem", per se. I was surprised to see that Edge on W10 doesn't indicate a warning. But then again, that's Microsoft.

PA has some solid advice - just make sure your password is unique to the site. And Twinspires offered up the idea of a regular schedule of change in passwords until they get HTTPS implemented. Seems much of the horse racing world is affected, with DRF, PA, BRIS, HDW, Twinspires and Xpressbet not "secure". TVG's initial connection does appear to be secure.

Parkview_Pirate
03-18-2017, 01:40 PM
scumbags just charged me $3 bucks for ''free pp's'' why?:rant:

they other 6 tracks didn't charge me for... guess they thought i wouldn't notice

Review your wagers for that day. The first guess is that you made a wager at six out of seven of the tracks for which you downloaded the PPs. And if the track canceled after 4 races, and you hadn't made a bet at that track yet, you would still be charged.

This has happened to me a few times when I've downloaded 3 or 4 (or more) tracks' PPs for the day. Sometimes you don't find a race to play at a particular track, and/or forget to put a token wager out there to cover the cost of the PPs....

tanner12oz
03-19-2017, 02:56 PM
i got a weird screen yesterday on TS regarding clearing out my cookies...I just turned off and back on and it worked

molson721
03-19-2017, 04:22 PM
I contacted them about his issue and they said they were aware of it and it wouldn't impact their service. CLUELESS :confused:
I guess having parts of the site secure after you log in is enough security in their minds. I think they hire junior college flunkies to run tech support.
I need a 100% secure wagering service starting with my login! Suggestions so I can leave twinspires

rsetup
04-23-2017, 01:21 PM
As of today, https login.

Well done :ThmbUp:

Dahoss2002
04-24-2017, 03:40 AM
As of today, https login.

Well done :ThmbUp:

I noticed that too:headbanger:
Still lost though :lol:

toddbowker
04-24-2017, 01:20 PM
I can't speak for TS as I don't have any insight into how their systems are built, but this very question did come up back during my tenure at AmericaTab (if you look far enough back in the archives here, you'll probably find a thread about it).

At AmericaTab, although the affiliated website's (WinTicket, BrisBet etc) home pages were not secured by SSL, the underlying AmericaTab site was. When logging in, a users login information was sent by a POST command to a URL that started with "https://www.americatab.com". The browser would have to encrypt the information prior to sending it to the SSL secured URL.

So in layman's terms, you would not see the "lock" on the homepage, but the underlying login was actually encrypted.

It is a little more obvious to the customer now that Chrome and FF have made the changes in this area mentioned in an earlier post.