HTTPS on TA
Swamper
I'm moving TA to be https:// only

...still a bunch of things to fix but in case you see some weird things happening, this is why.

Carry on. :toothless
Mr.Mystery
TA 2.0 confirmed.
Jon_Snow
Make TA great again!
Zoso
Well, ...I'm all for security, but this will keep Stu offline even longer. :whip::(
Lira
Out of curiosity, is there any advantage other than being able to make purchases on TA and making sure Macedonian hackers can't post any fake news around here?
JEO
quote:
Originally posted by Lira
Out of curiosity, is there any advantage other than being able to make purchases on TA and making sure Macedonian hackers can't post any fake news around here?


Don't know how serious you are with the second point, but HTTPS has little to do with that. Even with HTTPS, on vBulletin it's almost childishly easy to steal a user's unsalted password's MD5 hash. "Cracking" an MD5 hash to get its original seed is quite a trivial task using any tool specifically designed for that, given the password isn't very complex. HTTPS aims to mitigate (or even eliminate, but never be so sure) the chances of man-in-the-middle attacks.

HTTPS in itself should be mandatory. All sites dealing with any sort of user input outside mouse clicks should use it no matter what, especially with Let's Encrypt doing it all for free now, and with configuring being basically automated with certbot, given you use Apache or Nginx.

What I would direct my attention to really is that vBulletin still stores your unsalted password in an MD5 hash in your cookies. Storing a password in a user's cookies in general is pointless, and with vBulletin being very exposed to XSS type of attacks, it's pointless and dangerous for the user.

Not that any of this matters to anyone I guess, but this is how those huge lists of username/email-password pairs end up in everybody's reach.

Just for fun, try the same email address you use for TA (or well, any of your email addresses) here: https://haveibeenpwned.com/
Lira
quote:
Originally posted by JEO
Don't know how serious you are with the second point

Nah, I was just being facetious :)
quote:
Originally posted by JEO
[Comprehensive explanation]

This was a good read, thanks! I stay logged on TA so I didn't even remember it needed passwords any more :p
quote:
Originally posted by JEO
Just for fun, try the same email address you use for TA (or well, any of your email addresses) here: https://haveibeenpwned.com/

Dammit, good thing I tend to be creative with passwords, otherwise I'd be really angry at Adobe and Dropbox right now :mad:
Jon_Snow
quote:
Originally posted by Swamper
haha yes but who cares - I've never used the same password on sites that matter. Also, most of those were from days long before password managers were a thing.

That wasn’t meant to be an endorsement of JEO's rant on you. Nothing worse than some know-it-all lecturing you on the internet. I was just having a little fun.

Oh look Someone signed up for Lord of the Rings Online *points. :p
JEO
quote:
Originally posted by Jon_Snow
That wasn’t meant to be an endorsement of JEO's rant on you. Nothing worse than some know-it-all lecturing you on the internet. I was just having a little fun.


Oh, IGK. It wasn't a rant, nor was I lecturing. It's just a post on a topic I find interesting. I bet the only reason we don't tend to see posts longer than two sentences from you is that there aren't any threads about molesting kids or child porn screaming for your input. I understand how it might all be very boring to you in this thread, but even you benefit from HTTPS and an otherwise secure forum, especially with you having garnered some quite undesirable associations to your name here.

And I think there are things far worse here than being lectured by someone; for example your seemingly everlasting presence on these forums and the fact that you still come here on a daily basis, although you've been the pissing post of virtually all of the "original members" since who knows how long. Didn't even that Ukrainian paedo somehow resent you? Guess there's some sort of hierarchy even in those circles, and it does seem your position isn't awfully high in it.

Also, you seem to be the type who "won't care" when a whole forum keeps calling you a paedophile, because that just makes you relevant in your opinion. Gladly accepting that kind of exposure tells me all I need to know about you, you ing -smoothie. You're like that kid who tags along even when the other kids smear your face with dog every once in a while.

quote:
Originally posted by Jon_Snow
Oh look Someone signed up for Lord of the Rings Online *points. :p


I don't know what you're saying with this, which is often the case with your humor (excluding the obvious ing half-pun dad jokes), but if you're implying that I signed up for .. "Lord of the Rings Online" points – what did you sign up for? To get called a paedophile every day?
bamski
quote:
Originally posted by JEO
Oh, IGK you ing -smoothie. You're like that kid who tags along even when the other kids smear your face with dog every once in a while.



I don't know what you're saying with this, which is often the case with your humor (excluding the obvious ing half-pun dad jokes), but if you're implying that I signed up for .. "Lord of the Rings Online" points – what did you sign up for? To get called a paedophile every day?


Perfect.

Swamper
quote:
Originally posted by JEO
I don't know what you're saying with this, which is often the case with your humor (excluding the obvious ing half-pun dad jokes), but if you're implying that I signed up for .. "Lord of the Rings Online" points – what did you sign up for? To get called a paedophile every day?


Probably talking to me... I was hooked on that dumb game in 2007 lol
Jon_Snow
quote:
Originally posted by Swamper
Probably talking to me... I was hooked on that dumb game in 2007 lol

I was but I didn’t want to ruin the moron’s tantrum.