No HTTPS on TBN?

   / No HTTPS on TBN? #21  
ericm979 said:
The MD5 hash can readily be attacked as I explained above. My latop can do about 2 million MD5s/second.
Click to expand...

After 5 failed attempts you get locked out for 15 minutes. So you could try around 480 per 24 hour day.

We've had plans to change to HTTPS for a while. We're also currently morphing other sites to a new platform and have been working on a number of large scale upgrades to the various parts and pieces of TBN. We're aware that vbulletin is out of date and limited but we're also aware that our members are accustomed to the functionality and layout. Every time we've made a change in the past (we've made four major changes in 20 years), our membership doesn't like it and we see a 30% drop in post activity as a result. That's been one of the reasons for our apprehension to change. The decision to go to another platform or build one ourselves has been a wait and see game. Now that we're dipping our toes in a new platform, we're getting more comfortable with the idea. So when that change happens, we will switch to HTTPS.
 
   / No HTTPS on TBN? #22  
Muhammad said:
After 5 failed attempts you get locked out for 15 minutes. So you could try around 480 per 24 hour day.
Click to expand...

That's not how the attack works. It's an off line attack. The attacker only needs a copy of the hash and a word list of prospective passwords. Then she runs the brute force on machines she controls, hashing each prospective password and checking to see if the result matches the hash she's attacking. There's no connections to TBN (or anywhere else). The limit is purely CPU speed and how many CPUs the attacker's willing to put to work.

Muhammad said:
We've had plans to change to HTTPS for a while. We're also currently morphing other sites to a new platform and have been working on a number of large scale upgrades to the various parts and pieces of TBN. We're aware that vbulletin is out of date and limited but we're also aware that our members are accustomed to the functionality and layout. Every time we've made a change in the past (we've made four major changes in 20 years), our membership doesn't like it and we see a 30% drop in post activity as a result. That's been one of the reasons for our apprehension to change. The decision to go to another platform or build one ourselves has been a wait and see game. Now that we're dipping our toes in a new platform, we're getting more comfortable with the idea. So when that change happens, we will switch to HTTPS.
Click to expand...

Cool. I wrote some early forum softwarein the .com era. From that experience I can say that no matter what you change some people won't like the change. Also, don't roll your own.

/pine, you're misunderstanding how the attacker replays the hash. They write the protocol directly and send the hash in that. They don't use the hash as the password, calling through the library that takes the password and hashes it. They bypass that code.
 
   / No HTTPS on TBN? #23  
.../pine, you're misunderstanding how the attacker replays the hash. They write the protocol directly and send the hash in that. They don't use the hash as the password, calling through the library that takes the password and hashes it. They bypass that code....
Click to expand...
Not misunderstanding...The hash still has to match what is in the database...rather than being passed via the interface it would have to be done through a URI...

It's like I pointed out...the only way anyone could capture the hash is by either compromising the entire database or directly hacking someone's home/office network...
 
   / No HTTPS on TBN?
  • Thread Starter
#24  
Muhammad said:
After 5 failed attempts you get locked out for 15 minutes. So you could try around 480 per 24 hour day.

We've had plans to change to HTTPS for a while. We're also currently morphing other sites to a new platform and have been working on a number of large scale upgrades to the various parts and pieces of TBN. We're aware that vbulletin is out of date and limited but we're also aware that our members are accustomed to the functionality and layout. Every time we've made a change in the past (we've made four major changes in 20 years), our membership doesn't like it and we see a 30% drop in post activity as a result. That's been one of the reasons for our apprehension to change. The decision to go to another platform or build one ourselves has been a wait and see game. Now that we're dipping our toes in a new platform, we're getting more comfortable with the idea. So when that change happens, we will switch to HTTPS.
Click to expand...

:thumbsup: Thanks for the detailed reply, in 100% agreement that changing how TBN works isn't the best idea. If it isn't broken, don't fix it.

Out of curiosity does your hosting provider tie HTTPS to your software deployment? Generally SSL is a separate thing configured at the reverse proxy/load balancer but I'm not privy to all the technical details how TBN is setup.
 
   / No HTTPS on TBN? #25  
Why am I seeing more highlighted links now that when clicked on go to something that has nothing to with the post, is that an http thing? Like in one post I typed in the word> ram and that becomes a highlighted link.
 
   / No HTTPS on TBN? #26  
By 'http' thing, if you mean is it related to http, then yes. If you hover over the link, it says 'Inserted by Vigilink'. Vigilink is a company that provides a snippet of http code that a web site owner can insert into their site to create links on keywords. When someone clicks one of those links, Vigilink gets a commission, and they pass along a % back to the owner of the site. I'm guessing TBN recently signed up w/ Vigilink...

If you use Chrome, there's a Chrome Extension that you can add called Ghostery that can block your browse from creating the Vigilink links (among blocking other ads and tracking tools).
 
   / No HTTPS on TBN? #27  
LMychajluk said:
By 'http' thing, if you mean is it related to http, then yes. If you hover over the link, it says 'Inserted by Vigilink'. Vigilink is a company that provides a snippet of http code that a web site owner can insert into their site to create links on keywords. When someone clicks one of those links, Vigilink gets a commission, and they pass along a % back to the owner of the site. I'm guessing TBN recently signed up w/ Vigilink...

If you use Chrome, there's a Chrome Extension that you can add called Ghostery that can block your browse from creating the Vigilink links (among blocking other ads and tracking tools).
Click to expand...
Or, go to http://www.tractorbynet.com/forums/profile.php?do=editprofile, then scroll down the the bottom of the page and choose "No" for both "Show inserted links" and "Allow inserted links in my posts"

Aaron Z
 
   / No HTTPS on TBN? #30  
aczlan said:
Or, go to http://www.tractorbynet.com/forums/profile.php?do=editprofile, then scroll down the the bottom of the page and choose "No" for both "Show inserted links" and "Allow inserted links in my posts"

Aaron Z
Click to expand...

Ta, Aaron... sure enough, both of those were ticked "yes" in my profile.

I didn't mind the odd idiosyncratic "kubota" link showing up but the recent avalanche of one/two word links was getting downright annoying.
 
You must log in or register to reply here.

Tractor & Equipment Auctions

2009 CATERPILLAR 420E BACKHOE (A51406)
2009 CATERPILLAR...
  • Clicks: 27
  • Views: 28,770
2015 International DuraStar 4300 Street Sweeper Truck (A50323)
2015 International...
  • Clicks: 59
  • Views: 76,909
CATERPILLAR D6T XL CRAWLER DOZER (A51242)
CATERPILLAR D6T XL...
  • Clicks: 9
  • Views: 3,269
1984 NAVISTAR 1954 CABLE HOIST (A51222)
1984 NAVISTAR 1954...
  • Clicks: 37
  • Views: 55,173
2021 Kubota RTV X900 4x4 Utility Cart (A50322)
2021 Kubota RTV...
  • Clicks: 53
  • Views: 65,757
2016 J&M 1122-20T X-Tended Grain Cart (A50657)
2016 J&M 1122-20T...
  • Clicks: 48
  • Views: 68,256
 

Footer Links 1

Top