Does this site really not use https, and uses plaintext passwords?

01-08-2017 , 08:10 PM
FWIW https probably would not have prevented this particular problem
01-09-2017 , 08:16 PM
It's 2017 guys. Passwords should not be sent over plaintext.
01-09-2017 , 09:09 PM
Geez... you would figure 2+2 would have learned the first time......and still no ssl?
01-12-2017 , 07:13 AM
It's time for this site to implement better security features. They can use https to prevent this kind of hacking. 2+2 is the most talked about on other forum sites because of the incident that happened.
01-12-2017 , 09:45 AM
You don't know that.
01-12-2017 , 12:10 PM
from the announcement atop the forums:

Quote:
It is also our opinion that this was not a problem with the software which runs our forums. We and the vendor (vbulletin) are of the belief that it is safe and secure. Rather it was an issue with some auxiliary software on our servers which are located at Rackspace, INC. Steps have been taken, believed successful, to ensure as much as possible such problems do not reoccur.
https pretty obviously has nothing to do with this breach, any more than not requiring 25 character passwords does.
01-13-2017 , 10:00 AM
Quote:
Originally Posted by jonc
It's 2017 guys. Passwords should not be sent over plaintext.
uh, they aren't, and haven't been at least since the site has been on vB, and probably even before that.
02-01-2017 , 05:52 PM
HTTPS adoption has reached the tipping point

https://www.troyhunt.com/https-adopt...tipping-point/
02-01-2017 , 07:34 PM
Doesn't google give search result preference to sites that use https?
02-06-2017 , 11:24 AM
I have to vote for not adopting https because when I log into public wifi through an https website my phone screams HAX and it doesn't work.
03-02-2017 , 06:51 PM
Just logged into 2+2 for 2nd time today. And I notice the site is not https; and in the Chrome address bar it says "connection to the site is not secure".

Any other site I open does not show this.
Better check it out.
03-04-2017 , 10:28 AM
Quote:
Originally Posted by rarerabbit
Just logged into 2+2 for 2nd time today. And I notice the site is not https; and in the Chrome address bar it says "connection to the site is not secure".

Any other site I open does not show this.
Better check it out.
I was on a computer with Chrome yesterday, came here several times, and never got that message.
03-04-2017 , 02:43 PM
Quote:
Originally Posted by Alternate Identity
I was on a computer with Chrome yesterday, came here several times, and never got that message.
Look in the Chrome address bar. See the little exclamation point in the circle before the 2+2 address? Click on it.
03-04-2017 , 03:20 PM
Not sure why, but I don't even need to click on it for 2p2


It's not specific to 2p2; any site that doesn't use ssl/https gets that warning but it usually just shows (i). Sites with ssl/https show "Secure" in the address bar.
03-04-2017 , 04:36 PM
Mine looks just like your image (lock with "secure" text) on secure sites, but only the symbol without text on non-secure sites. Maybe a difference in settings or versions -- although I'm pretty sure I'm on the latest version.
03-25-2017 , 02:14 PM
Quote:
Originally Posted by ProfessorSlot
It's time for this site to implement better security features. They can use https to prevent this kind of hacking. 2+2 is the most talked about on other forum sites because of the incident that happened.
There's no such thing as bad publicity.
03-25-2017 , 03:02 PM
https wouldn't even prevent someone from getting access to the database.
03-26-2017 , 01:32 PM
This site is php-based, so upgrading to 5.5, if they aren't already using it, and implementing the safe, standard bcrypt hashing function would prevent the password db getting stolen from mattering.
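The bcrypt suggestion in the post above, as an added example that is not part of the thread and is not the forum's or vBulletin's code: a login check that verifies with PHP's `password_verify()` and moves old rows to bcrypt at the next successful login. The row layout, the `md5(password . salt)` legacy scheme and the function names are assumptions.

```php
<?php
// Added example. The row layout and the legacy md5(password . salt) scheme are
// assumptions for illustration, not this forum's actual storage.
// password_* functions need PHP >= 5.5; hash_equals() needs PHP >= 5.6.

function bcrypt_options() {
    return array('cost' => 12); // work factor; raise it as hardware gets faster
}

// Returns the hash to store after a successful login, or false on a bad password.
function verify_and_upgrade($password, array $user) {
    $stored = $user['hash'];

    if (strpos($stored, '$2y$') === 0) {
        // Already bcrypt: password_verify() reads the salt and cost from the hash.
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Re-hash only when the stored cost differs from current policy.
        if (password_needs_rehash($stored, PASSWORD_BCRYPT, bcrypt_options())) {
            return password_hash($password, PASSWORD_BCRYPT, bcrypt_options());
        }
        return $stored;
    }

    // Legacy row: fast salted MD5, compared in constant time.
    if (!hash_equals($stored, md5($password . $user['salt']))) {
        return false;
    }
    // The plaintext is only available at login, so upgrade the row now.
    return password_hash($password, PASSWORD_BCRYPT, bcrypt_options());
}

// Constructed sample rows: one legacy, one bcrypt with a too-low cost.
$legacy = array('salt' => 'x9Q', 'hash' => md5('correct horse' . 'x9Q'));
$weak = array('hash' => password_hash('correct horse', PASSWORD_BCRYPT, array('cost' => 4)));

$upgraded = verify_and_upgrade('correct horse', $legacy);
echo "legacy row now bcrypt: ", var_export(strpos($upgraded, '$2y$12$') === 0, true), "\n";
echo "wrong password rejected: ", var_export(verify_and_upgrade('wrong', $legacy) === false, true), "\n";
$rehashed = verify_and_upgrade('correct horse', $weak);
echo "low-cost hash replaced: ", var_export($rehashed !== $weak['hash'], true), "\n";
```

`PASSWORD_BCRYPT` truncates input at 72 bytes, so a maximum password length enforced at registration should take that into account.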
03-29-2017 , 10:10 AM
Is this serious in here?

Are you really arguing why you should not use any form of encryption, after this ****ty server gets hacked every other week?

All right, whoever told you that you need a new server for SSL, who was that and why would you listen to him? The traffic overhead is 2% and the cpu usage is neglectable, especially.

You cheap bastards could get the SSL license for free nowadays.

If anything costs you performance, it's this ****ty version of this ****ty board software.

And all those "meh, ppl being scammed anyhow". What in the heck has that to do, with my passwords being transmitted in clear type?

Also, how, and really, answer this. How did you ever think storing passwords in clear type is ok, or legal for that matter?
03-29-2017 , 10:27 AM
It's so cute when people get indignant who have no clue about the technologies and threats involved, and what would fix them or not fix them.

Hint: If you think SSL on the website has anything to do with password storage, you have nothing to contribute to the topic.
03-29-2017 , 11:51 AM
It's so cute when people jump to conclusions without the proper reading comprehension.

This site is storing passwords in clear text. Storing passwords within a database, not as a hash, is against any technical standards and ethics.

So, instead of trying to avoid the topic by being so easily offended.

What are your arguments against basic encryption?
How do you argue that storing clear text passwords in a database is not shady?
03-29-2017 , 04:02 PM
Have we confirmed passwords were not hashed before storage?

Either way, if passwords are sent in clear text then any mod who can see an admin's IP address could easily steal that admin's password. It's like one command in Linux.
03-29-2017 , 04:30 PM
Quote:
Originally Posted by wellju
This site is storing passwords in clear text.

How do you know they're stored in plain text?

Regarding SSL/TLS - HTTPS, I think one thing people don't have an understanding of is attack surface. Think of a house; if you have a brick house with only one door, there is a very small attack surface, being the door. The lock could be vulnerable to picking, the wood could be vulnerable to a battering ram, but overall the attack surface for the house is very small. Once you start adding more doors and windows, your attack surface increases.

If they store passwords in plain text, that's an increase in the attack surface. If someone is able to successfully perform SQL injection and dump the database, their work is done and they don't even have to bother with decrypting passwords.

Likewise with not having SSL/TLS - HTTPS, in 2017, what I noticed to be a full eight years after this thread was created, it's an increase in attack surface. Not even the login page is secure, so users logging in via public wifi are vulnerable to a simple man in the middle attack. But even if the login page was secure, but only the login page, users would still be vulnerable to session cookie hijacking.

If the server is running an outdated version of PHP, that's likewise another increase in attack surface.

The problem with trying to defend a web server is like the problem defenses face in American football; the advantage goes to the attacker (offense). The defender has to defend a myriad of different attack vectors, but the attacker just has to successfully exploit one vector. When you have a very large attack surface, there are more opportunities for attackers to find a successful attack vector, so anything and everything you can do to decrease your attack surface is a good thing, and failing to try to decrease the attack surface is negligence.
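The post above notes that protecting only the login page still leaves the session cookie exposed. As an added example that is not part of the thread and is not the forum's code, here is a PHP bootstrap that keeps the session cookie off plain HTTP entirely. The function names, the canonical host parameter and the one-year HSTS lifetime are assumptions, and it assumes TLS terminates on the web server so that `$_SERVER['HTTPS']` is set.

```php
<?php
// Added example for a web SAPI; call before any output is sent.
// $canonicalHost is a configured value (assumption), not taken from the request,
// so a forged Host header cannot steer the redirect.

function start_https_only_session($canonicalHost) {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    if (!$https) {
        // Plain HTTP: do not read or issue a session, send the browser to HTTPS.
        header('Location: https://' . $canonicalHost . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }

    // Ask the browser to use HTTPS for every later request to this host.
    header('Strict-Transport-Security: max-age=31536000');

    // Arguments: lifetime, path, domain, secure, httponly.
    // secure = true: the cookie is never attached to an http:// request.
    // httponly = true: the cookie is not readable from page script.
    session_set_cookie_params(0, '/', '', true, true);
    ini_set('session.use_only_cookies', '1'); // no session ids in URLs
    session_start();
}

function on_login_success() {
    // Issue a fresh session id after authentication and delete the old one,
    // so an id seen before login is useless afterwards.
    session_regenerate_id(true);
}
```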
03-29-2017 , 05:05 PM
Quote:
Originally Posted by AllCowsEatGrass
Likewise with not having SSL/TLS - HTTPS, in 2017, what I noticed to be a full eight years after this thread was created, it's an increase in attack surface.
I wonder what the person who created this thread would say now if they knew 2p2 still wasn't using SSL.
03-29-2017 , 05:27 PM
Semi-related:

With the new ISP law basically guaranteed to pass, I'm guessing this forum will see more VPN/VPS traffic. While the Canadian VPN I'm using on my phone works, the one on my desktop appears to be banned.

Doesn't seem like the site is banning all VPNs, but at least some are in there. Any options for that situation?