TranceAddict Forums > Main Forums > Chill Out Room > HTTPS on TA
Swamper
Webmonstah



Registered: Jan 2000
Location: Toronto, Canada
HTTPS on TA

I'm moving TA to be https:// only

...still a bunch of things to fix but in case you see some weird things happening, this is why.

Carry on.


___________________

"In a world of illusion you only see what you feel"

Old Post Nov-27-2017 20:02  Canada
Mr.Mystery
303 <3 808



Registered: Dec 2001
Location: Vantaa

TA 2.0 confirmed.


___________________
Waking Dream [Electronic Tree]
Afraid to Dream EP [Electronic Tree]
Better Days EP [BWP]
In Search of Anything [Magnetism Digital]

Old Post Nov-27-2017 21:28  Finland
Jon_Snow
tranceaddict in training



Registered: Aug 2012
Location: RIP Mrs Brady

Make TA great again!

Last edited by Jon_Snow on Nov-29-2017 at 16:12

Old Post Nov-28-2017 02:57  United States
Zoso
Unicorn Cawk!



Registered: Mar 2006
Location: Dirty South, United States

Well, shit...I'm all for security, but this will keep Stu offline even longer.

Old Post Nov-29-2017 00:20  United States
Lira
Be a Good One!



Registered: Nov 2001
Location: Brasilia, Brazil and Manaus, Brazil

Out of curiosity, is there any advantage other than being able to make purchases on TA and making sure Macedonian hackers can't post any fake news around here?


___________________
“All I have learned, I learned from basslines.”

Old Post Nov-29-2017 03:11 
JEO
Supreme tranceaddict



Registered: Jan 2010
Location: JKL

quote:
Originally posted by Lira
Out of curiosity, is there any advantage other than being able to make purchases on TA and making sure Macedonian hackers can't post any fake news around here?


Don't know how serious you are with the second point, but HTTPS has little to do with that. Even with HTTPS, on vBulletin it's almost childishly easy to steal a user's unsalted password's MD5 hash. "Cracking" an MD5 hash to get its original seed is quite a trivial task using any tool specifically designed for that, given the password isn't very complex. HTTPS aims to mitigate (or even eliminate, but never be so sure) the chances of man-in-the-middle attacks.

HTTPS in itself should be mandatory. All sites dealing with any sort of user input outside mouse clicks should use it no matter what, especially with Let's Encrypt doing it all for free now, and with configuring being basically automated with certbot, given you use Apache or Nginx.

What I would direct my attention to really is that vBulletin still stores your unsalted password in an MD5 hash in your cookies. Storing a password in a user's cookies in general is pointless, and with vBulletin being very exposed to XSS type of attacks, it's pointless and dangerous for the user.

Not that any of this matters to anyone I guess, but this is how those huge lists of username/email-password pairs end up in everybody's reach.

Just for fun, try the same email address you use for TA (or well, any of your email addresses) here: https://haveibeenpwned.com/

Old Post Nov-29-2017 14:29  Finland
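As an added illustration of JEO's point above (example code written for this page, not code from the thread or from vBulletin): an unsalted MD5 of the password is deterministic, so two users with the same password get the same cookie value and the value can be matched against precomputed lists; the hardened half uses a salted, slow hash server-side and a random session token in the cookie. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple, Dict

# Constructed sample accounts; both users chose the same weak password.
USERS = {"alice": "trance123", "bob": "trance123"}


def legacy_cookie(password: str) -> str:
    """The weak scheme the thread describes: the cookie carries an unsalted
    MD5 of the password. Same password -> same value for everyone."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) for server-side
    storage. A fresh random salt per user defeats shared lookup tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored salt/digest pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def issue_session_cookie(name: str = "ta_session") -> Tuple[str, str]:
    """A 'remember me' cookie should hold a random token the server maps to
    the account, never anything derived from the password. Secure keeps it
    off plain HTTP; HttpOnly keeps it away from injected script (the XSS
    concern raised in the thread). Returns (token, Set-Cookie value)."""
    token = secrets.token_urlsafe(32)
    header = (f"{name}={token}; Secure; HttpOnly; SameSite=Lax; "
              f"Path=/; Max-Age=2592000")
    return token, header


def compare_schemes(users: Dict[str, str]) -> Dict[str, bool]:
    """Report whether users sharing a password end up with identical
    stored values under each scheme."""
    legacy = [legacy_cookie(p) for p in users.values()]
    hardened = [hash_password(p)[1] for p in users.values()]
    return {"legacy_collide": len(set(legacy)) < len(legacy),
            "hardened_collide": len(set(hardened)) < len(hardened)}
```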
Lira
Be a Good One!



Registered: Nov 2001
Location: Brasilia, Brazil and Manaus, Brazil

quote:
Originally posted by JEO
Don't know how serious you are with the second point

Nah, I was just being facetious
quote:
Originally posted by JEO
[Comprehensive explanation]

This was a good read, thanks! I stay logged on TA so I didn't even remember it needed passwords any more
quote:
Originally posted by JEO
Just for fun, try the same email address you use for TA (or well, any of your email addresses) here: https://haveibeenpwned.com/

Dammit, good thing I tend to be creative with passwords, otherwise I'd be really angry at Adobe and Dropbox right now


___________________
“All I have learned, I learned from basslines.”

Old Post Nov-29-2017 15:07 
Jon_Snow
tranceaddict in training



Registered: Aug 2012
Location: RIP Mrs Brady

http://img4.imagetitan.com/img.php?image=17_edd87520-a4fc-4c56-810c-7e1ef97a42c1.png

I always wanted to pwn Del but 13x this is too much

Old Post Nov-29-2017 15:56  United States
Swamper
Webmonstah



Registered: Jan 2000
Location: Toronto, Canada

quote:
Originally posted by JEO
Storing a password in a user's cookies in general is pointless, and with vBulletin being very exposed to XSS type of attacks, it's pointless and dangerous for the user.


Mostly right - except -- the vB TA is running on is so old and patched (mostly by me) that it is safe... trust me, the attacks have been steady for years. A few were quite crafty too, I give them credit.

quote:
Originally posted by Jon_Snow
http://img4.imagetitan.com/img.php?image=17_edd87520-a4fc-4c56-810c-7e1ef97a42c1.png

I always wanted to pwn Del but 13x this is too much


haha yes but who cares - I've never used the same password on sites that matter. Also, most of those were from days long before password managers were a thing.


___________________

"In a world of illusion you only see what you feel"

Old Post Nov-29-2017 20:38  Canada
Jon_Snow
tranceaddict in training



Registered: Aug 2012
Location: RIP Mrs Brady

quote:
Originally posted by Swamper
haha yes but who cares - I've never used the same password on sites that matter. Also, most of those were from days long before password managers were a thing.

That wasn't meant to be an endorsement of JEO's rant on you. Nothing worse than some know-it-all lecturing you on the internet. I was just having a little fun.

Oh look, someone signed up for Lord of the Rings Online *points*.

Last edited by Jon_Snow on Nov-29-2017 at 22:11

Old Post Nov-29-2017 22:05  United States
JEO
Supreme tranceaddict



Registered: Jan 2010
Location: JKL

quote:
Originally posted by Jon_Snow
That wasn't meant to be an endorsement of JEO's rant on you. Nothing worse than some know-it-all lecturing you on the internet. I was just having a little fun.


Oh, IGK. It wasn't a rant, nor was I lecturing. It's just a post on a topic I find interesting. I bet the only reason we don't tend to see posts longer than two sentences from you is that there aren't any threads about molesting kids or child porn screaming for your input. I understand how it might all be very boring to you in this thread, but even you benefit from HTTPS and an otherwise secure forum, especially with you having garnered some quite undesirable associations to your name here.

And I think there are things far worse here than being lectured by someone; for example your seemingly everlasting presence on these forums and the fact that you still come here on a daily basis, although you've been the pissing post of virtually all of the "original members" since who knows how long. Didn't even that Ukrainian paedo somehow resent you? Guess there's some sort of hierarchy even in those circles, and it does seem your position isn't awfully high in it.

Also, you seem to be the type who "won't care" when a whole forum keeps calling you a paedophile, because that just makes you relevant in your opinion. Gladly accepting that kind of exposure tells me all I need to know about you, you fucking shit-smoothie. You're like that kid who tags along even when the other kids smear your face with dogshit every once in a while.

quote:
Originally posted by Jon_Snow
Oh look, someone signed up for Lord of the Rings Online *points*.


I don't know what you're saying with this, which is often the case with your humor (excluding the obvious fucking half-pun dad jokes), but if you're implying that I signed up for .. "Lord of the Rings Online" points – what did you sign up for? To get called a paedophile every day?

Old Post Nov-30-2017 12:05  Finland
bamski
snuoq ou



Registered: Mar 2006
Location: I am merely here

quote:
Originally posted by JEO
Oh, IGK you fucking shit-smoothie. You're like that kid who tags along even when the other kids smear your face with dogshit every once in a while.



I don't know what you're saying with this, which is often the case with your humor (excluding the obvious fucking half-pun dad jokes), but if you're implying that I signed up for .. "Lord of the Rings Online" points – what did you sign up for? To get called a paedophile every day?


Perfect.

Old Post Nov-30-2017 13:32 
Powered by: Trance Music & vBulletin Forums
Copyright ©2000-2017