View Full Version : https login
Dagless
12-11-2010, 01:53 AM
I put forward a suggestion for a secure login system. I know the site doesn't hold any major info, but there is a brothers section etc. and I'm sure many users on here access the site from internet cafes, work, and other such insecure environments.
Rashad, you're always looking for ways to break the si... er... I mean "embrace new technology". This could be one step into the future ;)
Reply
Cabdullahi
12-11-2010, 02:00 AM
Before we implement a secure HTTP... I will need all the active users' bank account details... it's a research I'm doing... you know... I put things into database and see the correlation and stuff...
Reply
Yanal
12-11-2010, 03:03 AM
Sounds interesting. How would it exactly work though?
Reply
Dagless
12-11-2010, 03:17 AM
Originally Posted by Yanal
Sounds interesting. How would it exactly work though?
Normally only the login page has https rather than http. The user would see no real difference. However, I just checked and vbulletin don't support this so the whole site would have to be https. I guess forget it since it doesn't seem to be a common thing on vbulletin forums :(
Reply
'Abd Al-Maajid
12-11-2010, 03:54 AM
That's not gonna happen. It is worthless to have a secure login page on this forum, even Facebook doesn't use secure login even though you share your personal information there. So forget it! :)
Reply
Yanal
12-11-2010, 08:02 AM
Yes, although a suggestion that could be implemented into the future :).
Reply
Dagless
12-11-2010, 04:10 PM
Originally Posted by abdulmājid
That's not gonna happen. It is worthless to have a secure login page on this forum, even Facebook doesn't use secure login even though you share your personal information there. So forget it! :)
Facebook does have a secure login page if you type https. Calling something worthless because you thought Facebook didn't have it isn't worth responding to :p
Reply
~Raindrop~
12-11-2010, 04:26 PM
What's the difference between http and https? :><:
Reply
Dagless
12-11-2010, 04:29 PM
Originally Posted by Aisha
What's the difference between http and https? :><:
When you are on public networks your username and password is sent via plain text, so it's possible for anyone on that network to read. If it's https it's encrypted/secure.
Reply
~Raindrop~
12-11-2010, 04:30 PM
How about if you use KeyScrambler? Doesn't that jumble all the letters up anyway?
Reply
Dagless
12-11-2010, 04:33 PM
Originally Posted by Aisha
How about if you use KeyScrambler? Doesn't that jumble all the letters up anyway?
That's only to protect against keyloggers which are locally on the computer. I am talking about the connection from your pc to islamicboard.com.
Reply
~Raindrop~
12-11-2010, 04:35 PM
Right...ok.
Sorry, I'm not very computer-literate :><:
Reply
Dagless
12-11-2010, 04:47 PM
Originally Posted by Aisha
Right...ok.
Sorry, I'm not very computer-literate :><:
Well you are a little more now, but don't worry since nobody seems to think the idea is that important :D
Reply
'Abd Al-Maajid
12-11-2010, 07:35 PM
As you said brother Dagless, there are some sections which need more protection, I rather see it the other way, I believe there is nothing in brother's section for us to feel the need to conceal it if any admin's or user's account is compromised.
Moreover, it requires more $$$ for this, and it's not worth it.
Reply
Dagless
12-11-2010, 07:47 PM
Originally Posted by abdulmājid
As you said brother Dagless, there are some sections which need more protection, I rather see it the other way, I believe there is nothing in brother's section for us to feel the need to conceal it if any admin's or user's account is compromised. Moreover, it requires more $$$ for this, I guess.
Thanks bro, that's pretty much the kind of answer I was looking for. I agree, there is nothing to hide (pm or forum). I suppose the reason for restriction is more to stop the trolling which goes on out here than to hide any information.
Not too much $$$. Certs can be bought quite reasonably these days, ~£10.
Reply
:sl:
Logging in involves comparing password hashes; one which is generated when a password is created or changed, with the one generated when the user enters his or her password. The old string comparison system is almost non-existent in the 21st century, although there are cases where it's still used. https isn't about using cyphertext; that's a common misconception. https actually uses SSL certification, which is a system of authenticating the connection, not the inputted string. As a standard, SSL uses 128 bit security, which is designed to make it more difficult for a "hacker" to "listen" into the connection.
Can SSL be bypassed? Yes.
Is it easy to bypass? Generally speaking, no.
vBulletin uses MD5 hashes by default, which are reasonably secure for any forum standard. As long as a user doesn't use the password "qwerty", or anything short, simple and "guessable", including dictionary words, then it's OK.
:wa:
Reply
:sl:
Originally Posted by Dagless
When you are on public networks your username and password is sent via plain text, so it's possible for anyone on that network to read. If it's https it's encrypted/secure.
SSL uses public IP verification; I don't think anymore needs to be discussed on this matter.
:wa:
Reply
Dagless
12-11-2010, 11:15 PM
Originally Posted by أحمد
:sl:
SSL uses public IP verification; I don't think anymore needs to be discussed on this matter.
:wa:
I don't know what you mean by this.
Reply
:sl:
Originally Posted by Dagless
I don't know what you mean by this.
In other terms, the forum is secure enough.
:wa:
Reply
Dagless
12-11-2010, 11:32 PM
Originally Posted by أحمد
:sl:
In other terms, the forum is secure enough.
:wa:
That doesn't explain "SSL uses public IP verification".
Reply
:sl:
Originally Posted by Dagless
That doesn't explain "SSL uses public IP verification".
See post #16.
:wa:
Reply
Dagless
12-11-2010, 11:42 PM
Originally Posted by أحمد
:sl:
See post #16.
:wa:
Still doesn't make sense.
Reply
:sl:
Originally Posted by Dagless
Still doesn't make sense.
In that case, I'm probably not good enough at explaining. Allah knows best.
:wa:
Reply
Dagless
12-12-2010, 12:02 AM
Originally Posted by أحمد
:sl:
In that case, I'm probably not good enough at explaining. Allah knows best.
:wa:
That is a cop out since it is something you wrote.
Originally Posted by أحمد
:sl:
SSL uses public IP verification; I don't think anymore needs to be discussed on this matter.
:wa:
It implies that the first part of the sentence is a strong enough argument to close all discussion on the matter.
However, the first part of the sentence does not really make sense. All websites on the internet would be public ip's. It's the same as saying "ssl is used on the internet; I don't think anymore needs to be discussed on the matter". It's not an argument either way... certainly not one to end debate.
Reply
:sl:
Originally Posted by Dagless
That is a cop out since it is something you wrote.
It implies that the first part of the sentence is a strong enough argument to close all discussion on the matter.
However, the first part of the sentence does not really make sense. All websites on the internet would be public ip's. It's the same as saying "ssl is used on the internet; I don't think anymore needs to be discussed on the matter". It's not an argument either way... certainly not one to end debate.
I was stating something, which should be obvious to someone claiming to know about https.
I don't see the point of trying to explain, as it's clear, you're not interested in that. Your interest is merely in argument, which I'm not going to entertain.
If you wish to learn more about https, simply use google; it'll save you a lot of guessing time :inshallah
:wa:
Reply
Dagless
12-12-2010, 09:03 PM
Originally Posted by أحمد
:sl:
I was stating something, which should be obvious to someone claiming to know about https.
I don't see the point of trying to explain, as it's clear, you're not interested in that. Your interest is merely in argument, which I'm not going to entertain.
If you wish to learn more about https, simply use google; it'll save you a lot of guessing time :inshallah
:wa:
Asking someone to clarify what they meant is not an argument. You made a statement based upon which you concluded no further discussion was necessary. The statement was not clear in any way. I don't think google will know what you meant any more than you seem to.
Reply
:sl:
Originally Posted by Dagless
Asking someone to clarify what they meant is not an argument. You made a statement based upon which you concluded no further discussion was necessary. The statement was not clear in any way. I don't think google will know what you meant any more than you seem to.
Use google to lookup "debate"; you'll be surprised to find "argument" to appear under its definition.
:wa:
Reply
Dagless
12-12-2010, 09:45 PM
Originally Posted by أحمد
:sl:
Use google to lookup "debate"; you'll be surprised to find "argument" to appear under its definition.
:wa:
"debate" was in regard to the thread. The only thing I asked of you was clarification of your comment. You know this already but see it as another excuse not to answer the question. This can be seen from your numerous posts of avoidance. If you're not going to reply with an answer to the question please don't derail the thread. Just keep in mind for next time to only respond with things you can justify/explain.
edit: lol you left negative rep for this post? really?
Reply
:sl:
Originally Posted by Dagless
"debate" was in regard to the thread. The only thing I asked of you was clarification of your comment. You know this already but see it as another excuse not to answer the question. This can be seen from your numerous posts of avoidance. If you're not going to reply with an answer to the question please don't derail the thread. Just keep in mind for next time to only respond with things you can justify/explain.
If you don't understand an explanation, it's not my problem. In such a case, ignore my posts.
:wa:
Reply
:sl:
Let me break this down, for anyone struggling to understand SSL:
Post #16:
Logging in involves comparing password hashes; one which is generated when a password is created or changed, with the one generated when the user enters his or her password. The old string comparison system is almost non-existent in the 21st century, although there are cases where it's still used. https isn't about using cyphertext; that's a common misconception. https actually uses SSL certification, which is a system of authenticating the connection, not the inputted string. As a standard, SSL uses 128 bit security, which is designed to make it more difficult for a "hacker" to "listen" into the connection.
Can SSL be bypassed? Yes.
Is it easy to bypass? Generally speaking, no.
vBulletin uses MD5 hashes by default, which are reasonably secure for any forum standard. As long as a user doesn't use the password "qwerty", or anything short, simple and "guessable", including dictionary words, then it's OK.
The bit in red, is where public IP verification comes in. E.g. 84.45.40.98 is a Public IP address, while 192.168.1.8 is a Private IP address.
With me so far?
OK, moving on.
SSL is a socket encryption system, which encrypts the connection; very much like a lock and key structure of "enzyme and substrate". In this case, the packet is the substrate, while the encryption is the enzyme.
I really don't think I can help you, if you don't understand this. Try using google.
:wa:
Reply
Dagless
12-13-2010, 12:03 AM
Originally Posted by أحمد
:sl:
Let me break this down, for anyone struggling to understand SSL:
Post #16:
The bit in red, is where public IP verification comes in. E.g. 84.45.40.98 is a Public IP address, while 192.168.1.8 is a Private IP address.
With me so far?
OK, moving on.
SSL is a socket encryption system, which encrypts the connection; very much like a lock and key structure of "enzyme and substrate". In this case, the packet is the substrate, while the encryption is the enzyme.
I really don't think I can help you, if you don't understand this. Try using google.
:wa:
Firstly, thank you for finally explaining. I don't see it as significant (or as significant as the initial post suggested) since a public site would be impossible to verify using private ip address anyway, therefore it's moot... but I'm glad this matter came to an end.
Reply
:sl:
Originally Posted by Dagless
I'm glad this matter came to an end.
So am I.
:wa:
Reply