jd4200's Avatar
Posts: 451 | Thanked: 424 times | Joined on Apr 2010 @ England
#1
Would it be possible to implement a secure SSL login for the forums, or even better a site wide implementation?
Even a self-signed certificate would be great; I don't like passing my login credentials over the air in plain-text (I know they are md5 hashed but they can be fairly trivial to decrypt).
 

The Following User Says Thank You to jd4200 For This Useful Post:
Posts: 490 | Thanked: 191 times | Joined on May 2010
#2
Originally Posted by jd4200 View Post
Would it be possible to implement a secure SSL login for the forums, or even better a site wide implementation?
Even a self-signed certificate would be great; I don't like passing my login credentials over the air in plain-text (I know they are md5 hashed but they can be fairly trivial to decrypt).
They are hashed on the server-side, not when you type it into the form. And it's not just md5, it's md5 + salt. And +1 for ssl encryption.

[added]
You are right, it is md5 before it sends to server.

Last edited by aligatro; 2011-01-06 at 01:01.
 
jd4200's Avatar
Posts: 451 | Thanked: 424 times | Joined on Apr 2010 @ England
#3
Originally Posted by aligatro View Post
They are hashed on the server-side, not when you type it into the form. And it's not just md5, it's md5 + salt. And +1 for ssl encryption.
I just looked through a wireshark log, and it posts my username plain-text but my password is hashed.

Edit: Just saw your edit.

Suppose hashing with salt is good enough, still it's rather easy to hijack the session.

Last edited by jd4200; 2011-01-06 at 01:05.
 
Posts: 490 | Thanked: 191 times | Joined on May 2010
#4
Originally Posted by jd4200 View Post
I just looked through a wireshark log, and it posts my username plain-text but my password is hashed.
Yea, I just checked it in wireshark too and edited my post.

Originally Posted by jd4200 View Post
I just looked through a wireshark log, and it posts my username plain-text but my password is hashed.

Edit: Just saw your edit.

Suppose hashing with salt is good enough, still it's rather easy to hijack the session.
I meant it's stored in the db as md5 + salt, but the one that is transferred is just md5. (checked by generating it.)

Last edited by aligatro; 2011-01-06 at 01:14.
 

The Following User Says Thank You to aligatro For This Useful Post:
Posts: 2,802 | Thanked: 4,491 times | Joined on Nov 2007
#5
Originally Posted by aligatro View Post
I meant it's stored in the db as md5 + salt, but the one that is transferred is just md5. (checked by generating it.)
Only if you have javascript enabled, and even then only if your browser's user-agent string starts with "Mozilla/" and is version 4 or higher. Otherwise the password is sent as plaintext.

Having said that, if a plain, unsalted md5 sum is accepted by the server, then for all intents and purposes the md5 is a plaintext password. An eavesdropper doesn't have to crack it, they can just send it as-is to authenticate.
 

The Following User Says Thank You to lma For This Useful Post:
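To make lma's point concrete, here is a small model of the login flow the thread describes (client-side md5 only with JavaScript and a Mozilla/4+ user agent; the server stores md5(md5(password) + salt) and re-derives it from whatever it receives). This is added example code, not the forum's or vBulletin's own; the salt, password, user-agent strings and the regex used to read the "Mozilla/" version are constructed assumptions.

```python
import hashlib
import re

# Constructed sample account for the demonstration (not real data).
SALT = "k3Q"              # short per-user salt kept server-side, per post #4
PASSWORD = "correct horse"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def stored_hash(password: str, salt: str) -> str:
    """What the database holds: md5(md5(password) + salt)."""
    return md5_hex(md5_hex(password) + salt)


def client_submit(password: str, js_enabled: bool, user_agent: str) -> dict:
    """Model of the login form from post #5: the browser sends md5(password)
    only when JavaScript runs and the UA is Mozilla/4 or newer; otherwise
    the plaintext password itself is what crosses the wire.
    The regex is an assumption about how the version check is done."""
    m = re.match(r"Mozilla/(\d+)", user_agent)
    if js_enabled and m and int(m.group(1)) >= 4:
        return {"password": "", "password_md5": md5_hex(password)}
    return {"password": password, "password_md5": ""}


def server_verify(form: dict, stored: str, salt: str) -> bool:
    """The server accepts either field, derives md5(password) from it and
    salts that; the check is deterministic, so the value it was given is
    itself the credential."""
    token = form["password_md5"] or md5_hex(form["password"])
    return md5_hex(token + salt) == stored


def captured_form_still_verifies(form: dict, stored: str, salt: str) -> bool:
    """What an observer of the unencrypted POST holds is exactly `form`.
    Resubmitting it unchanged verifies, whether it carried md5 or plaintext,
    which is why client-side hashing is no substitute for TLS."""
    replayed = dict(form)          # byte-for-byte copy of the observed request
    return server_verify(replayed, stored, salt)
```

The only difference between the two client branches is what the observer learns about the original password; neither branch stops the observed value from being accepted again.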
jd4200's Avatar
Posts: 451 | Thanked: 424 times | Joined on Apr 2010 @ England
#6
Is there no demand for this?

If not I'll let the thread rest until someone else feels the need to bump it.
 