mersenneforum.org  

Old 2016-09-10, 23:48   #1
swl551
 
 
Aug 2012
New Hampshire

23·101 Posts
When will the forum use SSL?

Chrome is stepping up its war on the unencrypted web!!!



Chrome is getting serious about websites that don’t use encryption. The next version of Chrome will include a new warning for unencrypted login sites, according to a post today on the Google Security Blog. Chrome 56, which is planned to launch in January, will mark HTTP login pages as "not secure" in a window next to the address bar. Unencrypted HTTP is particularly dangerous for login pages, as it could allow an attacker to intercept passwords as they travel across the network.


http://www.theverge.com/2016/9/8/128...ogle-ssl-https
Old 2016-09-11, 10:10   #2
Nick
 
 
Dec 2012
The Netherlands

11×151 Posts

Do you think the Mersenne forum sends your password in clear over the Internet?
Have you checked?
Old 2016-09-11, 12:58   #3
yoyo
 
 
Oct 2006
Berlin, Germany

61210 Posts

Quote:
Originally Posted by Nick
Do you think the Mersenne forum sends your password in clear over the Internet?
Have you checked?

The forum login page sends the password as an md5 hash to the server. But nevertheless if the connection is not encrypted I can (as man in the middle) grep the user and md5 hash and can resend it later to get a proper login.

yoyo
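The replay described in the post above, as an added example that is not part of the original thread and not the forum software's code: when the server accepts a client-computed MD5 of the password, the hash itself is the credential, so a recorded hash is accepted again later. A one-time nonce scheme is shown for contrast; the account, the function names and the storage layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account: the server stores only md5(password).
STORED = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def static_login(user: str, client_hash: str) -> bool:
    """Scheme from the post: the browser sends md5(password) on every login."""
    expected = STORED.get(user)
    return expected is not None and hmac.compare_digest(expected, client_hash)


class ChallengeServer:
    """Contrast (assumed design): a fresh single-use nonce per login attempt."""

    def __init__(self) -> None:
        self._pending = {}

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)  # consumed whether or not it matches
        stored = STORED.get(user)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password: bytes, nonce: str) -> str:
    key = hashlib.md5(password).hexdigest().encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    # Values a passive observer on plain HTTP would record from one login of each kind.
    seen_hash = hashlib.md5(b"correct horse").hexdigest()
    srv = ChallengeServer()
    seen_response = client_response(b"correct horse", srv.challenge("alice"))
    first = srv.login("alice", seen_response)
    srv.challenge("alice")  # a later attempt is bound to a new nonce
    return {
        "static_replay_accepted": static_login("alice", seen_hash),
        "challenge_first_use": first,
        "challenge_replay_accepted": srv.login("alice", seen_response),
    }
```

The nonce only stops replay of a recorded login; session cookies sent over plain HTTP are still exposed, and an active man in the middle can still alter the page, which is why the connection itself needs TLS.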
Old 2016-09-11, 13:21   #4
retina
Undefined
 
 
"The unspeakable one"
Jun 2006
My evil lair

612410 Posts

Quote:
Originally Posted by swl551
Unencrypted HTTP is particularly dangerous for login pages, as it could allow an attacker to intercept passwords as they travel across the network.

Passwords are not really the issue. Cookie stealing and initial login hashes can be stored for later use. But unless the site suddenly becomes globally significant then I doubt anyone cares to go to all the effort for rewards that are essentially of very limited value. In short, don't worry about it.

Last fiddled with by retina on 2016-09-11 at 13:22
Old 2016-09-11, 15:09   #5
bgbeuning
 
Dec 2014

3×5×17 Posts

One day user prime95 posts a new version of prime95 and says it is lots faster.
It is not in the usual release directory, but oh well, it's faster!
Then the next day user prime95 says, that is not me.
In the meantime, 100 users have a nasty new virus on their machines.

Nah, won't happen....
Old 2016-09-11, 16:04   #6
Dubslow
Basketry That Evening!
 
 
"Bunslow the Bold"
Jun 2011
40<A<43 -89<O<-88

3·29·83 Posts

Quote:
Originally Posted by retina
Passwords are not really the issue. Cookie stealing and initial login hashes can be stored for later use. But unless the site suddenly becomes globally significant then I doubt anyone cares to go to all the effort for rewards that are essentially of very limited value. In short, don't worry about it.

You are one of the last people I would have expected to say something like "don't worry about it".

At any rate, besides the above posts, md5 hashes aren't exactly uncrackable.
Old 2016-09-11, 16:31   #7
retina
Undefined
 
 
"The unspeakable one"
Jun 2006
My evil lair

137548 Posts

Quote:
Originally Posted by Dubslow
You are one of the last people I would have expected to say something like "don't worry about it".

How else can I collect everyone's login hashes and session cookies unless I say it is not a problem to use ordinary HTTP?
Old 2016-09-11, 17:16   #8
henryzz
Just call me Henry
 
 
"David"
Sep 2007
Cambridge (GMT/BST)

2·29·101 Posts

TLS should be used rather than the crackable SSL. SSL is also not enabled in Chrome by default anymore.

Last fiddled with by henryzz on 2016-09-11 at 17:18
Old 2016-09-11, 17:55   #9
bgbeuning
 
Dec 2014

3×5×17 Posts

Most sites use 1024, 2048, or 4096 bit length RSA keys for SSL/TLS.
Given who we are, I think a 70,000,000 bit key is appropriate.
Old 2016-09-11, 18:45   #10
Mark Rose
 
 
"/X\(‘-‘)/X\"
Jan 2013

3×977 Posts
Default

Quote:
Originally Posted by bgbeuning
Most sites use 1024, 2048, or 4096 bit length RSA keys for SSL/TLS.
Given who we are, I think a 70,000,000 bit key is appropriate.

1024 bit RSA keys are considered insecure, last I heard. 2048 is the minimum recommended. There is a not-insignificant cost to establishing a connection using a larger key.
Old 2016-09-11, 19:32   #11
henryzz
Just call me Henry
 
 
"David"
Sep 2007
Cambridge (GMT/BST)

2·29·101 Posts

I don't think that is really important as that requires significant effort to get a password that isn't worth much. 1024 is enough. We could consider though that we should be an example and choose something above 1024 since we are more knowledgeable about this than the average site.
We probably do need to do something about this at some point. Warnings by Google in Chrome are often an indication that it won't be supported after a while (although that would break a large amount of the internet).

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.