SSL for logins/site?

**BrickBag** · 03-12-2012, 01:50 PM

Hi guys, I just went to srp on an open wifi and noticed there is no port open for SSL connections. Could it be possible you get a really cheap certificate so we can have secured logins/sessions?

**HNSB** · 03-12-2012, 02:13 PM

Vbulletin doesn't support SSL login: https://www.vbulletin.com/forum/showthread.php/380120-Need-Info-on-how-to-configure-SSL-(https-)-for-login-pages

Currently, passwords are md5 hashed which makes it much harder (but not impossible) for an eavesdropper to utilize it.

**BrickBag** · 03-13-2012, 10:55 PM

If your webserver does SSL/TLS, the application (vbulletin here) doesn't care about whether it is over SSL or not. The thread you linked is about logins only over SSL, if you get a cookie over SSL and use it on the unsecured pages, the cookie can get sniffed and you gain nothing.

Also, relying on client-side java script support is sketchy (I have it turned off by default). I'm too lazy to find out whether the md5 is salted. But even then (the salt is passed to the client anyway). Also, MD5 isn't considered secure anymore.

I wouldn't mind you guys just saying 'non!', as this isn't an important/high profile website. I was giving food for thought.

Cheers!

**hoglahoo** · 03-14-2012, 03:32 PM

Originally Posted by BrickBag

this isn't an important/high profile website.

What? I can't believe you said that! *sob*

Originally Posted by BrickBag

I was giving food for thought.

At least our md5 is salted

Thread: SSL for logins/site?

LinkBack

Thread Tools

Display

SSL for logins/site?

Posting Permissions