Supermallet

I was trying to log in via Firefox on my Mac and I got a warning that the site was insecure and I should not submit my login credentials. This is a new feature of a Firefox that alerts you to when a site isn't using HTTPS. I went to the address bar and typed in https://forum.dvdtalk.com and got a connection failed error. Same for https://www.dvdtalk.com.

Can we please get HTTPS activated immediately? I'm astonished the site doesn't already have it. And while we're at it, can you also tell us what security measure Internet Brands takes to protect our login information? While I use a unique, randomly generated password for each login I have, I'd still feel better knowing that IB is doing its part to protect its users too.

Thanks!

EinCB

I have "HTTPS Everywhere" installed on Firefox and I never got that problem. (I also have Decentraleyes and Self-Destructing Cookies installed, too.)

Supermallet

I have all of those installed and still got the insecure pop-up.

Adam Tyner

Most of the forums I read aren't behind HTTPS (City-Data.com, AVS Forums, LCVG, NeoGAF, blu-ray.com, Toon Zone). That's definitely not an argument against HTTPS, but it's fair to say that it's not standard practice (yet?) for message boards to be that secure.

I'm sure someone from IB could speak more about security measures, but I know that you can't SSH/FTP into DVD Talk's servers (or presumably access the database directly) outside of IB's network. vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "3@)", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.

Supermallet

Thanks Adam! Too many news stories about sites being hacked end with "and it turns out they were keeping all the login info in a plain text file".

Of course all the hashing and salting doesn't do much if people's logins are being intercepted at the point of entry, hence HTTPS.

Adam Tyner

Passwords are hashed (but not salted and re-hashed, AFAIK) before being sent over the interwebz. There's some Javascript that does an md5 hash before anything's sent off. While not ideal from a security standpoint, it's not plain-text, at least.

Also, the MD5(CONCAT(MD5(Password), Salt)) is the way vBulletin used to do things, but it may be more advanced now.

Meathead

We can't get IB to fix the hijack/redirect issue... I'm sure they will jump right on enabling HTTPS support.

Sonic

I frequent many sites that gives me that message and never been hacked or had my info compromised.

I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.

EinCB

I get the same warning on another website - I use other browsers for it and I've never gotten cyber attacked. It's not a popular website, so that helps, too.

Supermallet

I also drive my car safely most days but that doesn't mean I'm immune from an accident. HTTPS is a good safety measure that every site should implement.

ibobi

This is already in the works.

Breakfast with Girls

I mean, it's an Internet forum... but MD5 is cryptographically broken, with or without the 3-byte salt. Modern best practices would use, at a minimum, SHA-256 with a 128-byte salt and a key stretching implementation (running through the hashing function many times using the results of the previous iteration and the salt). Given the lax security, I'd venture it would be fairly trivial to find a hash match for most users in less than a day, given a database dump and a rainbow table built out for each user (salt value).

But, you know, maybe vBulletin has corrected that in the two major versions that have been released since DVD Talk's version. Apparently they updated the password hashing in the next minor version to be slightly better...

TheBang

There's really no reason for HTTPS not to be implemented site-wide. With dedicated crypto instructions in CPU's these days, the processing overhead is negligible.

https://istlsfastyet.com/

I moved all my sites over to Always-On HTTPS a couple years ago, and I feel much better. I'm glad to hear it's in the works here, and hopefully it's deployed fully and correctly soon.