Horse Racing Forum - PaceAdvantage.Com - Horse Racing Message Board

Old 03-17-2017, 12:35 PM   #1
rsetup
Veteran
 
Join Date: Aug 2016
Posts: 1,037
TWINSPIRES still clueless

Guess the tech gurus at TwinSpires didn't learn much when they were hacked a few years ago. It seems that their login is INSECURE and they don't have an available secure page (https:// prefix) option. Too much work for them, I suppose.

Way to go
Old 03-17-2017, 04:03 PM   #2
Parkview_Pirate
Registered User
 
Join Date: Jan 2015
Posts: 1,955
Having the same issue, and at Xpressbet, and even at this site - PaceAdvantage. Tried accessing from my desktop and through the hotspot on my phone - same issue with certain sites.

Not sure what it is, but it's not just Twinspires.
Old 03-17-2017, 04:34 PM   #3
098poi
Registered User
 
Join Date: Jul 2006
Posts: 5,594
I noticed this recently with Firefox on my home computer. A lot of sites I normally go to get flagged as not secure.
Old 03-17-2017, 05:07 PM   #4
Parkview_Pirate
Registered User
 
Join Date: Jan 2015
Posts: 1,955
I'm seeing it with Chrome and Firefox - on many, many sites. This just started today. It's as if there's been a mass expiration of security certificates, or some other lookup issue via DNS is indicating to the browser that not all is kosher.

What's weird is that many sites indicate an insecure connection, even when a login is not being used - and Bloomberg.com has been secure, then insecure, and then secure again with repeated visits.

Certainly won't be logging into any financial accounts, including ADWs, until this gets resolved....

Fortunately, my session into horsetourneys.com was secure so I could get some picks in today - but since DRF.com, Twinspires, and Xpressbet are all insecure, I can't watch the races.....
Old 03-17-2017, 07:23 PM   #5
Parkview_Pirate
Registered User
 
Join Date: Jan 2015
Posts: 1,955
I opened tickets with Twinspires and Xpressbet on this issue. Xpressbet quickly responded, indicating the issue was known and is being worked - but that it affects the general site only. Once logged in, the account and wagering info is secure. I went ahead and logged in, and indeed the web site is then appearing as normal - secure.

They recommend changing your password on a weekly basis until the issue is resolved. I suspect we'll find out more about the root cause of this problem, since it's affected SO MANY sites.

Still no response from Twinspires, which is the experience I've had in the past - slower and not as detailed as TVG or Xpressbet when issues are encountered, but no major gripes.
Old 03-17-2017, 09:41 PM   #6
rsetup
Veteran
 
Join Date: Aug 2016
Posts: 1,037
Quote:
Originally Posted by Parkview_Pirate View Post
I opened tickets with Twinspires and Xpressbet on this issue. Xpressbet quickly responded, indicating the issue was known and is being worked - but that it affects the general site only. Once logged in, the account and wagering info is secure. I went ahead and logged in, and indeed the web site is then appearing as normal - secure.

They recommend changing your password on a weekly basis until the issue is resolved. I suspect we'll find out more about the root cause of this problem, since it's affected SO MANY sites.

Still no response from Twinspires, which is the experience I've had in the past - slower and not as detailed as TVG or Xpressbet when issues are encountered, but no major gripes.

They're misinformed:

"Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a user’s password. Network eavesdroppers could steal a user's password by sniffing the network, or by modifying the served page in transit. This page details the security mechanisms Firefox has put in place to warn users and developers of such risks.
The HTTPS protocol is designed to protect user data from eavesdropping (confidentiality) and from modification (integrity) on the network. Websites that handle user data should use HTTPS to protect their users from attackers. If a website uses HTTP instead of HTTPS, it is trivial to steal user information (such as their login credentials). This was famously demonstrated by Firesheep. "


Doesn't matter how secure the site is AFTER your password has been sniffed. It's already too late for you.
rsetup is offline   Reply With Quote Reply
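Added example (not part of any forum post, and not any site's or browser's actual code): a small JavaScript check that applies the distinction drawn in the quoted Mozilla text above, flagging a login form when the page carrying it arrives over HTTP (so it can be modified in transit) or when its action would send the password over HTTP. The host adw.example, the sample markup and the function names are constructed for illustration.

```javascript
// Added example: flag login forms exposed by plain HTTP, per the quoted Mozilla text.
// Regex extraction is a simplification that assumes well-formed HTML like the samples.
function auditLoginForms(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    // Only forms containing a password field matter here.
    if (!/<input\b[^>]*type\s*=\s*["']?password\b/i.test(body)) continue;
    const a = /(?:^|\s)action\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const rawAction = a ? (a[1] ?? a[2] ?? a[3]) : "";
    // A missing, empty or relative action resolves against the page URL.
    const action = new URL(rawAction || pageUrl, page);
    const issues = [];
    // The page itself arrived unprotected, so it could be altered in transit.
    if (page.protocol !== "https:") issues.push("form-served-over-http");
    // The password would cross the network in cleartext.
    if (action.protocol !== "https:") issues.push("password-submitted-over-http");
    findings.push({ action: action.href, issues, secure: issues.length === 0 });
  }
  return findings;
}

// Constructed sample pages (adw.example is a placeholder host, not a real site).
const FIELDS = '<input type="text" name="user"><input type="password" name="pw">';
const SAMPLES = {
  httpPageHttpsAction: ["http://adw.example/", `<form action="https://adw.example/login">${FIELDS}</form>`],
  httpPageRelativeAction: ["http://adw.example/", `<form action="/login">${FIELDS}</form>`],
  httpsPageRelativeAction: ["https://adw.example/", `<form action="/login">${FIELDS}</form>`],
  searchOnly: ["http://adw.example/", '<form action="/search"><input type="text" name="q"></form>'],
};

// Run every constructed sample through the audit and return the findings by name.
function auditSamples() {
  const out = {};
  for (const [name, [url, html]] of Object.entries(SAMPLES)) out[name] = auditLoginForms(url, html);
  return out;
}

for (const [name, findings] of Object.entries(auditSamples())) {
  console.log(name, JSON.stringify(findings));
}
```

The first sample is the case described in the thread, an HTTP landing page whose form posts to an HTTPS endpoint: it is still reported as not secure because the form itself was delivered without integrity protection.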
Old 03-17-2017, 11:16 PM   #7
Parkview_Pirate
Registered User
 
Join Date: Jan 2015
Posts: 1,955
Quote:
Originally Posted by rsetup View Post
They're misinformed:

"Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a user’s password. Network eavesdroppers could steal a user's password by sniffing the network, or by modifying the served page in transit. This page details the security mechanisms Firefox has put in place to warn users and developers of such risks.
The HTTPS protocol is designed to protect user data from eavesdropping (confidentiality) and from modification (integrity) on the network. Websites that handle user data should use HTTPS to protect their users from attackers. If a website uses HTTP instead of HTTPS, it is trivial to steal user information (such as their login credentials). This was famously demonstrated by Firesheep. "


Doesn't matter how secure the site is AFTER your password has been sniffed. It's already too late for you.

Won't argue that it's easy to swipe passwords from an insecure connection - but it still requires someone to be actively sniffing the billions of packets rolling through, especially if the root cause of this problem is as widespread as I think it is. Lower risk via hardwired home connection as well, versus using the free wireless at Starbucks.

One potential workaround would be to log in, change your password when connected via the secure connection, and repeat every time you go on the web site. A PITA, but worth the risk perhaps if you want to bet. Since there's limited personal information on these accounts (no SSN), it's not that big of a deal to me anyway.

The other option is to wait until all these web sites get their ducks in a row. My bank, credit union, trading accounts, Amazon, and now Bloomberg again - all appear to be okay. Ebay isn't, but I don't use it anyway.

BTW - a correction from my earlier post. It was Twinspires that responded to me, shortly after I opened a ticket with Xpressbet. Xpressbet also got back to me, after about two hours, and informed me their web site is secure (huh?) and to contact support if the problem persists....
Old 03-18-2017, 12:13 AM   #8
PaceAdvantage
PA Steward
 
Join Date: Mar 2001
Location: Del Boca Vista
Posts: 88,533
I don't see this website (PaceAdvantage.com) moving to https anytime soon. It's a major pain in the ass.

And since this website doesn't deal in any financial transactions with members, I don't really view it as necessary.

For those who are still concerned about this, I recommend that if you are using a password on here that you also use elsewhere, you change your password on here to something you do not use on any other website.
Old 03-18-2017, 12:19 AM   #9
Parkview_Pirate
Registered User
 
Join Date: Jan 2015
Posts: 1,955
Poking around some more, this issue seems very browser dependent, and the version of the browser is critical.

https://www.wordfence.com/blog/2017/...tps-wordpress/

https://support.mozilla.org/t5/Prote...fox/ta-p/27861

Versions 56 of Chrome and 52 of Firefox are flagging sites not providing an SSL connection - which may very well mean that these sites have been "insecure" for a long time. Not sure if it's a real concern, or more cosmetic in nature.

What is concerning is that when browsing to Twinspires on my Blackberry phone's browser, or via Edge on my Windows 10 virtual machine, there is NO indication of any problem. Since many sites are working properly, it does seem the onus to rectify the problem lies on the web server/site side....
Old 03-18-2017, 08:34 AM   #10
no breathalyzer
Veteran
 
Join Date: Sep 2014
Posts: 2,053
scumbags just charged me $3 bucks for ''free pp's'' why?

the other 6 tracks didn't charge me for... guess they thought i wouldn't notice

Last edited by no breathalyzer; 03-18-2017 at 08:35 AM.
Old 03-18-2017, 09:35 AM   #11
headhawg
crusty old guy
 
Join Date: Aug 2003
Location: Snarkytown USA
Posts: 3,914
Quote:
Originally Posted by Parkview_Pirate View Post
Poking around some more, this issue seems very browser dependent, and the version of the browser is critical.

I am not entirely sure of your point. Yes, Firefox v52 now gives more obvious (cosmetic) indicators on the login/password fields that a connection is not secure. But there have always been indicators (lock icons, for example) showing a secure connection. If in doubt, just look in the address bar for https.

There's an addon for Firefox called HTTPS Everywhere which attempts to force a secure connection, if available. And therein lies the rub -- there has to be one available. For example, you cannot make a connection to the home page of the Bris site unless HTTPS Everywhere is disabled. The login page is secured, however, and the addon works fine.

A bigger issue would be if SSL gets compromised; then everyone would need to use a different secure protocol.
Old 03-18-2017, 12:33 PM   #12
Parkview_Pirate
Registered User
 
Join Date: Jan 2015
Posts: 1,955
Quote:
Originally Posted by headhawg View Post
I am not entirely sure of your point. Yes, Firefox v52 now gives more obvious (cosmetic) indicators on the login/password fields that a connection is not secure. But there have always been indicators (lock icons, for example) showing a secure connection. If in doubt, just look in the address bar for https.

The point I was trying to make is that the "sudden" change is due to the browser, and not something else. For me, it appears that version 56 of Chrome was the trigger, which came out at the end of January, but didn't work its way through the update system until this Thursday (for me, running Linux Mint).

The other point I was trying to make is that not all browsers are showing the "problem", per se. I was surprised to see that Edge on W10 doesn't indicate a warning. But then again, that's Microsoft.

PA has some solid advice - just make sure your password is unique to the site. And Twinspires offered up the idea of a regular schedule of change in passwords until they get HTTPS implemented. Seems much of the horse racing world is affected, with DRF, PA, BRIS, HDW, Twinspires and Xpressbet not "secure". TVG's initial connection does appear to be secure.
Old 03-18-2017, 12:40 PM   #13
Parkview_Pirate
Registered User
 
Join Date: Jan 2015
Posts: 1,955
Quote:
Originally Posted by no breathalyzer View Post
scumbags just charged me $3 bucks for ''free pp's'' why?

the other 6 tracks didn't charge me for... guess they thought i wouldn't notice

Review your wagers for that day. The first guess is that you made a wager at six out of seven of the tracks for which you downloaded the PPs. And if the track canceled after 4 races, and you hadn't made a bet at that track yet, you would still be charged.

This has happened to me a few times when I've downloaded 3 or 4 (or more) tracks' PPs for the day. Sometimes you don't find a race to play at a particular track, and/or forget to put a token wager out there to cover the cost of the PPs....
Old 03-19-2017, 01:56 PM   #14
tanner12oz
Registered User
 
Join Date: Feb 2010
Posts: 1,458
i got a weird screen yesterday on TS regarding clearing out my cookies...I just turned off and back on and it worked
Old 03-19-2017, 03:22 PM   #15
molson721
Registered User
 
Join Date: Jun 2006
Location: Rhode Island
Posts: 146
Typical twinspires response

I contacted them about this issue and they said they were aware of it and it wouldn't impact their service. CLUELESS
I guess having parts of the site secure after you log in is enough security in their minds. I think they hire junior college flunkies to run tech support.
I need a 100% secure wagering service starting with my login! Suggestions so I can leave twinspires