basic_man2010_20 wrote:but what you dont get is SHELLS allow you access to the cpanel wich in turn lets them into the database. acess to that database they could unbann people or give them free preemium for years on end bann people and all that other good stuff. even if its not in a cpanel then they can still upload a shell and get acess to the database.
I'll tell you what, send me a PM with my password in it, and I will stop criticizing your "SHELLS in files argument"
bedub1 wrote: Darwins_Bane wrote: bedub1 wrote:
For people that seem to know what they are talking about, I'm completely flabbergasted at why people are arguing with me. This is in fact the elephant in the room.
Anybody want to guess what my password was? (I changed it specifically for this test).
Yes...that's right...my password was "securepassword".
I captured this using a program called Wireshark. It used to be called Ethereal. Firesheep is a little program that automates this to make it easier on would be hackers.
Passwords sent over HTTP are NOT secure.
I would like to see you do that with a computer that is not on the same router as the one where your password is being entered. That has to do with cookies if I'm right. If not, then I would agree that there needs to be a change. All I'm saying is you don't even need to convert to HTTPS to actually secure your password.
It doesn't have to do with cookies. I ran a network packet stiffer to watch all packet flows.
You want me to hack a router on the path between me and CC? NO. (My tracert runs comcast.net all the way to texas before it hits rackspace's routers)
rackspace-bbr.dfw1.comcast.net [184.108.40.206] <--- Interesting...rackspace uses comcast?
You want me to find an unsecured wireless access point/public hotspot and watch all the traffic and snoop for passwords? NO.
I believe I've successfully proven my point. It's not even hard to deploy...given it's basically ALREADY SETUP. I'm not asking for the entire website to be redesigned in Flash or something. I've been using HTTPS for everything for some time now and I haven't seen any bugs. It's also plenty fast. I use clickable maps and it keeps up just fine.
Darwins_Bane wrote:My guess would be that on login, when you hit it, the password characters that you type in would immediately use the encryptpass function built in to php. This is a one way function, meaning, that once encrypted, it cannot be unencrypted. What happens is on your first login, the encrypted version of your password is stored in the database, and then every time you try to login, it just checks whether the encryted password is the same one as in the database. This means that, in transit, and at any point along the line, your password is encrypted.
That's a guess, and an interesting one, but just plain wrong.
bedub is right. Providing someone has raw access to your packets (which they have whenever they are on the same WIRELESS network as you, or if they re-route traffic across their machine, or a router they control) they are easily able to sniff through those packets and determine any and all information sent to the internet. However, other than aforementioned internet cafe's, and those with unsecured networks, who would ever be on the same wireless network with someone trying to intercept information from them.
Also, passwords are stored using a hash (because encryption is unrealistic and a PITA for server-side encrypting). Some hashes can be very secure, however, none are un-crackable. Hashes can't be reversed, but given enough time, and knowing the hash method used, the password, or other original input can be determined.
Encryption is on the same principal, being that it is used for security. However anything that is encrypted, can be decrypted. It is very easy if you have the encryption key (which, BTW, is sent over the network when the session is created), however it can still be done without the key, just not in a realistic time frame.
The only downside I see for forcing HTTPS is that some mobile carriers have problems with it on their smartphones. My point still remains that if you are smart, your chances of being hacked are virtually the same on HTTP as HTTPS.