HTTPS for TE?


Gaurish

Why is it impossible to log into TE via HTTPS? Sometimes I log in from public networks which can't be trusted, and am scared of typing my password over plain HTTP, which anyone could easily intercept. Also, TE does have a market where a large number of transactions happen, hence lots of sensitive info like bank account numbers is always floating around in PMs, which could be intercepted and read easily as it's in plain text. Seems like a major security flaw to me, at least.

HTTPS should be implemented
 
True. The Trade Zone section is one of the most active sections in this forum. I really think HTTPS should be implemented.
 
A security certificate/SSL for a forum is just a waste of server resources and an unneeded recurring cost.

Nothing more. No one is typing their bank account passwords or credit card numbers in PMs. It's just bank account numbers, that's all. And btw, if all your passwords are the same (e.g. your online banking account and TE login) then it's your foolishness.

Unnecessary paranoia, I would say.

 
Lol, I just noticed.

Even the Administrator Control Panel and Moderator Control Panel are not secure, meaning the passwords, which are sent in plaintext, can be sniffed and an attacker can gain control, maybe steal the whole database (including user passwords). It's unlikely that this can happen, but you can't deny the possibility. If that does happen, everything will be doomed :P

The way I see this is --> Better be safe than sorry ;)

DigitalDude said:
A security certificate/SSL for a forum is just a waste of server resources and an unneeded recurring cost.

SSL certs are cheap (like 450 bucks a year). You can even get one for free.

Nothing more. No one is typing their bank account passwords or credit card numbers in PMs. It's just bank account numbers, that's all. And btw, if all your passwords are the same (e.g. your online banking account and TE login) then it's your foolishness.

Unnecessary paranoia, I would say.

If you call the need for protecting sensitive info like passwords paranoia, then you are wrong. The internet isn't a very friendly place, my friend. You never know who is sniffing your data at the next hop.
 
Sniffing data over the network is not a piece of cake and involves a big cost, esp. these days as the traffic is huge. If someone is sniffing your internet traffic, then you have bigger things to worry about than the TE password :p

See, if someone grabs my TE ID and password, I just don't care, lol. But if it happens to my online banking/trading account password or even my email password, then all hell will break loose for me.

So what requires an SSL feature? TE, Gmail, or my online banking/trading website?

To be clear, I call the idea of having SSL for TE unnecessary paranoia, not the general need for protecting your sensitive info like your bank/trading passwords. I hope I'm clear now.

And it's just additional load on the TE server; browsing will be relatively slower. So this trade-off and price is not justified for the minuscule value of the information that is being protected, i.e. your TE password or bank account number.

Even Digitalpoint Forums doesn't have SSL for their admincp or modcp. I don't think Shawn is broke or dumb ;) (Log in - Digital Point Forums - vBulletin Admin Control Panel)

 
Gaurish said:
Meaning the passwords, which are sent in plaintext, can be sniffed and an attacker can gain control, maybe steal the whole database (including user passwords).

You do know that passwords are hashed in the db, right?

And HTTPS or no, there is something else that restricts access to admincp to only the right people... IINM ;)
 
Crazy_Eddy said:
You do know that passwords are encrypted in the db, right?

And HTTPS or no, there is something else that makes access to admincp restricted to only the right people.. IINM ;)
I know passwords are encrypted in the db, but they are vulnerable while a user (admins included) logs in.

I'm just saying that it would be a welcome security feature to have.
 
maybe steal the whole database (including user passwords).

^^ I was referring to this. This is purely false, and I'm sure someone like you should know that encrypted passwords cannot simply be flicked off a db that way, even if we handed it to you on a silver platter.

While I understand the usefulness of HTTPS, blatantly claiming "TE is insecure!" and harping on false info like above isn't right either :)
 
Crazy_Eddy said:
^^ I was referring to this. This is purely false, and I'm sure someone like you should know that encrypted passwords cannot simply be flicked off a db that way, even if we handed it to you on a silver platter.

I have maintained vBulletin-based forums in the past. The best way to store passwords is hashing them with a secret salt with a one-way function. AFAIK, vBulletin uses PHP's inbuilt MD5 hashing function.

However, you can get the password via brute force. It's very hard, but it's possible. Sometimes, if you get lucky, even googling the hash value gives you the appropriate plain-text password :P This can be a disaster because most people tend to use the same password everywhere.

Anyway, it's not the passwords but the huge email database (30k+ unique emails) which can be used to send targeted spam to all TE members. This kind of database will sell nicely in the market.

While I understand the usefulness of HTTPS, blatantly claiming "TE is insecure!" and harping on false info like above isn't right either :)

Hmmm... you're referring to my initial post title of "Why TE isn't Secure?", which I guess you edited.

You misunderstand. By Secure I meant HTTP Secure (HTTPS), not security in the general sense.
 
^ Make up your mind, dood. From passwords to databases to emails... what next? You seem to be trying pretty hard to find a loophole :P

vB uses a salt. Plus I believe it does a double-MD5 hash on the password (+salt) too. The so-called hash databases you find via Google are a joke. They're updated only when someone tries entering their pw to find the hash in the first place.

As I already stated, leave the concerns about the database to the TE admins.

Your issue about logging in from public networks makes perfect sense, so let's worry about that one, and perhaps the admins can comment on it. Though IMHO, if you are that paranoid, you shouldn't be using public space networks in the first place ;)
 
Crazy_Eddy said:
^ Make up your mind dood. From passwords, to databases, to emails.. what next? You seem to be trying pretty hard to find a loophole :P

I was just commenting since they were related topics and came up in the discussion.

Your issue about logging in from public networks makes perfect sense, so let's worry about that one, and perhaps the admins can comment on it.

Okay :hap2:
 
I am confused :S What is the concern here? That some members are too lazy to keep different passwords for email and banking accounts? And so we shall have a certificate installed? Or is it only about MODCP and ADMINCP?
 
Well, if you are so concerned about security, if by public place you meant:

1. Cyber cafe/friend's place: then you should be more concerned about keyloggers than web traffic snoopers.

2. Office/workplace: set up and use an SSH tunnel. I do that for a lot of sites which might have some of my confidential data but don't have HTTPS.
 
I have maintained vBulletin-based forums in the past. The best way to store passwords is hashing them with a secret salt with a one-way function. AFAIK, vBulletin uses PHP's inbuilt MD5 hashing function.

However, you can get the password via brute force. It's very hard, but it's possible. Sometimes, if you get lucky, even googling the hash value gives you the appropriate plain-text password. This can be a disaster because most people tend to use the same password everywhere.

vB uses salt + double MD5 hash. The value is absolutely meaningless even if someone spoofs it.

The password you submit is also hashed while it's sent from the browser to us.

The map tables you are referring to are available for simple MD5 hashes of common strings. They won't work here.
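The two sides of this argument (the brute-force/lookup remark a few posts up and the salt + client-side hashing reply directly above) can be checked concretely. The block below is an added illustration written for this page, not code from the thread, from TE, or from vBulletin itself. It assumes the widely documented vBulletin 3.x scheme, stored hash = md5(md5(password) + salt) with the salt kept in the same user row, and a login form whose JavaScript submits md5(password) in an `md5password` field; the user record, the captured POST body, the lookup table and the wordlist are all constructed sample data. It shows three things: the salt does defeat a plain MD5 lookup on the stored hash, as the reply above says; the client-side hash sent over plain HTTP is nonetheless a reusable credential that a sniffer can replay; and that same sniffed value is an unsalted MD5, which is exactly what the lookup tables index.

```python
"""Reconstruction of a vBulletin 3.x-style login for illustration only.

Assumed (not from the thread): stored = md5(md5(password) + salt), salt
stored beside the hash; the login page's JS sends md5(password) in the
'md5password' form field over plain HTTP. All data below is constructed.
"""
import hashlib
from typing import Iterable, Optional
from urllib.parse import parse_qs


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """Server-side value kept in the user table: md5(md5(pw) + salt)."""
    return md5hex(md5hex(password) + salt)


# Constructed user table: one row with a weak password and a short salt.
USERS = {
    "gaurish": {"salt": "kQz", "hash": vb_hash("letmein1", "kQz")},
}


def server_login(username: str, md5password: str) -> bool:
    """The server only ever receives md5(password), never the password."""
    user = USERS.get(username)
    if user is None:
        return False
    return md5hex(md5password + user["salt"]) == user["hash"]


def browser_login_body(username: str, password: str) -> str:
    """Form body the login JS submits (constructed; clear field left blank)."""
    return (f"vb_login_username={username}&vb_login_password="
            f"&md5password={md5hex(password)}")


def sniffer_replay(captured_body: str) -> bool:
    """An eavesdropper on the plain-HTTP path replays the captured fields.
    The password itself is never needed: md5(password) is the credential."""
    fields = parse_qs(captured_body)
    return server_login(fields["vb_login_username"][0],
                        fields["md5password"][0])


# Constructed stand-in for the unsalted-MD5 lookup tables found via search.
LOOKUP = {md5hex(w): w for w in ["password", "letmein1", "123456", "qwerty"]}


def lookup_attack_on_stored(stored_hash: str) -> Optional[str]:
    """Plain lookup against the salted stored hash: no hit, as the thread says."""
    return LOOKUP.get(stored_hash)


def lookup_attack_on_captured(captured_body: str) -> Optional[str]:
    """The sniffed md5password field is an unsalted md5(password), so the
    same lookup table recovers a weak password directly."""
    fields = parse_qs(captured_body)
    return LOOKUP.get(fields["md5password"][0])


def dictionary_attack(stored_hash: str, salt: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing with the salt taken from the same leaked row.
    The salt blocks precomputed tables but not per-user guessing; MD5 is
    fast, so a weak password still falls."""
    for w in wordlist:
        if vb_hash(w, salt) == stored_hash:
            return w
    return None


if __name__ == "__main__":
    body = browser_login_body("gaurish", "letmein1")
    print("captured body  :", body)
    print("replay works   :", sniffer_replay(body))
    print("lookup (stored):", lookup_attack_on_stored(USERS["gaurish"]["hash"]))
    print("lookup (sniffed):", lookup_attack_on_captured(body))
    print("dict attack    :", dictionary_attack(USERS["gaurish"]["hash"], "kQz",
                                                 ["password", "letmein1"]))
```

The practical reading: hashing in the browser protects the stored hash from lookup tables, but it does nothing for the login itself on an untrusted network, which is the concern the thread started with. Only a transport protection such as HTTPS (or the SSH tunnel suggested above) keeps the sniffer from obtaining a replayable credential.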
 