No HTTPS on TBN?

   / No HTTPS on TBN? #1  

vvanders

Platinum Member
Joined
Oct 15, 2016
Messages
653
Location
Sequim, WA
Tractor
Kubota L4760
What's with the lack of HTTPS on TBN these days? Not cool to be sending passwords and session IDs in the clear. Plenty of great options out there like Let's Encrypt - Free SSL/TLS Certificates.

Heck if it's a cost thing I'd happily pitch in for an SSL cert.
 
   / No HTTPS on TBN? #2  
The passwords are encrypted...even if someone was able to hack or exploit the database the passwords would not be compromised...Even the site owner/administrator cannot see actual passwords...just the encrypted hash...
 
   / No HTTPS on TBN? #3  
In the auth protocol that TBN uses, passwords are sent across the network hashed using the MD5 algorithm. That algorithm is deprecated because it's too easy to brute force. Session IDs, cookies, etc. do not even have that very trivial protection. Those are what's used for authentication on TBN most of the time (when you click "remember me" on login). You should never use the same password for a site with weak security like TBN as you use for any account that you value. Really, you should not re-use the same passwords for any site. Your TBN password should be a good random password, which means you'll need a password manager to remember it for you. There are free ones. TBN should use https (all sites should), but as I follow those security practices and I assume the world will see everything I post here, I'm not too exercised about them not using it.

(A hash is not encryption, though it's a cryptographic algorithm. It's a one-way function: it's not feasible to calculate the input to the hash when you only know the output. The problem with MD5 is that on modern computers it is so fast that it is feasible to hash a dictionary of likely input values, such as passwords, until you find an output that matches. This is called a "brute force" attack. There are a number of programs out there that have optimized hash routines specifically for doing brute force attacks on password hashes and can check hundreds of thousands per second on a reasonably fast CPU... much more on a commonly available GPU. Sorry for the nerdsplain, but cryptography is what I do.)
 
   / No HTTPS on TBN? #4  
A point that I didn't make in the last post: since the traffic between your computer and TBN is not encrypted, an attacker who can view the traffic can see the MD5 of your password. They don't even need to brute force the password to use it; they can just send the hash and they're logged into your TBN account. The same is true with the session ID and auth cookie. They can be replayed to gain access to the account.
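The replay described in this post, as an added example that is not part of the thread and not TBN's or vBulletin's code. It is a constructed toy model of the scheme the post describes (the browser sends MD5(password) over plaintext HTTP, the server compares it with the stored value and hands back a session cookie); the server class, the sniffer, the usernames and the password are all assumptions made for the demonstration.

```python
from __future__ import annotations

import hashlib
import secrets

# Added example, not TBN's or vBulletin's code: a constructed toy model of the
# login scheme described in the thread. The browser sends MD5(password) over
# plaintext HTTP and the server compares it with what it stores. A passive
# sniffer on the path sees the hash and the session cookie and replays both.


def browser_login_request(username: str, password: str) -> dict:
    """What the browser puts on the wire: the MD5 of the password, not the password."""
    return {"user": username, "md5password": hashlib.md5(password.encode()).hexdigest()}


class TbnLikeServer:
    """Constructed stand-in for the forum backend (assumption, not the real code)."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}     # username -> stored MD5(password)
        self.sessions: dict[str, str] = {}  # session id (cookie value) -> username

    def register(self, username: str, password: str) -> None:
        self.users[username] = hashlib.md5(password.encode()).hexdigest()

    def login(self, request: dict) -> str | None:
        """Accepts the request if the hash matches; the server never sees the password."""
        stored = self.users.get(request.get("user", ""))
        if stored is None or request.get("md5password") != stored:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = request["user"]
        return sid

    def whoami(self, session_cookie: str | None) -> str | None:
        if session_cookie is None:
            return None
        return self.sessions.get(session_cookie)


class PassiveSniffer:
    """Records every plaintext HTTP message it sees; it never modifies anything."""

    def __init__(self) -> None:
        self.captured_requests: list[dict] = []
        self.captured_cookies: list[str] = []

    def observe(self, request: dict, response_cookie: str | None) -> None:
        self.captured_requests.append(dict(request))
        if response_cookie is not None:
            self.captured_cookies.append(response_cookie)


def replay_attack() -> dict:
    server = TbnLikeServer()
    server.register("vvanders", "Kubota-L4760!")   # constructed credentials
    sniffer = PassiveSniffer()

    # The victim logs in over plain HTTP; the sniffer sees the request and the Set-Cookie.
    request = browser_login_request("vvanders", "Kubota-L4760!")
    victim_cookie = server.login(request)
    sniffer.observe(request, victim_cookie)

    # Attack 1: resend the captured hash. The attacker never learns the password.
    attacker_cookie = server.login(sniffer.captured_requests[0])

    # Attack 2: present the captured session cookie directly, no login at all.
    stolen_cookie = sniffer.captured_cookies[0]

    return {
        "hash_replay_logged_in_as": server.whoami(attacker_cookie),
        "cookie_replay_logged_in_as": server.whoami(stolen_cookie),
        # The cleartext password never appeared on the wire, and it never had to.
        "password_in_capture": any("Kubota-L4760!" in r.values() for r in sniffer.captured_requests),
    }


if __name__ == "__main__":
    print(replay_attack())
```

Client-side hashing changes nothing here: whatever string the server accepts as proof is the credential, and on plaintext HTTP that string is visible to anyone on the path. The fix is TLS for the transport, with the server storing a salted, slow hash of the real password rather than trusting a hash the client computed.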
 
   / No HTTPS on TBN? #5  
> A point that I didn't make in the last post: since the traffic between your computer and TBN is not encrypted, an attacker who can view the traffic can see the MD5 of your password. They don't even need to brute force the password to use it; they can just send the hash and they're logged into your TBN account. The same is true with the session ID and auth cookie. They can be replayed to gain access to the account.

In my experience with MySQL and VB software etc...submitting a password hash rather than the actual language pw...access will be denied...
 
   / No HTTPS on TBN? #7  
A TBN account would not be a highly desirable hacker target IMO.

The biggest draw would be the popularity of the forum and the attraction of the challenge...
You are right that there is really nothing here that would be of interest to a *professional*...(* used in a criminal sense)

Script kiddies that are just out trying to run sql injection and URI manipulator scripts etc., etc...are a different story...

FWIW VB is always improving its database security...These days most sites that use session cookies also employ scripts that recognize "brute force" assaults...
 
   / No HTTPS on TBN? #8  
> A TBN account would not be a highly desirable hacker target IMO.

Someone gaining access to your TBN account may not be a big deal. The issue is if a hacker can get an ID and password, it's easy to try that same ID and PW at other sites. If you happen to have the same ID/PW at a shopping site like Amazon, or your bank, you could be compromised pretty quickly.
 
   / No HTTPS on TBN? #9  
> Someone gaining access to your TBN account may not be a big deal. The issue is if a hacker can get an ID and password, it's easy to try that same ID and PW at other sites. If you happen to have the same ID/PW at a shopping site like Amazon, or your bank, you could be compromised pretty quickly.

That's what the prior posts are about...Even if someone could see the creds being passed they can't see anyone's actual password...all they could possibly see is the hash...
 
   / No HTTPS on TBN? #10  
The MD5 hash can readily be attacked as I explained above. My laptop can do about 2 million MD5s/second. That'll find a lot of passwords. Especially since most people use weak passwords based on words.

At 2 million/sec it would take about 8 hours to check all possible combinations of letters and numbers for a six character password. (on average you'd find the password in half that time). A full search is not needed as most passwords are not random strings of letters and numbers, but are based on words. Password guessers use dictionaries and modification rules to construct likely passwords to try. Such as try the word, then the word with 'l's replaced with '1's, then try with a 1 appended, etc. All based on studies of actual passwords. That greatly narrows and speeds the search. A full brute force search is only needed for truly random passwords.
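The dictionary-plus-rules guessing described in this post and in #3, and the arithmetic behind the "about 8 hours for six characters" figure, as an added example that is not the poster's code. It runs a small word-mangling guesser and a tiny exhaustive search against an MD5 hash an eavesdropper could have captured; the wordlist, the mangling rules and the target passwords are constructed for the demonstration. Real tools such as hashcat and John the Ripper do the same with far larger wordlists and rule sets and at GPU speeds.

```python
from __future__ import annotations

import hashlib
import itertools
import string

# Added example, not the poster's code: a small dictionary-plus-rules guesser
# of the kind the thread describes, run against a captured MD5 password hash,
# plus the keyspace arithmetic behind the "about 8 hours" estimate.
# The wordlist and rules below are constructed stand-ins for real ones.

WORDLIST = ["kubota", "tractor", "password", "deere", "sequim", "summer"]

LEET = str.maketrans({"l": "1", "o": "0", "e": "3", "a": "@", "s": "$"})
SUFFIXES = ["", "1", "12", "123", "!", "2016", "1!"]


def md5hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode()).hexdigest()


def mangle(word: str) -> list[str]:
    """Candidate passwords derived from one base word: case variants, leetspeak
    substitutions, appended digits/symbols. Deterministic order, no duplicates."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    candidates: list[str] = []
    for base in bases:
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in candidates:
                candidates.append(cand)
    return candidates


def dictionary_attack(target_hash: str, wordlist=WORDLIST) -> tuple[str | None, int]:
    """Try every mangled form of every word; return (password, guesses_tried)."""
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            if md5hex(cand) == target_hash:
                return cand, tried
    return None, tried


def brute_force(target_hash: str, alphabet: str, max_len: int) -> tuple[str | None, int]:
    """Exhaustive search, shortest candidates first. Only a tiny keyspace is practical here."""
    tried = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            tried += 1
            cand = "".join(tup)
            if md5hex(cand) == target_hash:
                return cand, tried
    return None, tried


def exhaustive_search_hours(alphabet_size: int, length: int, hashes_per_sec: float) -> float:
    """Wall-clock hours to hash every string of exactly `length` over the alphabet.
    On average the password is found in half that time."""
    return alphabet_size ** length / hashes_per_sec / 3600


if __name__ == "__main__":
    sniffed = md5hex("Tractor123")   # constructed: a hash an eavesdropper captured
    print(dictionary_attack(sniffed))
    print(brute_force(md5hex("k9z"), string.ascii_lowercase + string.digits, 3))
    # Upper- and lowercase letters plus digits (62 symbols), six characters, 2M MD5/s:
    print(round(exhaustive_search_hours(62, 6, 2_000_000), 1))
```

The 8-hour figure in the post corresponds to the 62-symbol alphabet (both letter cases plus digits): 62^6 hashes at 2 million per second is just under 7.9 hours, while a lowercase-plus-digits six-character space (36^6) falls in about 18 minutes. The dictionary run finds "Tractor123" after a few dozen guesses, which is the whole point: the search space that matters is the one people actually pick from, not the theoretical one.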
 