I was wondering... Since this site/forum is all about security.. Wouldn't it make sense to have the option for SSL, like the DefCon forums?
I don't know how possible that is on vBulletin. I just thought it was worth mentioning.
My guess is he/she/it didn't.
@OP, if you're actually referring to transport layer security, then perhaps you'd be willing to vet the funds and resources to compensate for the extra overhead that would be needed to implement this?? Lemme guess -- the check's in the mail ;)
A lot of people I interact with who don't work in a security role tend to make overly generalised remarks about "security".
One of my favorites centers around the "secure" website, which is what many people call a website that uses SSL encryption. However, an SSL website only provides "security" against someone viewing or modifying traffic as it passes over a network, or against someone impersonating a web site (and the impersonation protection is really pretty weak). The cost of this security is additional load on the web server to perform the cryptographic operations for SSL, and the cost of a certificate, renewed every few years.
So considering this, an SSL enabled website is only secure (in the proper sense of the word) if the risks you are concerned about involve traffic manipulation or impersonation. And if you aren't at all concerned about these risks, then the additional costs of SSL aren't justified.
This forum may involve a security related topic (a pen testing distro specifically), but I don't think there's a real need for implementation of the "security" provided by SSL. And out of all people, I think it's important that the security practitioners (like the ones who frequent this forum) should be able to understand this type of issue, because if we can't understand it then we shouldn't expect anyone else to. Happily, from what I've seen it appears that many people here already do understand this.
One side note on functionality of the login form code: it relies on JavaScript to do the hash. If you have JavaScript disabled, the remote-exploit forums still work fine, but your login password WILL be sent in plaintext as variable vb_login_password (just before the security token).
An example of security measures someone takes that actually reduce security.
My 2 cents.
-bgrimm
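To make the side note above concrete, here is an added example (mine, not bgrimm's and not vBulletin's code) that shows what a login POST looks like with the JavaScript hash on and off, and why the hashed version is still a credential anyone sniffing the wire can replay. The POST bodies are constructed, not captured from any real forum; the field name vb_login_md5password and the server-side check (stored = md5(md5(password) + salt)) are the vBulletin 3/4 scheme as I recall it and are assumptions, since the page only mentions vb_login_password and the security token.

```python
"""Added example: a vBulletin-style login POST with and without the client-side
JavaScript hash, and why the hashed form is still replayable without TLS.
Not code from the forum or from vBulletin; the server check is simulated."""
import hashlib
from urllib.parse import parse_qs

# Constructed sample POST bodies (not captured from any real forum).
# vb_login_password and securitytoken are named on the page; vb_login_md5password
# is the vBulletin 3/4 hidden field as I remember it (an assumption).
JS_ON_POST = ("vb_login_username=alice&vb_login_password=&"
              "vb_login_md5password=5f4dcc3b5aa765d61d8327deb882cf99&"
              "securitytoken=guest&do=login")
JS_OFF_POST = ("vb_login_username=alice&vb_login_password=password&"
               "securitytoken=guest&do=login")

HEX = set("0123456789abcdef")


def classify_login_post(body):
    """Return 'plaintext', 'md5' or 'unknown' for a captured login body."""
    fields = parse_qs(body, keep_blank_values=True)
    plain = fields.get("vb_login_password", [""])[0]
    hashed = fields.get("vb_login_md5password", [""])[0].lower()
    if plain:
        return "plaintext"
    if len(hashed) == 32 and set(hashed) <= HEX:
        return "md5"
    return "unknown"


def captured_credential(body):
    """What a passive sniffer gets: the password itself, or the md5 the
    browser-side JavaScript computed. Either is enough to log in."""
    fields = parse_qs(body, keep_blank_values=True)
    kind = classify_login_post(body)
    if kind == "plaintext":
        return fields["vb_login_password"][0]
    if kind == "md5":
        return fields["vb_login_md5password"][0]
    return None


def client_side_hash(password):
    """The browser-side step: md5 of the password, as the login form's JS does."""
    return hashlib.md5(password.encode()).hexdigest()


def make_stored(password, salt):
    """Assumed server-side storage: md5(md5(password) + salt)."""
    return hashlib.md5((client_side_hash(password) + salt).encode()).hexdigest()


def vb_style_verify(stored, salt, client_md5):
    """Assumed server check: md5(client_md5 + salt) == stored.
    This is the vBulletin 3/4 scheme as I recall it, not taken from the page."""
    return hashlib.md5((client_md5 + salt).encode()).hexdigest() == stored


def replay_succeeds(body, stored, salt):
    """Feed whatever was sniffed back to the server. The md5 is replayable as-is;
    the plaintext just needs the same hash step the browser would have done."""
    cred = captured_credential(body)
    if cred is None:
        return False
    if classify_login_post(body) == "plaintext":
        cred = client_side_hash(cred)
    return vb_style_verify(stored, salt, cred)


if __name__ == "__main__":
    stored = make_stored("password", "k9")
    for label, body in (("JS on ", JS_ON_POST), ("JS off", JS_OFF_POST)):
        print(label, classify_login_post(body),
              "replay ok:", replay_succeeds(body, stored, "k9"))
```

Both bodies let the eavesdropper log in; the JavaScript hash only stops them from reading the password string, which is exactly the "impersonation / traffic viewing" risk bgrimm says SSL is for. Run it against a real capture by replacing the constructed bodies with the POST body from your own packet dump.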
While the above may be true, the whole point of turning JavaScript off is so that one will not wander onto unknown territory without being properly equipped. So given that, the user again is still the weak point, because the user can make an exception to visit the site and have JavaScript turned on or off.