No ssl at wilders security forum??

Discussion in 'other security issues & news' started by scott1256ca, Sep 2, 2010.

Thread Status:
Not open for further replies.
  1. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    Does it strike anyone else as odd that a forum about security would not have an ssl option? At least trying https://www.wilderssecurity.com/ brings nothing up and neither did my search seeing if anything was available.

    My understanding is that this means that someone using a packet sniffer on me would see my userid and password in plaintext, which is not very secure. I admit the risk is not that great because I don't use that password for online banking, for example, but I'm sure that many people do use a single password for multiple online sites, including ones that should be secure.

    Just an observation. Anyone care to comment?
     
  2. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    I give my vote for SSL in the near future:)
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    If someone is using the same password for multiple websites period, let alone secure ones, an SSL option isn't going to save them from anything. I don't see SSL being needed here as I have serious doubts anyone here is sharing sensitive information even in PMs. And there certainly aren't any sensitive posts in the public forum. I just think the risk is far too low here to hassle with adding that in, IMHO.
     
  4. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667

    This^.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yes it's outrageous isn't it :D

    Seriously, it wouldn't be a bad idea though :thumb:

    Maybe they could get a self cert etc for free, so no $ = :) all round
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Actually, this has been discussed a few times before. See this last thread for key information about this:

    https://www.wilderssecurity.com/showthread.php?t=218064

    Aside from increasing the cost of providing the forum, we simply view SSL as unnecessary here. This is a public forum. What goes on here is members posting things in public for other people to read. No one is asked to enter any important personal information here. The worst that could happen, as mentioned above, is someone might packet sniff you on your network and see either the hash of your password, which is sent only at logon, or more likely your sessionid hash. With that, they might be able to hijack your session.

    However, in the 8.5 years that we've been operating this forum, no incidents involving session hijacking or compromised accounts have ever been reported.

    Our view of security requirements has always been risk assessment based. The exposure opened by not having SSL access here just doesn't merit the increased costs and overhead needed to provide it.
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    I know this has been discussed before as I started a thread about this a few months ago. I asked about forums in general though, because none of them really use it. Nobody really seems to care, and I don't know that I do either. I use a different password for each site, so if this one gets hacked I lose nothing else. I find it interesting that cost is even mentioned though, as SSL certs really don't cost much. I just checked godaddy and they seem to run about $25 a year.
     
  8. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    Thank you for your responses.
     
  9. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    So passwords are NOT transmitted in cleartext?
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    It's not the certificate cost... it's the server (processing power) and bandwidth. The encryption of all webserver data packets would take a lot of extra hosting resources. It would increase our hosting requirements significantly given our size and activity levels. It's those ongoing, monthly hosting expenses that are the real cost of adding SSL support.
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Not normally. vBulletin uses a client-side JavaScript routine to hash the passwords before transmitting them to the server at member login. If you disallow JavaScript for this forum then yes, there is no choice but to transmit the actual password to the server for verification. Most people allow that JavaScript function, so, it is hashes that are usually transmitted by most members.

    While this hashing doesn't prevent potential session hijacking by someone sniffing packets on your network, it does address the "using the same password on multiple websites" issue noted above. No one will be reversing the hash into your real password, unless: 1. you use a really simple and short password, and 2. they have significant password cracking resources (to reverse the double MD5 with salt routine).
     
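The login scheme the admin describes in post 11 (client-side hash, then "double MD5 with salt" on the server) and the sniffing exposure from post 6, modelled as an added example. This is not code from the thread and not vBulletin's own code; it assumes the client sends MD5(password) and the server stores MD5(MD5(password) + salt), and the account, salt and candidate list are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


def md5_hex(text: str) -> str:
    """Hex MD5 of a string (MD5 is what the thread describes; it is not a modern choice)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_side_hash(password: str) -> str:
    """Model of the value the browser-side script sends instead of the password.

    Assumption: a plain, unsalted MD5. The client cannot add the salt because it
    never learns it, so this value is a fixed function of the password alone.
    """
    return md5_hex(password)


def register(password: str, salt: Optional[str] = None) -> dict:
    """Server-side record: per-user salt plus MD5(MD5(password) + salt).

    One reading of the admin's "double MD5 with salt"; the salt length is a
    constructed choice, not taken from the forum software.
    """
    salt = salt if salt is not None else secrets.token_hex(3)
    return {"salt": salt, "hash": md5_hex(client_side_hash(password) + salt)}


def verify_login(record: dict, wire_value: str) -> bool:
    """Server check: re-apply the salt and the second MD5 to whatever arrived.

    The server never needs the password itself, only the first-stage hash.
    """
    expected = md5_hex(wire_value + record["salt"])
    return hmac.compare_digest(expected, record["hash"])


def replay_accepted(record: dict, captured_wire_value: str) -> bool:
    """Defender's check: a value copied off a cleartext login is accepted again as-is.

    Hashing keeps the password off the wire, but the hash is a password-equivalent
    credential for this site; only transport encryption keeps it from being captured.
    """
    return verify_login(record, captured_wire_value)


def exposed_by_capture(captured_wire_value: str, candidates: List[str]) -> Optional[str]:
    """Why "simple and short" is the risk factor the admin names.

    No salt travels with the first-stage hash, so whoever holds a captured value can
    confirm a candidate password with a single MD5. Returns the matching candidate,
    or None when the password is not in the (constructed) candidate list.
    """
    for candidate in candidates:
        if hmac.compare_digest(md5_hex(candidate), captured_wire_value):
            return candidate
    return None


if __name__ == "__main__":
    record = register("correct horse", salt="ab12cd")   # constructed account
    on_the_wire = client_side_hash("correct horse")      # what a plain-HTTP login carries
    print("login ok:", verify_login(record, on_the_wire))
    print("captured value replays:", replay_accepted(record, on_the_wire))
    print("exposed by capture:", exposed_by_capture(on_the_wire, ["letmein", "correct horse"]))
```

The model shows the two halves of the admin's argument: the stored value is salted and double-hashed, so the real password is not what travels, but the value that does travel is replayable and salt-free, which is exactly the exposure TLS on the login request would close. The session-id hash mentioned in post 6 has the same property (a fixed token accepted as-is), so the same reasoning applies to it.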
  12. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Thanks, I did not know about this, I will allow javascript for forums from now on :p
    I am (pleasantly) surprised that the hashing is with salts :)
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    True, but I was thinking in terms of only using it for passing logon data. It would be truly pointless to use it for all traffic on a public forum.

    Also good to know that vBulletin doesn't transmit the passwords in clear text. I guess that really does make the whole thing pointless.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very interesting!

    ----
    rich
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yes, I was meaning just for log in as xxJackxx mentioned :thumb:
     
  16. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Short and simple answer: Who cares?:p

    Long answer: I leave it to the forum admins to take care of that...

    But if it's simply for log-in, it isn't a bad idea since it helps to keep spammers down. However, afaik, vBulletin doesn't support such a feature yet, but I may be wrong though.
     
  17. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Free SSL Certificates
    https://startssl.com/?app=1

    Doesn't cut down on your processing power and bandwidth issues though.
    Are you providing your own servers from DSL? :D
    There are a number of hosting providers that offer unlimited or unmetered bandwidth.
     
    Last edited: Sep 7, 2010
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Interesting, I didn't know that :thumb:

    Forgot to mention this before ;)

    :thumb:
     