Does this site really not use https, and uses plaintext passwords?

04-23-2017 , 06:09 PM
Ok, is this really it?
The admins of this board just hide and act like nothing happened?

This level of sheer technical incompetence should be illegal. No one with that little idea about the industry he's in should be able to run a business in that particular industry.

Arguing that SSL would be too costly is the most ridiculous thing I ever heard. If you have ancient hardware not being able to handle CPU instructions from 1996, then go ****ing out of business. And if the hardware is newer than that ... when Google made the switch in 2012, they had a 2% traffic overhead.

Given the fact that users of this board exchange private information in PMs, you should ****ing care.

So now, for once, instead of coming up with bull**** excuses.

Show us that you salted and hashed your passwords. I'm eagerly awaiting the SQL report together with Trump's tax returns.
04-24-2017 , 09:21 AM
Again, conflating SSL and password hashing issues just discredits the whole movement.
04-30-2017 , 07:17 AM
Quote:
Originally Posted by Neil S
Again, conflating SSL and password hashing issues just discredits the whole movement.
No, not saying one single word and making up excuses discredits the whole site and the management.

So once again, maybe you get it in your 3rd reading attempt.

This website is storing passwords in a database, in clear text. That's shady and fraudulent. I cannot be sure that the passwords even were hacked; if you leave the database unencrypted, I have to assume you're just willing to sell your user data to whomever, as there are no steps taken whatsoever to not compromise the data of your users.
04-30-2017 , 09:52 AM
Please tell me how installing https on the site would have anything to do with that, genius.
04-30-2017 , 12:10 PM
Quote:
This website is storing passwords in a database, in clear text
[Citation Needed]
04-30-2017 , 02:10 PM
Quote:
Originally Posted by Noodle Wazlib
[Citation Needed]

Quote:
Originally Posted by wellju
This website is storing passwords in a database, in clear text.
.
04-30-2017 , 11:09 PM
Here's that story about how google gives search priority to sites using https (from 3 years ago):

https://search.slashdot.org/story/14...use-encryption

So being secure is now a form of SEO. Bold move to reduce your own web traffic and keep your users and your site at risk as a business strategy.
05-01-2017 , 03:13 AM
Quote:
Originally Posted by wellju
This website is storing passwords in a database, in clear text. That's shady and fraudulent.
Even if the passwords were being stored in clear text, I fail to see what would be either shady or fraudulent about that.

What does seem a little...I won't say shady, but questionable...is continually asserting that the passwords are stored in clear text and avoiding people's questions about how you know that they are. I mean, I understand that it's entirely possible that you've missed other threads where 2+2 administration has posted that the passwords were encrypted, but I'd think that if you're going to assert that they are stored in clear text, you could share how you know this. Is Mat mistaken?

http://forumserver.twoplustwo.com/29...orums-1648366/

On the issue of SSL, this has come up in the mod forum before, and the last post I've seen from Chuck on the matter said that he was trying to find a solution for login only (he was concerned that implementing sitewide could cause some problems), and hadn't yet been able to find one. That was some time ago, so I'll see if he has an update on this.
05-01-2017 , 09:55 AM
http://stackoverflow.com/questions/2...site-in-apache

One whole google search.

Also, please tell me mat was confusing hashing with encryption, because if he wasn't then the passwords were basically in clear text.
05-01-2017 , 10:09 AM
Just checked. vBulletin uses md5( md5(password) + salt) to store its passwords.

md5 has since been broken open, but "storing in plain text" is hyperbolic.
05-01-2017 , 10:19 AM
Have there been attacks aside from collisions? I wouldn't be super worried about collisions given salts were used.

I mean, i know the heads of the crypto world consider md5 dead, but it's still decent protection (read: more than none) for a site like this.
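The md5(md5(password) + salt) scheme quoted above, with one way to strengthen rows already stored that way without waiting for users to log in again (an added example, not part of any post and not vBulletin's code). Because one MD5 round is cheap to compute, the stored value is wrapped in a slow key-derivation function; the names `wrap_record` and `verify`, the scheme labels, the record layout and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this sketch; tune per hardware


def vb_legacy_hash(password: str, salt: str) -> str:
    # md5(md5(password) + salt) as quoted in the thread; the hex digest is
    # concatenated as text, which is what PHP's md5() returns by default.
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def wrap_record(rec: dict) -> dict:
    # Offline upgrade: needs only the stored legacy hash, not the password.
    kdf_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", rec["hash"].encode("ascii"),
                             kdf_salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2_over_vb_md5", "salt": rec["salt"],
            "kdf_salt": kdf_salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "hash": dk.hex()}


def verify(password: str, rec: dict) -> bool:
    # Recompute the legacy value, then apply the outer KDF if the row was wrapped.
    legacy = vb_legacy_hash(password, rec["salt"])
    if rec["scheme"] == "vb_md5":
        candidate = legacy
    elif rec["scheme"] == "pbkdf2_over_vb_md5":
        candidate = hashlib.pbkdf2_hmac(
            "sha256", legacy.encode("ascii"),
            bytes.fromhex(rec["kdf_salt"]), rec["iterations"]).hex()
    else:
        return False  # unknown scheme label: refuse rather than guess
    return hmac.compare_digest(candidate, rec["hash"])


# Constructed sample row (not real data).
SAMPLE = {"scheme": "vb_md5", "salt": "x9Q",
          "hash": vb_legacy_hash("correct horse", "x9Q")}

if __name__ == "__main__":
    upgraded = wrap_record(SAMPLE)
    print(verify("correct horse", SAMPLE), verify("correct horse", upgraded))
    print(verify("wrong guess", upgraded))
```

After wrapping, the bare MD5 value is no longer stored, so a copied table yields only the slow PBKDF2 output.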
05-01-2017 , 02:33 PM
anything i said would have been me repeating something chuck said or i thought he said. i'm going to have him post in this thread addressing anything that needs to be addressed
05-02-2017 , 12:06 AM
...8 years later.
05-03-2017 , 04:40 PM
waiting for Chuck's first post in this thread for its entire 8 year existence
05-03-2017 , 05:41 PM
He said something about salt and then went and smoked some hash.
05-08-2017 , 08:33 AM
Chances we hear something this week?
05-22-2017 , 10:28 AM
Chances we hear something this month?
05-28-2017 , 10:48 AM
June is coming soon.
05-28-2017 , 03:30 PM
i'm not exactly sure why Chuck hasn't posted yet, but i do know he is doing something regarding these concerns. i believe he prefers posting after things happen, rather than getting caught up in a conversation about what he is researching/ doing.
06-04-2017 , 10:41 AM
https://twitter.com/EFF/status/871139938267430913
07-23-2017 , 02:55 PM
Logging in using Opera desktop browser warns me that the username / password fields transmit in plaintext and can be intercepted. See attached. Don't know, but this may be "the hack."
07-23-2017 , 08:12 PM
Your web browser is just warning you that the login page is not using SSL/TLS encryption, meaning when you click 'login', your data is sent in plain text over the wire.

If someone were conducting a man-in-the-middle attack against you while you were logging in, they'd be able to get your username and password. Likewise, your ISP could easily get your username and password if they wanted to.

Web browsers have started displaying these warnings, which I think is a really good thing. Hopefully it will force sites that haven't even implemented SSL/TLS on login pages to start to implement encryption.

Yo twoplustwo, EFF's Let's Encrypt is free. Free certs backed by the Electronic Frontier Foundation. Dead simple to set up.
https://letsencrypt.org/
07-23-2017 , 08:31 PM
To those saying "it's super easy guys just do X" here's an interesting article for you to browse: https://nickcraver.com/blog/2017/05/...tack-overflow/

Quote:
Today, we deployed HTTPS by default on Stack Overflow. All traffic is now redirected to https:// and Google links will change over the next few weeks. The activation of this is quite literally flipping a switch (feature flag), but getting to that point has taken years of work.
Quote:
We began thinking about deploying HTTPS on Stack Overflow back in 2013. So the obvious question: It’s 2017. What the hell took 4 years?

In case anyone was wondering, yes this is the very same Stack Overflow mentioned here:

Quote:
Originally Posted by Noodle Wazlib
Amazing they didn't just look on their own message board when the answer was right there


Note - I do of course agree Twoplustwo forums should implement HTTPS asap.
07-23-2017 , 09:25 PM
we are actually in the middle of working on this issue. we meaning chuck, not me.