maemo.org - Talk

jd4200 2011-01-06 00:11

SSL Login
 
Would it be possible to implement a secure SSL login for the forums, or even better a site wide implementation?
Even a self-signed certificate would be great; I don't like passing my login credentials over the air in plain-text (I know they are md5 hashed but they can be fairly trivial to decrypt).

aligatro 2011-01-06 00:49

Re: SSL Login
 
Quote:

Originally Posted by jd4200 (Post 912715)
Would it be possible to implement a secure SSL login for the forums, or even better a site wide implementation?
Even a self-signed certificate would be great; I don't like passing my login credentials over the air in plain-text (I know they are md5 hashed but they can be fairly trivial to decrypt).

They are hashed on the server-side, not when you type it into the form. And it's not just md5, it's md5 + salt. And +1 for ssl encryption.

[added]
You are right, it is md5 before it is sent to the server.

jd4200 2011-01-06 01:01

Re: SSL Login
 
Quote:

Originally Posted by aligatro (Post 912739)
They are hashed on the server-side, not when you type it into the form. And it's not just md5, it's md5 + salt. And +1 for ssl encryption.

I just looked through a wireshark log, and it posts my username plain-text but my password is hashed. :confused:

Edit: Just saw your edit.

Suppose hashing with salt is good enough, still it's rather easy to hijack the session.

aligatro 2011-01-06 01:04

Re: SSL Login
 
Quote:

Originally Posted by jd4200 (Post 912752)
I just looked through a wireshark log, and it posts my username plain-text but my password is hashed. :confused:

Yea, I just checked it in wireshark too and edited my post.

Quote:

Originally Posted by jd4200 (Post 912752)
I just looked through a wireshark log, and it posts my username plain-text but my password is hashed. :confused:

Edit: Just saw your edit.

Suppose hashing with salt is good enough, still it's rather easy to hijack the session.

I meant it's stored in the db as md5 + salt, but the one that is transferred is just md5. (checked by generating it.)

lma 2011-01-06 05:23

Re: SSL Login
 
Quote:

Originally Posted by aligatro (Post 912754)
I meant it's stored in the db as md5 + salt, but the one that is transferred is just md5. (checked by generating it.)

Only if you have javascript enabled, and even then only if your browser's user-agent string starts with "Mozilla/" and is version 4 or higher. Otherwise the password is sent as plaintext.

Having said that, if a plain, unsalted md5 sum is accepted by the server, then for all intents and purposes the md5 is a plaintext password. An eavesdropper doesn't have to crack it, they can just send it as-is to authenticate.
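
An added example (not part of the thread and not the forum software's code) modelling the login discussed above, to show why the salt in the database does nothing for the value on the wire and why only transport encryption addresses it. The storage formula md5(md5(password) + salt), the form field names and the account are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

class ForumAuth:
    """Toy server: stores md5(md5(password) + salt), never the password (assumed scheme)."""

    def __init__(self):
        self.users = {}  # username -> (salt, stored_hash)

    def register(self, username, password):
        salt = os.urandom(8).hex()
        self.users[username] = (salt, md5_hex(md5_hex(password) + salt))

    def login(self, form):
        """Accept either field a browser might post (field names are hypothetical)."""
        record = self.users.get(form.get("username"))
        if record is None:
            return False
        salt, stored = record
        if "password_md5" in form:       # JavaScript path: client pre-hashed
            inner = form["password_md5"]
        elif "password" in form:         # no-JavaScript path: plaintext password
            inner = md5_hex(form["password"])
        else:
            return False
        # The salt is applied only here, server-side, after the value has crossed the network.
        return hmac.compare_digest(md5_hex(inner + salt), stored)

def observed_on_wire(form):
    """What a passive listener on plain HTTP sees: the posted form, unchanged."""
    return dict(form)

def demo():
    server = ForumAuth()
    server.register("alice", "correct horse battery")  # constructed account
    js_form = {"username": "alice", "password_md5": md5_hex("correct horse battery")}
    captured = observed_on_wire(js_form)
    return {
        "legit_login": server.login(js_form),
        "replay_of_captured_md5": server.login(captured),  # accepted without the password
        "password_in_capture": "correct horse battery" in captured.values(),
        "wrong_md5": server.login({"username": "alice", "password_md5": md5_hex("guess")}),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The captured form never contains the password, yet the server accepts it, because the server cannot distinguish a pre-hashed value from the legitimate client and one copied off the network.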

jd4200 2011-01-12 23:22

Re: SSL Login
 
Is there no demand for this?

If not I'll let the thread rest until someone else feels the need to bump it.


All times are GMT.