      08-27-2017, 04:14 PM   #1
F32Fleet
Site security.

When will the website be upgraded to HTTPS? Jason Mark
__________________
"Drive more, worry less. "

435i, MPPK, MPE, M-Sport Line
      08-27-2017, 10:05 PM   #2
The Wind Breezes
You're right. I just performed a packet capture of the site and login credentials are sent in plaintext, although the username is hashed to MD5. Not so good, and worse, it's a hash WITHOUT A SALT! So it would be really easy to decode most users' passwords if you could grab their traffic. Or someone could insert their own page.
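
The contrast behind the "without a salt" complaint in post #2, as an added example that is not part of the original thread and not the site's own code: a bare MD5 digest next to a per-account salted PBKDF2 record. The function names, the iteration count and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune for your hardware

def unsalted_md5(password: str) -> str:
    """Weak scheme from the post: bare MD5, no salt, one fast hash call."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def new_record(password: str) -> dict:
    """Hardened storage: fresh random salt per account plus a slow KDF."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": derived}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(derived, record["hash"])

def compare_schemes() -> dict:
    # Constructed sample data: two hypothetical accounts sharing one password.
    password = "correct horse battery staple"
    md5_alice, md5_bob = unsalted_md5(password), unsalted_md5(password)
    rec_alice, rec_bob = new_record(password), new_record(password)
    return {
        # Same password gives the same digest for every user on every site using
        # this scheme, so an observed digest can be matched against precomputed tables.
        "md5_digests_identical": md5_alice == md5_bob,
        # Per-account salts make equal passwords produce unrelated values.
        "salted_hashes_identical": rec_alice["hash"] == rec_bob["hash"],
        "right_password_verifies": verify(password, rec_alice),
        "wrong_password_verifies": verify("not the password", rec_alice),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

Neither scheme protects a login sent over plain HTTP; the salted record only hardens what the server stores, so the password still has to travel over HTTPS.
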
      08-29-2017, 09:14 PM   #3
F32Fleet
Quote:
Originally Posted by The Wind Breezes
You're right. I just performed a packet capture of the site and login credentials are sent in plaintext, although the username is hashed to MD5. Not so good, and worse, it's a hash WITHOUT A SALT! So it would be really easy to decode most users' passwords if you could grab their traffic. Or someone could insert their own page.
I don't think the admins are interested in commenting about this.
      08-29-2017, 09:29 PM   #4
c1pher
They have to read up on it......
      08-30-2017, 09:02 AM   #5
F32Fleet
Quote:
Originally Posted by Railgun
There aren't many that do, and surely, if you're concerned about security, your username and pw are different on this site to every other one.

Additionally, you’d not have posted anything that IDs you...pics with your plate, real name, etc.

Thus, it’s a non issue.
Others have. IJS
      08-30-2017, 03:25 PM   #6
The Wind Breezes
Quote:
Originally Posted by Railgun
your username and pw are different on this site to every other one.
That tends to not be the case in practice. Also SSL certificates are very cheap. The site's owners probably don't care since they haven't had a big issue with fake / hijacked accounts and this site is a minimum-budget venture.