hardforum not ssl?

serpretetsky

2[H]4U
Joined
Dec 24, 2008
Messages
2,180
I'm new to this.
is there a particular reason that the hardforum isn't hosted on an https protocol?
too taxing on the server?

I just started playing around with packet tracers and was surprised how clearly your username and password are spelled out in the packet when you log in.

I know there are vpn options, etc etc, I'm just wondering why it's not implemented on the server itself.
 
Not that many forums really are, to be honest.

You would normally see

username=username&password=password&login=LoginHTTP/1.1 200 OK

Although it's still not that simple to sniff those passwords from outside your network (unless the ISP wants to do it, that is, or there is a hub along the way, and I doubt that!)

They could do some ARP tricks to get your info, but I doubt anyone will be bothered to try and get a user's account details though.
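As an added illustration of what the captured login above looks like to a passive monitor on your own network, here is a small Python script written for this thread (not code from any poster or from the forum software). It parses a constructed HTTP POST capture, the same shape as the `username=...&password=...&login=Login` body shown above, and reports which credential-like fields crossed the wire in the clear, redacting the values. The host `forum.example`, the path `/login.php` and the field names it looks for are assumptions for the example. The same request sent over TLS would reach a sniffer only as ciphertext, so the parser would have nothing to match.

```python
"""Passive detector for credentials submitted over plain HTTP.

Added example for this thread: given the raw bytes of one HTTP/1.x
request as a sniffer would see them on an unencrypted link, split it
into request line, headers and form body, and report which fields look
like credentials. Values of those fields are never stored, so the
report itself does not become a password file. All sample captures
below are constructed; no real site or account is involved.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

# Field names that usually carry a secret (assumed list for the example).
SECRET_FIELDS = {"password", "passwd", "pass", "pwd"}
# Field names that usually carry the account identifier.
USER_FIELDS = {"username", "user", "login", "email"}


@dataclass
class Finding:
    host: str
    path: str
    username: Optional[str]      # who logged in, useful for notifying them
    secret_fields: List[str]     # names only; the secret values are dropped


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_login(raw: bytes) -> Optional[Finding]:
    """Return a Finding if this request carries a form login in the clear."""
    method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    # Honour Content-Length so trailing bytes of a pipelined request are ignored.
    length = int(headers.get("content-length", len(body)))
    fields = dict(parse_qsl(body[:length].decode("utf-8", "replace"),
                            keep_blank_values=True))
    secrets = [name for name in fields if name.lower() in SECRET_FIELDS]
    if not secrets:
        return None
    user_field = next((n for n in fields if n.lower() in USER_FIELDS), None)
    return Finding(host=headers.get("host", "?"), path=path,
                   username=fields.get(user_field) if user_field else None,
                   secret_fields=secrets)


def report(finding: Finding) -> str:
    """One-line, redacted summary suitable for a log or an alert."""
    return (f"cleartext login to http://{finding.host}{finding.path} "
            f"user={finding.username!r} secret_fields={finding.secret_fields}")


# Constructed sample: a forum login as it appears on the wire without TLS.
SAMPLE_LOGIN = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&login=Login"
)

# Constructed sample: a harmless search form, should not be flagged.
SAMPLE_SEARCH = (
    b"POST /search.php HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"q=ssl+certs&x="
)


if __name__ == "__main__":
    for capture in (SAMPLE_LOGIN, SAMPLE_SEARCH):
        found = find_cleartext_login(capture)
        print(report(found) if found else "no credentials in this request")
```

Run as a script it prints one redacted alert for the login capture and nothing of interest for the search form; the password value never appears in the output, which is the property you want from any monitor that inspects traffic on a network you are responsible for.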
 
Let's ask: @Anonymous, @Lulzec, frankly, what would you do with our user accounts' details? ^-^
 
Although getting a mod's or admin's account may cause some problems.
 
It has shifted more toward corporate information and financial gain, so a computer hardware community is a very very low target for farming logins.

Although the code writers have gotten better, it is also more worth their time to target the forum software itself, which has had its fair share of vulnerabilities in the past, and the vulnerabilities will be present across hundreds if not thousands of websites.

SSL, like you said, is a very expensive option. The benefit of using SSL for only login information is limited vs the cost of implementation and ongoing performance, and using SSL for all traffic even more so.

In the case of login information, VPN will do nothing here either, as whatever the last hop to the website is will be clear traffic. VPN would be used to hide your originating IP as you browse the forum, but once you log in, you lose the anonymity of using a VPN.

This is also why it is a good idea not to use the same password across forums/social media/etc.: if one gets compromised, they all do, especially if you use the same username.
 
We are not handling any data here that is of value and I have never been aware of any reason to do it.
 
Yeah, I don't see the point of going through the effort to implement SSL for this site. I'm sure it could be hacked if someone was determined enough, but just don't be stupid and use the same password all over the net.
 

Note that the article talks about 1024-bit encryption, not 2048, which is what most certificates are going to be at this point. Earlier this year some providers stopped offering 1024-bit certificates altogether.

Also, depending on how you are set up, you may have to buy a wildcard certificate, which is more expensive than a single named instance. I can buy good 2048-bit certificates for a single host/name for under $20.

Depending on setup you may need something to offload the SSL transactions, which would also add an expense. Or, if you are doing load balancing already, where do you terminate the SSL connection: on the load balancer, or on the servers? (Load balancer is a better idea.) But if you are not using a load balancer and are instead using DNS round robin, then it is on the web front end boxes.

So you are right, SSL does not have to be expensive, but it is not just as easy as checking a box. It takes time, planning, and forethought to implement.
 
I have never seen forums with SSL.

Capturing this info is harder than most think. The perp would have to either have access at the server's end or your end. In between, the signal is encoded in a way where you can't just plug a laptop into it and listen. Even at the phone line level, if someone was to plug in a DSL modem it would fight with yours; never would both work at once. Once it goes over fiber, good luck tapping into that. There's probably like a million different virtual circuits in there; the odds of isolating a specific one are very slim.

The only thing I'd be semi-worried about is the possibility of the info getting captured if on a public network, but even then I doubt it would be done for malicious purposes, unless you're using some wifi hot spot that turns out to be a honeypot or something.
 
I use the same username and password for my various government and cia logins, but I feel pretty secure that nobody will figure this out.
 
Capturing this info is harder than most think. The perp would have to either have access at the server's end or your end. In between, the signal is encoded in a way where you can't just plug a laptop into it and listen. Even at the phone line level, if someone was to plug in a DSL modem it would fight with yours; never would both work at once. Once it goes over fiber, good luck tapping into that. There's probably like a million different virtual circuits in there; the odds of isolating a specific one are very slim.
Most likely when the connection reaches your ISP it passes over a plain old ethernet network which is pretty trivial to tap into if you can get physical access.

Tapping on the telco infrastructure is likely to be more work but still far from impossible.
 