View Single Post
Old 20 Mar 2017, 10:29 PM   #2
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 347
To be fair this isn't as much of a problem as many people think.

Don't get me wrong, it's not a bad thing that folks have been trained nowadays to avoid entering sensitive information on sites that don't use SSL/TLS (aka HTTPS) connections, but forum software packages like vBulletin have long used password hashing algorithms so that your password isn't actually travelling across the wire "in the clear," even if the site isn't using SSL/TLS.

In essence, when you enter your password into EMD (or any other vBulletin forum), an "encrypted" form of your password (known as an MD5 hash in this case) is created in your browser's memory space using JavaScript. This MD5 hash is what gets sent across the wire to EMD's servers, where it's compared to the same hash stored in the vBulletin user database on EMD.

An MD5 hash is a non-reversible cryptographic algorithm, which means that you can turn a password into an MD5 hash, but you can't turn that MD5 hash back into a password. Your password is also stored in the same way in the vBulletin user database( meaning nobody at EMD or any other vBulletin forum will have any way of knowing your password — assuming they haven't modified vBulletin to deliberately capture passwords). When you log in, the two MD5 hashes are simply compared to each other, not the "real" passwords.

The only catch of course is that this assumes you haven't disabled JavaScript in your browser.

Note that you can more or less confirm this yourself by looking at the page source. This is the password submission form on the EMD home page. Note the references to the "md5hash" and the "vbulletin_md5" javascript:

Code:
<form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
		<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=3612"></script>
Of course, this again assumes that you're not logging into a site with a deliberately malicious administrator, since of course the "vbulletin_md5.js" JavaScript could really be doing anything they want it to in this case, however the mere use of an SSL/TLS certificate doesn't actually change anything if you don't trust the site you're using in the first place
jhollington is offline   Reply With Quote