Forum Feedback and Support Post forum feedback and related problems, here.

HTTPS support?

Old 05-05-17, 01:28 AM
  #1  
Banned by request
Thread Starter
 
Supermallet's Avatar
 
Join Date: Jun 2000
Location: Termite Terrace
Posts: 54,156
HTTPS support?

I was trying to log in via Firefox on my Mac and I got a warning that the site was insecure and I should not submit my login credentials. This is a new feature of a Firefox that alerts you to when a site isn't using HTTPS. I went to the address bar and typed in https://forum.dvdtalk.com and got a connection failed error. Same for https://www.dvdtalk.com.

Can we please get HTTPS activated immediately? I'm astonished the site doesn't already have it. And while we're at it, can you also tell us what security measure Internet Brands takes to protect our login information? While I use a unique, randomly generated password for each login I have, I'd still feel better knowing that IB is doing its part to protect its users too.

Thanks!
Supermallet is offline  
Old 05-05-17, 01:59 AM
  #2  
DVD Talk Ultimate Edition
 
Join Date: May 2010
Posts: 4,479
Re: HTTPS support?

I have "HTTPS Everywhere" installed on Firefox and I never got that problem. (I also have Decentraleyes and Self-Destructing Cookies installed, too.)
EinCB is offline  
Old 05-05-17, 03:04 AM
  #3  
Banned by request
Thread Starter
 
Supermallet's Avatar
 
Join Date: Jun 2000
Location: Termite Terrace
Posts: 54,156
Re: HTTPS support?

I have all of those installed and still got the insecure pop-up.
Supermallet is offline  
Old 05-05-17, 08:54 AM
  #4  
DVD Talk Reviewer/ Admin
 
Adam Tyner's Avatar
 
Join Date: Sep 1999
Location: Greenville, South Cackalack
Posts: 21,588
Re: HTTPS support?

Originally Posted by Supermallet View Post
I'm astonished the site doesn't already have it.
Most of the forums I read aren't behind HTTPS (City-Data.com, AVS Forums, LCVG, NeoGAF, blu-ray.com, Toon Zone). That's definitely not an argument against HTTPS, but it's fair to say that it's not standard practice (yet?) for message boards to be that secure.

I'm sure someone from IB could speak more about security measures, but I know that you can't SSH/FTP into DVD Talk's servers (or presumably access the database directly) outside of IB's network. vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "[email protected])", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.
Adam Tyner is online now  
Old 05-05-17, 09:28 AM
  #5  
Banned by request
Thread Starter
 
Supermallet's Avatar
 
Join Date: Jun 2000
Location: Termite Terrace
Posts: 54,156
Re: HTTPS support?

Thanks Adam! Too many news stories about sites being hacked end with "and it turns out they were keeping all the login info in a plain text file".

Of course all the hashing and salting doesn't do much if people's logins are being intercepted at the point of entry, hence HTTPS.
Supermallet is offline  
Old 05-05-17, 09:36 AM
  #6  
DVD Talk Reviewer/ Admin
 
Adam Tyner's Avatar
 
Join Date: Sep 1999
Location: Greenville, South Cackalack
Posts: 21,588
Re: HTTPS support?

Passwords are hashed (but not salted and re-hashed, AFAIK) before being sent over the interwebz. There's some Javascript that does an md5 hash before anything's sent off. While not ideal from a security standpoint, it's not plain-text, at least.

Also, the MD5(CONCAT(MD5(Password), Salt)) is the way vBulletin used to do things, but it may be more advanced now.

Last edited by Adam Tyner; 05-05-17 at 09:45 AM.
Adam Tyner is online now  
Old 05-05-17, 11:12 AM
  #7  
Senior Member
 
Meathead's Avatar
 
Join Date: Oct 2000
Location: Snowtown, USA
Posts: 752
Re: HTTPS support?

We can't get IB to fix the hijack/redirect issue... I'm sure they will jump right on enabling HTTPS support.
Meathead is offline  
Old 05-05-17, 09:57 PM
  #8  
DVD Talk Legend
 
Sonic's Avatar
 
Join Date: May 1999
Posts: 18,134
Re: HTTPS support?

I frequent many sites that gives me that message and never been hacked or had my info compromised.

I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.
Sonic is offline  
Old 05-06-17, 06:28 AM
  #9  
DVD Talk Ultimate Edition
 
Join Date: May 2010
Posts: 4,479
Re: HTTPS support?

Originally Posted by Sonic View Post

I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.
I get the same warning on another website - I use other browsers for it and I've never gotten cyber attacked. It's not a popular website, so that helps, too.
EinCB is offline  
Old 05-12-17, 01:57 PM
  #10  
Banned by request
Thread Starter
 
Supermallet's Avatar
 
Join Date: Jun 2000
Location: Termite Terrace
Posts: 54,156
Re: HTTPS support?

Originally Posted by Sonic View Post
I frequent many sites that gives me that message and never been hacked or had my info compromised.

I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.
I also drive my car safely most days but that doesn't mean I'm immune from an accident. HTTPS is a good safety measure that every site should implement.
Supermallet is offline  
Old 05-12-17, 04:22 PM
  #11  
Administrator
 
IBobi's Avatar
 
Join Date: Mar 2011
Posts: 555
Re: HTTPS support?

This is already in the works.
IBobi is offline  
Old 05-12-17, 07:12 PM
  #12  
DVD Talk Legend
 
Join Date: Jun 2000
Location: NYC
Posts: 17,018
Re: HTTPS support?

Originally Posted by Adam Tyner View Post
vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "[email protected])", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.
I mean, it's an Internet forum... but MD5 is cryptographically broken, with or without the 3-byte salt. Modern best practices would use, at a minimum, SHA-256 with a 128-byte salt and a key stretching implementation (running through the hashing function many times using the results of the previous iteration and the salt). Given the lax security, I'd venture it would be fairly trivial to find a hash match for most users in less than a day, given a database dump and a rainbow table built out for each user (salt value).

But, you know, maybe vBulletin has corrected that in the two major versions that have been released since DVD Talk's version. Apparently they updated the password hashing in the next minor version to be slightly better...

Last edited by Breakfast with Girls; 05-12-17 at 07:18 PM.
Breakfast with Girls is offline  
Old 05-17-17, 03:11 AM
  #13  
DVD Talk Limited Edition
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 6,662
Re: HTTPS support?

There's really no reason for HTTPS not to be implemented site-wide. With dedicated crypto instructions in CPU's these days, the processing overhead is negligible.

https://istlsfastyet.com/

I moved all my sites over to Always-On HTTPS a couple years ago, and I feel much better. I'm glad to hear it's in the works here, and hopefully it's deployed fully and correctly soon.
TheBang is offline  

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Thread Tools
Search this Thread

Archive Advertising Cookie Policy Privacy Statement Terms of Service

Copyright 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.