Security "problem" with RFD

[kloostec]

When logging into the RFD forums, it would be very nice to submit to an SSL page, so that my authentication credentials are not sent plaintext over the internet. I use open wireless at school, so it's trivial to sniff my RFD password when I log in.

[kloostec]

Bump. I want my RFD fix at school!

[Shaner]

Just make sure your RFD password isn't the same as other, important passwords (such as online banking).

Problem solved!

[Firestorm ZERO]

Does your school offer VPN?

[Kaitlyn]

Actually I believe that the password is hashed before it is sent, so in fact nobody gets your password.

Just make sure you have javascript enabled and you're good to go!

[Rehan]

Just make sure your RFD password isn't the same as other, important passwords (such as online banking).

Problem solved!

Yup, that's the easiest thing to do.

Actually I believe that the password is hashed before it is sent, so in fact nobody gets your password.

Just make sure you have javascript enabled and you're good to go!

No, unfortunately vBulletin doesn't hash the password until it's on the server side and it's ready to be added to the database. (I just checked, by snooping on the login process using Ethereal...)

[Kaitlyn]

Yup, that's the easiest thing to do.


No, unfortunately vBulletin doesn't hash the password until it's on the server side and it's ready to be added to the database. (I just checked, by snooping on the login process using Ethereal...)

Ahhh... I forgot. It's not the standard vBulletin login. I'll see if we can port the vB login process over and that way it would get hashed before sending, as long as JS is enabled

[cka]

If you're on your laptop at school (assuming this from the "open wireless" network you mention) why not just stay logged into the forums on your computer? The cookie it stores stays alive for a pretty long time, up to one year afaik, barring any major upgrades to the forum system. Plus, you have the added benefit of the hashed password being sent from your cookie instead of the plaintext one from the login form.

If you're using a public computer, I'd suggest using a copy of Firefox Portable from a USB drive or something. That way you can keep your cookie information intact and avoid the login issue altogether similar to using your own computer.

[Asad_A203]

Opera password tool thingy for the win!

[Kaitlyn]

Opera password tool thingy for the win!

How does that help any?

[S_G]

How does that help any?

It doesn't, he doesn't know what he's talking about.

Anyhow, RFD should do this. It's not like it costs anything, since they can simply create a self-signed certificate (we don't care about real certificate authorities, since the few people who will actually use this feature on RFD will already trust this place).

OpenSSL for the win.

[Kaitlyn]

It doesn't, he doesn't know what he's talking about.

Anyhow, RFD should do this. It's not like it costs anything, since they can simply create a self-signed certificate (we don't care about real certificate authorities, since the few people who will actually use this feature on RFD will already trust this place).

OpenSSL for the win.

I think you'd be surprised. Not everyone on this forum even has a clue what a certificate means, and through personal experience I know people get scared off when they see these popups about an untrusted site and such.

The simplest solution would be to hash the password with JS before it's sent. 99% of people on this site surely have JS enabled and they could always enable it JUST to log in if really mattered THAT much to them

[aimfox]

Ryan/Derek should pay for the new script protection.. it would be awesome!

[Kaitlyn]

Ryan/Derek should pay for the new script protection.. it would be awesome!

Pay for WHAT new script protection? huh? And just how awesome would it be?

[kloostec]

SSL certs are cheap (relatively speaking), so if it's more than a few hours worth of work to get the JavaScript hashing code working (I've seen examples of that with vBulletin, LiveJournal and Typo3), maybe it's easier to get a cert and be done with it? Either solution would be satisfactory, though.

And yes, my RFD password is different than my important passwords, but that's beside the point, as the password is still getting sent over the Internet plaintext...