Does this site really not use https, and uses plaintext passwords?

03-20-2009 , 09:10 AM
You guys should add SSL encryption, well an option for it at least. I've come across forums that have this option, such as the defcon forums. 2+2 is a poker forum, and there's regularly transactions and transfers and stakes discussed in PMs I'm sure, and it would probably help to combat some of the scamming that goes on.

Option for secure login = good IMO
03-20-2009 , 09:22 AM
... plus you'd be (AFAIK) the only poker forum with https and it would be like a middle finger to the competitors amirite.

It's sort of a luxury. Give yourself something nice 2+2, you deserve it!
03-20-2009 , 09:39 AM
Please elaborate how https is going to protect people who decide to transfer with 34 post count noobs.
03-20-2009 , 09:41 AM
We'd have to upgrade from hamster to at least a medium-sized dog tho, with the extra overhead of traffic this generates.
03-20-2009 , 10:00 AM
Quote:
Originally Posted by MrWookie
Please elaborate how https is going to protect people who decide to transfer with 34 post count noobs.
It would secure the traffic, it wouldn't protect a user per se from a scammer, if you're dumb enough to fall for that **** there really ain't no helping you.
Liv there really hasn't been reports of people intercepting logins and traffic to steal user names and such. While I hate to agree with DB on anything I'm gonna have to give him the thumbs up here, it would be way too much overhead for this site to handle currently.
03-20-2009 , 10:20 AM
03-20-2009 , 10:56 AM
his back looks like a tarantulas back. Like a P. Regalis or something.
03-20-2009 , 11:17 AM
I look at that picture and say to myself "That is a simple sloth, it is not capable of smiling or looking satisfied, you are anthropomorphizing it" but I can't make my brain see it as anything other than a happy sloth.
03-20-2009 , 12:23 PM
lol yeah he's just cruisin.

... I still think it's a good idea though fwiw ... you know, if it's doable and won't affect things negatively, it's just one less possible security vulnerability.
03-20-2009 , 12:25 PM
It looks like a flattened, happy wookie face.
03-20-2009 , 12:26 PM
lol he is a bit wookieish isn't he.
05-12-2012 , 09:45 AM
bump!
05-12-2012 , 10:54 AM
(1) Hang a packet sniffer on the Rio's LAN next month.

(2) Slurp up all the 2p2ers' logins and passwords you can.

(3) ????

(4) Profit!
05-12-2012 , 11:00 AM
The only practical thing HTTPS is good for is preventing someone from snooping your local wireless or your local LAN, and capturing your traffic there. If you have that concern then make sure you use strong encryption on your home wireless protocol. Beyond that point there is an infinitesimal chance anyone who works on and has access to the Internet transfer pipes would ever be interested in your traffic. Scammers/spammers don't obtain account credentials that way.
05-12-2012 , 11:05 AM
Having https is just best practice imo. But so is not storing your passwords in a decryptable format so what do I know.
05-12-2012 , 11:13 AM
Is there a reason not to use https? It seems that sniffing for 2p2 passwords at public hotspots like casinos and such could happen.
05-12-2012 , 11:20 AM
Quote:
Originally Posted by AlanBostick
(1) Hang a packet sniffer on the Rio's LAN next month.

(2) Slurp up all the 2p2ers' logins and passwords you can.

(3) ????

(4) Profit!


Hey Bostick! I got the idea to bump this thread when I saw your post in the fish forum!

One of your posts responding to me there many moons ago was very nut imo. Impossible to find though :/

It wasn't my thread, someone asking about reading hands I think, I talked about a flush draw example and you responded talking about like taking a further view and thinking about what all he could have with this line iirc. Can't remember the details though. Wish I would have saved the post.
05-12-2012 , 12:29 PM
First thing I tried when 2+2 came back was to see if SSL was now possible. Nope. Security fail.

Second thing I did was reply to a LirvA thread? Oh dear.
05-12-2012 , 01:31 PM
05-12-2012 , 02:51 PM
Quote:
Originally Posted by atakdog
Is there a reason not to use https? It seems that sniffing for 2p2 passwords at public hotspots like casinos and such could happen.
It's resource-intensive to do HTTPS. But 2+2 needs to bite that bullet (if ever they get the normal, everyday forum stuff working again reliably).
05-12-2012 , 03:19 PM
How resource-intensive is it to use https to process logins but serve up the forum pages in cleartext? What fraction of transactions processed by the server are logins?
05-13-2012 , 01:15 AM
Quote:
Originally Posted by AlanBostick
How resource-intensive is it to use https to process logins but serve up the forum pages in cleartext? What fraction of transactions processed by the server are logins?
Securing just logins and password changes will help, but there's the issue of sniffed auth cookies. Basically, if you do all the work of securing the userid and password, but then set a cookie with seKret stuff in it and pass that in plaintext, you're at least potentially allowing an attacker to see that cookie and use it to spoof that user for the duration of that session.

http://arstechnica.com/business/2011...-web-using-it/
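The cookie problem described in the post above, as an added example that is not part of the original thread: a login served over HTTPS sets cookies, and the model shows which of them a browser would still attach to a later cleartext request. The cookie names and values are constructed for illustration.

```python
# Added example: constructed Set-Cookie values; cookie names are hypothetical.
LOGIN_RESPONSE_HEADERS = [
    "session_id=3f9a1c0b; Path=/; HttpOnly",          # no Secure flag
    "auth_token=ab12cd34; Path=/; Secure; HttpOnly",  # HTTPS only
    "theme=dark; Path=/",                             # not sensitive
]
SENSITIVE = {"session_id", "auth_token"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def build_jar(headers):
    """Cookie jar as a browser would hold it after the HTTPS login."""
    return {name: attrs for name, _, attrs in map(parse_set_cookie, headers)}


def cookies_sent(jar, scheme):
    """Cookies attached to a request: Secure ones go only over https."""
    return [n for n, a in jar.items() if scheme == "https" or "secure" not in a]


def audit(jar, sensitive=SENSITIVE):
    """Sensitive cookies missing the Secure or HttpOnly attribute."""
    findings = {}
    for name, attrs in jar.items():
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if name in sensitive and missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    jar = build_jar(LOGIN_RESPONSE_HEADERS)
    print("sent over http: ", cookies_sent(jar, "http"))
    print("sent over https:", cookies_sent(jar, "https"))
    print("audit findings: ", audit(jar))
```

A session cookie that shows up in the `http` list is readable by anyone on the same network segment, even though the password itself was never sent in cleartext.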
05-13-2012 , 01:27 AM
Quote:
Originally Posted by bav
Basically, if you do all the work of securing the userid and password, but then set a cookie with seKret stuff in it and pass that in plaintext, you're at least potentially allowing an attacker to see that cookie and use it to spoof that user for the duration of that session.
twss
05-13-2012 , 06:39 AM
Quote:
Originally Posted by Brons
Having https is just best practice imo. But so is not storing your passwords in a decryptable format so what do I know.
Although there has been mention of 'decrypting passwords' this may not be an accurate description of what happened.

Passwords are usually stored by a method that would more properly be termed 'hashed' than 'encrypted'.

The algorithm used is designed to be non-reversible. This is fairly easy to achieve. It takes the characters of the password and creates an integer (strictly, a certain number of bits), that can be compared. This does mean, however, that if you know the algorithm and the hashed password, whilst you may not be able to determine the actual password, you can reasonably easily find another password that hashes to the same value. Then you can use that password to log in to the account in question.
05-13-2012 , 10:27 AM
Yeah, I assumed that they were talking about hashed passwords that got rainbow table'ed. But, there are defenses against rainbow tables that make it impractical to de-hash passwords. They apparently didn't do this so I don't think it's unreasonable to think they won't use SSL either.
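The usual defense against the rainbow tables mentioned in the post above is a random per-user salt combined with a deliberately slow hash. The following is an added example, not part of the original thread, that stores the same passwords both ways and checks each store for repeated values; the user names, passwords, record format and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # assumed work factor, tune for your hardware


def unsalted_digest(password):
    """Fast unsalted hash: one password always maps to one stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _, _ = record.partition("$")
    candidate = salted_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def repeated_values(stored):
    """Stored values shared by several accounts, a sign of missing salts."""
    return {v: n for v, n in Counter(stored.values()).items() if n > 1}


# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "aces-full"}
UNSALTED_DB = {user: unsalted_digest(pw) for user, pw in USERS.items()}
SALTED_DB = {user: salted_record(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("unsalted repeats:", len(repeated_values(UNSALTED_DB)))
    print("salted repeats:  ", len(repeated_values(SALTED_DB)))
    print("alice verifies:  ", verify("hunter2", SALTED_DB["alice"]))
```

Because every record carries its own salt, a table precomputed for one record says nothing about any other, and the iteration count makes each guess expensive.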
