HTTPS support?
I was trying to log in via Firefox on my Mac and I got a warning that the site was insecure and I should not submit my login credentials. This is a new feature of Firefox that alerts you to when a site isn't using HTTPS. I went to the address bar and typed in https://forum.dvdtalk.com and got a connection failed error. Same for https://www.dvdtalk.com.
Can we please get HTTPS activated immediately? I'm astonished the site doesn't already have it. And while we're at it, can you also tell us what security measures Internet Brands takes to protect our login information? While I use a unique, randomly generated password for each login I have, I'd still feel better knowing that IB is doing its part to protect its users too. Thanks!
Re: HTTPS support?
I have "HTTPS Everywhere" installed on Firefox and I never got that problem. (I also have Decentraleyes and Self-Destructing Cookies installed, too.)
Re: HTTPS support?
I have all of those installed and still got the insecure pop-up.
Re: HTTPS support?
Originally Posted by Supermallet
(Post 13066494)
I'm astonished the site doesn't already have it.
I'm sure someone from IB could speak more about security measures, but I know that you can't SSH/FTP into DVD Talk's servers (or presumably access the database directly) outside of IB's network. vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "3@)", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.
Re: HTTPS support?
Thanks Adam! Too many news stories about sites being hacked end with "and it turns out they were keeping all the login info in a plain text file".
Of course all the hashing and salting doesn't do much if people's logins are being intercepted at the point of entry, hence HTTPS.
Re: HTTPS support?
Passwords are hashed (but not salted and re-hashed, AFAIK) before being sent over the interwebz. There's some JavaScript that does an md5 hash before anything's sent off. While not ideal from a security standpoint, it's not plain-text, at least.
Also, the MD5(CONCAT(MD5(Password), Salt)) is the way vBulletin used to do things, but it may be more advanced now.
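The MD5(CONCAT(MD5(Password), Salt)) scheme described in the posts above, next to one way a site could strengthen rows already stored that way. This is an added example, not part of any post and not vBulletin's own code; the record layout, function names and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def vb_legacy_hash(password: str, salt: str) -> str:
    """md5(md5(password) + salt): inner hex digest, salt appended, hashed again."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def wrap_legacy(legacy_hex: str, wrap_salt: bytes, iterations: int) -> str:
    """Put a slow KDF around the stored legacy hash; no plaintext password needed."""
    raw = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode("ascii"), wrap_salt, iterations)
    return raw.hex()


def upgrade_record(record: dict) -> dict:
    """Migrate one stored row offline, before the user next logs in."""
    wrap_salt = os.urandom(16)  # 128-bit random salt instead of three characters
    return {
        "scheme": "pbkdf2-over-vb-md5",  # hypothetical scheme label
        "salt": record["salt"],          # legacy salt is still needed to verify
        "wrap_salt": wrap_salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": wrap_legacy(record["hash"], wrap_salt, PBKDF2_ITERATIONS),
    }


def verify(password: str, record: dict) -> bool:
    """Check a login attempt against either a legacy or an upgraded row."""
    candidate = vb_legacy_hash(password, record["salt"])
    if record["scheme"] == "pbkdf2-over-vb-md5":
        candidate = wrap_legacy(candidate, bytes.fromhex(record["wrap_salt"]),
                                record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def demo() -> dict:
    # Password and salt are the sample values quoted in the thread.
    old = {"scheme": "vb-md5", "salt": "3@)",
           "hash": vb_legacy_hash("mypassword123", "3@)")}
    return {"old": old, "new": upgrade_record(old)}


if __name__ == "__main__":
    rows = demo()
    print(rows["old"]["hash"], rows["new"]["hash"])
```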
Re: HTTPS support?
We can't get IB to fix the hijack/redirect issue... I'm sure they will jump right on enabling HTTPS support. :sarcasm:
Re: HTTPS support?
I frequent many sites that give me that message and have never been hacked or had my info compromised.
I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.
Re: HTTPS support?
Originally Posted by Sonic
(Post 13067081)
I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.
Re: HTTPS support?
Originally Posted by Sonic
(Post 13067081)
I frequent many sites that give me that message and have never been hacked or had my info compromised.
I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.
Re: HTTPS support?
This is already in the works.
Re: HTTPS support?
Originally Posted by Adam Tyner
(Post 13066591)
vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "3@)", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.
But, you know, maybe vBulletin has corrected that in the two major versions that have been released since DVD Talk's version. Apparently they updated the password hashing in the next minor version to be slightly better...
Re: HTTPS support?
There's really no reason for HTTPS not to be implemented site-wide. With dedicated crypto instructions in CPUs these days, the processing overhead is negligible.
https://istlsfastyet.com/
I moved all my sites over to Always-On HTTPS a couple years ago, and I feel much better. I'm glad to hear it's in the works here, and hopefully it's deployed fully and correctly soon.