Two Plus Two Publishing LLC
 

About the Forums Here's where you post suggestions about the forums and the software that implements them.

Old 01-08-2017, 08:10 PM   #76
pvn
King Emeritus
 
 
Join Date: Jan 2004
Location: De-Green BruceZ for Great Justice
Posts: 65,704
Re: Does this site really not use https, and uses plaintext passwords?

FWIW https probably would not have prevented this particular problem
Old 01-09-2017, 08:16 PM   #77
jonc
stranger
 
Join Date: Mar 2005
Location: San Diego, CA
Posts: 1
Re: Does this site really not use https, and uses plaintext passwords?

It's 2017 guys. Passwords should not be sent over plaintext.
Old 01-09-2017, 09:09 PM   #78
wiggum
grinder
 
 
Join Date: Jul 2007
Location: ITT
Posts: 430
Re: Does this site really not use https, and uses plaintext passwords?

Geez... you would figure 2+2 would have learned the first time......and still no ssl?
Old 01-12-2017, 07:13 AM   #79
ProfessorSlot
newbie
 
Join Date: Nov 2016
Posts: 26
Re: Does this site really not use https, and uses plaintext passwords?

It's time for this site to implement better security features. They can use https to prevent this kind of hacking. 2+2 is the most talked about on other forum sites because of the incident that happened.
Old 01-12-2017, 09:45 AM   #80
Yakmelk
Carpal \'Tunnel
 
 
Join Date: Jun 2009
Location: Its Professor to you
Posts: 13,159
Re: Does this site really not use https, and uses plaintext passwords?

You don't know that.
Old 01-12-2017, 12:10 PM   #81
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,019
Re: Does this site really not use https, and uses plaintext passwords?

from the announcement atop the forums:

Quote:
It is also our opinion that this was not a problem with the software which runs our forums. We and the vendor (vbulletin) are of the belief that it is safe and secure. Rather it was an issue with some auxiliary software on our servers which are located at Rackspace, INC. Steps have been taken, believed successful, to ensure as much as possible such problems do not reoccur.
https pretty obviously has nothing to do with this breach, any more than not requiring 25 character passwords does.
Old 01-13-2017, 10:00 AM   #82
pvn
King Emeritus
 
 
Join Date: Jan 2004
Location: De-Green BruceZ for Great Justice
Posts: 65,704
Re: Does this site really not use https, and uses plaintext passwords?

Quote:
Originally Posted by jonc View Post
It's 2017 guys. Passwords should not be sent over plaintext.
uh, they aren't, and haven't been at least since the site has been on vB, and probably even before that.
Old 02-01-2017, 05:52 PM   #83
pvn
King Emeritus
 
 
Join Date: Jan 2004
Location: De-Green BruceZ for Great Justice
Posts: 65,704
Re: Does this site really not use https, and uses plaintext passwords?

HTTPS adoption has reached the tipping point

https://www.troyhunt.com/https-adopt...tipping-point/
Old 02-01-2017, 07:34 PM   #84
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,019
Re: Does this site really not use https, and uses plaintext passwords?

Doesn't Google give search result preference to sites that use https?
Old 02-06-2017, 11:24 AM   #85
iron81
Carpal \'Tunnel
 
 
Join Date: Sep 2005
Location: Resident Spork
Posts: 16,492
Re: Does this site really not use https, and uses plaintext passwords?

I have to vote for not adopting https because when I log into public wifi through an https website my phone screams HAX and it doesn't work.
Old 03-02-2017, 06:51 PM   #86
rarerabbit
grinder
 
Join Date: Jun 2004
Posts: 550
2+2 not secure according to Chrome

Just logged into 2+2 for 2nd time today. And I notice the site is not https; and in the Chrome address bar it says "connection to the site is not secure".

Any other site I open does not show this.
Better check it out.
Old 03-04-2017, 10:28 AM   #87
Alternate Identity
journeyman
 
Join Date: Jan 2017
Location: it is all about location
Posts: 386
Re: 2+2 not secure according to Chrome

Quote:
Originally Posted by rarerabbit View Post
Just logged into 2+2 for 2nd time today. And I notice the site is not https; and in the Chrome address bar it says "connection to the site is not secure".

Any other site I open does not show this.
Better check it out.
I was on a computer with Chrome yesterday, came here several times, and never got that message.
Old 03-04-2017, 02:43 PM   #88
Jbrochu
Carpal \'Tunnel
 
Join Date: Jan 2005
Posts: 14,893
Re: 2+2 not secure according to Chrome

Quote:
Originally Posted by Alternate Identity View Post
I was on a computer with Chrome yesterday, came here several times, and never got that message.
Look in the Chrome address bar. See the little exclamation point in the circle before the 2+2 address? Click on it.
Old 03-04-2017, 03:20 PM   #89
gregorio
Carpal \'Tunnel
 
Join Date: Jan 2007
Posts: 26,585
Re: Does this site really not use https, and uses plaintext passwords?

Not sure why, but I don't even need to click on it for 2p2


It's not specific to 2p2; any site that doesn't use ssl/https gets that warning but it usually just shows (i). Sites with ssl/https show "Secure" in the address bar.
Old 03-04-2017, 04:36 PM   #90
Jbrochu
Carpal \'Tunnel
 
Join Date: Jan 2005
Posts: 14,893
Re: Does this site really not use https, and uses plaintext passwords?

Mine looks just like your image (lock with "secure" text) on secure sites, but only the symbol without text on non-secure sites. Maybe a difference in settings or versions -- although I'm pretty sure I'm on the latest version.
Old 03-25-2017, 02:14 PM   #91
frumpus
journeyman
 
 
Join Date: Apr 2008
Location: folding for value
Posts: 346
Re: Does this site really not use https, and uses plaintext passwords?

Quote:
Originally Posted by ProfessorSlot View Post
It's time for this site to implement better security features. They can use https to prevent this kind of hacking. 2+2 is the most talked about on other forum sites because of the incident that happened.
There's no such thing as bad publicity.
Old 03-25-2017, 03:02 PM   #92
Neil S
King of the sidebar
 
 
Join Date: Sep 2004
Location: Northern Virginia
Posts: 17,754
Re: Does this site really not use https, and uses plaintext passwords?

https wouldn't even prevent someone from getting access to the database.
Old 03-26-2017, 01:32 PM   #93
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,019
Re: Does this site really not use https, and uses plaintext passwords?

This site is php-based, so upgrading to 5.5, if they aren't already using it, and implementing the safe, standard bcrypt hashing function would prevent the password db getting stolen from mattering.
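Added example, not part of the original post or the forum's own code: the bcrypt approach mentioned in the post above, in PHP, using `password_hash()` and `password_verify()` and upgrading older hashes at login. The `$user` array layout and the legacy salted-MD5 format are assumptions for illustration (the thread does not establish how this site stores passwords); `hash_equals()` and constant arrays need PHP 5.6 or later.

```php
<?php
// Added example: move stored password hashes to bcrypt at login time.
// Assumptions: the $user row layout and the legacy salted-MD5 scheme.

const BCRYPT_OPTIONS = ['cost' => 12];

/** Hash a password with bcrypt; PHP generates the salt and embeds it. */
function hash_password($plain)
{
    $hash = password_hash($plain, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    if ($hash === false) {
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

/**
 * Check a login attempt. Returns [bool $ok, string|null $newHash].
 * A non-null $newHash must be written back to the user row by the caller.
 */
function verify_and_upgrade($plain, array $user)
{
    $stored = $user['password_hash'];

    // Legacy rows (assumed format): md5(md5(password) . salt), 32 hex chars.
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        $candidate = md5(md5($plain) . $user['salt']);
        if (!hash_equals($stored, $candidate)) {   // constant-time compare
            return [false, null];
        }
        return [true, hash_password($plain)];      // migrate on successful login
    }

    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    // Re-hash when the cost factor has been raised since this hash was made.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        ? hash_password($plain)
        : null;
    return [true, $new];
}

// Constructed sample row in the assumed legacy format.
$legacy = ['salt' => 'x9!', 'password_hash' => md5(md5('correct horse') . 'x9!')];
list($ok, $upgraded) = verify_and_upgrade('correct horse', $legacy);
var_dump($ok, password_get_info($upgraded)['algoName']);
```

Rows belonging to users who never log in again keep the legacy hash, so a migration like this is usually paired with a forced reset for accounts still on the old format after a cutoff date.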
Old 03-29-2017, 10:10 AM   #94
wellju
BSOD and racetrack Ninja
 
 
Join Date: Feb 2010
Location: ALL OF THEM
Posts: 5,247
Re: Does this site really not use https, and uses plaintext passwords?

Is this serious in here?

Are you really arguing why you should not use any form of encryption, after this ****ty server gets hacked every other week?

All right, whoever told you that you need a new server for SSL, who was that and why would you listen to him? The traffic overhead is 2% and the CPU usage is negligible, especially.

You cheap bastards could get the SSL license for free nowadays.

If anything costs you performance, it's this ****ty version of this ****ty board software.

And all those "meh, ppl being scammed anyhow". What in the heck has that to do with my passwords being transmitted in clear type?

Also, how, and really, answer this. How did you ever think storing passwords in clear type is ok, or legal for that matter?
Old 03-29-2017, 10:27 AM   #95
Neil S
King of the sidebar
 
 
Join Date: Sep 2004
Location: Northern Virginia
Posts: 17,754
Re: Does this site really not use https, and uses plaintext passwords?

It's so cute when people get indignant who have no clue about the technologies and threats involved, and what would fix them or not fix them.

Hint: If you think SSL on the website has anything to do with password storage, you have nothing to contribute to the topic.
Old 03-29-2017, 11:51 AM   #96
wellju
BSOD and racetrack Ninja
 
 
Join Date: Feb 2010
Location: ALL OF THEM
Posts: 5,247
Re: Does this site really not use https, and uses plaintext passwords?

It's so cute when people jump to conclusions without the proper reading comprehension.

This site is storing passwords in clear text. Storing passwords within a database, not as a hash, is against any technical standards and ethics.

So, instead of trying to avoid the topic by being so easily offended.

What are your arguments against basic encryption?
How do you argue that storing clear text passwords in a database is not shady?
Old 03-29-2017, 04:02 PM   #97
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,019
Re: Does this site really not use https, and uses plaintext passwords?

Have we confirmed passwords were not hashed before storage?

Either way, if passwords are sent in clear text then any mod who can see an admin's IP address could easily steal that admin's password. It's like one command in Linux.
Old 03-29-2017, 04:30 PM   #98
AllCowsEatGrass
adept
 
 
Join Date: Mar 2017
Posts: 912
Re: Does this site really not use https, and uses plaintext passwords?

Quote:
Originally Posted by wellju View Post
This site is storing passwords in clear text.

How do you know they're stored in plain text?

Regarding SSL/TLS - HTTPS, I think one thing people don't have an understanding of is attack surface. Think of a house; if you have a brick house with only one door, there is a very small attack surface, being the door. The lock could be vulnerable to picking, the wood could be vulnerable to a battering ram, but overall the attack surface for the house is very small. Once you start adding more doors and windows, your attack surface increases.

If they store passwords in plain text, that's an increase in the attack surface. If someone is able to successfully perform SQL injection and dump the database, their work is done and they don't even have to bother with decrypting passwords.

Likewise with not having SSL/TLS - HTTPS, in 2017, what I noticed to be a full eight years after this thread was created, it's an increase in attack surface. Not even the login page is secure, so users logging in via public wifi are vulnerable to a simple man in the middle attack. But even if the login page was secure, but only the login page, users would still be vulnerable to session cookie hijacking.

If the server is running an outdated version of PHP, that's likewise another increase in attack surface.

The problem with trying to defend a web server is like the problem defenses face in American football; the advantage goes to the attacker (offense). The defender has to defend a myriad of different attack vectors, but the attacker just has to successfully exploit one vector. When you have a very large attack surface, there are more opportunities for attackers to find a successful attack vector, so anything and everything you can do to decrease your attack surface is a good thing, and failing to try to decrease the attack surface is negligence.
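Added example, not part of the original post or the site's code: the session-cookie point in the post above, as a PHP session bootstrap that never issues or accepts the session cookie over plain HTTP, so protecting only the login page is not the design. `CANONICAL_HOST`, the function names, and TLS terminating on the PHP host itself are assumptions; the cookie options array needs PHP 7.3 or later.

```php
<?php
// Added example: keep the session cookie off plaintext HTTP for the whole site.
// CANONICAL_HOST and the function names are illustrative assumptions.

const CANONICAL_HOST = 'forum.example';   // placeholder host name

function request_is_https(array $server)
{
    // Assumes TLS terminates on this host; behind a proxy, check the
    // proxy's forwarded-protocol header only if that proxy is trusted.
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

function start_secure_session(array $server)
{
    if (!request_is_https($server)) {
        // Redirect before any session exists. The host comes from config,
        // not from the client-supplied Host header.
        $path = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }
    // Ask browsers to use HTTPS for every later request to this host.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

    ini_set('session.use_only_cookies', '1');  // no session IDs in URLs
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // browser never sends the cookie over plain HTTP
        'httponly' => true,    // cookie is not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function on_login_success($userId)
{
    // Issue a fresh session ID at authentication so an ID seen before
    // login cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_secure_session($_SERVER);
```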
Old 03-29-2017, 05:05 PM   #99
gregorio
Carpal \'Tunnel
 
Join Date: Jan 2007
Posts: 26,585
Re: Does this site really not use https, and uses plaintext passwords?

Quote:
Originally Posted by AllCowsEatGrass View Post
Likewise with not having SSL/TLS - HTTPS, in 2017, what I noticed to be a full eight years after this thread was created, it's an increase in attack surface.
I wonder what the person who created this thread would say now if they knew 2p2 still wasn't using SSL.
Old 03-29-2017, 05:27 PM   #100
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,019
Re: Does this site really not use https, and uses plaintext passwords?

Semi-related:

With the new ISP law basically guaranteed to pass, I'm guessing this forum will see more VPN/VPS traffic. While the Canadian VPN I'm using on my phone works, the one on my desktop appears to be banned.

Doesn't seem like the site is banning all VPNs, but at least some are in there. Any options for that situation?

Powered by vBulletin®
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Copyright © 2008-2010, Two Plus Two Interactive
 
 