Author Topic: AltBinz Login = SSL?  (Read 3556 times)

Offline eternal

  • Contributor
  • ***
  • Posts: 4
AltBinz Login = SSL?
« on: April 05, 2011, 12:39:17 pm »
Hi guys,
I would like to know if my login to AltBinz on program-startup is SSL-encrypted,
so my board-account can't be sniffed (for example through proxy).

Thanks,
eternal

Offline argv[0]

  • Contributor
  • ***
  • Posts: 19
Re: AltBinz Login = SSL?
« Reply #1 on: April 05, 2011, 09:18:26 pm »
I'll have to check again to confirm it, but I do not believe so.

https://www.altbinz.net/forum/index.php?topic=3963.0

Offline argv[0]

  • Contributor
  • ***
  • Posts: 19
Re: AltBinz Login = SSL?
« Reply #2 on: April 06, 2011, 03:29:31 am »
Confirmed; user and uid are sent in the clear, pass and mid are hashed.

POST /auth.php HTTP/1.1  (application/x-www-form-urlencoded)

Cookie: user=username; pass=40-char-hex; mid=32-char-hex; uid=forum-user-id-number

Offline eternal

  • Contributor
  • ***
  • Posts: 4
Re: AltBinz Login = SSL?
« Reply #3 on: April 06, 2011, 11:24:58 am »
After I read your thread and your post here,
I'm not sure if I could use Tor safely?
Would you suggest doing so?
Is the hash randomized now?

Thank you!

Offline argv[0]

  • Contributor
  • ***
  • Posts: 19
Re: AltBinz Login = SSL?
« Reply #4 on: April 06, 2011, 03:58:23 pm »
It's hard to say.

Experimenting with the authentication mechanism is most certainly prohibited.

We'll have to wait for official information.

Offline Megalith

  • Contributor
  • ***
  • Posts: 1
Re: AltBinz Login = SSL?
« Reply #5 on: April 12, 2011, 03:33:38 am »
What exactly are the repercussions of this in terms of security?

That someone will have access to your forum account and ability to use the latest alt.binz versions? Or worse?

The whole login process that occurs when you start up alt.binz has me a little bit paranoid, to be honest.


Offline Rdl

  • Administrator
  • *****
  • Posts: 4050
Re: AltBinz Login = SSL?
« Reply #6 on: April 12, 2011, 09:36:21 am »
Password is not sent. Only password hash is sent.

Offline Hecks

  • Contributor
  • ***
  • Posts: 2011
  • naughty cop
Re: AltBinz Login = SSL?
« Reply #7 on: April 13, 2011, 12:36:47 am »
The security implications are limited, as discussed in the other thread. Although it's unlikely to happen, some protection from anyone trying to foobar a user's authentication by the server would be welcome (beyond the obvious evidence of the logs). But this is a problem no matter if sent over SSL or not, as long as real user names and uids are used ...
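
Added example, not part of the thread and not AltBinz code: a local simulation of why the fixed hash in the Cookie header of Reply #2 works as a password-equivalent when seen on a plaintext link, next to a per-login nonce scheme of the kind Reply #3 asks about ("Is the hash randomized now?"). The class and function names are hypothetical, and SHA-1 is an assumption based only on the 40-character length; the thread does not name the algorithm.

```python
import hashlib
import hmac
import secrets


def stored_hash(password: str) -> str:
    # Assumption: a 40-hex-char value is SHA-1 sized; the real algorithm is unknown.
    return hashlib.sha1(password.encode()).hexdigest()


def respond(pass_hash: str, nonce: str) -> str:
    # Client proof for one login: keyed MAC of the server's nonce.
    return hmac.new(bytes.fromhex(pass_hash), nonce.encode(), hashlib.sha256).hexdigest()


class StaticHashServer:
    """Scheme as described in Reply #2: the same hash is sent on every login."""
    def __init__(self, users):
        self.users = users  # user -> stored hash

    def login(self, user, pass_hash):
        return hmac.compare_digest(self.users.get(user, ""), pass_hash)


class ChallengeServer:
    """Hardened variant: the hash never crosses the wire, only a one-time proof."""
    def __init__(self, users):
        self.users = users
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def login(self, user, response):
        nonce = self.pending.pop(user, None)  # each nonce is single use
        if nonce is None or user not in self.users:
            return False
        return hmac.compare_digest(respond(self.users[user], nonce), response)


def demo():
    users = {"alice": stored_hash("constructed-password")}  # constructed sample data
    observed = users["alice"]  # value visible to anyone on the plaintext path
    static_replay = StaticHashServer(users).login("alice", observed)
    server = ChallengeServer(users)
    proof = respond(users["alice"], server.challenge("alice"))
    first_use = server.login("alice", proof)
    server.challenge("alice")  # a later session gets a fresh nonce
    replayed = server.login("alice", proof)
    return static_replay, first_use, replayed  # (True, True, False)
```

The nonce only stops replay of a captured login; the user name and uid would still be readable without TLS, which is the point made in Reply #7.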