https ?

Discussion in 'Site and Forum Feedback' started by tf_dc, Dec 3, 2016.

Most Liked Posts
  1. tf_dc, Dec 3, 2016

    tf_dc macrumors member

    Joined:
    Feb 16, 2016
    #1
    First, my apologies if this topic was already discussed here, but I didn't find any recent posts/threads about it.

    Is forums.macrumors.com planning to use https?

    Sending usernames/passwords/authentication tokens etc in cleartext over public networks seems a bit strange in year 2016 (soon 2017).

    If the site already supports it, but dumb me didn't find how to connect securely, my apologies again.
     
    share
    + Quote Reply
    CreatorCode and 960design like this.
  2. arn, Dec 3, 2016

    arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #2
    No, not yet but it's gonna happen soon.

    arn
     
    share
    + Quote Reply
    rshrugged, CreatorCode, annk and 4 others like this.
  3. ericgtr12, Dec 6, 2016

    ericgtr12 macrumors 65816

    ericgtr12

    Joined:
    Mar 19, 2015
    #3
    Just because the site isn't using SSL doesn't necessarily mean credentials are being sent in plain text. In fact, it's likely that it's all encrypted using salt (one way) on the back end.
     
    share
    + Quote Reply
    rshrugged likes this.
  4. rshrugged, Dec 6, 2016

    rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #4
    share
    + Quote Reply
  5. jeremysteele, Dec 8, 2016

    jeremysteele macrumors 6502

    Joined:
    Jul 13, 2011
    #5
    No doubt it is salted on the DB side. They are talking about client -> server communication (hence the SSL concern).

    plaintext.png
    (Obviously made-up credentials)

    Anything sent without SSL can be easily snatched by a MITM attack. And yes, Xenforo could also hash passwords via JS before sending - but it doesn't, since the relevant data and session IDs could still be snagged and make session hijacking child's play.

    Of course the truly paranoid would also say MITM is very possible even with SSL, but that's another story entirely.
     
    share
    + Quote Reply
(You must log in or sign up to post here.)

Share This Page