Two Plus Two Publishing LLC
Old 04-23-2017, 06:09 PM   #101
wellju
BSOD and racetrack Ninja
 
 
Join Date: Feb 2010
Location: ALL OF THEM
Posts: 5,247
Re: Does this site really not use https, and uses plaintext passwords?

Ok, is this really it?
The admins of this board just hide and act like nothing happened?

This level of sheer technical incompetence should be illegal. No one with that little idea about the industry he's in should be able to run a business in that particular industry.

Arguing that SSL would be too costly is the most ridiculous thing I ever heard. If you have ancient hardware not being able to handle CPU instructions from 1996, then go ****ing out of business. And if the hardware is newer than that ... when Google made the switch in 2012, they had a 2% traffic overhead.

Given the fact that users of this board exchange private information in PMs, you should ****ing care.

So now, for once, instead of coming up with bull**** excuses.

Show us that you salted and hashed your passwords. I'm eagerly awaiting the SQL report together with Trump's tax returns.
Old 04-24-2017, 09:21 AM   #102
Neil S
King of the sidebar
 
 
Join Date: Sep 2004
Location: Northern Virginia
Posts: 17,873
Re: Does this site really not use https, and uses plaintext passwords?

Again, conflating SSL and password hashing issues just discredits the whole movement.
Old 04-30-2017, 07:17 AM   #103
wellju
BSOD and racetrack Ninja
 
 
Join Date: Feb 2010
Location: ALL OF THEM
Posts: 5,247
Re: Does this site really not use https, and uses plaintext passwords?

Quote:
Originally Posted by Neil S View Post
Again, conflating SSL and password hashing issues just discredits the whole movement.

No, not saying one single word and making up excuses discredits the whole site and the management.

So once again, maybe you get it in your 3rd reading attempt.

This website is storing passwords in a database, in clear text. That's shady and fraudulent. I cannot be sure that the passwords even were hacked, if you leave the database unencrypted, I have to assume you're just willing to sell your user data to whomever, as there are no steps taken whatsoever to not compromise the data of your users.
Old 04-30-2017, 09:52 AM   #104
Neil S
King of the sidebar
 
 
Join Date: Sep 2004
Location: Northern Virginia
Posts: 17,873
Re: Does this site really not use https, and uses plaintext passwords?

Please tell me how installing https on the site would have anything to do with that, genius.
Old 04-30-2017, 12:10 PM   #105
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,171
Re: Does this site really not use https, and uses plaintext passwords?

Quote:
This website is storing passwords in a database, in clear text

[Citation Needed]
Old 04-30-2017, 02:10 PM   #106
Jbrochu
Carpal \'Tunnel
 
Join Date: Jan 2005
Posts: 15,082
Re: Does this site really not use https, and uses plaintext passwords?

Quote:
Originally Posted by Noodle Wazlib View Post
[Citation Needed]

Quote:
Originally Posted by wellju View Post
This website is storing passwords in a database, in clear text.
.
Old 04-30-2017, 02:40 PM   #107
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,171
Re: Does this site really not use https, and uses plaintext passwords?

Old 04-30-2017, 11:09 PM   #108
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,171
Re: Does this site really not use https, and uses plaintext passwords?

Here's that story about how google gives search priority to sites using https (from 3 years ago):

https://search.slashdot.org/story/14...use-encryption

So being secure is now a form of SEO. Bold move to reduce your own web traffic and keep your users and your site at risk as a business strategy.
Old 05-01-2017, 03:13 AM   #109
Bobo Fett
2+2 Ad Man
 
 
Join Date: May 2006
Location: Canada, eh!
Posts: 44,936
Re: Does this site really not use https, and uses plaintext passwords?

Quote:
Originally Posted by wellju View Post
This website is storing passwords in a database, in clear text. That's shady and fraudulent.

Even if the passwords were being stored in clear text, I fail to see what would be either shady or fraudulent about that.

What does seem a little...I won't say shady, but questionable...is continually asserting that the passwords are stored in clear text and avoiding people's questions about how you know that they are. I mean, I understand that it's entirely possible that you've missed other threads where 2+2 administration has posted that the passwords were encrypted, but I'd think that if you're going to assert that they are stored in clear text, you could share how you know this. Is Mat mistaken?

http://forumserver.twoplustwo.com/29...orums-1648366/

On the issue of SSL, this has come up in the mod forum before, and the last post I've seen from Chuck on the matter said that he was trying to find a solution for login only (he was concerned that implementing sitewide could cause some problems), and hadn't been able to find one yet. That was some time ago, so I'll see if he has an update on this.
Old 05-01-2017, 09:55 AM   #110
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,171
Re: Does this site really not use https, and uses plaintext passwords?

http://stackoverflow.com/questions/2...site-in-apache

One whole google search.

Also, please tell me mat was confusing hashing with encryption, because if he wasn't then the passwords were basically in clear text.
Old 05-01-2017, 10:09 AM   #111
Neil S
King of the sidebar
 
 
Join Date: Sep 2004
Location: Northern Virginia
Posts: 17,873
Re: Does this site really not use https, and uses plaintext passwords?

Just checked. vBulletin uses md5( md5(password) + salt) to store its passwords.

md5 has since been broken open, but "storing in plain text" is hyperbolic.
Old 05-01-2017, 10:19 AM   #112
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,171
Re: Does this site really not use https, and uses plaintext passwords?

Have there been attacks aside from collisions? I wouldn't be super worried about collisions given salts were used.

I mean, i know the heads of the crypto world consider md5 dead, but it's still decent protection (read: more than none) for a site like this.
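
The scheme named in post #111 and the question in #112 about what the salt buys, as an added example (not from any poster in this thread and not vBulletin's own code): the salt makes every stored hash unique, but each check still costs only two MD5 calls, so a site can wrap the hashes it already stores in PBKDF2 without knowing anyone's password. Assumptions: the inner digest is hex text concatenated with the salt, and the row layout, round count and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 600_000  # assumption: work factor picked for this example


def vb_legacy_hash(password: str, salt: str) -> str:
    """md5(md5(password) + salt); assumes hex digests joined as text."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def wrap_legacy(legacy_hex: str, wrap_salt: bytes) -> bytes:
    """Stretch an already-stored legacy hash; no plaintext password needed."""
    return hashlib.pbkdf2_hmac("sha256", legacy_hex.encode("ascii"),
                               wrap_salt, PBKDF2_ROUNDS)


def migrate_row(row: dict) -> dict:
    """Replace the fast hash in a user row with its PBKDF2-wrapped form."""
    wrap_salt = os.urandom(16)
    return {"user": row["user"], "salt": row["salt"], "wrap_salt": wrap_salt,
            "wrapped": wrap_legacy(row["hash"], wrap_salt)}


def verify(password: str, row: dict) -> bool:
    """Recompute legacy hash, then the wrapper, and compare in constant time."""
    legacy = vb_legacy_hash(password, row["salt"])
    return hmac.compare_digest(wrap_legacy(legacy, row["wrap_salt"]),
                               row["wrapped"])


def cost_ratio(samples: int = 2000) -> float:
    """How many times slower one wrapped check is than one legacy check."""
    t0 = time.perf_counter()
    for _ in range(samples):
        vb_legacy_hash("constructed-password", "s4lt")
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    wrap_legacy("0" * 32, b"constructed-salt")
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    # Constructed row standing in for one line of a user table.
    old = {"user": "alice", "salt": "a1B", "hash": vb_legacy_hash("hunter2", "a1B")}
    new = migrate_row(old)
    print(verify("hunter2", new), verify("guess", new), round(cost_ratio()))
```
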
Old 05-01-2017, 02:33 PM   #113
Mat Sklansky
Administrator
 
Join Date: Aug 2002
Location: This just seems ridiculous to me
Posts: 8,613
Re: Does this site really not use https, and uses plaintext passwords?

anything i said would have been me repeating something chuck said or i thought he said. i'm going to have him post in this thread addressing anything that needs to be addressed
Old 05-02-2017, 12:06 AM   #114
zikzak
Carpal \'Tunnel
 
 
Join Date: Jul 2009
Posts: 18,737
Re: Does this site really not use https, and uses plaintext passwords?

...8 years later.
Old 05-03-2017, 04:40 PM   #115
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,171
Re: Does this site really not use https, and uses plaintext passwords?

waiting for Chuck's first post in this thread for its entire 8 year existence
Old 05-03-2017, 05:41 PM   #116
Jbrochu
Carpal \'Tunnel
 
Join Date: Jan 2005
Posts: 15,082
Re: Does this site really not use https, and uses plaintext passwords?

He said something about salt and then went and smoked some hash.
Old 05-08-2017, 08:33 AM   #117
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,171
Re: Does this site really not use https, and uses plaintext passwords?

Chances we hear something this week?
Old 05-22-2017, 10:28 AM   #118
Noodle Wazlib
just about tolerable
 
 
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,171
Re: Does this site really not use https, and uses plaintext passwords?

Chances we hear something this month?
Old 05-28-2017, 10:48 AM   #119
Jbrochu
Carpal \'Tunnel
 
Join Date: Jan 2005
Posts: 15,082
Re: Does this site really not use https, and uses plaintext passwords?

June is coming soon.
Old 05-28-2017, 03:30 PM   #120
Mat Sklansky
Administrator
 
Join Date: Aug 2002
Location: This just seems ridiculous to me
Posts: 8,613
Re: Does this site really not use https, and uses plaintext passwords?

i'm not exactly sure why Chuck hasn't posted yet, but i do know he is doing something regarding these concerns. i believe he prefers posting after things happen, rather than getting caught up in a conversation about what he is researching/ doing.
Old 06-04-2017, 10:41 AM   #121
yeSpiff
adept
 
 
Join Date: Dec 2013
Location: ungovernable
Posts: 1,026
Re: Does this site really not use https, and uses plaintext passwords?

Old 07-23-2017, 02:55 PM   #122
Czech_Razor
centurion
 
Join Date: Sep 2003
Location: WY? Because it\'s empty.
Posts: 117
Forum Leaks Passwords

Logging in using Opera desktop browser warns me that the username / password fields transmit in plaintext and can be intercepted. See attached. Don't know, but this may be "the hack."



Old 07-23-2017, 08:12 PM   #123
AllCowsEatGrass
old hand
 
 
Join Date: Mar 2017
Posts: 1,498
Re: Does this site really not use https, and uses plaintext passwords?

Your web browser is just warning you that the login page is not using SSL/TLS encryption, meaning when you click 'login', your data is sent in plain text over the wire.

If someone were conducting a man-in-the-middle attack against you while you were logging in, they'd be able to get your username and password. Likewise, your ISP could easily get your username and password if they wanted to.

Web browsers have started displaying these warnings, which I think is a really good thing. Hopefully it will force sites that haven't even implemented SSL/TLS on login pages to start to implement encryption.

Yo twoplustwo, EFF's let's encrypt is free. Free certs backed by the Electronic Frontier Foundation. Dead simple to set up.
https://letsencrypt.org/
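
The condition behind the browser warning described in the post above can be checked from a page's own markup. An added example (not from any poster in this thread): it reports every form with a password field whose page or submit target lacks TLS, which also covers the "login only" arrangement mentioned earlier in the thread, where the form posts to HTTPS but the page carrying it does not. The host forum.example and the HTML samples are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScan(HTMLParser):
    """Collects each <form> action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._open is None:  # password field outside any <form>
                self.forms.append({"action": "", "password": True})
            else:
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_forms(page_url: str, html: str) -> list:
    """Return (submit_url, [issues]) for every form with a password field."""
    scan = FormScan()
    scan.feed(html)
    findings = []
    for form in (f for f in scan.forms if f["password"]):
        target = urljoin(page_url, form["action"])  # empty action -> page URL
        issues = []
        if urlsplit(page_url).scheme != "https":
            issues.append("login page served without TLS")
        if urlsplit(target).scheme != "https":
            issues.append("credentials submitted without TLS")
        findings.append((target, issues))
    return findings


# Constructed sample markup; forum.example is a placeholder host.
RELATIVE = '<form action="login.php?do=login"><input type="password" name="p"></form>'
HTTPS_POST = '<form action="https://forum.example/login.php"><input type="password" name="p"></form>'
SEARCH = '<form action="search.php"><input type="text" name="q"></form>'

if __name__ == "__main__":
    for url, page in [("http://forum.example/", RELATIVE + SEARCH),
                      ("http://forum.example/", HTTPS_POST), ("https://forum.example/", RELATIVE)]:
        print(url, audit_login_forms(url, page))
```
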
Old 07-23-2017, 08:31 PM   #124
_dave_
_Pooh_Bah_
 
Join Date: Feb 2005
Location: UK (or what remains of it)
Posts: 12,203
Re: Does this site really not use https, and uses plaintext passwords?

To those saying "it's super easy guys just do X" here's an interesting article for you to browse: https://nickcraver.com/blog/2017/05/...tack-overflow/

Quote:
Today, we deployed HTTPS by default on Stack Overflow. All traffic is now redirected to https:// and Google links will change over the next few weeks. The activation of this is quite literally flipping a switch (feature flag), but getting to that point has taken years of work.
Quote:
We began thinking about deploying HTTPS on Stack Overflow back in 2013. So the obvious question: It’s 2017. What the hell took 4 years?

In case anyone was wondering, yes this is the very same Stack Overflow mentioned here:

Quote:
Originally Posted by Noodle Wazlib View Post
Amazing they didn't just look on their own message board when the answer was right there


Note - I do of course agree Twoplustwo forums should implement HTTPS asap.
Old 07-23-2017, 09:25 PM   #125
Mat Sklansky
Administrator
 
Join Date: Aug 2002
Location: This just seems ridiculous to me
Posts: 8,613
Re: Does this site really not use https, and uses plaintext passwords?

we are actually in the middle of working on this issue. we meaning chuck, not me.



All times are GMT -4. The time now is 08:42 AM.


Powered by vBulletin®
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Copyright © 2008-2010, Two Plus Two Interactive
 
 