Toribash
Original Post
https would be broken if we tried due to the fact a lot of the images on the forum and other sources use http, so it'd be there, but it wouldnt show as secured.
[TANG] Member | Programmer | Designer
[sigpic][/sigpic]
It still would be better than the current situation, as login passwords would be encrypted.
pretty sure the passwords aren't stored as plain text lol, their always encrypted, if you mean the data streams containing the passwords, then yeah, they would be.
[TANG] Member | Programmer | Designer
[sigpic][/sigpic]
Originally Posted by Elite View Post
pretty sure the passwords aren't stored as plain text lol, their always encrypted, if you mean the data streams containing the passwords, then yeah, they would be.

i dunno, tbashboii didn't find it too hard to find TB passwords a couple years ago
Originally Posted by Surge View Post
i dunno, tbashboii didn't find it too hard to find TB passwords a couple years ago

Vbulletin encrypts it's passwords, pretty sure he brute forced acxounts
[TANG] Member | Programmer | Designer
[sigpic][/sigpic]
Please add HTTPS, please add HSTS.

Some clarification on password stealing: Essentially every password breach has been via phishing or cross site scripting. The passwords are hashed, and cannot be (trivially) recovered from the database. Logins, however, are almost certainly handled as plain text. Hypothetical, a sort of challenge-authentication setup could be implemented, but it would be of relatively low security compared to just using HTTPS.

The presence of HTTP content does not render HTTPS useless. Most of the content anyone would be served over HTTPS, such as logins, PM conversations, and IP data from staff tools.

Random images hotlinked from a non-HTTPS server is not something we have strict control over, though I guess we could disallow such links in the first place.

I have previously requested this, but the developer who had been working on it had difficulties making it work and eventually left.

I would really, really, really like to see HTTPS on the forum.
Squad Squad Squad lead?
The standardization of Toribash Squad roles may have gone too far!
Originally Posted by suomynona View Post
Please add HTTPS, please add HSTS.

Some clarification on password stealing: Essentially every password breach has been via phishing or cross site scripting. The passwords are hashed, and cannot be (trivially) recovered from the database. Logins, however, are almost certainly handled as plain text. Hypothetical, a sort of challenge-authentication setup could be implemented, but it would be of relatively low security compared to just using HTTPS.

The presence of HTTP content does not render HTTPS useless. Most of the content anyone would be served over HTTPS, such as logins, PM conversations, and IP data from staff tools.

Random images hotlinked from a non-HTTPS server is not something we have strict control over, though I guess we could disallow such links in the first place.

I have previously requested this, but the developer who had been working on it had difficulties making it work and eventually left.

I would really, really, really like to see HTTPS on the forum.

I wasn't saying it'd make it useless, was talking about the lock thingie, when http content is shown on a https site it shows as unsecure when really it is.

And yeah I support this
[TANG] Member | Programmer | Designer
[sigpic][/sigpic]
Originally Posted by Elite View Post
https would be broken if we tried due to the fact a lot of the images on the forum and other sources use http, so it'd be there, but it wouldnt show as secured.

There are free tools to convert content links from http to https, both in the database and on the files host. They run grep like commands and replace.

wonder what kind of difficulties had the devs
Last edited by Hisoka; Feb 9, 2018 at 08:32 PM.
Please take into consideration that Elite was not an actual developer for Toribash forum, and no we didn't try moving to https. Yet.