Page 1 of 3

Re: Turn HTTP into HTTPS on login (poll created)

PostPosted: Tue Mar 01, 2011 11:17 pm
by bedub1
InsomniaRed wrote:And yes to the login being changed to HTTPS, but not the whole site.

I agree...there is no reason to encrypt the entire site. But you know..it does work just fine. :) I've been using HTTPS ever since I posted this...and since it doesn't redirect me back to HTTP...I browse the entire site in HTTPS...take my turns in HTTPS....post to the forum in HTTPS. I'm posting this via HTTPS. Go encryption!

Re: Turn HTTP into HTTPS on login

PostPosted: Wed Mar 02, 2011 12:17 am
by blakebowling
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

Re: Turn HTTP into HTTPS on login

PostPosted: Wed Mar 02, 2011 12:45 am
by bedub1
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

Re: Turn HTTP into HTTPS on login

PostPosted: Wed Mar 02, 2011 4:27 pm
by blakebowling
bedub1 wrote:
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

It is also completely pointless. Every good web developer should know that forcing protocols is never good.

Re: Turn HTTP into HTTPS on login

PostPosted: Wed Mar 02, 2011 8:37 pm
by bedub1
blakebowling wrote:
bedub1 wrote:
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

It is also completely pointless. Every good web developer should know that forcing protocols is never good.

Did you just say encryption is completely pointless?

You know what...I don't give a shit anymore. You don't like my good idea...I no longer care. I use HTTPS for all my CC interaction. I use it to login, play my games...I use it to browse the forum, I use it to chat. I'm secure. I haven't noticed any difference in speed. I no longer care if the rest of you are or not. If somebody figures out how to steal lacks insecure password and thrash the server...I'll just laugh and point to this thread and say "I told you so".

Re: Turn HTTP into HTTPS on login

PostPosted: Wed Mar 02, 2011 9:57 pm
by Woodruff
blakebowling wrote:
bedub1 wrote:
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

It is also completely pointless. Every good web developer should know that forcing protocols is never good.


Encryption is pointless?

Re: Turn HTTP into HTTPS on login

PostPosted: Wed Mar 02, 2011 10:05 pm
by stahrgazer
Darwins_Bane wrote:Although I understand where you're coming from, this is a gaming website, there is little to no likelyhood that someone is going to try to steal your password to it.



*cough* right, that's why there have been so many issues with hackers and imposters, like the one that resulted in respectable folks like sam-c812 being reported for cheating... a hacker had taken over another player's logon, set up some speed games to lose them deliberately... anyone remember that from a month or so ago?

There have been other incidents where someone hacked an id. https would help prevent those situations.

Re: Turn HTTP into HTTPS on login

PostPosted: Wed Mar 02, 2011 10:16 pm
by blakebowling
you're misunderstanding the difference between the two, or how the security works.

HTTP, and HTTPS are essentially the same protocol, with the exception of the SSL key in HTTPS. However, the only way for someone to get the information, is for them to take over a router in the path of where you are going. The easiest of those routers to take over would be (in 99% of cases) the one located at your OWN house. If someone were to re-route the flow of packets through another computer, which they proceeded to analyze and determine the value of the field "password" sent to the conquerclub.com login script, then they would have your password. However this is not the way most "hackings" take place.

The majority of the time, the password is obtained from another website which you use the same password for. Essentially, your password is associated with your username, or your email address in their database. Or, even easier than that; the person got the password from you.

Re: Turn HTTP into HTTPS on login

PostPosted: Wed Mar 02, 2011 10:35 pm
by basic_man2010_20
bedub1 wrote:
blakebowling wrote:
basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.

hey now...that's not very polite. Did you consider english might not be his primary language?

"Well actually you saying that this is a gaming website thus nobody will attack it...umm..yeah...how about there are hackers that attack games just to f*ck with people...mafia (mmporg) gaming websites get hacked all the time. I am pretty sure that this site is easy to hack."




well English is my primary language but i suck at typing as i don't pay much attention to the online grammar and crap like that. so tell me dose the site allow for .swf ANYWHERE on the site? if so it can eaisley be hacked. All you have to do is put a shell into the .swf file upload it to the site and you have access to the cpanel (if the site runs on a cpanel) or even the database. they get access to the database they have access to our e-mail password and all that they can easily then go and pretend to be us or even worse pull a herk and hack a persons account of witch they don't like and make a bunch of games and point dump and get the person banned.

Re: Turn HTTP into HTTPS on login

PostPosted: Wed Mar 02, 2011 10:52 pm
by blakebowling
basic_man2010_20 wrote:
bedub1 wrote:
blakebowling wrote:
basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.

hey now...that's not very polite. Did you consider english might not be his primary language?

"Well actually you saying that this is a gaming website thus nobody will attack it...umm..yeah...how about there are hackers that attack games just to f*ck with people...mafia (mmporg) gaming websites get hacked all the time. I am pretty sure that this site is easy to hack."




well English is my primary language but i suck at typing as i don't pay much attention to the online grammar and crap like that. so tell me dose the site allow for .swf ANYWHERE on the site? if so it can eaisley be hacked. All you have to do is put a shell into the .swf file upload it to the site and you have access to the cpanel (if the site runs on a cpanel) or even the database. they get access to the database they have access to our e-mail password and all that they can easily then go and pretend to be us or even worse pull a herk and hack a persons account of witch they don't like and make a bunch of games and point dump and get the person banned.

Most web developers know of the SWF vulnerabilities. And No, SWF can't be used on the site (at least by regular users, Admins and the entertainment team MAY have access to it).

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 12:06 am
by basic_man2010_20
okay and im sure theres probley somewhay to put a shell into the pictures now aint there? either way they cant block shells so accoutns can be hacked

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 2:22 am
by bedub1
If you are on a public hotspot that doesn't have encryption enabled, and login to CC, there is a high probability that another user on the wifi could find your password for CC. And if you use your password for other things, like your bank account, he could get into it. All because CC wouldn't enable encryption.

http://gawker.com/#!5744229/the-faceboo ... s-possible

The performance overhead is minor—zippy Gmail, for example, uses HTTPS for everything

By default, Facebook sends your access credentials in the clear, with no encryption whatsoever. Switching to HTTPS is important because a browser extension called Firesheep has made it especially easy for anyone sharing your open wireless network—at cafe or conference, for example—to sniff your credentials and freely access your account. One blogger sitting in a random New York Starbucks was able to steal 20-40 Facebook identities in half an hour. HTTPS solves this longstanding problem by encrypting your login cookies and other data; in fact the inventor of Firesheep made the software to encourage companies like Facebook to finally lock down their systems.


http://www.theatlantic.com/technology/a ... cks/70044/
By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades.

Basically, the Tunisian government, through internet service providers, tried to steal the Facebook login info (usernames and passwords) of everyone in Tunisia. They did this through keyloggers, a piece of software that records the keys you hit on your computer.

When Facebook realized this was going on, they quickly switched the entire Tunisian site to https, the encrypted version of the HTTP protocol on which the web is built. (As an aside, we wonder why they don't do this by default for everyone. Https is slower, but it would sitll be more secure.)

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 8:52 am
by Darwins_Bane
I think you're being a little over dramatic here. But just so you don't have a heart attack, a couple things to keep in mind. Hacking doesn't work how you all think. It's a lot of hard work to do. I would say greater than 99% of the cases on this website where people are "hacked", are in fact just cases where the person who logged into the account without permission really got the password from someone else. My guess would be that on login, when you hit it, the password characters that you type in would immediately use the encryptpass function built in to php. This is a one way function, meaning, that once encrypted, it cannot be unencrypted. What happens is on your first login, the encrypted version of your password is stored in the database, and then every time you try to login, it just checks whether the encryted password is the same one as in the database. This means that, in transit, and at any point along the line, your password is encrypted. The only way for someone to then hack your account is to be able to get into your router, which is extremely hard to do if you secure it in any way. https can be used if you want, but if you are concerned with your password security, don't be.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 10:55 am
by basic_man2010_20
but what you dont get is SHELLS allow you access to the cpanel wich in turn lets them into the database. acess to that database they could unbann people or give them free preemium for years on end bann people and all that other good stuff. even if its not in a cpanel then they can still upload a shell and get acess to the database.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 1:03 pm
by bedub1
For people that seem to know what they are talking about, I'm completely flabbergasted at why people are arguing with me. This is in fact the elephant in the room.

Image

Anybody want to guess what my password was? (I changed it specifically for this test).

Yes...that's right...my password was "securepassword".

I captured this using a program called Wireshark. It used to be called Ethereal. Firesheep is a little program that automates this to make it easier on would be hackers.

Passwords sent over HTTP are NOT secure.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 1:14 pm
by Mr_Adams
You should use that to hack into LackAttack's account and change his turtle picture. :lol:

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 1:16 pm
by bedub1
Mr_Adams wrote:You should use that to hack into LackAttack's account and change his turtle picture. :lol:

No. I'm not a hacker, I'm a security and network expert. I defend against hackers.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 1:53 pm
by Darwins_Bane
bedub1 wrote:For people that seem to know what they are talking about, I'm completely flabbergasted at why people are arguing with me. This is in fact the elephant in the room.

Image

Anybody want to guess what my password was? (I changed it specifically for this test).

Yes...that's right...my password was "securepassword".

I captured this using a program called Wireshark. It used to be called Ethereal. Firesheep is a little program that automates this to make it easier on would be hackers.

Passwords sent over HTTP are NOT secure.


I would like to see you do that with a computer that is not on the same router as the one where your password is being entered. That has to do with cookies if I'm right. If not, then I would agree that there needs to be a change. All I'm saying is you don't even need to convert to HTTPS to actually secure your password.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 1:55 pm
by Metsfanmax
While I'm not impressed by bedub's attempt to hack his own account, I must admit the argument about connections at public hotspots is compelling.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 2:02 pm
by bedub1
Darwins_Bane wrote:
bedub1 wrote:For people that seem to know what they are talking about, I'm completely flabbergasted at why people are arguing with me. This is in fact the elephant in the room.

Image

Anybody want to guess what my password was? (I changed it specifically for this test).

Yes...that's right...my password was "securepassword".

I captured this using a program called Wireshark. It used to be called Ethereal. Firesheep is a little program that automates this to make it easier on would be hackers.

Passwords sent over HTTP are NOT secure.


I would like to see you do that with a computer that is not on the same router as the one where your password is being entered. That has to do with cookies if I'm right. If not, then I would agree that there needs to be a change. All I'm saying is you don't even need to convert to HTTPS to actually secure your password.

It doesn't have to do with cookies. I ran a network packet stiffer to watch all packet flows.

You want me to hack a router on the path between me and CC? NO. (My tracert runs comcast.net all the way to texas before it hits rackspace's routers)
rackspace-bbr.dfw1.comcast.net [75.149.230.242] <--- Interesting...rackspace uses comcast?

You want me to find an unsecured wireless access point/public hotspot and watch all the traffic and snoop for passwords? NO.

I believe I've successfully proven my point. It's not even hard to deploy...given it's basically ALREADY SETUP. I'm not asking for the entire website to be redesigned in Flash or something. I've been using HTTPS for everything for some time now and I haven't seen any bugs. It's also plenty fast. I use clickable maps and it keeps up just fine.

Darwins_Bane wrote:My guess would be that on login, when you hit it, the password characters that you type in would immediately use the encryptpass function built in to php. This is a one way function, meaning, that once encrypted, it cannot be unencrypted. What happens is on your first login, the encrypted version of your password is stored in the database, and then every time you try to login, it just checks whether the encryted password is the same one as in the database. This means that, in transit, and at any point along the line, your password is encrypted.

That's a guess, and an interesting one, but just plain wrong.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 5:17 pm
by blakebowling
basic_man2010_20 wrote:but what you dont get is SHELLS allow you access to the cpanel wich in turn lets them into the database. acess to that database they could unbann people or give them free preemium for years on end bann people and all that other good stuff. even if its not in a cpanel then they can still upload a shell and get acess to the database.

I'll tell you what, send me a PM with my password in it, and I will stop criticizing your "SHELLS in files argument"

bedub1 wrote:
Darwins_Bane wrote:
bedub1 wrote:For people that seem to know what they are talking about, I'm completely flabbergasted at why people are arguing with me. This is in fact the elephant in the room.

Image

Anybody want to guess what my password was? (I changed it specifically for this test).

Yes...that's right...my password was "securepassword".

I captured this using a program called Wireshark. It used to be called Ethereal. Firesheep is a little program that automates this to make it easier on would be hackers.

Passwords sent over HTTP are NOT secure.


I would like to see you do that with a computer that is not on the same router as the one where your password is being entered. That has to do with cookies if I'm right. If not, then I would agree that there needs to be a change. All I'm saying is you don't even need to convert to HTTPS to actually secure your password.

It doesn't have to do with cookies. I ran a network packet stiffer to watch all packet flows.

You want me to hack a router on the path between me and CC? NO. (My tracert runs comcast.net all the way to texas before it hits rackspace's routers)
rackspace-bbr.dfw1.comcast.net [75.149.230.242] <--- Interesting...rackspace uses comcast?

You want me to find an unsecured wireless access point/public hotspot and watch all the traffic and snoop for passwords? NO.

I believe I've successfully proven my point. It's not even hard to deploy...given it's basically ALREADY SETUP. I'm not asking for the entire website to be redesigned in Flash or something. I've been using HTTPS for everything for some time now and I haven't seen any bugs. It's also plenty fast. I use clickable maps and it keeps up just fine.

Darwins_Bane wrote:My guess would be that on login, when you hit it, the password characters that you type in would immediately use the encryptpass function built in to php. This is a one way function, meaning, that once encrypted, it cannot be unencrypted. What happens is on your first login, the encrypted version of your password is stored in the database, and then every time you try to login, it just checks whether the encryted password is the same one as in the database. This means that, in transit, and at any point along the line, your password is encrypted.

That's a guess, and an interesting one, but just plain wrong.

bedub is right. Providing someone has raw access to your packets (which they have whenever they are on the same WIRELESS network as you, or if they re-route traffic across their machine, or a router they control) they are easily able to sniff through those packets and determine any and all information sent to the internet. However, other than aforementioned internet cafe's, and those with unsecured networks, who would ever be on the same wireless network with someone trying to intercept information from them.

Also, passwords are stored using a hash (because encryption is unrealistic and a PITA for server-side encrypting). Some hashes can be very secure, however, none are un-crackable. Hashes can't be reversed, but given enough time, and knowing the hash method used, the password, or other original input can be determined.

Encryption is on the same principal, being that it is used for security. However anything that is encrypted, can be decrypted. It is very easy if you have the encryption key (which, BTW, is sent over the network when the session is created), however it can still be done without the key, just not in a realistic time frame.

The only downside I see for forcing HTTPS is that some mobile carriers have problems with it on their smartphones. My point still remains that if you are smart, your chances of being hacked are virtually the same on HTTP as HTTPS.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 5:43 pm
by bedub1
I can confirm tmobile and the android based Google nexus One works fine with HTTPS and conquerclub. I just successfully logged in via it.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 7:58 pm
by basic_man2010_20
blakebowling wrote:
basic_man2010_20 wrote:but what you dont get is SHELLS allow you access to the cpanel wich in turn lets them into the database. acess to that database they could unbann people or give them free preemium for years on end bann people and all that other good stuff. even if its not in a cpanel then they can still upload a shell and get acess to the database.

I'll tell you what, send me a PM with my password in it, and I will stop criticizing your "SHELLS in files argument"


okay so you want me to do this i will try to get incontact with someone i know over in teh jiddle east thats a hacker and hacks mafia sites via shells. i will have him try shells and things for the site see how secure this site really is?

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 8:12 pm
by blakebowling
basic_man2010_20 wrote:
blakebowling wrote:
basic_man2010_20 wrote:but what you dont get is SHELLS allow you access to the cpanel wich in turn lets them into the database. acess to that database they could unbann people or give them free preemium for years on end bann people and all that other good stuff. even if its not in a cpanel then they can still upload a shell and get acess to the database.

I'll tell you what, send me a PM with my password in it, and I will stop criticizing your "SHELLS in files argument"


okay so you want me to do this i will try to get incontact with someone i know over in teh jiddle east thats a hacker and hacks mafia sites via shells. i will have him try shells and things for the site see how secure this site really is?

Yes, Yes I do. Send me my exact password in a private message. I'm calling your bluff.

Re: Turn HTTP into HTTPS on login

PostPosted: Thu Mar 03, 2011 8:14 pm
by basic_man2010_20
yes i have just hit a perosn up on msn and he will be on later to look around.