When will the forum use SSL?

[swl551]

Chrome is stepping up its war on the unencrypted web!!!



Chrome is getting serious about websites that don’t use encryption. The next version of Chrome will include a new warning for unencrypted login sites, according to a post today on the Google Security Blog. Chrome 56, which is planned to launch in January, will mark HTTP login pages as "not secure" in a window next to the address bar. Unencrypted HTTP is particularly dangerous for login pages, as it could allow an attacker to intercept passwords as they travel across the network.


http://www.theverge.com/2016/9/8/128...ogle-ssl-https

[Nick]

Do you think the Mersenne forum sends your password in clear over the Internet?
Have you checked?

[yoyo]

Quote:

Originally Posted by Nick

Do you think the Mersenne forum sends your password in clear over the Internet?
Have you checked?

The forum login page sends the password as md5 hash to the server. But nevertheless if the connection is not encrypted I can (as man in the middle) grep the user and md5hash and can resent it later to get a proper login.

yoyo

[retina]

Quote:

Originally Posted by swl551

Unencrypted HTTP is particularly dangerous for login pages, as it could allow an attacker to intercept passwords as they travel across the network.

Passwords are not really the issue. Cookie stealing and initial login hashes can be stored for later use. But unless the site suddenly becomes globally significant then I doubt anyone cares to go to all the effort for rewards that are essentially of very limit value. In short, don't worry about it.

[bgbeuning]

One day user prime95 posts a new version of prime95 and says it is lots faster.
It is not in the usual release directory, but oh well Its faster!
Then the next day user prime95 says, that is not me.
In the mean time, 100 users have a nasty new virus on their machines.

Nah, won't happen....

[Dubslow]

Quote:

Originally Posted by retina

Passwords are not really the issue. Cookie stealing and initial login hashes can be stored for later use. But unless the site suddenly becomes globally significant then I doubt anyone cares to go to all the effort for rewards that are essentially of very limit value. In short, don't worry about it.

You are one of the last people I would have expected to say something like "don't worry about it".

At any rate, besides the above posts, md5 hashes aren't exactly uncrackable.

[retina]

Quote:

Originally Posted by Dubslow

You are one of the last people I would have expected to say something like "don't worry about it".

How else can I collect everyone's login hashes and session cookies unless I say it is not a problem.to use ordinary HTTP.

[henryzz]

TLS should be used rather than the crackable SSL.SSL is also not enabled in chrome by default anymore.

[bgbeuning]

Most sites use 1024, 2048, or 4096 bit length RSA keys for SSL/TLS.
Given who we are, I think a 70,000,000 bit key is appropriate.

[Mark Rose]

Quote:

Originally Posted by bgbeuning

Most sites use 1024, 2048, or 4096 bit length RSA keys for SSL/TLS.
Given who we are, I think a 70,000,000 bit key is appropriate.

1024 bit RSA keys are considered insecure, last I heard. 2048 is the minimum recommended. There is a not-insignificant cost to establishing a connection using a larger key.

[henryzz]

I don't think that is really important as that require significant effort to get a password that isn't worth much. 1024 is enough. We could consider though that we should be an example and choose something above 1024 since we are more knowledgeable about this than the average site.
We probably do need to do something about this at some point. Warnings by google in chrome are often an indication that it won't be supported after a while(although that would break a large amount of the internet).