Crunchyroll's recent failure
4023 cr points
Posted 11/6/17 , edited 11/7/17

asharka wrote:


Shisa03 wrote:

What really annoys me is there is still no public announcement.


This is it, "datePublished":"2017-11-05T01:12:32

https://blog.ellation.com/crunchyroll-com-update-a2a593cf9155


Confirmed the timestamp in the CR response post's HTML. Assuming it's UTC, that would mean the post was made November 4th, 5:12:32 pm PST. Of course, my forum comment was made well before that.

According to the CR response, they took down their site at 6:00am PST. This means they became aware of the problem between 3:30am PST (the start of the attack) and 6:00am PST. I understand if they couldn't immediately make a post with all the details, but their response was still slow, especially since the attack involved downloading malware that users might still install even after the site had been taken down. CR should have sent an email to all subscribers right after they took down the site. All it needed to include was basically, "Hey, our site was hacked, don't download and install any .exe files from our site, more details later".



2020 cr points
23 / M
Posted 11/6/17 , edited 11/7/17
The real problem here is that this attack (a DNS rebinding) would never have been an issue if CR was using HTTPS.

For this type of attack to work, the server hosting the site and the DNS address have to both be verified for you to get that little green lock in the corner of your url bar.

If you do not get them to match, you get a page like this:


People would be pretty suspicious of an auto downloading .exe after that...

The site was likely preyed upon in the first place because of the fact it's HTTP only.

There is no place for HTTP-only sites anymore. This will keep happening if CR doesn't care about its security.

Edit: CR's image uploader seems to be broken too. Pls fix.
31 cr points
28 / M
Posted 11/7/17 , edited 11/7/17

BilbyFactor wrote:

The real problem here is that this attack (a DNS rebinding) would never have been an issue if CR was using HTTPS.

For this type of attack to work, the server hosting the site and the DNS address have to both be verified for you to get that little green lock in the corner of your url bar.


When I read that I realized that there isn't a green lock on this site. Someone pointed out earlier that if someone was clever and knew how to manage an online business it would be quite swift to outmaneuver CR on this market, and I can imagine so if they do not shape up quickly. It's supposed to be basic online and offline business management to provide a secure connection while using a paid service, or at least when buying something. The top left of the url-window even says "Not Secure". Wonder how I have never realized this before.

CR, you really should read this topic and not only provide some bad excuse for why you do not want to do this or put in the effort. A business should listen to their customers, and with the recent attack and from what I've read in this topic there have been clear warnings from users that this might happen. You can really blame yourself if customers take their business elsewhere at this point.
109567 cr points
58 / M / U.S.A. (mid-south)
Posted 11/7/17 , edited 11/7/17

MrChongen wrote:

It's supposed to be basic online and offline business management to provide a secure connection while using a paid service, or at least when buying something. The top left of the url-window even says "Not Secure". Wonder how I have never realized this before.

CR does of course use HTTPS, but only on select pages, such as the login page or the shopping cart:



As I pointed out elsewhere, if people hadn't noticed before most of CR wasn't HTTPS, then they would have been unlikely to have noticed it even if it were, and the site the hack redirected people to wasn't.

31 cr points
28 / M
Posted 11/7/17 , edited 11/7/17

TheAncientOne wrote:


MrChongen wrote:

It's supposed to be basic online and offline business management to provide a secure connection while using a paid service, or at least when buying something. The top left of the url-window even says "Not Secure". Wonder how I have never realized this before.

CR does of course use HTTPS, but only on select pages, such as the login page or the shopping cart:



As I pointed out elsewhere, if people hadn't noticed before most of CR wasn't HTTPS, then they would have been unlikely to have noticed it even if it were, and the site the hack redirected people to wasn't.



Agreed. It is easy to just take that for granted though. Other streaming services that are paid for provide HTTPS all the way, which is why it is easy to take it for granted as well. People are accustomed to the safety of other services, which is why they assume CR would be safe everywhere as well. That doesn't just apply to streaming services of course. There are even "insert name here" forums that provide such service while being a free-register site without any paid services. Sad that I had to hear it from someone else that I was the same. I'm not really a programmer, but I am a regular internet user with some know-how when it comes to at least private internet-use security and internet-based companies, but mainly from a business management perspective. Though my computer knowledge lies more within the physical area tbh.
23 cr points
20 / M / United Kingdom
Posted 11/7/17 , edited 11/7/17
In this day and age there is physically no excuse for not having a site-wide SSL cert.

From one web developer to the other here is an FAQ:

- Will it make my site slower?
No

- Will it cost me anything?
No, it's free... use "Let's Encrypt"

- Can my site have DNS hijacking / Man in the Middle attack performed on it?
Nope

I've unsubbed from this site for various reasons over the last few months.
Please, get your shit together and move into 2017.

109567 cr points
58 / M / U.S.A. (mid-south)
Posted 11/7/17 , edited 11/8/17

recnic wrote:

- Can my site have DNS hijacking / Man in the Middle attack performed on it?
Nope

That appears to be true only if the site also implements HTTP Strict Transport Security. HTTPS alone is not sufficient, as without it, the fake site could simply drop to HTTP, which a lot of people wouldn't notice.
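The downgrade point above is exactly what HSTS (RFC 6797) addresses: once a browser has seen a valid Strict-Transport-Security header from a host, it rewrites later http:// requests to https:// itself instead of letting a redirect or a hijacked DNS answer send it to plain HTTP. The following is an added illustration, not code from this forum or from Crunchyroll, showing the header parsing and the known-host lookup a browser performs; the header values and host names are constructed.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    host: str
    expires: float          # absolute time (seconds) after which the entry is ignored
    include_subdomains: bool


def parse_hsts(header: str, host: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value for `host`.

    Returns None when the header is invalid (missing, duplicated or non-numeric
    max-age), in which case a browser keeps whatever entry it already had.
    max-age=0 yields an entry that is already expired, i.e. the policy is cleared.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(host.lower(), now + max_age, include_sub)


def should_upgrade(policies: Dict[str, HstsPolicy], host: str, now: float) -> bool:
    """Decide whether http://host must be rewritten to https://host.

    An unexpired entry for the host itself, or for a superdomain whose entry
    carries includeSubDomains, forces the upgrade; anything else is left alone.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = policies.get(".".join(labels[i:]))
        if entry is None or entry.expires <= now:
            continue
        if i == 0 or entry.include_subdomains:
            return True
    return False


if __name__ == "__main__":
    # Constructed example: a one-year policy covering subdomains.
    now = time.time()
    policy = parse_hsts("max-age=31536000; includeSubDomains", "example.com", now)
    print(should_upgrade({"example.com": policy}, "www.example.com", now))  # True
```

Note that the first visit is still unprotected unless the host is on the browsers' preload list, which is why HSTS complements rather than replaces serving every page over HTTPS.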
31 cr points
28 / M
Posted 11/10/17 , edited 11/10/17
It is sad since it seems like CR is spending a lot more time, money and effort on doing publicity stunts than caring for what is needed to step forward. They don't have licenses for at least 20% of their shows in Europe, at the same time that this topic clearly points out what they should focus on instead for the time being. Yet there hasn't been any post from CR themselves, and seemingly they try to avoid stuff like this. Are they this bad with critique?
10290 cr points
29 / M
Posted 11/14/17 , edited 11/28/17
Crunchyroll likes being on the same level as sketchy porn sites.
10290 cr points
29 / M
Posted 11/14/17 , edited 11/14/17
I agree and did the same, recnic. The cancel membership button in our account settings didn't even work. I had to cancel outside Crunchyroll's website.
Now that's fucked up.
31 cr points
28 / M
Posted 11/24/17 , edited 11/25/17
I just cancelled my premium membership and let them have it. I pointed out their huge mistakes in PR as well as management. I do not expect them to change anything. I even used caps for one statement. Yeah, caps lock is dumb for making a point, but it seems to be on their level. Kids caps lock to kids. I hope it gets better, not only with security but simply catering to their paying customers by making sure they get licenses for shows etc. Anywho, the subject at hand is the security, which ofc was the main reason for me cancelling my premium membership. I don't know if they hire buddies that managed a McDonald's or something, but it simply is not working like what they think. Throwing tens of thousands of dollars on making YouTube ads won't help them a single bit. Anyways, good luck trying to get their attention, fellas. This is me signing out.