SSL for login only?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
morestuff
Registered User
Posts: 816
Joined: Sun Aug 20, 2006 6:19 am

Post by morestuff » Wed Aug 23, 2006 4:28 am

Well, apparently the developers of phpBB and probably many, many other programs do not think it is that much to worry about.

Assuming what you describe is true, then you should not access your board from a public wifi network. Or you should figure out a way to protect it if it is critical.

You know, if I was to walk outside right now, that tree in my front yard might fall and smash my head. I think I will stay inside for the rest of my life.

Sorry, I just can't get over how much people can worry about stuff that is so unlikely to happen that it should not require a moment's thought.

Yes, if I notice that the tree in my front yard is rotten and likely to fall, I will cut it down.

rant/rant/rant

TimG
Registered User
Posts: 121
Joined: Sun Jun 23, 2002 8:52 pm
Location: Germany

Post by TimG » Wed Aug 23, 2006 4:37 am

Morestuff,
morestuff wrote: sorry, I just can't get over how much people can worry about stuff that is so unlikely to happen that it should not require a moment's thought.

There's a difference between worrying about things that are extremely unlikely to happen and those that can very easily happen. Packet sniffers are free and easily available. A lot of morons have laptops and hang out in public hotspots. For many of these kiddies, it would be great fun to log into someone else's board and mess it up a little, and there would be no way of tracing who had done it.

I have to work on the road quite a lot and my board is a support forum that is part of my work -- i.e. my living depends on it. Frequently the only option available is to use a public hotspot. If the above scenario happened I would have a lot of trouble. I would probably be able to rebuild the board, but why should I need to?

I've repeatedly asked whether the phpBB logon credentials are at least hashed before being transmitted and have never received an answer so I can only assume that they are not. So administering the board when I am on the road is potentially very risky and this is something I would like to avoid.

IF the logon credentials are not hashed before transmission, there is nothing paranoid about this at all; it is simply good sense, because the risk is very high. If they are, then yes, the risk is very low.
Regards,
Tim

Emufarmers
Registered User
Posts: 811
Joined: Tue Jul 18, 2006 11:12 am

Post by Emufarmers » Wed Aug 23, 2006 5:14 am

Well, if you're concerned about security, you should upgrade to 2.0.21, first things first. :)

TimG
Registered User
Posts: 121
Joined: Sun Jun 23, 2002 8:52 pm
Location: Germany

Post by TimG » Wed Aug 23, 2006 7:16 am

Emufarmers wrote: Well, if you're concerned about security, you should upgrade to 2.0.21, first things first. :)

Just curious: What makes you think I didn't? :roll:
Regards,
Tim

Emufarmers
Registered User
Posts: 811
Joined: Tue Jul 18, 2006 11:12 am

Post by Emufarmers » Wed Aug 23, 2006 7:44 am

TimG wrote:
Emufarmers wrote: Well, if you're concerned about security, you should upgrade to 2.0.21, first things first. :)

Just curious: What makes you think I didn't? :roll:

Heh, I was responding to the original poster, who said he was using 2.0.19. I didn't realize this was a bumped thread. :)

amir abbas
Registered User
Posts: 113
Joined: Fri Mar 31, 2006 2:26 pm

Post by amir abbas » Wed Aug 23, 2006 7:44 am

The latest version of phpBB is secure enough. Why do you want to have SSL login?

I think having an SSL account is possible, but it's hard to configure.

Aquillar
Registered User
Posts: 17
Joined: Tue Nov 08, 2005 3:59 am
Location: Canada

Re: SSL for login only?

Post by Aquillar » Fri Jul 27, 2007 8:17 am

I can't believe the lack of ANY regard for security by most of you guys. Every person who has said anything on the side for a secure login is 200% right. I can't believe morestuff is comparing it to a tree falling on your head, there are so many things wrong with that, thank you TimG for explaining things to everyone.

I do not log into my forums (or any insecure site) when I am on a college network or wifi. While it is less likely that a transmission would be intercepted while wired, it is still extremely easy to do. I would not want someone snorting it out of the air.

Paranoid would be more the thoughts of "omg someone on one of the networks my information is travelling through is capturing my packets and watching what I do!" (which isn't really too far off if you remember the AT&T cases with Mark Klein). It is much more likely that any interception affecting you would occur on the immediate network that you're connected to (the kid running ethereal with a gold wifi card) or on the opposite end where the server is (a disgruntled employee).

Why not use a Javascript to encrypt the password through md5, transmit that as "clear text" to the server and have the server just work with that instead of receiving the clear password and then hashing on the server? You could even have the client encode a combination of the session id with the password, do the same on the server and verify that the results on both ends match. Easy. I can't think of how that would be too useful if intercepted. Most kiddies wouldn't waste their time on it anyways. That eliminates the need for a full out SSL setup and cert, although that would be the better way to go.

That's my 2 cents

T0ny
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Re: SSL for login only?

Post by T0ny » Fri Jul 27, 2007 9:44 am

Aquillar wrote: Why not use a Javascript to encrypt the password through md5, transmit that as "clear text" to the server and have the server just work with that instead of receiving the clear password and then hashing on the server?
Intercepting the hash would be functionally identical to intercepting the password.
Aquillar wrote: You could even have the client encode a combination of the session id with the password, do the same on the server and verify that the results on both ends match. Easy. I can't think of how that would be too useful if intercepted.
This would only tie the hash to that session ID. As the person intercepting the data would have, and be able to use, the session ID concerned it would provide no extra protection.

The upshot is, if someone is able to intercept your session ID chances are they will be able to do everything you can do. The only way to protect against this is to use SSL for everything.

Aquillar
Registered User
Posts: 17
Joined: Tue Nov 08, 2005 3:59 am
Location: Canada

Re: SSL for login only?

Post by Aquillar » Fri Jul 27, 2007 4:46 pm

Yes I know but for the kid who's trying to get myspace passwords, this would be a bitch and he would probably just ignore it. It's better than nothing. The session ID could change immediately after login and then it would be useless to someone who managed to grab the hash. If the session ID doesn't change, then they never sent the right password to begin with. Password is now protected.

jwunderly
Registered User
Posts: 5740
Joined: Sun Mar 30, 2003 2:18 pm
Location: Easton, PA (in the groove)

Re: SSL for login only?

Post by jwunderly » Fri Jul 27, 2007 4:51 pm

and your support question is .... ?
John (A cranky old man. "Looking for an echo ...")
using any control-panel install/update is like shooting yourself in the foot. It won't kill you, but you're really going to hobble around until it heals.
Using the wrong tools (Front Page, DreamWeaver) gives the same results
Do not PM me for Support!

Aquillar
Registered User
Posts: 17
Joined: Tue Nov 08, 2005 3:59 am
Location: Canada

Re: SSL for login only?

Post by Aquillar » Fri Jul 27, 2007 4:57 pm

Sorry, we're trying to have a security discussion here; there's no support question.

Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: SSL for login only?

Post by Phil » Fri Jul 27, 2007 5:01 pm

You do realize this thread is ancient, and this is a support forum...
Moving on, with the wind. | My Corner of the Web

Aquillar
Registered User
Posts: 17
Joined: Tue Nov 08, 2005 3:59 am
Location: Canada

Re: SSL for login only?

Post by Aquillar » Fri Jul 27, 2007 5:56 pm

So that means when I find a topic through searching, I'm not allowed to contribute to the discussion, old or not, when the content is still relevant? Stop padding your post counts here and let the grown-ups discuss security.

I'm sure none of you would want someone grabbing your username and password when you harmlessly try to logon to some forums at your favourite wifi hotspot. I'd bet that the password you use on your phpbb account is the same as the password on the email address you registered with.

If you don't have a positive contribution to this discussion, just simply stay out of it.

abertoll
Registered User
Posts: 85
Joined: Fri Jan 21, 2005 5:13 am

Re: SSL for login only?

Post by abertoll » Fri Jul 27, 2007 6:03 pm

Aquillar wrote: Yes I know but for the kid who's trying to get myspace passwords, this would be a *beep* and he would probably just ignore it. It's better than nothing. The session ID could change immediately after login and then it would be useless to someone who managed to grab the hash. If the session ID doesn't change, then they never sent the right password to begin with. Password is now protected.
I don't really see how the session id is relevant, given if they get the md5 hash of the password, then they can just use that to login themselves. The hash is always the same, so they can just get their own session.

Plus, giving someone an md5 hash of a poorly-chosen password is really extra bad: they can use the hash on their own computer to solve the actual password. This is why your /etc/shadow file is only readable by root. You'd then at least have to enforce some kind of password standard on all your users.

That's why the only good solution is SSL: you really need asymmetric encryption to set up a secure connection. A one-way function just won't cut it.

Anyway, for most people just putting the whole forum in https would work; the only problem is that with sites that have a lot of traffic, it puts an extra load on the server. I didn't want to argue with anyone about how hard it is to have a site that flips between http and https for passwords, because I've never implemented it myself -- some problem about the cookies being encrypted? But other software does this, so I know it's possible.

But I'm glad I'm not alone in thinking this is important.
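As an added illustration (not code from this thread, and not phpBB's own login code), the following Python simulates the two schemes Aquillar proposed and the objections T0ny and abertoll raise: a toy board that stores md5(password) at rest, a browser that sends either md5(password) or md5(sid + md5(password)), and a passive observer on the same hotspot who sees exactly the same bytes. The board class, the credentials and the captured "wire" are all constructed for the example.

```python
import hashlib
import secrets

def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

class Board:
    """Toy board (constructed): stores md5(password) at rest, as phpBB2 did, and issues session IDs."""
    def __init__(self, users):
        self.users = {u: md5(p) for u, p in users.items()}
        self.sessions = {}  # sid -> logged-in username, or None

    def new_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = None
        return sid

    def login_plain_hash(self, sid, user, client_hash):
        # Scheme 1 from the thread: the browser sends md5(password) instead of the password.
        if sid in self.sessions and self.users.get(user) == client_hash:
            self.sessions[sid] = user
            return True
        return False

    def login_sid_bound(self, sid, user, response):
        # Scheme 2: the browser sends md5(sid + md5(password)); the server recomputes it.
        stored = self.users.get(user)
        if sid in self.sessions and stored and response == md5(sid + stored):
            self.sessions[sid] = user
            return True
        return False

def run_scenarios():
    """Returns (hash replay from observer's own session, sid-bound replay with a fresh sid, hijack via sniffed sid)."""
    board = Board({"admin": "correct horse"})  # constructed credentials
    wire = []  # what a passive observer on the same hotspot sees (constructed capture)
    # Scheme 1: the md5 travels in the clear, so it simply becomes the password (T0ny, abertoll).
    sid = board.new_session()
    wire.append((sid, "admin", md5("correct horse")))
    board.login_plain_hash(*wire[0])
    hash_replay = board.login_plain_hash(board.new_session(), *wire[0][1:])
    # Scheme 2: binding to the sid does stop reuse of the response with a different sid...
    sid = board.new_session()
    wire.append((sid, "admin", md5(sid + md5("correct horse"))))
    board.login_sid_bound(*wire[1])
    fresh_sid_replay = board.login_sid_bound(board.new_session(), *wire[1][1:])
    # ...but the sid itself was on the wire, and presenting it is all the board checks afterwards.
    # Rotating the sid after login changes nothing while the new sid crosses the same open network.
    hijack = board.sessions.get(wire[1][0]) == "admin"
    return hash_replay, fresh_sid_replay, hijack
```

The three results come out (True, False, True): the plain hash is replayable from any session, the sid-bound response is not, and in both cases the sniffed session ID alone gives the observer the logged-in session, which is T0ny's point that only SSL for the whole session closes the gap.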

Jim_UK
Former Team Member
Posts: 18478
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Re: SSL for login only?

Post by Jim_UK » Fri Jul 27, 2007 6:36 pm

Aquillar wrote: Sorry, we're trying to have a security discussion here; there's no support question.
Then you had better have a look at the forum title. This is a support forum and not a discussion one.

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!
