PPRuNe Forums - View Single Post - HTTPS warnings on PPRuNe
Old 17th Mar 2017, 00:23
#3
jtt
 
Join Date: Feb 2006
Location: Berlin, Germany
Posts: 20
Originally Posted by flight_mode
Since I updated Chrome I'm getting a warning about PPRuNe being "not secure". Does that mean when I login anyone can capture my credentials? Googling around this article seems to hint that Google are trying to push webmasters into getting their security sorted. Sooner the better I say!
A quick look at the sources of the PPRUNE web pages shows that the password doesn't seem to get sent out in clear text. Instead a "hash" value is created from it and that's what is sent to the PPRUNE server. A "hash" function is kind of a scrambler for data, with the property that the same data gets scrambled into the exact same value each time.

What gets sent out by your computer can be sniffed by any other computer on your local network as well as any machine your message passes through on the way from your computer to the PPRUNE server. So, in principle, a lot of people could get at the data you're sending as long as plain HTTP is used (that's why it's marked as "not secure").

Consequences: everyone who can get at your traffic to PPRUNE can take over your account and e.g. post embarrassing messages that seem to be coming from you. Moreover, if you work for a company and post messages critical of that company from a computer on the network of that company (and make that any device they have issued to you) they may have an easy time finding out who you are. Thus never ever use any company equipment when slagging them off on PPRUNE if you want to keep your job!

Figuring out the original password from the hash value is (a lot) harder. Unfortunately, the hash function used by PPRUNE, called MD5, isn't considered to be safe anymore. That means that it's not impossible that someone with enough motivation may succeed in getting at your password. And if you use a simple password you may give an attacker an even higher chance. I would strongly recommend not using your password for PPRUNE for anything else, especially not for any security-sensitive things like online banking!

And yes, of course, using HTTPS for PPRUNE would be a lot safer since that would ensure that all the traffic between your computer and the PPRUNE server would be encrypted and thus of no value to anyone listening (unless, maybe, it's something like the NSA, which may have managed to break the encryption used - but we'll know about that only much later ;-)

Best regards, Jens