Alt.Binz forum
Alt.Binz (English) => Help => Topic started by: eternal on April 05, 2011, 12:39:17 pm
-
Hi guys,
I would like to know if my login to AltBinz on program startup is SSL-encrypted,
so my board account can't be sniffed (for example through a proxy).
Thanks,
eternal
-
I'll have to check again to confirm it, but I do not believe so.
https://www.altbinz.net/forum/index.php?topic=3963.0
-
Confirmed; user and uid are sent in the clear, pass and mid are hashed.
POST /auth.php HTTP/1.1 (application/x-www-form-urlencoded)
Cookie: user=username; pass=40-char-hex; mid=32-char-hex; uid=forum-user-id-number
-
After I read your thread and your post here,
I'm not sure if I could use Tor safely.
Would you suggest doing so?
Is the hash randomized now?
Thank you!
-
It's hard to say.
Experimenting with the authentication mechanism is most certainly prohibited.
We'll have to wait for official information.
-
What exactly are the repercussions of this in terms of security?
That someone will have access to your forum account and the ability to use the latest alt.binz versions? Or worse?
The whole login process that occurs when you start up alt.binz has me a little bit paranoid, to be honest.
-
Password is not sent. Only password hash is sent.
-
The security implications are limited, as discussed in the other thread. Although it's unlikely to happen, some protection from anyone trying to foobar a user's authentication by the server would be welcome (beyond the obvious evidence of the logs). But this is a problem no matter if sent over SSL or not, as long as real user names and uids are used ...