Results 1 to 9 of 9

Thread: SSL for Remote Exploit forums

  1. #1
    Junior Member Amlord1's Avatar
    Join Date
    Nov 2008
    Posts
    78

    Lightbulb SSL for Remote Exploit forums

    I was wondering... Since this site/forum is all about security.. Wouldn't it make sense to have the option for SSL, like the DefCon forums?

    I don't know how possible that is on vBulletin. I just thought it was worth mentioning.
    Originally Posted by pureh@te
    You may think its stupid but when you are posting online sometimes spelling, grammar and thought put into the content of your posts is the only thing people have to measure you by and to determine the level of seriousness they should give you. So with that in mind I'd say "Yes" its pretty important.

  2. #2
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by Amlord1 View Post
    I was wondering... Since this site/forum is all about security.. Wouldn't it make sense to have the option for SSL, like the DefCon forums?

    I don't know how possible that is on vBulletin. I just thought it was worth mentioning.
    ^ Doesn't actually qualify as a BackTrack v2.0 Final feature request, and I don't see the point.
    dd if=/dev/swc666 of=/dev/wyze

  3. #3
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by Amlord1 View Post
    I was wondering... Since this site/forum is all about security.. Wouldn't it make sense to have the option for SSL, like the DefCon forums?

    I don't know how possible that is on vBulletin. I just thought it was worth mentioning.
    How would this benefit the users or admins?

    Are you worried about your password? Did you look at the functionality of the login form?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by thorin View Post
    How would this benefit the users or admins?

    Are you worried about your password? Did you look at the functionality of the login form?
    My guess is he/she/it didn't.

    @OP, if you're actually referring to transport layer security, then perhaps you'd be willing to vet the funds and resources to compensate for the extra overhead that would be needed to implement this?? Lemme guess -- the check's in the mail
    dd if=/dev/swc666 of=/dev/wyze

  5. #5
    Good friend of the forums
    Join Date
    Jan 2010
    Location
    outside chicago, il
    Posts
    442

    Default

    Quote Originally Posted by Amlord1 View Post
    I was wondering... Since this site/forum is all about security.. Wouldn't it make sense to have the option for SSL, like the DefCon forums?

    I don't know how possible that is on vBulletin. I just thought it was worth mentioning.
    When you click on the login button your password is md5 hashed and the hash is sent over the wire. Your password is NOT sent in cleartext.
    Look at the code in login.php (hint find md5) if you want to see for yourself.
    I like the bleeding edge, but I don't like blood loss

  6. #6
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    A lot of people I interact with who don't work in a security role tend to make overly generalised remarks about "security".

    One of my favorites centers around the "secure" website, which is what many people call a website that uses SSL encryption. However, an SSL website only provides "security" against someone viewing or modifying traffic as it passes over a network, or against someone impersonating a web site (and the impersonation protection is really pretty weak). The cost of this security is additional load on the web server to perform the cryptographic operations for SSL, and the cost of a certificate, renewed every few years.

    So considering this, a SSL enabled website is only secure (in the proper sense of the word) if the risks you are concerned about involve traffic manipulation or impersonation. And if you aren't at all concerned about these risks, then the additional costs of SSL aren't justified.

    This forum may involve a security related topic (a pen testing distro specifically), but I don't think there's a real need for implementation of the "security" provided by SSL. And out of all people, I think its important that the security practitioners (like the ones who frequent this forum) should be able to understand this type of issue, because if we cant understand it then we shouldn't expect anyone else to. Happily, from what Ive seen it appears that many people here already do understand this.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  7. #7
    Just burned his ISO
    Join Date
    Apr 2006
    Posts
    4

    Default Things don't always works as expected.

    Quote Originally Posted by bofh28 View Post
    When you click on the login button your password is md5 hashed and the hash is sent over the wire. Your password is NOT sent in cleartext.
    Look at the code in login.php (hint find md5) if you want to see for yourself.
    One side note on functionality of the login form code, it relies on javascript to do the hash, if you have javascript disabled, the remote-exploit forms still work fine, but your login password WILL be sent in plaintext as variable vb_login_password (just before the security token).

    An example of security measures someone takes that actually reduce security.

    My 2 cents.

    -bgrimm

  8. #8
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Quote Originally Posted by bgrimm View Post
    One side note on functionality of the login form code, it relies on javascript to do the hash, if you have javascript disabled, the remote-exploit forms still work fine, but your login password WILL be sent in plaintext as variable vb_login_password (just before the security token).
    An example of security measures someone takes that actually reduce security.
    My 2 cents.
    -bgrimm
    While the above may be true the whole point of turning Javascript off is so that one will not wander onto unknown territory without being properly equipped. So given that, the user again is still the weak point. Because the user can make an exception to visit the sight and have javascipt turned on or off.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by bgrimm View Post
    One side note on functionality of the login form code, it relies on javascript to do the hash, if you have javascript disabled, the remote-exploit forms still work fine, but your login password WILL be sent in plaintext as variable vb_login_password (just before the security token).

    An example of security measures someone takes that actually reduce security.

    My 2 cents.

    -bgrimm
    IMHO that falls into the category of buyer beware. If you turn off JavaScript you better know what that means for you. If you turn it off and fail to understand the implications then you kind of deserve to be owned.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •