Neowin needs HTTPS login


22 replies to this topic

#16 Ames

Ames

    Neowinian

  • Joined: 21-March 04
  • Location: Vancouver, Canada
  • OS: Windows 8.1
  • Phone: Nokia Lumia 920

Posted 28 September 2006 - 17:27

Honestly I think SSL is overkill in this case. A self-signed certificate will give everyone an error every time they try and log in, and a trusted signed SSL, while not terribly expensive ($60 for a basic, not wildcard one with virtually no financial backup), would not be money well spent in my opinion.

Then there's the implementation of it into Invision (the forum software Neowin runs).


#17 Mr. Jingles

Mr. Jingles

    This space intentionally left blank.

  • Joined: 20-January 05
  • Location: Glued to the computer chair.

Posted 29 September 2006 - 03:39

vBulletin implemented a JavaScript hashing mechanism so that user passwords are hashed before they're sent to the server. That could probably be modded into IPB for much less effort.

#18 kjordan2001

kjordan2001

    Mystery Solver

  • Joined: 27-May 02

Posted 29 September 2006 - 05:25

Do self-signed certificates get along well with browser security? If the browser doesn't trust a certificate's issuer, then it inherently does not trust the certificate. Self-signed certificates are their own issuer, which causes issues for situations like this.

The browser will prompt you if you trust the self-signed certificate. There's always free signing 3rd parties too like cacert.org. Just import their root certificate and any site signed with that will be trusted.

#19 Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 56
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 29 September 2006 - 19:59

Denied!

#20 Tim Dorr

Tim Dorr

    -1^0.5 of 53

  • Joined: 03-December 01
  • Location: Atlanta, GA

Posted 29 September 2006 - 20:08

Would it hurt to have an SSL certificate?


Yes, it would. Every time I install an SSL certificate, a server cries just a little bit. Think of the servers, people!

#21 John

John

    Neowinian Senior

  • Joined: 28-January 02
  • Location: Des Moines, IA

Posted 30 September 2006 - 18:57

vBulletin implemented a JavaScript hashing mechanism so that user passwords are hashed before they're sent to the server. That could probably be modded into IPB for much less effort.

So instead of someone sniffing your password, they sniff the password hash, which is just as good as a password... Great solution (Y) Whatever is sent to the server needs to be encrypted so it can't be sniffed. That's the whole point. Sending the server "asdf" instead of "password" does nothing if an anonymous listener can see it on the network.

The browser will prompt you if you trust the self-signed certificate. There's always free signing 3rd parties too like cacert.org. Just import their root certificate and any site signed with that will be trusted.

Yeah, every user would have to import SOME certificate, whether it's Neowin's or cacert.org, or whoever's... That's not a solution. Why do you think people pay so much for Verisign certificates? Because they're trusted. I've never heard of cacert.org and certainly don't trust them to vouch for another website...
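
The point made in post #21 about a sniffed hash being as good as the password, as an added example that is not part of the original thread and is not vBulletin's or IPB's code. It is a simplified model (SHA-256, the class names and the sample password are assumptions) and goes one step beyond the thread by also showing a single-use nonce variant for comparison.

```python
import hashlib
import hmac
import secrets

def client_hash(password: str) -> str:
    """Value a login script sends in place of the plaintext (SHA-256 assumed)."""
    return hashlib.sha256(password.encode()).hexdigest()

class StaticHashLogin:
    """Hypothetical server that accepts the client-side hash as the credential."""
    def __init__(self, password: str):
        self._stored = client_hash(password)

    def login(self, submitted: str) -> bool:
        return hmac.compare_digest(self._stored, submitted)

class NonceLogin:
    """Hypothetical server that issues a single-use nonce and expects HMAC(hash, nonce)."""
    def __init__(self, password: str):
        self._key = client_hash(password).encode()
        self._open = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._open.add(nonce)
        return nonce

    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self._open:
            return False  # unknown or already spent nonce
        self._open.discard(nonce)
        expected = hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def respond(password: str, nonce: str) -> str:
    # Client side of the nonce scheme: prove knowledge of the hash without sending it.
    return hmac.new(client_hash(password).encode(), nonce.encode(), hashlib.sha256).hexdigest()

def demo() -> dict:
    password = "hunter2-constructed"  # constructed sample value
    seen = client_hash(password)      # the only login value visible on plain HTTP
    static, nonce_srv = StaticHashLogin(password), NonceLogin(password)
    nonce = nonce_srv.challenge()
    answer = respond(password, nonce)
    return {
        "static_resubmit": static.login(seen),              # the hash is the credential
        "nonce_first_use": nonce_srv.login(nonce, answer),  # legitimate login
        "nonce_resubmit": nonce_srv.login(nonce, answer),   # same bytes, nonce spent
    }
```

The nonce variant only rejects a verbatim resubmission of the login bytes. The session cookie and every page still travel in the clear on plain HTTP, so it does not replace an HTTPS login.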

#22 dragon2611

dragon2611

    Neowinian Senior

  • Joined: 30-July 04
  • Location: Somewhere in the UK

Posted 30 September 2006 - 19:05

So instead of someone sniffing your password, they sniff the password hash, which is just as good as a password... Great solution (Y) Whatever is sent to the server needs to be encrypted so it can't be sniffed. That's the whole point. Sending the server "asdf" instead of "password" does nothing if an anonymous listener can see it on the network.
Yeah, every user would have to import SOME certificate, whether it's Neowin's or cacert.org, or whoever's... That's not a solution. Why do you think people pay so much for Verisign certificates? Because they're trusted. I've never heard of cacert.org and certainly don't trust them to vouch for another website...


Actually I have a starter SSL certificate from namecheap.com set up for cPanel on a server and it cost me $16 :yes:

It's recognised by most browsers, shows up as being signed by Equifax and works fine with Firefox and IE6+ (maybe older versions of IE also, don't know 'cause I only run 6 and 7). Also works with Opera and Safari as far as I can remember (don't use them much, tend to use Firefox all the time).

So no, they don't need to cost the earth! ;)

#23 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 26 February 2013 - 15:14

As far as certificates, I heard DigiCert has some good prices. It's also the same one Facebook uses.

www.digicert.com


