Re: Username/password Encryption

Posted: September 9th, 2013, 2:03 pm
by dfunk
Exactly what 'packets' are you referring to? Are you talking about posted header vars? Passwords are not stored in plain text, which is why admins can't simply tell you what it is. I don't think I've ever seen an example of any site, big or small, attempt to encrypt login data before it reaches the server.
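
The point above about stored passwords, as an added example that is not part of the thread: a site keeps a salted, slow hash rather than the password itself, so an admin looking at the database can verify a login attempt but cannot read the password back. This is example code written for this page, not the forum software's own implementation; the record format and the `hunter2` sample value are assumptions chosen for illustration.

```python
"""Added example: storing a password so that even site admins cannot recover it."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt$digest' (hex).

    A fresh random salt per user means two users with the same password get
    different records, so cracking one record says nothing about the other,
    and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def password_is_recoverable(record: str, password: str) -> bool:
    """What an admin sees in the database is the record, not the password.

    Returns True only if the plaintext appears inside the stored record,
    which a correct scheme never allows.
    """
    return password in record


if __name__ == "__main__":
    rec = hash_password("hunter2")  # constructed sample password
    print(rec)
    print("correct password verifies:", verify_password("hunter2", rec))
    print("wrong password verifies:  ", verify_password("hunter3", rec))
    print("admin can read it back:   ", password_is_recoverable(rec, "hunter2"))
```

Because the salt is random, the same password hashed twice yields two different records; verification still works because the salt travels inside the record. The only thing an admin can do for a user who forgot a password is issue a reset, exactly as the post says.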

Re: Username/password Encryption

Posted: September 9th, 2013, 9:51 pm
by snailman153624
Yes, I'm referring to the traffic from a client to the server, not the stored passwords.

As an example, Google recently switched to using SSL encryption for logins, precisely because a 3rd party could snoop packets if they were along the route between a client and the server, or on an unencrypted wireless connection. This scenario is commonly encountered at WiFi hotspots at hotels and airports; anyone with a WiFi card can capture all of the wireless traffic going on around them, then do a simple search for the word "password" in the packets and find login information for lots of sites.

I agree many sites don't encrypt the login process, and I think it's a vulnerability.
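
The exposure described above, as an added example that is not part of the post: a login POST sent over plain HTTP carries the form fields in readable text, so any station on the same hotspot that records the frames has them. The block below is example code written for this page (not the forum's own code); the raw request, the HTML snippet and the host name `forum.example` are constructed samples. It shows two checks a site operator can run: flag password fields that a captured HTTP request exposes in cleartext, and audit a page's login forms so that every form with a password input submits to an `https` URL.

```python
"""Added example: cleartext login exposure and two operator-side checks."""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urljoin, urlparse

PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}

# Constructed sample: an unencrypted login POST as it appears on the wire.
SAMPLE_HTTP_POST = (
    b"POST /ucp.php?mode=login HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&login=1"
)

# Constructed sample: what the same request looks like inside a TLS
# application-data record (opaque bytes; the real payload is ciphertext).
SAMPLE_TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(32))


def cleartext_password_fields(raw_request: bytes) -> List[str]:
    """Return the names of password fields readable in a captured request.

    Over plain HTTP the form body is parseable and the field names come back;
    inside TLS there is no readable request line or body, so nothing is found.
    """
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return []
    headers = [h.lower() for h in head.decode("latin-1").split("\r\n")[1:]]
    if not any(h.startswith("content-type: application/x-www-form-urlencoded") for h in headers):
        return []
    fields = parse_qs(body.decode("latin-1"))
    return sorted(name for name in fields if name.lower() in PASSWORD_FIELDS)


class LoginFormAuditor(HTMLParser):
    """Collect every <form> and whether it contains a password input."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.forms: List[Dict[str, object]] = []
        self._current: Optional[Dict[str, object]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the scheme of the page it lives on.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url: str, html: str) -> List[str]:
    """Return action URLs of password forms that do not submit over https."""
    auditor = LoginFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return [
        str(f["action"])
        for f in auditor.forms
        if f["has_password"] and urlparse(str(f["action"])).scheme != "https"
    ]


# Constructed sample page: one login form with a relative action, one search form.
SAMPLE_HTML = """
<form action="/ucp.php?mode=login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form action="https://forum.example/search.php" method="get">
  <input type="text" name="keywords">
</form>
"""

if __name__ == "__main__":
    print("exposed over HTTP:", cleartext_password_fields(SAMPLE_HTTP_POST))
    print("exposed inside TLS:", cleartext_password_fields(SAMPLE_TLS_RECORD))
    print("insecure forms on http page:", insecure_login_forms("http://forum.example/index.php", SAMPLE_HTML))
    print("insecure forms on https page:", insecure_login_forms("https://forum.example/index.php", SAMPLE_HTML))
```

The form audit deliberately resolves relative actions against the page URL: the same HTML is insecure when served over `http` and fine when served over `https`, which is why the fix is to serve the login page itself over TLS, not just to point the form at an `https` URL.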

Re: Username/password Encryption

Posted: September 13th, 2013, 9:47 am
by dfunk
While I appreciate your concern, I would say that there are a few things to keep in mind -

This site isn't intended to handle any sensitive data other than your email address. There are no financial transactions taking place, no sensitive data exchanges, no linked accounts. You have a responsibility as the account owner and site user to not send/post/PM credit card info, physical addresses, and other personally identifiable information. There's no way we can be held responsible in the event that a user divulges that kind of data. We don't ask for it, don't need it, and never will.

If you're concerned about people sniffing packets on your own network, then it's your job as the network admin/owner to be sure it's locked down. If you're worried about people sniffing packets on public wi-fi spots, I would say that your concerns are legitimate; however, this site isn't as much a target for those types of people when compared to email services, financial institutions, and other commerce-related activity. If you're not actually talking packets, but are talking about looking at developer consoles inside the browser, then this is totally different. Just throwing that out there.

In the end, it (mostly) comes down to economics. Does it make sense to pay for the SSL cert every year to encrypt login information to a small forum? At this point, I personally don't think so, but I welcome anyone to chime in. This is, after all, a public forum run for the people that make it up.

Have a nice weekend!