EmailDiscussions.com  

Old 8 Mar 2017, 02:39 PM   #1
rusl
Member
 
Join Date: Mar 2015
Posts: 78
EMD security, HTTPS?

Hi,

This forum doesn't seem to support SSL/TLS (HTTPS). I've always acknowledged this and I don't re-use my EMD password on other sites. Not everyone uses unique passwords everywhere though.

Today, the newest Firefox version just came out and it draws attention to password fields on insecure websites with a warning. Specifically, when you attempt to enter a password on an insecure site (such as EMD) it actually drops a warning down below the password field as you type.

I think insecure websites aren't long for this world, certainly those with logins that deal with personal and sometimes private data and conversations, and today's update to Firefox highlights this. I expect the other major browsers to follow suit if they haven't already and then everyone who uses this forum will be seeing security warnings every time they visit.

I'm not the most regular user of this forum so I'm not actually familiar with who owns or runs the site, but I hope they have a long-term plan for a migration towards https.

Old 20 Mar 2017, 10:29 PM   #2
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 268
To be fair this isn't as much of a problem as many people think.

Don't get me wrong, it's not a bad thing that folks have been trained nowadays to avoid entering sensitive information on sites that don't use SSL/TLS (aka HTTPS) connections, but forum software packages like vBulletin have long used password hashing algorithms so that your password isn't actually travelling across the wire "in the clear," even if the site isn't using SSL/TLS.

In essence, when you enter your password into EMD (or any other vBulletin forum), an "encrypted" form of your password (known as an MD5 hash in this case) is created in your browser's memory space using JavaScript. This MD5 hash is what gets sent across the wire to EMD's servers, where it's compared to the same hash stored in the vBulletin user database on EMD.

An MD5 hash is a non-reversible cryptographic algorithm, which means that you can turn a password into an MD5 hash, but you can't turn that MD5 hash back into a password. Your password is also stored in the same way in the vBulletin user database (meaning nobody at EMD or any other vBulletin forum will have any way of knowing your password — assuming they haven't modified vBulletin to deliberately capture passwords). When you log in, the two MD5 hashes are simply compared to each other, not the "real" passwords.

The only catch of course is that this assumes you haven't disabled JavaScript in your browser.

Note that you can more or less confirm this yourself by looking at the page source. This is the password submission form on the EMD home page. Note the references to the "md5hash" and the "vbulletin_md5" javascript:

Code:
<form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
		<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=3612"></script>
Of course, this again assumes that you're not logging into a site with a deliberately malicious administrator, since of course the "vbulletin_md5.js" JavaScript could really be doing anything they want it to in this case, however the mere use of an SSL/TLS certificate doesn't actually change anything if you don't trust the site you're using in the first place.
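Added example (not part of the thread, and not vBulletin's own code): a simplified Node.js model of the login exchange post #2 describes, in which the browser sends an MD5 hash and the server compares it with a stored hash. The server logic, the `username` field and the sample account are assumptions made for illustration; the model shows that the value on the wire is identical at every login and is all the server checks, which is the property to weigh when deciding whether this scheme can stand in for HTTPS.

```javascript
// Added example: simplified model of the exchange, not vBulletin's own code.
const crypto = require('crypto');

// Hex MD5 of a UTF-8 string, standing in for what md5hash() puts in the form.
const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Browser side: only the hash field is submitted, as the post describes.
// `username` is a hypothetical field name; vb_login_md5password is from the page.
function clientSubmit(username, password) {
  return { username, vb_login_md5password: md5hex(password) };
}

// Server side (assumed logic): keep one hash per user and compare hashes.
function makeServer() {
  const users = new Map();
  return {
    register(username, password) {
      users.set(username, md5hex(password));
    },
    login(form) {
      const stored = users.get(form.username);
      if (!stored) return false;
      const a = Buffer.from(stored, 'hex');
      const b = Buffer.from(String(form.vb_login_md5password), 'hex');
      // Constant-time comparison; a length mismatch is a plain rejection.
      return a.length === b.length && crypto.timingSafeEqual(a, b);
    },
  };
}

// Runs the exchange with a constructed account and reports what the server accepts.
function demo() {
  const server = makeServer();
  server.register('alice', 'correct horse'); // constructed sample data
  const first = clientSubmit('alice', 'correct horse');
  const second = clientSubmit('alice', 'correct horse');
  // A form body rebuilt from the transmitted field alone, with no password involved.
  const rebuilt = { username: 'alice', vb_login_md5password: first.vb_login_md5password };
  return {
    sameOnEveryLogin: first.vb_login_md5password === second.vb_login_md5password,
    acceptedWithPassword: server.login(first),
    acceptedFromHashAlone: server.login(rebuilt),
    wrongPasswordRejected: !server.login(clientSubmit('alice', 'wrong horse')),
  };
}

console.log(demo());
```

All four fields print `true`: in this model the hash is the credential the server verifies, so keeping it confidential in transit is the job of the transport layer.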
Old 22 Mar 2017, 03:10 PM   #3
Bamb0
Master of the @
 
Join Date: Feb 2005
Location: USA
Posts: 1,233
Some sites DO have an SSL layer for those who want it but THEY DO NOT FORCE IT as it can cause problems for some browsers. (You can still use HTTP on their sites)

Last edited by Bamb0 : 14 Apr 2017 at 05:01 AM.
All times are GMT +9. The time now is 11:05 PM.

 
