I notice that lots of vBulletin installations don't use HTTPS when logging in the user.
I was worried that this meant the user name and password were sent in clear text. I've finally gotten around to doing some sniffing to see if that's true, and it appears that it's not. The login button sends a POST to "/login.php?do=login" that includes the user name in plain text, but doesn't include a plain text password.
It further includes a "securitytoken" and a "vb_login_md5password". Looks like the plain text password is hashed with plain MD5 (but not salted!) and that becomes the md5password.
Is this arrangement secure? Can't an observer intercept the password hash and rainbow it, or otherwise attack it?