How Secure Is Xenforo compared to VB4?

Discussion in 'XenForo Pre-Sales Questions' started by |Jordan|, Jul 3, 2012.

  1. |Jordan|

    |Jordan| Active Member

    Every few weeks VB4 gets a security fix. How's the security of Xenforo compared to VB4 and other commercial forum scripts?
  2. Forsaken

    Forsaken Well-Known Member

    Since launch XF has only had to release a single security fix, and it was for a third party library.
  3. DRE

    DRE Well-Known Member

    Vb4 only gets frequent updates because it still has pieces of code from vb2 which is over 10 years old.
  4. Robbo

    Robbo Well-Known Member

    It could use better password hashing. However, if people get your hashes you would have other, more serious problems to deal with. And vb's hashing wouldn't be any better.
  5. James

    James Well-Known Member

    Realistically, does it matter which hashing algorithm is used, considering the algorithm is already publicly available? As long as they have your hashed password, salt and algorithm it's still the same waiting game.
  6. Robbo

    Robbo Well-Known Member

    Yes. Some are designed to be hard to crack by GPUs. The old ones like md5, sha, etc. never anticipated how powerful GPUs would get, only CPUs. GPUs can process millions of hashes per second.
  7. Deebs

    Deebs Well-Known Member

    SHA-256 is still pretty good. Personally I would love to see the adoption of bcrypt for password storage with a configurable number of rounds.
  8. Robbo

    Robbo Well-Known Member

  9. Deebs

    Deebs Well-Known Member

    SHA-3 is in the works, but almost everyone, including certain US Government, still uses the SHA-2 hashes. TLS, SSL, PGP, SSH, IPsec are other applications based on SHA-2. Do you see those guys scrabbling to change the hash function? There is still a lot of life left in SHA-2.
  10. Robbo

    Robbo Well-Known Member

    I'm not saying they should change it. If people have an issue it is because they let people get the hashes, not the hashes themselves. But they are far from secure if the password used isn't long and cryptic in the first place. And don't make me link you to a heap of US Government failings in security... not the best example.

    The fact is it isn't secure. You can't expect it not to get cracked and any user without a good long password will get cracked fast.
  11. Deebs

    Deebs Well-Known Member

    Any hash is only as secure as the password used; it all depends on what area of the keyspace the brute forcers target first, i.e. lowercase, UPPERcase, numerics etc. The point is that SHA-2 is still regarded as a secure hash and safe for use.
  12. Robbo

    Robbo Well-Known Member

    Which it shouldn't. But people don't want to make themselves more work.
  13. DRE

    DRE Well-Known Member

    The biggest risks aren't software related, just user error. Also, being on shared hosting sucks because when another site gets hacked or attacked they risk your site going down as well. That happened to my site two weeks ago. They had to change the IP on my site because some idiot got DDoSed. I hate being on a shared server.
  14. DRE

    DRE Well-Known Member

    Another risk is installing other people's modifications. I'd say the risk is just as significant on vb4 here because of the number of noobs on xenforo releasing stuff in the resource manager, including myself. But then I've seen well-established coders release stuff that will screw your site up. If you want to really be secure and careful, test everything on a xampp installation. As a matter of fact, you should, because unlike vbulletin, your xenforo installation will go blank every time you install or uninstall a skin, language or modification. Your users will think something is wrong with your site and get angry. That's why you need a local installation the most.
  15. Robbo

    Robbo Well-Known Member

    Errr... no, if you are going to do it properly you would set up a proper staging environment on a VCS and use a deployment system.
  16. DRE

    DRE Well-Known Member

    Don't know anything about that. All I know is this works very well.
  17. Deebs

    Deebs Well-Known Member

    Currently testing a new add-on on my site; it basically converts users imported from vb or ibp to use the stock XF authentication/password mechanism on their login instead of waiting for them to change their password (which would convert them).
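The two ideas running through this thread, a password hash with a configurable work factor (Deebs' "bcrypt with a configurable number of rounds") and converting imported accounts to the stock scheme on their next login (the add-on described above), fit together in one small piece of code. The example below is added here and is not XenForo's, vBulletin's or the add-on's code. It substitutes the standard library's PBKDF2-HMAC-SHA256 for bcrypt (which needs the third-party `bcrypt` package) so it runs offline; the iteration count plays the role of bcrypt's cost parameter. The record format (`scheme$iterations$salt$digest`), the `legacy_md5` stand-in for an imported record, and all user records are constructed for the example and make no claim about any product's real storage format.

```python
"""Added example: password storage with a configurable work factor and
transparent rehash-on-login for accounts still on an older scheme.
Not code from XenForo, vBulletin or the add-on discussed in the thread."""
import hashlib
import hmac
import os

# Target parameters for new hashes. Raising ITERATIONS is the "configurable
# number of rounds": each guess an attacker makes against a leaked hash costs
# proportionally more, with no code change. (Assumed values for the example.)
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so one cracked hash tells nothing about the other."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def legacy_hash(password: str, salt: str) -> str:
    """Fast, GPU-friendly MD5 scheme standing in for an imported legacy record.
    Constructed for this example only; shown as the thing to migrate away from."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def verify(password: str, record: str) -> bool:
    """Check a password against whichever scheme the stored record declares."""
    scheme, params = record.split("$", 1)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = params.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate.hex(), digest_hex)
    if scheme == "legacy_md5":
        salt, digest_hex = params.split("$")
        return hmac.compare_digest(legacy_hash(password, salt), digest_hex)
    return False  # unknown scheme: fail closed


def needs_rehash(record: str) -> bool:
    """True when the record uses a legacy scheme or a lower work factor than
    the current target, so raising ITERATIONS later also triggers upgrades."""
    scheme, params = record.split("$", 1)
    if scheme != "pbkdf2_sha256":
        return True
    return int(params.split("$")[0]) < ITERATIONS


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate, and on success replace a stale record with a current one.
    The plaintext is only ever available at login, which is why conversion
    has to happen here rather than in a batch job over the stored hashes."""
    record = users.get(username)
    if record is None or not verify(password, record):
        return False
    if needs_rehash(record):
        users[username] = hash_password(password)
    return True


# Constructed sample accounts: one current, one imported legacy record, one
# hashed under an older, lower iteration setting.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": "legacy_md5$ab12$" + legacy_hash("hunter2", "ab12"),
    "carol": hash_password("tr0ub4dor&3", iterations=1_000),
}

if __name__ == "__main__":
    print("bob before:", USERS["bob"][:24])
    print("login ok:", login(USERS, "bob", "hunter2"))
    print("bob after: ", USERS["bob"][:24])
```

A failed login must not touch the stored record, and the record carries its own parameters, so old and new hashes coexist during the migration window with no schema change.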
  18. Brandon Sheley

    Brandon Sheley Well-Known Member

    This isn't really a good comparison.
    Since launch of a brand new script it's had X updates.

    Script Y, which has been around for years and years, will obviously attract more attention.

    With that said, any script is as secure as you make it.
    If you add 20 poorly coded mods, you'll likely be exploited.
  19. Disrelation

    Disrelation Active Member

  20. Erik

    Erik Well-Known Member

    Easy solution is to force SSL for your entire site. If you are that serious about security, it's something you should be doing anyway to avoid session cookie theft, etc.

    If the password is already being sniffed, a simple client-side MD5 is going to do little to stop anyone (especially since the salt would by definition be exposed to any attacker).
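What "force SSL for your entire site" looks like at the application layer, as an added example that is not XenForo's code or anything from this thread's posters: a WSGI middleware that redirects every plain-HTTP request to its HTTPS equivalent, sends a Strict-Transport-Security header so browsers stop trying HTTP at all, and marks outgoing session cookies `Secure` and `HttpOnly` so the cookie is neither sent in clear nor readable by page scripts. The cookie name `sessionid`, the `forum_app` placeholder application and the HSTS value are this example's own assumptions; in production the redirect target should be the site's canonical host rather than whatever `Host` header arrived.

```python
"""Added example: enforce HTTPS site-wide and harden session cookies in a
WSGI middleware. Not XenForo's code; names and values are assumptions."""

SESSION_COOKIE = "sessionid"                      # assumed cookie name
HSTS = "max-age=31536000; includeSubDomains"      # one year, assumed policy


def harden_cookie(value: str) -> str:
    """Add Secure, HttpOnly and SameSite=Lax to a Set-Cookie value unless the
    application already set them. Secure stops the browser sending the cookie
    over HTTP; HttpOnly keeps it out of document.cookie."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    if "secure" not in present:
        attrs.append("Secure")
    if "httponly" not in present:
        attrs.append("HttpOnly")
    if "samesite" not in present:
        attrs.append("SameSite=Lax")
    return "; ".join(attrs)


class ForceHTTPS:
    """Wrap any WSGI app: redirect http:// to https://, add HSTS, fix cookies."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # wsgi.url_scheme is filled in by the server. Behind a TLS-terminating
        # proxy you would derive it from X-Forwarded-Proto, but only from a
        # proxy you trust, otherwise a client can claim to be on HTTPS.
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
            target = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            headers = [(k, harden_cookie(v) if k.lower() == "set-cookie" else v)
                       for k, v in headers]
            headers.append(("Strict-Transport-Security", HSTS))
            return start_response(status, headers, exc_info)

        return self.app(environ, hardened_start_response)


def forum_app(environ, start_response):
    """Placeholder application that issues a session cookie with no flags,
    standing in for a forum that relies on the middleware for transport rules."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", f"{SESSION_COOKIE}=abc123; Path=/")])
    return [b"hello"]


def call(app, environ):
    """Invoke a WSGI app directly and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = ForceHTTPS(forum_app)

if __name__ == "__main__":
    # Constructed requests: one over plain HTTP, one over HTTPS.
    print(call(app, {"wsgi.url_scheme": "http", "HTTP_HOST": "forum.example",
                     "PATH_INFO": "/login", "QUERY_STRING": "x=1"})[:2])
    print(call(app, {"wsgi.url_scheme": "https", "HTTP_HOST": "forum.example",
                     "PATH_INFO": "/"})[:2])
```

Doing the redirect at the web server or load balancer is equally valid; the point is that the rule covers every path, since a single HTTP page that carries the session cookie is enough for the cookie theft the post mentions.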