Site Security Upgrades
jchysk 
29 / M / Las Vegas, NV, USA
Posted 9/2/13
Crunchyroll has a substantial user base and I imagine that alone makes it a nice target for hackers. I haven't heard of any issues with Crunchyroll specifically, but you usually don't hear about the problems until after the site has been hacked and all the users' information is dumped online.

My immediate suggestions would be to offer a multi-factor authentication option to users and use https sitewide. https://launchkey.com is free and the easiest multi-factor solution for users.
Crunchyroll obviously has SSL since it processes payments and also has a store now. It's at least used on the login page, but not across the whole site. Overhead with all the video perhaps is the stopping factor there? The ciphers can be changed to support forward secrecy as well.

Most things are small and seem nitpicky, but every little bit helps with security.
30 / M / Dallas, TX
Posted 9/2/13
I'm personally not a fan of multi-factor authentication, and much prefer more flexible policies that encourage strong, easier to remember passwords.

I do agree with seeing wider use of HTTPS on non-video pages, particularly the forums and shop. It may not be necessary, but it wouldn't hurt in reducing the risk of man-in-the-middle attacks, not that I feel CR is as at risk a target as financial institutions and the like.
40 / M
Posted 9/3/13

jchysk wrote:

Crunchyroll has a substantial user base and I imagine that alone makes it a nice target for hackers. I haven't heard of any issues with Crunchyroll specifically, but you usually don't hear about the problems until after the site has been hacked and all the users' information is dumped online.

My immediate suggestions would be to offer a multi-factor authentication option to users and use https sitewide. https://launchkey.com is free and the easiest multi-factor solution for users.
Crunchyroll obviously has SSL since it processes payments and also has a store now. It's at least used on the login page, but not across the whole site. Overhead with all the video perhaps is the stopping factor there? The ciphers can be changed to support forward secrecy as well.

Most things are small and seem nitpicky, but every little bit helps with security.



I would rather CR spent that money on fixing the video playback issues. I can't think of a single site that streams video and uses multi-factor authentication.

jchysk 
29 / M / Las Vegas, NV, USA
Posted 9/4/13
Well over half of sites implement at least a two-factor solution after being hacked.
If you look at the sites that are hacked: LinkedIn, Twitter, Evernote, Living Social, Sony, Yahoo, etc. The reasons these sites are hacked aren't for the access to the accounts on the site but for the email addresses + hashed passwords which they then crack and attempt to break everyone's stuff.
I'm firmly anti-password and can't wait until they're fully done away with. It's a lot easier to log in without them and it's usually far more secure.
By the way, with multi-factor it can be passive factors that don't require any extra effort to use, but make logging in far more secure. In an ideal world all sites would upgrade from passwords to a multi-factor solution.
M / North Europe Some...
Posted 1/6/14
Just use LastPass with 2-factor, like everyone else does :p