Moderator: Community Team
The performance overhead is minorāzippy Gmail, for example, uses HTTPS for everything
By default, Facebook sends your access credentials in the clear, with no encryption whatsoever. Switching to HTTPS is important because a browser extension called Firesheep has made it especially easy for anyone sharing your open wireless networkāat cafe or conference, for exampleāto sniff your credentials and freely access your account. One blogger sitting in a random New York Starbucks was able to steal 20-40 Facebook identities in half an hour. HTTPS solves this longstanding problem by encrypting your login cookies and other data; in fact the inventor of Firesheep made the software to encourage companies like Facebook to finally lock down their systems.
By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades.
Basically, the Tunisian government, through internet service providers, tried to steal the Facebook login info (usernames and passwords) of everyone in Tunisia. They did this through keyloggers, a piece of software that records the keys you hit on your computer.
When Facebook realized this was going on, they quickly switched the entire Tunisian site to https, the encrypted version of the HTTP protocol on which the web is built. (As an aside, we wonder why they don't do this by default for everyone. Https is slower, but it would sitll be more secure.)
Mr_Adams wrote:You should use that to hack into LackAttack's account and change his turtle picture.
bedub1 wrote:For people that seem to know what they are talking about, I'm completely flabbergasted at why people are arguing with me. This is in fact the elephant in the room.
Anybody want to guess what my password was? (I changed it specifically for this test).
Yes...that's right...my password was "securepassword".
I captured this using a program called Wireshark. It used to be called Ethereal. Firesheep is a little program that automates this to make it easier on would be hackers.
Passwords sent over HTTP are NOT secure.
Darwins_Bane wrote:bedub1 wrote:For people that seem to know what they are talking about, I'm completely flabbergasted at why people are arguing with me. This is in fact the elephant in the room.
Anybody want to guess what my password was? (I changed it specifically for this test).
Yes...that's right...my password was "securepassword".
I captured this using a program called Wireshark. It used to be called Ethereal. Firesheep is a little program that automates this to make it easier on would be hackers.
Passwords sent over HTTP are NOT secure.
I would like to see you do that with a computer that is not on the same router as the one where your password is being entered. That has to do with cookies if I'm right. If not, then I would agree that there needs to be a change. All I'm saying is you don't even need to convert to HTTPS to actually secure your password.
Darwins_Bane wrote:My guess would be that on login, when you hit it, the password characters that you type in would immediately use the encryptpass function built in to php. This is a one way function, meaning, that once encrypted, it cannot be unencrypted. What happens is on your first login, the encrypted version of your password is stored in the database, and then every time you try to login, it just checks whether the encryted password is the same one as in the database. This means that, in transit, and at any point along the line, your password is encrypted.
basic_man2010_20 wrote:but what you dont get is SHELLS allow you access to the cpanel wich in turn lets them into the database. acess to that database they could unbann people or give them free preemium for years on end bann people and all that other good stuff. even if its not in a cpanel then they can still upload a shell and get acess to the database.
bedub1 wrote:Darwins_Bane wrote:bedub1 wrote:For people that seem to know what they are talking about, I'm completely flabbergasted at why people are arguing with me. This is in fact the elephant in the room.
Anybody want to guess what my password was? (I changed it specifically for this test).
Yes...that's right...my password was "securepassword".
I captured this using a program called Wireshark. It used to be called Ethereal. Firesheep is a little program that automates this to make it easier on would be hackers.
Passwords sent over HTTP are NOT secure.
I would like to see you do that with a computer that is not on the same router as the one where your password is being entered. That has to do with cookies if I'm right. If not, then I would agree that there needs to be a change. All I'm saying is you don't even need to convert to HTTPS to actually secure your password.
It doesn't have to do with cookies. I ran a network packet stiffer to watch all packet flows.
You want me to hack a router on the path between me and CC? NO. (My tracert runs comcast.net all the way to texas before it hits rackspace's routers)
rackspace-bbr.dfw1.comcast.net [75.149.230.242] <--- Interesting...rackspace uses comcast?
You want me to find an unsecured wireless access point/public hotspot and watch all the traffic and snoop for passwords? NO.
I believe I've successfully proven my point. It's not even hard to deploy...given it's basically ALREADY SETUP. I'm not asking for the entire website to be redesigned in Flash or something. I've been using HTTPS for everything for some time now and I haven't seen any bugs. It's also plenty fast. I use clickable maps and it keeps up just fine.Darwins_Bane wrote:My guess would be that on login, when you hit it, the password characters that you type in would immediately use the encryptpass function built in to php. This is a one way function, meaning, that once encrypted, it cannot be unencrypted. What happens is on your first login, the encrypted version of your password is stored in the database, and then every time you try to login, it just checks whether the encryted password is the same one as in the database. This means that, in transit, and at any point along the line, your password is encrypted.
That's a guess, and an interesting one, but just plain wrong.
blakebowling wrote:basic_man2010_20 wrote:but what you dont get is SHELLS allow you access to the cpanel wich in turn lets them into the database. acess to that database they could unbann people or give them free preemium for years on end bann people and all that other good stuff. even if its not in a cpanel then they can still upload a shell and get acess to the database.
I'll tell you what, send me a PM with my password in it, and I will stop criticizing your "SHELLS in files argument"
basic_man2010_20 wrote:blakebowling wrote:basic_man2010_20 wrote:but what you dont get is SHELLS allow you access to the cpanel wich in turn lets them into the database. acess to that database they could unbann people or give them free preemium for years on end bann people and all that other good stuff. even if its not in a cpanel then they can still upload a shell and get acess to the database.
I'll tell you what, send me a PM with my password in it, and I will stop criticizing your "SHELLS in files argument"
okay so you want me to do this i will try to get incontact with someone i know over in teh jiddle east thats a hacker and hacks mafia sites via shells. i will have him try shells and things for the site see how secure this site really is?
blakebowling wrote:Yes, Yes I do. Send me my exact password in a private message. I'm calling your bluff.
basic_man2010_20 wrote:im w says
hey thanks for adding me. i have a quick question to ask you
Stephen says
alright
Tim w says
okay so ive been playing on an online risk game called conquerclub, there was a suggestion to make the entire site HTTP's instead of just http. i support that and i told them why, as without it shells and things can be uploaded and can get peoples usernames passwords and all that info. now one of teh moderaters/helpers for teh site told me to message him with his password and he will agree with me
so i was wondering would it be possable for you to get that info for me so that they will realize that it is in fact possable
Stephen says
Shell wouldnt be the cause of shells being uploaded to the site. HTTPS is just to secure your details more when purchasing stuff.
Shell would be uploaded probably because of bad coding etc. Is there anything in the game that allow uploads of files?
Tim w says
well i know that it allows for photobucket pics but it dont allow .swf.
Stephen says
Well then the game shoudl be fine from Shell Attacks unless there some scode that isnt filled / uploading.
ill have to sign up in a bit and check around.
Tim w says
okay well teh site is http://www.conquerclub.com
Metsfanmax wrote:basic_man2010_20 wrote:im w says
hey thanks for adding me. i have a quick question to ask you
Stephen says
alright
Tim w says
okay so ive been playing on an online risk game called conquerclub, there was a suggestion to make the entire site HTTP's instead of just http. i support that and i told them why, as without it shells and things can be uploaded and can get peoples usernames passwords and all that info. now one of teh moderaters/helpers for teh site told me to message him with his password and he will agree with me
so i was wondering would it be possable for you to get that info for me so that they will realize that it is in fact possable
Stephen says
Shell wouldnt be the cause of shells being uploaded to the site. HTTPS is just to secure your details more when purchasing stuff.
Shell would be uploaded probably because of bad coding etc. Is there anything in the game that allow uploads of files?
Tim w says
well i know that it allows for photobucket pics but it dont allow .swf.
Stephen says
Well then the game shoudl be fine from Shell Attacks unless there some scode that isnt filled / uploading.
ill have to sign up in a bit and check around.
Tim w says
okay well teh site is http://www.conquerclub.com
Lulz. Is this guy for real?
basic_man2010_20 wrote:im not 100% on where hes from but his names stephan he has a web server actualy. and yes hes for real
Metsfanmax wrote:basic_man2010_20 wrote:im not 100% on where hes from but his names stephan he has a web server actualy. and yes hes for real
I was asking if you are for real. You went on for like two pages about how shell scripts could be used to hack into the CPanel, and then contacted your hacker buddy and he said you were wrong. And you posted that for everyone to see.
Return to Archived Suggestions
Users browsing this forum: No registered users