Forum logons and SSL

Discussion in 'other security issues & news' started by xxJackxx, Jun 22, 2010.

Thread Status:
Not open for further replies.
  1. xxJackxx

    xxJackxx Registered Member

    I have noticed that most of the forums I see do not use any SSL. Is it unwise to pass these logons in plain text, or are these sites not a target as there is nothing to steal here? On the other hand if someone uses the same logon for all sites... any thoughts on the subject?
  2. katio

    katio Guest

    Private forums (i.e. require registration before you can even view threads) often have an SSL option. Keep in mind SSL increases server load and therefore hosting costs.

    What kind of security do you expect from SSL?
    1) snooping: only of credentials, the content is clear-text anyway
    2) MITM: again, for stealing login data, what else could you use it for on a forum?
    And against whom?
    Mainly other users on the same insecure network.

    But who'd want your wilderssecurity credentials?
    Maybe some flamewar gone wrong, or a personal vendetta by a fellow member.
    That would only make sense in a targeted attack. But what's the chance they control your ISP, DNS or are on the same wlan?

    SSL is good to keep content/conversations private which does not really apply to public sites, to protect credentials for sites that any attacker can make use of and sell on the black market (like email and online banking) and to assure the authenticity of a site if you are for example downloading software or signatures.
    For 99% of the other cases it seems pretty useless to me.

    Using the same password on all sites, well I think you'd deserve to get hacked. If only to learn the basics of common sense.
  3. GlobalForce

    GlobalForce Regular Poster

  4. katio

    katio Guest

    In case you are really worried about logging in on an insecure network (e.g. Tor as mentioned on that thread) keep the cookie and you don't have to provide your password.
    The UID isn't secure, you got 89323 for example ;) but the password itself is hashed, md5 it seems. Well, better than nothing.
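
Added example, not part of the thread and not the forum software's own code: the cookie design described in the post above (UID plus a password hash), assumed here to be an unsalted MD5, beside a random server-side session token issued with the `Secure` and `HttpOnly` attributes. `legacy_cookie`, `SessionStore` and the sample password are hypothetical names and constructed values.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie


def legacy_cookie(uid: int, password: str) -> str:
    # Assumed scheme: UID plus unsalted MD5 of the password, as the post guesses.
    # The value is identical on every login, so it works as a long-lived
    # stand-in for the password until the password is changed.
    digest = hashlib.md5(password.encode()).hexdigest()
    return f"uid={uid}; pwhash={digest}"


class SessionStore:
    """Hypothetical server-side store: one random token per login, revocable."""

    def __init__(self):
        self._by_token = {}

    def login(self, uid: int) -> str:
        token = secrets.token_urlsafe(32)       # unrelated to the password
        self._by_token[token] = uid
        cookie = SimpleCookie()
        cookie["session"] = token
        cookie["session"]["secure"] = True      # browser sends it over HTTPS only
        cookie["session"]["httponly"] = True    # not readable from page scripts
        cookie["session"]["samesite"] = "Lax"
        cookie["session"]["path"] = "/"
        return cookie["session"].OutputString() # value for a Set-Cookie header

    def whoami(self, cookie_header: str):
        morsel = SimpleCookie(cookie_header).get("session")
        return self._by_token.get(morsel.value) if morsel else None

    def logout(self, cookie_header: str) -> None:
        morsel = SimpleCookie(cookie_header).get("session")
        if morsel:
            self._by_token.pop(morsel.value, None)  # token is dead immediately


if __name__ == "__main__":
    pw = "constructed-sample-password"          # constructed value
    print(legacy_cookie(89323, pw) == legacy_cookie(89323, pw))  # static value
    store = SessionStore()
    first, second = store.login(89323), store.login(89323)
    print(first != second)                      # fresh token per login
    store.logout(first.split(";")[0])
    print(store.whoami(first.split(";")[0]), store.whoami(second.split(";")[0]))
```
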
  5. xxJackxx

    xxJackxx Registered Member

    I'm not really concerned by it, as I would never be stupid enough to use the same password twice. I just wondered, as my boss has a couple of websites that require users to log on. If someone stole his logon they could take over the entire site. Which would immediately become my problem.