Quote:
Originally Posted by wellju
This site is storing passwords in clear text.
How do you know they're stored in plain text?
Regarding SSL/TLS - HTTPS, I think one thing people don't have an understanding of is attack surface. Think of a house; if you have a brick house with only one door, there is a very small attack surface, being the door. The lock could be vulnerable to picking, the wood could be vulnerable to a battering ram, but overall the attack surface for the house is very small. Once you start adding more doors and windows, your attack surface increases.
If they store passwords in plain text, that's an increase in the attack surface. If someone is able to successfully perform SQL injection and dump the database, their work is done and they don't even have to bother with decrypting passwords.
Likewise with not having SSL/TLS - HTTPS, in 2017, what I noticed to be a full eight years after this thread was created, it's an increase in attack surface. Not even the login page is secure, so users logging in via public Wi-Fi are vulnerable to a simple man-in-the-middle attack. But even if the login page was secure, but only the login page, users would still be vulnerable to session cookie hijacking.
If the server is running an outdated version of PHP, that's likewise another increase in attack surface.
The problem with trying to defend a web server is like the problem defenses face in American football; the advantage goes to the attacker (offense). The defender has to defend a myriad of different attack vectors, but the attacker just has to successfully exploit one vector. When you have a very large attack surface, there are more opportunities for attackers to find a successful attack vector, so anything and everything you can do to decrease your attack surface is a good thing, and failing to try to decrease the attack surface is negligence.
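Added example (not part of the original post or the site's code): a sketch of what a dumped user table exposes when passwords are stored in clear text versus as salted scrypt keys. The table names, sample users and scrypt cost parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed scrypt cost parameters for this example; tune them for real hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

# Fixed queries standing in for "the attacker dumped the table".
DUMPS = {
    "plain": "SELECT name, password FROM users_plain ORDER BY name",
    "hashed": "SELECT name, salt, pw_key FROM users_hashed ORDER BY name",
}

def hash_password(password, salt=None):
    """Return (salt, key); a fresh random salt is generated per user."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt, key

def verify_password(password, salt, stored_key):
    """Re-derive the key with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)

def build_demo_db():
    """In-memory database holding the same constructed users in both schemes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")
    db.execute("CREATE TABLE users_hashed (name TEXT, salt BLOB, pw_key BLOB)")
    for name, pw in [("alice", "correct horse"), ("bob", "correct horse")]:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        salt, key = hash_password(pw)
        db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (name, salt, key))
    return db

def dump(db, which):
    """Rows as they would appear in a leaked copy of the table."""
    return db.execute(DUMPS[which]).fetchall()

def login(db, name, password):
    """Check a login attempt against the hashed table only."""
    row = db.execute(
        "SELECT salt, pw_key FROM users_hashed WHERE name = ?", (name,)
    ).fetchone()
    return row is not None and verify_password(password, row[0], row[1])

if __name__ == "__main__":
    db = build_demo_db()
    print("plain dump :", dump(db, "plain"))
    print("hashed dump:", [(n, s.hex(), k.hex()) for n, s, k in dump(db, "hashed")])
```

The per-user salt means two accounts with the same password produce different stored keys, so the hashed dump does not even reveal password reuse.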