Secure Login?

Uselesswarrior Registered User regular
I hope this is the right place for it, please move if needed.

Is there any way to log into the forums securely over https? I get nervous about logging in whenever I am on a public network, as it is fairly trivial to snoop that stuff.

Hey I made a game, check it out @ http://ifallingrobot.com/. (Or don't, your call)
Uselesswarrior on

Posts

  • Tossrock (too weird to live too rare to die) Registered User regular
    edited January 2009
    I'm pretty sure there's not.

    Tossrock on
  • Willeth Registered User regular
    edited January 2009
    Unfortunately not that I'm aware - just don't post anything you're not comfortable with being out there under this name and don't use a password you use for anything else.

    Willeth on
    @vgreminders - Don't miss out on timed events in gaming!
    @gamefacts - Totally and utterly true gaming facts on the regular!
  • Älphämönkëy Registered User regular
    edited January 2009
    Full SSL is a chore. I have to maintain a valid cert and it really grinds a server's CPU to do encryption in software.

    Now that said, I don't know if you noticed, but when you submit the login form, your password disappears right before submission. The webpage does a client side hashing of your password and then sends that MD5 sum over the wire instead of your actual password.
    <!-- login form -->
    <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
    <script type="text/javascript" src="////clientscript/vbulletin_md5.js?v=367"></script>
    
    I implemented one of these a long time ago in our custom phpBB board.

    Legitimate security concerns:
    • The vBulletin implementation is not salted, thus allowing for a replay attack
    • The vBulletin implementation uses MD5 (SHA256 is recommended and already well implemented in javascript)
    • The vBulletin implementation does follow the challenge/response paradigm for authentication over an untrusted medium

    Getting back to your question, if your browser has javascript support then your password is not being sent in clear text. While their implementation isn't stellar, it gets the job done.

    -alpha

    Älphämönkëy on
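As an added example, not code from the thread and not vBulletin's or phpBB's own implementation, the following Python toy models the two schemes alpha's post contrasts: a static, unsalted client-side hash sent in place of the password, and a challenge/response exchange in which the server issues a one-time random nonce. The class and function names are the example's own, the credential is constructed, and the verifier format (plain SHA-256 of the password) is an assumption made for the demo, not a description of what either board stores. The point it makes concrete is the first concern in the list above: the same bytes authenticate every time in the static scheme, so a passive observer who has seen one login holds a password-equivalent, whereas a consumed nonce makes a captured response useless.

```python
"""Toy model of two login schemes (added example, not forum software code).

StaticHashServer      - client sends H(password); identical on every login.
ChallengeResponseServer - server issues a one-time nonce; client sends
                          HMAC-SHA256(verifier, nonce); nonce consumed on use.
"""
import hashlib
import hmac
import secrets

# Constructed demo credential, not a real account.
USERNAME = "demo_user"
PASSWORD = "correct horse battery staple"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


class StaticHashServer:
    """Models the scheme discussed above: the browser sends md5(password)
    and the server compares it to the stored md5(password). Nothing on the
    wire changes between logins, so the hash is itself the credential."""

    def __init__(self):
        self.verifiers = {}

    def register(self, user, password):
        self.verifiers[user] = md5_hex(password)

    def login(self, user, md5_from_client):
        stored = self.verifiers.get(user)
        return stored is not None and hmac.compare_digest(stored, md5_from_client)


def static_client_message(password):
    """What the client transmits in the static scheme: an unsalted MD5."""
    return md5_hex(password)


class ChallengeResponseServer:
    """Server stores a verifier (here assumed to be sha256(password)) and
    hands out a fresh random nonce per login attempt. The response must be
    HMAC-SHA256(verifier, nonce); the nonce is deleted when checked, so a
    captured (nonce, response) pair cannot be presented a second time."""

    def __init__(self):
        self.verifiers = {}
        self.pending = {}  # user -> outstanding nonce, at most one

    def register(self, user, password):
        self.verifiers[user] = sha256_hex(password)

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user, nonce, response):
        issued = self.pending.pop(user, None)  # consume: single use
        if issued is None or issued != nonce:
            return False
        verifier = self.verifiers.get(user)
        if verifier is None:
            return False
        expected = hmac.new(verifier.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def challenge_client_response(password, nonce):
    """Client side: derive the verifier and prove it against the nonce."""
    return hmac.new(sha256_hex(password).encode(), nonce.encode(), hashlib.sha256).hexdigest()


def run_static_scheme():
    """Returns (first_login_ok, replayed_login_ok) for the static scheme."""
    server = StaticHashServer()
    server.register(USERNAME, PASSWORD)
    observed = static_client_message(PASSWORD)  # what a passive observer records
    first = server.login(USERNAME, observed)
    replayed = server.login(USERNAME, observed)  # same bytes, still accepted
    return first, replayed


def run_challenge_scheme():
    """Returns (first_ok, replay_same_nonce_ok, replay_fresh_nonce_ok)."""
    server = ChallengeResponseServer()
    server.register(USERNAME, PASSWORD)
    nonce = server.challenge(USERNAME)
    observed = challenge_client_response(PASSWORD, nonce)
    first = server.login(USERNAME, nonce, observed)
    same_nonce = server.login(USERNAME, nonce, observed)      # nonce already consumed
    fresh = server.challenge(USERNAME)
    fresh_nonce = server.login(USERNAME, fresh, observed)     # HMAC no longer matches
    return first, same_nonce, fresh_nonce


if __name__ == "__main__":
    print("static hash   (first, replay):", run_static_scheme())
    print("challenge/response (first, replay, replay-new-nonce):", run_challenge_scheme())
```

Two caveats follow from the model itself. The server in the challenge/response variant still holds a verifier that is equivalent to the password for this protocol, so the scheme only addresses a passive listener on the network, which is the scenario the original question raised; it does nothing for a stolen database, and without TLS a party that can alter the page in transit can simply change what the login script does. That is why the thread's own starting point, an https login, remains the answer that covers all of these cases.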
  • Uselesswarrior Registered User regular
    edited January 2009
    Full SSL is a chore. I have to maintain a valid cert and it really grinds a server's CPU to do encryption in software.

    Now that said, I don't know if you noticed, but when you submit the login form, your password disappears right before submission. The webpage does a client side hashing of your password and then sends that MD5 sum over the wire instead of your actual password.
    <!-- login form -->
    <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
    <script type="text/javascript" src="/////clientscript/vbulletin_md5.js?v=367"></script>
    
    I implemented one of these a long time ago in our custom phpBB board.

    Legitimate security concerns:
    • The vBulletin implementation is not salted, thus allowing for a replay attack
    • The vBulletin implementation uses MD5 (SHA256 is recommended and already well implemented in javascript)
    • The vBulletin implementation does follow the challenge/response paradigm for authentication over an untrusted medium

    Getting back to your question, if your browser has javascript support then your password is not being sent in clear text. While their implementation isn't stellar, it gets the job done.

    -alpha

    Yeah, I did notice that it was MD5 hashed when I was watching it in Wireshark. Better than sending it in plain text. I've read up on MD5; apparently there are some flaws, and like you said, SHA256 is recommended.

    Thanks for the response.

    Uselesswarrior on
    Hey I made a game, check it out @ http://ifallingrobot.com/. (Or don't, your call)