Hi guys, I just went to srp on an open wifi and noticed there is no port open for SSL connections. Could it be possible you get a really cheap certificate so we can have secured logins/sessions?
vBulletin doesn't support SSL login: https://www.vbulletin.com/forum/showthread.php/380120-Need-Info-on-how-to-configure-SSL-(https-)-for-login-pages
Currently, passwords are MD5-hashed, which makes it much harder (but not impossible) for an eavesdropper to utilize them.
If your webserver does SSL/TLS, the application (vBulletin here) doesn't care about whether it is over SSL or not. The thread you linked is about logins only over SSL; if you get a cookie over SSL and use it on the unsecured pages, the cookie can get sniffed and you gain nothing.
Also, relying on client-side JavaScript support is sketchy (I have it turned off by default). I'm too lazy to find out whether the MD5 is salted. But even then (the salt is passed to the client anyway). Also, MD5 isn't considered secure anymore.
I wouldn't mind you guys just saying 'non!', as this isn't an important/high profile website. I was giving food for thought.
Cheers!
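
The cookie point raised in the thread above, as an added example that is not part of the original posts: a session cookie issued on an SSL-only login page is still attached to plain-HTTP requests unless it carries the `Secure` attribute. The cookie name `sid`, its value and the header strings are constructed for illustration, and the model only looks at the `Secure` flag (domain and path matching are ignored).

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values (hypothetical, not from any real site).
SAMPLE_HEADERS = [
    "sid=3f9a1c; Path=/; HttpOnly",          # set by an HTTPS login page, no Secure
    "sid=3f9a1c; Path=/; Secure; HttpOnly",  # same cookie, restricted to HTTPS
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header value and return (name, morsel)."""
    jar = SimpleCookie()
    jar.load(header)
    return next(iter(jar.items()))


def sent_over(header, scheme):
    """Would a browser attach this cookie to a request made with `scheme`?

    Simplified model: only the Secure attribute is considered.
    """
    _, morsel = parse_set_cookie(header)
    if morsel["secure"] and scheme != "https":
        return False
    return True


def audit(headers):
    """Return (cookie name, missing attributes) for every weak cookie."""
    findings = []
    for header in headers:
        name, morsel = parse_set_cookie(header)
        missing = [attr for attr in ("secure", "httponly") if not morsel[attr]]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "-> sent over http:", sent_over(header, "http"))
    print("findings:", audit(SAMPLE_HEADERS))
```

Running `audit` over the `Set-Cookie` headers a site actually returns shows whether serving only the login page over SSL protects the session at all.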