Penny Arcade Forums H.Q. Reception Desk
Open call for Board Member and Moderator positions in Coin Return. More information here.
You can now pre-register your username on Coin Return. Check out the instructions here.
Forum Rules Ratification poll is live. Please vote. Open until March 25th.

Secure Login?

UselesswarriorUselesswarrior Registered User regular
edited January 2009 in H.Q. Reception Desk
I hope this is the right place for it, please move if needed.

Is there anyway to log into the forums securely over https? I get nervous about logging whenever I am on a public network as it is fairly trivial to snoop that stuff.

Hey I made a game, check it out @ http://ifallingrobot.com/. (Or don't, your call)
Uselesswarrior on

Posts

  • TossrockTossrock too weird to live too rare to dieRegistered User regular
    edited January 2009
    I'm pretty sure there's not.

    Tossrock on
    sig.png
  • WillethWilleth Registered User regular
    edited January 2009
    Unfortunately not that I'm aware - just don't post anything you're not comfortable with being out there under this name and don'tuse a password you use for anything else.

    Willeth on
    @vgreminders - Don't miss out on timed events in gaming!
    @gamefacts - Totally and utterly true gaming facts on the regular!
  • ÄlphämönkëyÄlphämönkëy Registered User regular
    edited January 2009
    Full SSL is a chore. I have to maintain a valid cert and it really grinds a server's CPU to do encryption in software.

    Now that said, I don't know if you noticed, but when you submit the login form, your password disappears right before submission. The webpage does a client side hashing of your password and then sends that MD5 sum over the wire instead of your actual password. 
    <!-- login form -->
		<form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
		<script type="text/javascript" src="////clientscript/vbulletin_md5.js?v=367"></script>
    I implemented one of these a long time ago in our custom phpBB board.

    Legitimate security concerns:
    • The vBulletin implementation is not salted, thus allowing for a replay attack
    • The vBulletin implementation uses MD5 (SHA256 is recommended and already well implemented in javascript)
    • The vBulletin implementation does follow the challenge/response paradigm for authentication over an untrusted medium

    Getting back to your question, if your browser has javascript support then your password is not being sent in clear text. While their implementation isn't stellar, it gets the job done.

    -alpha

    Älphämönkëy on
  • UselesswarriorUselesswarrior Registered User regular
    edited January 2009
    alphamonkey wrote: »
    Full SSL is a chore. I have to maintain a valid cert and it really grinds a server's CPU to do encryption in software.

    Now that said, I don't know if you noticed, but when you submit the login form, your password disappears right before submission. The webpage does a client side hashing of your password and then sends that MD5 sum over the wire instead of your actual password. 
    <!-- login form -->
		<form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
		<script type="text/javascript" src="/////clientscript/vbulletin_md5.js?v=367"></script>
    I implemented one of these a long time ago in our custom phpBB board.

    Legitimate security concerns:
    • The vBulletin implementation is not salted, thus allowing for a replay attack
    • The vBulletin implementation uses MD5 (SHA256 is recommended and already well implemented in javascript)
    • The vBulletin implementation does follow the challenge/response paradigm for authentication over an untrusted medium

    Getting back to your question, if your browser has javascript support then your password is not being sent in clear text. While their implementation isn't stellar, it gets the job done.

    -alpha

    Yeah I did notice that it was MD5 hashed when I was watching it in wireshark. Better then sending it plain text. I've read up on MD5, apparently their are some flaws, like you said SHA256 is recommend.

    Thanks for the response.

    Uselesswarrior on
    Hey I made a game, check it out @ http://ifallingrobot.com/. (Or don't, your call)
Sign In or Register to comment.
Penny Arcade Forums H.Q. Reception Desk