Answered Is this website safe?

[NvivN]

I'm very uneasy having to log in here knowing that my username and password are not encrypted.
Is there a reason why this forum is not using an SSL certificate? I did a try a few search queries for threads before posting this thread,i was hoping to find a thread but i haven't been successful(i'm probably not using the right keywords, used "SSL" and "Certificate").

anyways, i'm hoping someone can link me to a thread or a post about this.
thanks for any input.

 

[uglywolf]

Barely not-safe, in my opinion.
The staff is pretty busy handling stuff right now though, so almost all question will not be truly answered.
At very least, the community here is big. So it's not going to be easy for someone to just hack one's account once you've blended with others here.

 

[NvivN]

I'm more concerned about my privacy than my account being hacked.
I visit AS at work from time to time; while it is totally okay for us to browse the net at work ,I'm not ready to explain why i visited some urls that lead to pages with questionable content.
I guess i'll just have to only log in from home then.
thanks for the reply :)

 

[uglywolf]

I suggest you might want to disguise your connection?
Probably best if you can find software that encrypt everything regardless.
In my case, psiphon3.

 

[Checkmate]

I find it amazing that most people doesn't understand what a SSL do.

SSL encrypts the traffic between you and then it is decrypted when it is at the server the server. Having SSL does not suddenly make you safer on the web, if at all. While we do not have SSL, your password is already encrypted at source before the data is transmit to our server. Your password is also one-way encrypted, meaning that we only store it in its encrypted form. Your password cannot be read or be revealed. The server authenticates you by compare the encryption result whether it is matched.

 

[NvivN]

I'm familiar with how passwords are stored and how SSL works,it happens that CS is my field of study.
I Attached a packet capture I made on my lan network at home with wireshark while sniffing a second computer, i used 'test' as both username and password.

The username is visible in plain text, and the password is also there but md5 hashed.
Dehashing "098f6bcd4621d373cade4e832627b4f6" gives 'test'.

while it's true that the password is encrypted,it's not safe from eavesdropping when you are sharing your network.

I hope you don't misinterpret the purpose of this thread, I'm not doubting or accusing anyone,i'm simply curious and wanted to know if there was a reason since most websites have SSL now.

 

[Checkmate]

Your test made me laugh real hard for CS student. You cannot dehash md5 unless you brute force the hash using a known database of the most common known hash string, like 123456 or test. Such password you use defeats any purpose of encryption or eavesdropping.

To make my point, here is my md5 hashed password: 2681abc2ceacd4e1e8d00a131f50c432 Dehash this and you are free to access my admin account.

I also have a reason not to enable SSL, such reason may be finally fixed in the future.

 

[NvivN]

Your test made me laugh real hard for CS student.

I'm glad It/I did.

Such password you use defeats any purpose of encryption or eavesdropping.

such password was my point for saying it's not always fail proof and in direct reply to "Your password cannot be read or be revealed".
It's hard to believe everyone here is using a strong password, when not even enforcing one on account creation/ password change.

unless you brute force the hash using a known database of the most common known hash string, like 123456 or test.

'test' is just a place holder, not sure what you expected me to use instead..

To make my point, here is my md5 hashed password

I don't have a Database to try, and I probably won't find anything even if I did.
And even so, anyone in a the same network with someone logged in can still forge cookies with a session id and take over without having to dehash or know the original password.

 

[NvivN]

it's not my place to say how you should run your forum since I'm just a mere guest here.
I simply just asked a simple question ,which I quote "Is there a reason why this forum is not using an SSL certificate? " and the only reason behind it is for some privacy and hiding the pages I visit.
at this point I'm happy to have "may be finally fixed in the future" as a reply.

close or even delete this thread since it has fulfilled it's purpose.

 

[corocoro]

Well, it's a lot easier to brute a website with a combo list than to do a MitM attack. So if you have a weak password, you have already lost. :p
And enabling SSL would also not hide the connection from your employer - as it doesn't affect URLs or IPs. ;)

 

[NvivN]

And enabling SSL would also not hide the connection from your employer - as it doesn't affect URLs or IPs

well i don't know about that because i do find them in the rooters log.
like for example there are whole lot of log entries for facebook and instagram visited by others working in this company, but it's just the domain name only,I can never find the rest of the url that was visited because these sites use ssl.
for ASF, it's the full url ,and it's those NSFW keywords in it that are making me uneasy, something like

anime-sharing.com/forum/completed-series-17/720p-%5Bunderwater%5D-[B]panty-stocking-garterbelt[/B]-%5Bdual-audio%5D-%5Bbluray%5D-232820/index2.html#post2146950

but it's alright now, I ended up setting a custom rule to not log anything from anime-sharing.com and its all good :)