Security "problem" with RFD
kloostec
Oct 23rd, 2007, 03:57 PM
When logging into the RFD forums, it would be very nice to submit to an SSL page, so that my authentication credentials are not sent plaintext over the internet. I use open wireless at school, so it's trivial to sniff my RFD password when I log in.
kloostec
Nov 3rd, 2007, 08:41 PM
Bump. I want my RFD fix at school!
Shaner
Nov 3rd, 2007, 11:28 PM
Just make sure your RFD password isn't the same as other, important passwords (such as online banking).
Problem solved!
Firestorm ZERO
Nov 4th, 2007, 12:07 AM
Does your school offer VPN?
Kaitlyn
Nov 4th, 2007, 12:22 AM
Actually I believe that the password is hashed before it is sent, so in fact nobody gets your password.
Just make sure you have javascript enabled and you're good to go!
Rehan
Nov 4th, 2007, 12:41 AM
> Just make sure your RFD password isn't the same as other, important passwords (such as online banking).
> Problem solved!

Yup, that's the easiest thing to do.

> Actually I believe that the password is hashed before it is sent, so in fact nobody gets your password.
> Just make sure you have javascript enabled and you're good to go!

No, unfortunately vBulletin doesn't hash the password until it's on the server side and it's ready to be added to the database. (I just checked, by snooping on the login process using Ethereal...)
Kaitlyn
Nov 4th, 2007, 08:13 AM
> Yup, that's the easiest thing to do.
> No, unfortunately vBulletin doesn't hash the password until it's on the server side and it's ready to be added to the database. (I just checked, by snooping on the login process using Ethereal...)

Ahhh... I forgot. It's not the standard vBulletin login. I'll see if we can port the vB login process over, and that way it would get hashed before sending, as long as JS is enabled.
cka
Nov 4th, 2007, 08:54 AM
If you're on your laptop at school (assuming this from the "open wireless" network you mention) why not just stay logged into the forums on your computer? The cookie it stores stays alive for a pretty long time, up to one year afaik, barring any major upgrades to the forum system. Plus, you have the added benefit of the hashed password being sent from your cookie instead of the plaintext one from the login form.
If you're using a public computer, I'd suggest using a copy of Firefox Portable from a USB drive or something. That way you can keep your cookie information intact and avoid the login issue altogether similar to using your own computer.
Asad_A203
Nov 5th, 2007, 11:14 PM
Opera password tool thingy for the win!
Kaitlyn
Nov 6th, 2007, 06:31 AM
> Opera password tool thingy for the win!

How does that help any?
S_G
Nov 6th, 2007, 02:20 PM
> How does that help any?

It doesn't, he doesn't know what he's talking about.
Anyhow, RFD should do this. It's not like it costs anything, since they can simply create a self-signed certificate (we don't care about real certificate authorities, since the few people who will actually use this feature on RFD will already trust this place).
OpenSSL for the win.
Kaitlyn
Nov 6th, 2007, 02:45 PM
> It doesn't, he doesn't know what he's talking about.
> Anyhow, RFD should do this. It's not like it costs anything, since they can simply create a self-signed certificate (we don't care about real certificate authorities, since the few people who will actually use this feature on RFD will already trust this place).
> OpenSSL for the win.

I think you'd be surprised. Not everyone on this forum even has a clue what a certificate means, and through personal experience I know people get scared off when they see these popups about an untrusted site and such.
The simplest solution would be to hash the password with JS before it's sent. 99% of people on this site surely have JS enabled, and they could always enable it JUST to log in if it really mattered THAT much to them.
aimfox
Nov 6th, 2007, 10:09 PM
Ryan/Derek should pay for the new script protection.. it would be awesome! :D
Kaitlyn
Nov 6th, 2007, 10:12 PM
> Ryan/Derek should pay for the new script protection.. it would be awesome! :D

Pay for WHAT new script protection? huh? And just how awesome would it be? :)
kloostec
Nov 8th, 2007, 12:00 AM
SSL certs are cheap (relatively speaking), so if it's more than a few hours worth of work to get the JavaScript hashing code working (I've seen examples of that with vBulletin, LiveJournal and Typo3), maybe it's easier to get a cert and be done with it? Either solution would be satisfactory, though.
And yes, my RFD password is different than my important passwords, but that's beside the point, as the password is still getting sent over the Internet plaintext...
aimfox
Nov 8th, 2007, 11:39 PM
> Pay for WHAT new script protection? huh? And just how awesome would it be? :)

SSL Certs.. they cost $100/year
dskingston
Mar 3rd, 2010, 12:59 PM
Any more word if this is going to be done? People should be informed not to use an important password that they use for banking sites etc when they register, since the password login is not secure on the RFD site.
dealCker
Mar 3rd, 2010, 04:33 PM
Some quick questions.
So what if someone sniffs your password?
Are you afraid they are going to run amok and mess up your account, send messages to people to mess up your reputation? If so, create a new account.
Is there a risk of you being impacted in any private or financial way? Then I would want to have an SSL, and if they don't put one in then I'd leave (which you have the choice to do). But from what I can access and use this site for, I don't have issues with it here. (I don't use the BST, and even then there is a community element of trust between users on feedback.)
As mentioned previously and alluded to, don't use the same password for this type of stuff as you would for banking or other places with sensitive data.
I'd say be responsible and knowledgeable about using the ol' interweb.