HTTPS support?
#1
Banned by request
Thread Starter
HTTPS support?
I was trying to log in via Firefox on my Mac and I got a warning that the site was insecure and I should not submit my login credentials. This is a new feature of a Firefox that alerts you to when a site isn't using HTTPS. I went to the address bar and typed in https://forum.dvdtalk.com and got a connection failed error. Same for https://www.dvdtalk.com.
Can we please get HTTPS activated immediately? I'm astonished the site doesn't already have it. And while we're at it, can you also tell us what security measure Internet Brands takes to protect our login information? While I use a unique, randomly generated password for each login I have, I'd still feel better knowing that IB is doing its part to protect its users too.
Thanks!
Can we please get HTTPS activated immediately? I'm astonished the site doesn't already have it. And while we're at it, can you also tell us what security measure Internet Brands takes to protect our login information? While I use a unique, randomly generated password for each login I have, I'd still feel better knowing that IB is doing its part to protect its users too.
Thanks!
#4
DVD Talk Reviewer/ Admin
Join Date: Sep 1999
Location: Greenville, South Cackalack
Posts: 28,820
Received 1,881 Likes
on
1,238 Posts
Re: HTTPS support?
Most of the forums I read aren't behind HTTPS (City-Data.com, AVS Forums, LCVG, NeoGAF, blu-ray.com, Toon Zone). That's definitely not an argument against HTTPS, but it's fair to say that it's not standard practice (yet?) for message boards to be that secure.
I'm sure someone from IB could speak more about security measures, but I know that you can't SSH/FTP into DVD Talk's servers (or presumably access the database directly) outside of IB's network. vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "3@)", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.
I'm sure someone from IB could speak more about security measures, but I know that you can't SSH/FTP into DVD Talk's servers (or presumably access the database directly) outside of IB's network. vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "3@)", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.
#5
Banned by request
Thread Starter
Re: HTTPS support?
Thanks Adam! Too many news stories about sites being hacked end with "and it turns out they were keeping all the login info in a plain text file".
Of course all the hashing and salting doesn't do much if people's logins are being intercepted at the point of entry, hence HTTPS.
Of course all the hashing and salting doesn't do much if people's logins are being intercepted at the point of entry, hence HTTPS.
#6
DVD Talk Reviewer/ Admin
Join Date: Sep 1999
Location: Greenville, South Cackalack
Posts: 28,820
Received 1,881 Likes
on
1,238 Posts
Re: HTTPS support?
Passwords are hashed (but not salted and re-hashed, AFAIK) before being sent over the interwebz. There's some Javascript that does an md5 hash before anything's sent off. While not ideal from a security standpoint, it's not plain-text, at least.
Also, the MD5(CONCAT(MD5(Password), Salt)) is the way vBulletin used to do things, but it may be more advanced now.
Also, the MD5(CONCAT(MD5(Password), Salt)) is the way vBulletin used to do things, but it may be more advanced now.
Last edited by Adam Tyner; 05-05-17 at 09:45 AM.
#7
DVD Talk Ultimate Edition
Re: HTTPS support?
We can't get IB to fix the hijack/redirect issue... I'm sure they will jump right on enabling HTTPS support.
#8
Re: HTTPS support?
I frequent many sites that gives me that message and never been hacked or had my info compromised.
I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.
I think Firefox went a bit too far adding that new feature on their browser which would send some users into a panic.
#9
Re: HTTPS support?
I get the same warning on another website - I use other browsers for it and I've never gotten cyber attacked. It's not a popular website, so that helps, too.
#10
Banned by request
Thread Starter
Re: HTTPS support?
I also drive my car safely most days but that doesn't mean I'm immune from an accident. HTTPS is a good safety measure that every site should implement.
#12
DVD Talk Legend
Join Date: Jun 2000
Location: NYC
Posts: 17,015
Likes: 0
Received 0 Likes
on
0 Posts
Re: HTTPS support?
vBulletin doesn't store passwords in plain text. They're hashed/salted. An md5 hash is made of your password, that hash is concatenated with a random, user-specific three-character "salt", and that string is hashed. So, if your password were "mypassword123" and your forum-assigned salt were "3@)", your hashed/salted password would be stored as "9294ea620adbbc95d43142dfea998308". Basically, even if someone were to get their hands on a complete dump of the database, it's not trivial to work backwards and figure out what someone's password is. They would have your email address along with any IP addresses used to register and post.
But, you know, maybe vBulletin has corrected that in the two major versions that have been released since DVD Talk's version. Apparently they updated the password hashing in the next minor version to be slightly better...
Last edited by Breakfast with Girls; 05-12-17 at 07:18 PM.
#13
DVD Talk Hall of Fame
Re: HTTPS support?
There's really no reason for HTTPS not to be implemented site-wide. With dedicated crypto instructions in CPU's these days, the processing overhead is negligible.
https://istlsfastyet.com/
I moved all my sites over to Always-On HTTPS a couple years ago, and I feel much better. I'm glad to hear it's in the works here, and hopefully it's deployed fully and correctly soon.
https://istlsfastyet.com/
I moved all my sites over to Always-On HTTPS a couple years ago, and I feel much better. I'm glad to hear it's in the works here, and hopefully it's deployed fully and correctly soon.