I was wondering... Since this site/forum is all about security.. Wouldn't it make sense to have the option for SSL, like the DefCon forums?
I don't know how possible that is on vBulletin. I just thought it was worth mentioning.
Originally Posted by pureh@te
You may think it's stupid but when you are posting online sometimes spelling, grammar and thought put into the content of your posts is the only thing people have to measure you by and to determine the level of seriousness they should give you. So with that in mind I'd say "Yes" it's pretty important.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
dd if=/dev/swc666 of=/dev/wyze
I like the bleeding edge, but I don't like blood loss
A lot of people I interact with who don't work in a security role tend to make overly generalised remarks about "security".
One of my favorites centers around the "secure" website, which is what many people call a website that uses SSL encryption. However, an SSL website only provides "security" against someone viewing or modifying traffic as it passes over a network, or against someone impersonating a web site (and the impersonation protection is really pretty weak). The cost of this security is additional load on the web server to perform the cryptographic operations for SSL, and the cost of a certificate, renewed every few years.
So considering this, an SSL-enabled website is only secure (in the proper sense of the word) if the risks you are concerned about involve traffic manipulation or impersonation. And if you aren't at all concerned about these risks, then the additional costs of SSL aren't justified.
This forum may involve a security-related topic (a pen testing distro specifically), but I don't think there's a real need for implementation of the "security" provided by SSL. And out of all people, I think it's important that the security practitioners (like the ones who frequent this forum) should be able to understand this type of issue, because if we can't understand it then we shouldn't expect anyone else to. Happily, from what I've seen it appears that many people here already do understand this.
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
One side note on the functionality of the login form code: it relies on JavaScript to do the hash. If you have JavaScript disabled, the remote-exploit forms still work fine, but your login password WILL be sent in plaintext as variable vb_login_password (just before the security token).
An example of security measures someone takes that actually reduce security.
My 2 cents.
-bgrimm
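The behaviour described in the post above can be checked on a login request captured from your own browser. The following is an added example, not code from the forum or from vBulletin: it classifies a form-encoded login body by whether `vb_login_password` arrived populated. The names `vb_login_md5password` and `securitytoken`, the function name and the sample bodies are assumptions made for illustration.

```javascript
// Added example: audit a captured login POST body (application/x-www-form-urlencoded).
// vb_login_password is the field named in the post. HASH_FIELD is an assumed
// name for the field that carries the JavaScript-computed hash.
const PLAINTEXT_FIELD = 'vb_login_password';
const HASH_FIELD = 'vb_login_md5password'; // assumption, not from the thread

function classifyLoginBody(body, scheme) {
  const params = new URLSearchParams(body);
  const plain = params.get(PLAINTEXT_FIELD) || '';
  const hash = params.get(HASH_FIELD) || '';
  // An MD5 digest is 32 hex characters; anything else means no hash was sent.
  const hashSent = /^[0-9a-f]{32}$/i.test(hash);
  const plaintextSent = plain.length > 0;

  const findings = [];
  if (plaintextSent) findings.push('plaintext-password-in-body');
  if (!hashSent) findings.push('no-client-side-hash');
  if (scheme !== 'https') findings.push('no-transport-encryption');

  return {
    plaintextSent,
    hashSent,
    // The case the post warns about: cleartext password on an unencrypted link.
    exposedOnWire: plaintextSent && scheme !== 'https',
    findings,
  };
}

// Constructed sample bodies (not captured from the real forum).
// JavaScript enabled: password field emptied, hash field filled.
const bodyWithJs =
  'vb_login_username=alice&vb_login_password=&securitytoken=guest' +
  '&vb_login_md5password=5f4dcc3b5aa765d61d8327deb882cf99';
// JavaScript disabled: password field carries the typed value, no hash.
const bodyWithoutJs =
  'vb_login_username=alice&vb_login_password=password&securitytoken=guest' +
  '&vb_login_md5password=';

console.log(classifyLoginBody(bodyWithJs, 'http'));
console.log(classifyLoginBody(bodyWithoutJs, 'http'));
```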
While the above may be true, the whole point of turning Javascript off is so that one will not wander onto unknown territory without being properly equipped. So given that, the user again is still the weak point. Because the user can make an exception to visit the site and have javascript turned on or off.
To be successful here you should read all of the following.
ForumRules
ForumFAQ
If you are new to Back|Track
Back|Track Wiki
Failure to do so will probably get your threads deleted or worse.