|Originally posted by Lira |
Out of curiosity, is there any advantage other than being able to make purchases on TA and making sure Macedonian hackers can't post any fake news around here?
Don't know how serious you are with the second point, but HTTPS has little to do with that. Even with HTTPS, on vBulletin it's almost childishly easy to steal a user's unsalted password's MD5 hash. "Cracking" an MD5 hash to get its original seed is quite a trivial task using any tool specifically designed for that, given the password isn't very complex. HTTPS aims to mitigate (or even eliminate, but never be so sure) the chances of man-in-the-middle attacks.
HTTPS in itself should be mandatory. All sites dealing with any sort of user input outside mouse clicks should use it no matter what, especially with Let's Encrypt doing it all for free now, and with configuring being basically automated with certbot, given you use Apache or Nginx.
What I would direct my attention to really is that vBulletin still stores your unsalted password in an MD5 hash in your cookies. Storing a password in a user's cookies in general is pointless, and with vBulletin being very exposed to XSS-type attacks, it's pointless and dangerous for the user.
Not that any of this matters to anyone I guess, but this is how those huge lists of username/email-password pairs end up in everybody's reach.
Just for fun, try the same email address you use for TA (or well, any of your email addresses) here: https://haveibeenpwned.com/
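As an added example (not part of the post above, and not vBulletin's own code), here is the attack the post describes against an unsalted MD5 password hash, next to the kind of storage that resists it. The "leaked" digests, the usernames and the tiny wordlist are all constructed for this example; a real attacker would use a wordlist like rockyou.txt against digests pulled from a cookie or database dump. The point is that a dictionary attack costs one md5() per candidate for the entire user base, because without a salt every user who picked "password" has the identical hash, whereas a per-user salt plus a slow KDF makes the same guess cost one full KDF run per user.

```python
import hashlib
import hmac
import os

# Constructed sample leak: unsalted MD5 digests as an old forum might store
# them in a cookie or the user table. The plaintexts are noted only so the
# example is self-checking; the attacker starts from the hex digests alone.
LEAKED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob":   "5f4dcc3b5aa765d61d8327deb882cf99",  # same password => same digest (no salt)
    "carol": "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "dave":  hashlib.md5(b"Tq8!vR#2mZp9wL").hexdigest(),  # not in any small wordlist
}

# Constructed stand-in for a real password wordlist (hypothetical content).
WORDLIST = ["123456", "qwerty", "letmein", "password", "iloveyou", "dragon"]


def crack_unsalted_md5(leaked, wordlist):
    """Dictionary attack on unsalted MD5.

    Each candidate is hashed exactly once and compared against every leaked
    digest via a reverse lookup table; without a salt, one hit recovers the
    password for every user who chose it. Returns user -> password or None.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup.get(digest) for user, digest in leaked.items()}


def store_password(password, iterations=200_000):
    """What a password store should hold instead: a random per-user salt and
    a deliberately slow KDF (PBKDF2-HMAC-SHA256 here). The salt defeats the
    shared lookup table above; the iteration count makes each guess expensive.
    Format (an assumption for this example): alg$iterations$salt_hex$dk_hex.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    a = store_password("password")
    b = store_password("password")
    print("same password, different records:", a != b)
    print("verify ok:", verify_password("password", a),
          "| wrong guess:", verify_password("Password", a))
```

Running it recovers alice, bob and carol from a six-word list and leaves dave unbroken only because his password is not in it; note that alice and bob fall together because their digests are identical. With `store_password`, two users choosing "password" get different records, so a cracker must attack each salt separately and pay the full iteration count per guess.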