No SSL/TLS login?

Discussion in 'Site and Forum Feedback' started by pocketpenguin, Jan 1, 2014.

  1. pocketpenguin macrumors regular

    Joined:
    Nov 29, 2012
    #1
    Is there no way to login using TLS encryption? I would have thought that would have been one of the first fixes after the break-in this fall.

    Am I missing something?

    As an aside, I ran a high volume website for many years for a major university and the one thing that blocked most attacks was forcing TLS/SSL connections for all pages, not just logins. With modern CPU's there was very little performance hit and we could see the script kiddie attacks bounce right off of us in our logs.
     
  2. arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #2
    It's a little complicated because of mixed content warnings. If any non-SSL content is included in the page, then it can pop up a scary dialog to some users.

    - That can happen if anyone includes an external image via the [img] tag.
    - Or from our ad network.

    Solutions to #1, include turning off the [img] tag altogether, so no one can link to an external image. Or, we would have to host a caching proxy for all images linked on the forums.

    There is no quick solution to #2.

    We've been researching it.

    arn
     
  3. wrldwzrd89 macrumors G5

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #3
     
  4. arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #4
    Safari handles it silently (but the page is not shown as secure). IE is the main culprit.

    arn
     
  5. pocketpenguin thread starter macrumors regular

    Joined:
    Nov 29, 2012
    #5
    The login page doesn't have any ads that I can see. Couldn't you at least make that page TLS/SSL? Also, it looks like even the little "instant" login form could at least be directed to a TLS URL.

    Actually, you really only need the login form to simply post to an SSL/TLS URL, the forms themselves can be served up unencrypted. The post login page that redirects can still point at non-ssl as well. The user would see a quick switch to ssl then back to plaintext, but there shouldn't be any warnings.

    It isn't critical for me as my Mac rumors password is very different from every one of my other passwords, but others may not be so wise as me ;).
     
  6. arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #6
    Serving the login form alone as TLS/SSL doesn't help that much. That might protect your password submission (which is MD5'd before it gets submitted), but if the rest of the pages aren't SSL, then they can still grab your session cookie.

    arn
     
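    Arn's point above, that a TLS-only login still leaves the session cookie exposed on later plain-HTTP pages unless the cookie carries the Secure flag, can be checked with a browser-style cookie jar. This is an added example, not code from the forum or its software; the host name, cookie name and URLs are constructed.

    ```python
    """Added example: which cookies leave the browser over plain HTTP after an HTTPS login."""
    import email.message
    import http.cookiejar
    import urllib.request

    SITE = "forums.example.com"  # hypothetical forum host


    class _Response:
        """Minimal stand-in for an HTTP response; the cookie jar only needs info()."""

        def __init__(self, set_cookie_headers):
            self._headers = email.message.Message()
            for value in set_cookie_headers:
                self._headers.add_header("Set-Cookie", value)

        def info(self):
            return self._headers


    def cookies_sent(set_cookie_headers, login_url, later_url):
        """Store cookies as if `login_url` returned them, then return the Cookie
        header a browser would attach to a request for `later_url` ('' if none).
        CookieJar applies the Secure rule: Secure cookies go only over https."""
        jar = http.cookiejar.CookieJar()
        jar.extract_cookies(_Response(set_cookie_headers), urllib.request.Request(login_url))
        req = urllib.request.Request(later_url)
        jar.add_cookie_header(req)
        return req.get_header("Cookie") or ""


    # Constructed Set-Cookie headers a login endpoint might return.
    WEAK = ["sessionid=abc123; Path=/"]                       # no Secure flag
    HARDENED = ["sessionid=abc123; Path=/; Secure; HttpOnly"]  # only sent over TLS

    LOGIN = f"https://{SITE}/login"          # the login POST goes over TLS
    PLAIN_PAGE = f"http://{SITE}/threads/1"  # a later forum page over plain HTTP
    TLS_PAGE = f"https://{SITE}/threads/1"


    def exposure_report(set_cookie_headers):
        """Cookie header seen on the wire for a plain page vs. a TLS page."""
        return {
            "over_http": cookies_sent(set_cookie_headers, LOGIN, PLAIN_PAGE),
            "over_https": cookies_sent(set_cookie_headers, LOGIN, TLS_PAGE),
        }


    if __name__ == "__main__":
        for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
            print(label, exposure_report(headers))
    ```

    With the weak cookie the session id travels in clear on every non-TLS page view; with Secure set, the cookie is withheld from http:// requests, which is why the whole site, not just the login form, needs TLS for the session to be usable and protected.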
  7. IvanX macrumors 6502

    Joined:
    Mar 10, 2012
    #7
    Serving the form unencrypted is a bad security practice and exposes it to Man in the Middle attack. If the login itself can be done over HTTPS, serving the form over a secure connection should not pose much of a challenge.

    Arn, MD5 is a weak hashing algorithm and is easy to reverse-engineer. Saying that a password gets MD5'd before submission does not alleviate my security concerns.
     
  8. arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #8
    It wasn't meant to, I was just describing the system as it stands.

    arn
     
  9. IvanX macrumors 6502

    Joined:
    Mar 10, 2012
    #9
    Fair enough, but the system as it stands is bad and insecure. What, if any, are the plans to improve the situation?
     
  10. LaidBack macrumors member

    LaidBack

    Joined:
    Apr 6, 2011
    Location:
    Mississippi
    #10
    It looks like Google AdSense does support placing ads in https web pages. They say the bids on your ad space will decrease because only the SSL compliant ads will be allowed through. I'm not sure how bad the drop in revenue might be.
     
  11. arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #11
    AdSense isn't our only ad network.

    arn
     
  12. redheeler macrumors 603

    redheeler

    Joined:
    Oct 17, 2014
    #12
    Being able to capture a temporary session cookie is still less severe than being able to capture a password, one that may even be used on multiple sites.
     