tf_dc

macrumors member
Original poster
Feb 16, 2016
87
82
First, my apologies if this topic was already discussed here, but I didn't find any recent posts/threads about it.

Is forums.macrumors.com planning to use https?

Sending usernames/passwords/authentication tokens etc in cleartext over public networks seems a bit strange in year 2016 (soon 2017).

If the site already supports it, but dumb me didn't find how to connect securely, my apologies again.
 

ericgtr12

macrumors 68000
Mar 19, 2015
1,683
11,544
Just because the site isn't using SSL doesn't necessarily mean credentials are being sent in plain text. In fact, it's likely that it's all encrypted using salt (one way) on the back end.
 

jeremysteele

macrumors 6502
Jul 13, 2011
421
162
No doubt it is salted on the DB side. They are talking about client -> server communication (hence the SSL concern).

plaintext.png

(Obviously made-up credentials)

Anything sent without SSL can be easily snatched by a MITM attack. And yes, XenForo could also hash passwords via JS before sending - but it doesn't, since the relevant data and session IDs could still be snagged and make session hijacking child's play.

Of course the truly paranoid would also say MITM is very possible even with SSL, but that's another story entirely.
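
Added example, not part of any post in this thread and not XenForo's code: it separates the two things discussed above, salted hashing at rest and what is readable in the request bytes on plain HTTP, including the client-side-hash variant. The host `forum.example`, the field names, the `session_id` cookie name and all credential values are constructed assumptions.

```python
import hashlib
import hmac
import os
from urllib.parse import quote_plus, urlencode

# Constructed sample values; forum.example and the field names are assumptions.
USER, PASSWORD, SESSION = "alice", "correct horse battery", "3f9a0c51d2e7"

def http_request(fields, cookie=None):
    """Bytes of a form POST exactly as they cross the network on plain HTTP."""
    body = urlencode(fields).encode()
    head = ["POST /login HTTP/1.1", "Host: forum.example",
            "Content-Type: application/x-www-form-urlencoded",
            f"Content-Length: {len(body)}"]
    if cookie:
        head.append(f"Cookie: session_id={cookie}")
    return "\r\n".join(head).encode() + b"\r\n\r\n" + body

def store(secret):
    """Back end: salted one-way hash, the only thing written to the database."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def verify(secret, record):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def on_wire(request, value):
    """True if a passive observer of the request bytes can read `value`."""
    return quote_plus(value).encode() in request

def compare():
    # Case 1: normal form login over HTTP, salted hash at rest.
    record = store(PASSWORD)
    plain = http_request({"login": USER, "password": PASSWORD})
    # Case 2: browser hashes first, so the server treats the hash as the secret.
    client_hash = hashlib.sha256(PASSWORD.encode()).hexdigest()
    record2 = store(client_hash)
    hashed = http_request({"login": USER, "password": client_hash}, cookie=SESSION)
    return {
        "password_in_db": PASSWORD.encode() in record[1],
        "password_on_wire": on_wire(plain, PASSWORD),
        "password_on_wire_with_js_hash": on_wire(hashed, PASSWORD),
        "hash_on_wire": on_wire(hashed, client_hash),
        "hash_accepted_as_is": verify(client_hash, record2),
        "session_on_wire": on_wire(hashed, SESSION),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Back-end salting keeps the password out of the database but not out of the request, and a client-side hash only swaps one readable, reusable value for another; the transport itself has to be encrypted.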
 