Re: Ring: Alpha Test Application Form (by Xavier Antoviaque)

Posted: Fri Apr 07, 2006 8:05 pm
by sluggo0
khyle wrote: aye, at least the forum password is hashed (read: "weakly encrypted")
I would say it very likely is not; it's on an HTTP server, and the form submission is plain text. The authenticated session token thingy sent back in the cookie header is hashed, however, so once you have logged in once, you're dealing with very, very moderate encryption.

To actually 'man in the middle' or sniff the password as it is submitted by HTTP, you actually have to sit 'on' or fake being on the subnets at either end; you may be able to do that by fooling a router midway... not too sure to be honest there. So if you use wi-fi at home, you're taking a big chance. NEVER use a wifi hub with no authentication to access anything with username/passwords, unless you know there's encryption involved (HTTPS).

HTTPS is pretty darn secure; usually the stealing of identities isn't done by sniffing or man in the middle as much as it is either bad security on WIFI networks, or phishing... hmm, I was phished by the official site? :( lol just teasin', I figure it's safe enough... unless someone starts posting as me and saying really weird things about wi-fi encryption or other geekiness, I think I'm ok :P .

Form security

Posted: Fri Apr 07, 2006 8:46 pm
by khyle
Sorry for dragging this ever more off-topic...
sluggo0 wrote: I would say it very likely is not; it's on an HTTP server, and the form submission is plain text. The authenticated session token thingy sent back in the cookie header is hashed, however, so once you have logged in once, you're dealing with very, very moderate encryption.
The way I read the page source, the forum password is hashed by a script function before it's sent. Granted, I trusted the JS instead of testing it, but you have to draw the line somewhere ;)
I'd still be much more comfortable if all authentication were over secure HTTP...
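The two posts above disagree about whether hashing the password in the page's JavaScript before the HTTP POST protects the account. The following is an added example (not the forum's code, nor either poster's) that models that flow with constructed data: it shows that a digest sent over plain HTTP is itself a reusable credential, and includes the page-source check khyle describes, i.e. whether the login form actually posts to https. The server class, account, and form snippet are all constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse


def client_side_hash(password: str) -> str:
    """Stand-in for the forum's JS: hash the password before the POST."""
    return hashlib.md5(password.encode()).hexdigest()


class ForumServer:
    """Toy login handler (constructed for this example): it stores the same
    digest the client computes and compares the submitted value against it."""

    def __init__(self, accounts: dict):
        self.store = {u: client_side_hash(p) for u, p in accounts.items()}

    def login(self, user: str, digest: str) -> bool:
        return hmac.compare_digest(self.store.get(user, ""), digest)


def http_post_body(user: str, password: str) -> str:
    """What leaves the browser over plain HTTP: the password is hidden,
    but the digest is readable by anyone on the path (the open Wi-Fi case)."""
    return f"username={user}&password={client_side_hash(password)}"


def digest_is_replayable(server: ForumServer, captured_body: str) -> bool:
    """A captured digest is a password-equivalent: the server accepts it
    without the original password ever being known. Only TLS prevents this."""
    fields = dict(kv.split("=", 1) for kv in captured_body.split("&"))
    return server.login(fields["username"], fields["password"])


def login_form_uses_https(html: str, page_url: str) -> bool:
    """Page-source check: does the login form POST to an https URL?
    A relative or missing action inherits the scheme of the page itself."""
    m = re.search(r'<form[^>]*\baction="([^"]*)"', html, re.I)
    action = m.group(1) if m else ""
    scheme = urlparse(action).scheme or urlparse(page_url).scheme
    return scheme.lower() == "https"


if __name__ == "__main__":
    server = ForumServer({"sluggo0": "correct horse"})  # constructed account
    body = http_post_body("sluggo0", "correct horse")
    print("digest replayable over HTTP:", digest_is_replayable(server, body))
    html = '<form method="post" action="login.php">'  # constructed snippet
    print("form protected:", login_form_uses_https(html, "http://forum.example/login.php"))
```

Client-side hashing over HTTP keeps the literal password string off the wire (useful if it is reused on other sites), but the account itself is protected only when the form posts over HTTPS.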