Unsafe connection (No HTTPS?)
  • charlie
    replied
    HOWEVER, Athos, I didn't realize yesterday that this is still vulnerable to eavesdropping. Although the hash obfuscates the password, an attacker can still use the hash to login. Once the attacker has captured the hash, modifying the script on the client side or modifying the payload of an HTTP packet should be enough to login as the victim. It's not as straightforward as having the password in plaintext, but it's still pretty easy to steal a password (as the hash is in fact the password used).

    SSL/TLS definitely solves this problem. Hope you guys can fix this soon, because this site is awesome!



  • Athos
    replied
    charlie it was a good question to bring up



  • charlie
    replied
    Right. I checked the script and sniffed my packets to check the data. Everything looks as you have explained. Thanks for the good work, Athos



  • charlie
    replied
    phew. Thanks Athos. So you hash & salt the password at client side, am I correct?



  • Athos
    replied
    charlie thank you for your suggestion and the move to an HTTPS environment is something that's been looked at for some time now. HTTPS applies an SSL/TLS encryption layer over the current standard HTTP protocol that is used to communicate between clients and servers. The SSL layer has 2 main purposes:

    1. Verifying that you are talking directly to the server that you think you are talking to
    2. Ensuring that only the server can read what you send it and only you can read what it sends back

    You are not correct in thinking that the passwords you enter travel across the web as plain text. They are currently encrypted using a double MD5 hash with a salt, making them virtually unreadable, and we exercise high database security protocols. Apart from the passwords, all other data that is shared here is in the public domain and is visible to browsers whether they are logged in or not, in the forum.

    The HTTPS protocol has recently gained popularity because of the ranking privileges Google affords it, which is why we are considering the move to it. I hope this has helped answer your question.
    Last edited by Athos; June 23, 2015, 12:19 AM.



  • charlie
    started a topic Unsafe connection (No HTTPS?)

    I recently noticed that there's no way to connect to your servers through HTTPS. This is really unsafe. It means our passwords are traveling the internet in plaintext.

    Guys, it's really important that this issue is solved, or otherwise the passwords, session cookies and other user data can be easily stolen.
