Ring: Alpha Test Application Form (by Xavier Antoviaque)

sluggo0
Posts: 132
Joined: Sun Nov 13, 2005 6:27 am

Re: Ring: Alpha Test Application Form (by Xavier Antoviaque)

Post by sluggo0 »

khyle wrote: aye, at least the forum password is hashed (read: "weakly encrypted")
I would say it very likely is not. It's on an HTTP server and the form submission is plain text; the authenticated session token thingy sent back in the cookie header is hashed, however, so once you have logged in once, you're dealing with very, very moderate encryption.

To actually 'man in the middle' or sniff the password as it is submitted by HTTP, you have to sit 'on' (or fake being on) the subnets at either end; you may be able to do that by fooling a router midway... not too sure, to be honest. So if you use wi-fi at home, you're taking a big chance. NEVER use a wi-fi hub with no authentication to access anything with usernames/passwords, unless you know there's encryption involved (HTTPS).

HTTPS is pretty darn secure. Usually the stealing of identities isn't done by sniffing or man-in-the-middle so much as by either bad security on wi-fi networks or phishing... hmm, I was phished by the official site? :( lol, just teasin', I figure it's safe enough... unless someone starts posting as me and saying really weird things about wi-fi encryption or other geekiness, I think I'm ok :P .
---


Minou [Karavan] Arispotle
khyle
Posts: 466
Joined: Sun Feb 06, 2005 9:53 am

Form security

Post by khyle »

Sorry for dragging this ever more off-topic...
sluggo0 wrote: I would say it very likely is not. It's on an HTTP server and the form submission is plain text; the authenticated session token thingy sent back in the cookie header is hashed, however, so once you have logged in once, you're dealing with very, very moderate encryption.
The way I read the page source, the forum password is hashed by a script function before it is sent. Granted, I trusted the JS instead of testing it, but you have to draw the line somewhere ;)
I'd still be much more comfortable if all authentication were over secure http...