Question: Why no SSL option?

ermik

When will SSL be an option?
 
What for? Quick login? Security?
 
Well, I'd like to see SSL added as an option; it is indeed possible to do a man-in-the-middle attack against someone logging in to PCF.
 
To clarify, it's possible to log in as someone else by doing a man-in-the-middle attack as long as the traffic isn't going over SSL. Just MD5 hashing the password with some salt ain't gonna keep the black hat out.

Site admin can PM me if you want details.

cheers

ermik
 
I've on one or two occasions been able to log in completely skipping GC ... So I'd be scared sitting on a fortune.
 
I'm talking about forum login, not in-game.

Haven't really looked at in-game login logic yet, mostly 'cause it's forbidden.
 
Why would any serious hacker spend time hacking your forum account?
And I don't think a script kiddie would do such stuff: it is 1) not that super easy, 2) not entertaining to hack a forum, 3) 99,999% of the population doesn't know this forum exists.
 
I believe ark forum was hit not that long ago, so if they know about that one, they know about this one. The only reason for the attack is either to get lucky and find someone who uses the same password on the forum as they do in game, or they are just bored and want to hone their skills on a low level "threat" site.
 
The attack makes it possible to silently log in as someone else without any alarm bells going off. Would it not be harmful if someone did this as a targeted attack to be able to read someone's PMs in order to gain an advantage in, let's say for example, a big trade? No need for either a serious hacker or a script kiddie; all you need is motive, the knowledge is not hard to get.

Not arguing why it should be SSL from a threat standpoint; the fact that it's RCE and openly exposed to the internet is enough reason to use SSL in my opinion.
 
Without going into too much detail (for risk of providing information to would-be intruders), I can tell you that Planet Calypso Forum utilizes several additional security measures to protect forum member accounts beyond the standard vBulletin systems.

The servers on which PCF is hosted are very secure, and have never been compromised despite a fair number of attempts over the years.

Nevertheless, as a general security precaution it is very important never to use the same username, password or email address that is used for one's Entropia Universe account on other websites or forums, including PCF. And of course, everyone who values their Entropia Universe account should have a Gold Card.

Regarding the thread title: SSL would offer very little benefit in protecting forum member accounts, and would probably result in a slower browsing experience for members.

Most forum-related attack vectors focus on compromising either the web server, or, much more commonly, client browsers or computers, not on intercepting http traffic between client and server. Thus, employing SSL on PCF would offer very little practical benefit.
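
The point raised earlier in the thread, that MD5 hashing the password with a salt does not protect a login sent over plain HTTP, shown as an added example (not code from the forum, from vBulletin or from any poster). The `ToyForum` class, the field names and the md5(md5(password) + salt) scheme are assumptions made for illustration, and the password is a constructed sample.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

class ToyForum:
    """Hypothetical server. Assumed scheme: the browser sends md5(password);
    the server stores md5(md5(password) + salt) and issues a session cookie."""

    def __init__(self):
        self.users = {}     # username -> (salt, stored_hash)
        self.sessions = {}  # cookie -> username

    def register(self, username, password):
        salt = secrets.token_hex(4)
        self.users[username] = (salt, md5_hex(md5_hex(password) + salt))

    def login(self, username, md5password):
        salt, stored = self.users[username]
        if not hmac.compare_digest(md5_hex(md5password + salt), stored):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)

def browser_login_form(username, password):
    # Every field here crosses the network; over plain HTTP it is readable on-path.
    return {"username": username, "md5password": md5_hex(password)}

def run_demo():
    password = "constructed-sample-password"
    forum = ToyForum()
    forum.register("alice", password)
    on_the_wire = browser_login_form("alice", password)
    cookie = forum.login(**on_the_wire)
    return {
        "cleartext_password_on_wire": password in on_the_wire.values(),
        # The server cannot tell a resubmitted hash from the original login.
        "observed_hash_accepted": forum.login("alice", on_the_wire["md5password"]) is not None,
        "observed_cookie_identifies": forum.whoami(cookie),
        "wrong_hash_accepted": forum.login("alice", md5_hex("guess")) is not None,
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hashed field and the session cookie both act as password equivalents for whoever can read the connection, so the mitigation is transport encryption for the login and the session rather than a different hash.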
 