
HTTPS on the ContractorUK


    #41
    Originally posted by Fred Bloggs:
    Could be wrong, but my own experience with BBS software, phpBB, is that the passwords are encrypted by default. So even those with top tier admin rights can't see the passwords. I'm guessing the same applies here too.
    The passwords may or may not be hashed on disk. Given the age of the forum software, I wouldn't expect them to be hashed well by 2017 standards.

    Either way, that doesn't matter as:
    1. The password is encrypted by the software which runs server side, and thus is sent to the server in plaintext.
    2. Sharing passwords is kinda lame either way, so other than the fact our accounts are trivial to hijack, this isn't really the issue.
    3. Being monitored is the real issue.



      #42
      Originally posted by woohoo:
      If you are at a client's site and you decide to read or post something negative about the client, the client could be monitoring the network and will see the post in clear text. Just an example but you get my meaning.
      Post on your smartphone using 3G or 4G.

      Then it's not part of their network traffic.

      Obviously if you haven't bought enough data then you are screwed.

      In my case, due to an ex-permie employer trying to block every site imaginable whether they were clean or not, I got in the practice of not using their stuff for my private postings or emails long ago.
      "You’re just a bad memory who doesn’t know when to go away" JR



        #43
        Originally posted by fool:
        The passwords may or may not be hashed on disk. Given the age of the forum software, I wouldn't expect them to be hashed well by 2017 standards.

        Either way, that doesn't matter as:
        1. The password is encrypted by the software which runs server side, and thus is sent to the server in plaintext.
        2. Sharing passwords is kinda lame either way, so other than the fact our accounts are trivial to hijack, this isn't really the issue.
        3. Being monitored is the real issue.
        The passwords are encrypted client side (MD5) and the hashed password is sent to the server in plain text.
        Last edited by woohoo; 27 November 2017, 22:14.



          #44
          Originally posted by SueEllen:
          Post on your smartphone using 3G or 4G.

          Then it's not part of their network traffic.

          Obviously if you haven't bought enough data then you are screwed.

          In my case, due to an ex-permie employer trying to block every site imaginable whether they were clean or not, I got in the practice of not using their stuff for my private postings or emails long ago.
          Look, you can come up with a whole load of ways around things, VPN, mobile network etc. Truth is people don't do that or understand that. That's why you add SSL, then the URL and body are encrypted, so it's then not a trivial thing to monitor.



            #45
            Originally posted by woohoo:
            Look, you can come up with a whole load of ways around things, VPN, mobile network etc. Truth is people don't do that or understand that. That's why you add SSL, then the URL and body are encrypted, so it's then not a trivial thing to monitor.
            So you are just saying people are thick, particularly people who work in IT and at least have people who can explain things to them.

            Btw I'm paranoid.
            "You’re just a bad memory who doesn’t know when to go away" JR



              #46
              Originally posted by SueEllen:
              So you are just saying people are thick, particularly people who work in IT and at least have people who can explain things to them.

              Btw I'm paranoid.
              No, I don't think people are thick. I wouldn't expect a DBA, project manager or a desktop developer to necessarily understand how HTTP/HTTPS works (though most probably do nowadays). But people are lazy.

              One day you use the same email/password combo for a trial site as CUK, a few months later you sign up to it and put in your personal and CC details etc. Then you are open for an attack. It's just human nature.

              Someone posts a negative comment about a client you are working at and you give a bit more juicy detail on CUK and you are walked off site etc.

              You know, if I was arguing for some extensive, intrusive security thang that involves tons of effort for little reward then I can see your point. SSL cert, just do it. At the very least it stops people like me moaning, incessantly moaning, whinging and whining.



                #47
                Originally posted by woohoo:
                No, I don't think people are thick. I wouldn't expect a DBA, project manager or a desktop developer to necessarily understand how HTTP/HTTPS works (though most probably do nowadays). But people are lazy.

                One day you use the same email/password combo for a trial site as CUK, a few months later you sign up to it and put in your personal and CC details etc. Then you are open for an attack. It's just human nature.

                Someone posts a negative comment about a client you are working at and you give a bit more juicy detail on CUK and you are walked off site etc.

                You know, if I was arguing for some extensive, intrusive security thang that involves tons of effort for little reward then I can see your point. SSL cert, just do it. At the very least it stops people like me moaning, incessantly moaning, whinging and whining.
                Ahh but people need to learn in this age of social media to be careful what they post online in forums.

                Even if this site used HTTPS, due to the fact it is free to use, turns up on Google searches, and the fact that loads of nosey people - including clients, agents and HMRC - know it exists, whether it is encrypted or not doesn't mean you are not walked off site or whatever.

                I know from what has happened to a couple of posters and it can take from 2 hours to 2 weeks before a reader - agents in these cases - works out it is them.
                "You’re just a bad memory who doesn’t know when to go away" JR



                  #48
                  Originally posted by SueEllen:
                  Ahh but people need to learn in this age of social media to be careful what they post online in forums.

                  Even if this site used HTTPS, due to the fact it is free to use, turns up on Google searches, and the fact that loads of nosey people - including clients, agents and HMRC - know it exists, whether it is encrypted or not doesn't mean you are not walked off site or whatever.

                  I know from what has happened to a couple of posters and it can take from 2 hours to 2 weeks before a reader - agents in these cases - works out it is them.
                  Your reasoning is wrong. Just because someone may guess at a poster's identity is not a good reason to ignore basic security.
                  Anyway, I've got nothing more to add.



                    #49
                    Originally posted by woohoo:
                    The passwords are hashed client side (MD5) and the hash is sent to the server in plain text.
                    Hashing a password is not encryption. Encryption means you encrypt something that can later be decrypted; hashing is more a validation check: the string x (assuming a salt that is consistent) will always generate the same hash code y. This ensures that the database does not store the plain text password.
                    merely at clientco for the entertainment

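As an added illustration of the two technical points in this thread (#43: the client MD5-hashes the password and sends the digest over plain HTTP; #49: hashing is deterministic and one-way, so the database never holds the plain text), here is a small Python script. It is not the forum software's own code; it assumes the client-side step is an unsalted MD5 hex digest, and uses PBKDF2 with a made-up work factor for the server-side contrast.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; an assumption for this illustration


def client_side_md5(password: str) -> str:
    """The client-side step the thread describes: an unsalted MD5 hex digest
    computed in the browser and submitted as the login credential.
    (Assumption: UTF-8 input and hex encoding.)"""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def wire_credential_is_static(password: str, logins: int = 3) -> bool:
    """Hashing is deterministic, so over plain HTTP the identical token is
    visible on every login: whoever can see the traffic sees a password-
    equivalent. Only transport encryption (TLS) hides it from the network."""
    return len({client_side_md5(password) for _ in range(logins)}) == 1


def make_record(password: str, salt=None) -> dict:
    """Server-side storage: a random per-user salt and a slow, iterated hash,
    so the database never holds the plain text password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """There is no decrypt step: recompute with the stored salt and compare
    the two digests in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_differs_on_disk(password: str) -> bool:
    """Two users with the same password get different stored hashes because
    their salts differ, yet both records still verify."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)


if __name__ == "__main__":
    print("client-side MD5 of 'password':", client_side_md5("password"))
    print("same token on every HTTP login:", wire_credential_is_static("password"))
    rec = make_record("password")
    print("verify correct / wrong:", verify(rec, "password"), verify(rec, "Password"))
    print("salted storage differs per user:", same_password_differs_on_disk("password"))
```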


                      #50
                      Originally posted by SueEllen:
                      Ahh but people need to learn in this age of social media to be careful what they post online in forums.

                      Even if this site used HTTPS, due to the fact it is free to use, turns up on Google searches, and the fact that loads of nosey people - including clients, agents and HMRC - know it exists, whether it is encrypted or not doesn't mean you are not walked off site or whatever.

                      I know from what has happened to a couple of posters and it can take from 2 hours to 2 weeks before a reader - agents in these cases - works out it is them.
                      The drip feeding of information to the point that people say enough that they become identifiable is nothing new. But that is actually a reason to do slightly more to protect users rather than less.

                      It is, however, irrelevant to the reason why SSL is being introduced - which is more about intermediate steps injecting information and adverts into the request.
                      merely at clientco for the entertainment
