Old 05-05-17, 01:28 AM   #1
Time Lord
 
Supermallet's Avatar
 
Join Date: Jun 2000
Location: Termite Terrace
Posts: 51,981
HTTPS support?

I was trying to log in via Firefox on my Mac and I got a warning that the site was insecure and I should not submit my login credentials. This is a new feature of Firefox that alerts you when a site isn't using HTTPS. I went to the address bar and typed in https://forum.dvdtalk.com and got a connection failed error. Same for https://www.dvdtalk.com.

Can we please get HTTPS activated immediately? I'm astonished the site doesn't already have it. And while we're at it, can you also tell us what security measures Internet Brands takes to protect our login information? While I use a unique, randomly generated password for each login I have, I'd still feel better knowing that IB is doing its part to protect its users too.

Thanks!
__________________
“Never argue with a fool; onlookers may not be able to tell the difference.”
Check out my vinyl collection!
  Reply With Quote
Old 05-05-17, 01:59 AM   #2
DVD Talk Gold Edition
 
Join Date: May 2010
Posts: 2,391
Re: HTTPS support?

I have "HTTPS Everywhere" installed on Firefox and I never got that problem. (I also have Decentraleyes and Self-Destructing Cookies installed, too.)
__________________
Wii U / 3DS Network ID: eric.n128
  Reply With Quote
Old 05-05-17, 03:04 AM   #3
Time Lord
 
Supermallet's Avatar
 
Join Date: Jun 2000
Location: Termite Terrace
Posts: 51,981
Re: HTTPS support?

I have all of those installed and still got the insecure pop-up.
__________________
“Never argue with a fool; onlookers may not be able to tell the difference.”
Check out my vinyl collection!
  Reply With Quote
Old 05-05-17, 08:54 AM   #4
DVD Talk Reviewer/ Admin
 
Adam Tyner's Avatar
 
Join Date: Sep 1999
Location: Greenville, South Cackalack
Posts: 18,844
Re: HTTPS support?

Quote:
Originally Posted by Supermallet
I'm astonished the site doesn't already have it.

Most of the forums I read aren't behind HTTPS (City-Data.com, AVS Forums, LCVG, NeoGAF, blu-ray.com, Toon Zone). That's definitely not an argument against HTTPS, but it's fair to say that it's not standard practice (yet?) for message boards to be that secure.

I'm sure someone from IB could speak more about security measures, but I know that you can't SSH/FTP into DVD Talk's servers (or presumably access the database directly) outside of IB's network. vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "3@)", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.
__________________
"When you're in your twenties, you wonder what everyone's thinking of you. When you're in your thirties, you don't care what people think of you. And when you reach your forties, you find out no one was ever thinking of you in the first place."
-Patton Oswalt
  Reply With Quote
Old 05-05-17, 09:28 AM   #5
Time Lord
 
Supermallet's Avatar
 
Join Date: Jun 2000
Location: Termite Terrace
Posts: 51,981
Re: HTTPS support?

Thanks Adam! Too many news stories about sites being hacked end with "and it turns out they were keeping all the login info in a plain text file".

Of course all the hashing and salting doesn't do much if people's logins are being intercepted at the point of entry, hence HTTPS.
__________________
“Never argue with a fool; onlookers may not be able to tell the difference.”
Check out my vinyl collection!
  Reply With Quote
Old 05-05-17, 09:36 AM   #6
DVD Talk Reviewer/ Admin
 
Adam Tyner's Avatar
 
Join Date: Sep 1999
Location: Greenville, South Cackalack
Posts: 18,844
Re: HTTPS support?

Passwords are hashed (but not salted and re-hashed, AFAIK) before being sent over the interwebz. There's some JavaScript that does an md5 hash before anything's sent off. While not ideal from a security standpoint, it's not plain-text, at least.

Also, the MD5(CONCAT(MD5(Password), Salt)) is the way vBulletin used to do things, but it may be more advanced now.
__________________
"When you're in your twenties, you wonder what everyone's thinking of you. When you're in your thirties, you don't care what people think of you. And when you reach your forties, you find out no one was ever thinking of you in the first place."
-Patton Oswalt

Last edited by Adam Tyner; 05-05-17 at 09:45 AM.
  Reply With Quote
Old 05-05-17, 11:12 AM   #7
Senior Member
 
Meathead's Avatar
 
Join Date: Oct 2000
Location: Snowtown, USA
Posts: 491
Re: HTTPS support?

We can't get IB to fix the hijack/redirect issue... I'm sure they will jump right on enabling HTTPS support.
  Reply With Quote
Old 05-05-17, 09:57 PM   #8
DVD Talk Legend
 
Sonic's Avatar
 
Join Date: May 1999
Location: (formerly known as antspawn) Anus Oils
Posts: 14,994
Re: HTTPS support?

I frequent many sites that give me that message and have never been hacked or had my info compromised.

I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.
__________________
The devil is a muthafuckin' liar, so you know I ain't worried, beeyotch! - (Reverend X)
  Reply With Quote
Old 05-06-17, 06:28 AM   #9
DVD Talk Gold Edition
 
Join Date: May 2010
Posts: 2,391
Re: HTTPS support?

Quote:
Originally Posted by Sonic
I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.

I get the same warning on another website - I use other browsers for it and I've never gotten cyber attacked. It's not a popular website, so that helps, too.
__________________
Wii U / 3DS Network ID: eric.n128
  Reply With Quote
Old 05-12-17, 01:57 PM   #10
Time Lord
 
Supermallet's Avatar
 
Join Date: Jun 2000
Location: Termite Terrace
Posts: 51,981
Re: HTTPS support?

Quote:
Originally Posted by Sonic
I frequent many sites that give me that message and have never been hacked or had my info compromised.

I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.

I also drive my car safely most days but that doesn't mean I'm immune from an accident. HTTPS is a good safety measure that every site should implement.
__________________
“Never argue with a fool; onlookers may not be able to tell the difference.”
Check out my vinyl collection!
  Reply With Quote
Old 05-12-17, 04:22 PM   #11
Administrator
 
IBobi's Avatar
 
Join Date: Mar 2011
Posts: 498
Re: HTTPS support?

This is already in the works.
  Reply With Quote
Old 05-12-17, 07:12 PM   #12
DVD Talk Legend
 
Join Date: Jun 2000
Location: Seattle
Posts: 16,438
Re: HTTPS support?

Quote:
Originally Posted by Adam Tyner
vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "3@)", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.

I mean, it's an Internet forum... but MD5 is cryptographically broken, with or without the 3-byte salt. Modern best practices would use, at a minimum, SHA-256 with a 128-byte salt and a key stretching implementation (running through the hashing function many times using the results of the previous iteration and the salt). Given the lax security, I'd venture it would be fairly trivial to find a hash match for most users in less than a day, given a database dump and a rainbow table built out for each user (salt value).

But, you know, maybe vBulletin has corrected that in the two major versions that have been released since DVD Talk's version. Apparently they updated the password hashing in the next minor version to be slightly better...
__________________
"Thus spoke BWG." - Groucho

Last edited by Breakfast with Girls; 05-12-17 at 07:18 PM.
  Reply With Quote
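
The MD5(CONCAT(MD5(Password), Salt)) scheme from posts #4 and #6 and the key stretching raised in post #12, as an added example that is not part of the thread and is not vBulletin's code. It goes one step beyond the thread by wrapping an existing legacy hash in PBKDF2-HMAC-SHA256, a general way to strengthen stored rows without knowing the passwords. The function names, record layout, 16-byte second salt and iteration count are assumptions.

```python
import hashlib
import hmac
import os


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def vb_legacy_hash(password: str, salt: str) -> str:
    """Stored value per the thread: MD5(CONCAT(MD5(password), salt))."""
    return md5_hex(md5_hex(password) + salt)


def verify_client_md5(client_md5: str, salt: str, stored: str) -> bool:
    """Login check when the browser submits md5(password), as post #6 describes.
    The server never needs the password itself, so over plain HTTP the
    submitted md5 is as sensitive as the password."""
    return hmac.compare_digest(md5_hex(client_md5 + salt), stored)


# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your hardware.
DEFAULT_ITERATIONS = 600_000


def wrap_legacy(stored: str, salt: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Stretch an existing legacy hash under a fresh random 16-byte salt.
    The returned record layout is hypothetical."""
    salt2 = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", stored.encode("ascii"), salt2, iterations)
    return {"salt": salt, "salt2": salt2, "iterations": iterations, "dk": dk}


def verify_wrapped(password: str, rec: dict) -> bool:
    """Recompute the legacy hash, stretch it, and compare in constant time."""
    inner = vb_legacy_hash(password, rec["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", inner.encode("ascii"), rec["salt2"], rec["iterations"])
    return hmac.compare_digest(dk, rec["dk"])


if __name__ == "__main__":
    # Sample password and salt are the ones quoted in the thread.
    legacy = vb_legacy_hash("mypassword123", "3@)")
    print("legacy row     :", legacy)
    print("client md5 ok  :", verify_client_md5(md5_hex("mypassword123"), "3@)", legacy))
    rec = wrap_legacy(legacy, "3@)")
    print("wrapped verify :", verify_wrapped("mypassword123", rec))
```

Each guess against a wrapped row costs the full iteration count instead of two MD5 calls, and the legacy column can be dropped once every row is wrapped.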
Old 05-17-17, 03:11 AM   #13
DVD Talk Limited Edition
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 6,026
Re: HTTPS support?

There's really no reason for HTTPS not to be implemented site-wide. With dedicated crypto instructions in CPUs these days, the processing overhead is negligible.

https://istlsfastyet.com/

I moved all my sites over to Always-On HTTPS a couple years ago, and I feel much better. I'm glad to hear it's in the works here, and hopefully it's deployed fully and correctly soon.
  Reply With Quote
All times are GMT -5.