XF 1.5 MITM question and going HTTPS

Discussion in 'XenForo Questions and Support' started by DarkKitarist, Mar 20, 2016.

  1. DarkKitarist

    DarkKitarist New Member

    Hello again good people at Xenforo, I hope you're having a great Sunday evening/morning/afternoon!

    Anyway today someone from "Anonymous" (not really anonymous but he referenced himself as such and these times everyone does this apparently) used the MITM hack to change our banner on the website. Now the attacker later revealed himself as an ethical hacker and a brother to someone on the website who we know.

    Anyway is this a sure sign we should go HTTPS? Because the main admin is still adamant we can still stay on HTTP but I kinda disagree...
     
  2. Brogan

    Brogan XenForo Moderator Staff Member

    You should identify the attack vector rather than be looking to switch to HTTPS.

    If the attack vector remains, it won't make any difference.
     
    DarkKitarist and Amaury like this.
  3. DarkKitarist

    DarkKitarist New Member

    Apparently there wasn't even an attack. The brother, who I'm guessing is a gigantic man-child, was actually playing with only the packets on the PC of his brother, so none of us actually saw what he saw but we thought it was a legit attack.

    So again the security of our website is A OK :D

    Then again if we have the possibility, should we switch to HTTPS?
     
  4. Brogan

    Brogan XenForo Moderator Staff Member

    That's a personal decision but in general, HTTPS seems to be preferred these days.
     
    Amaury likes this.
  5. xbanker

    xbanker Member

    Apologies if this comment takes discussion too far afield from OP.

    Maybe this is "apples and oranges." But speaking of HTTPS, the new PayPal-mandated security enhancements have this to say:

    IPN Verification Postback to HTTPS
    If you are using PayPal’s Instant Payment Notification (IPN) service, you will need to ensure that HTTPS is used when posting the message back to PayPal for verification. After Sept 30, 2016 HTTP postbacks will no longer be supported.

    Would this requirement alone — for forums using PP anyway — dictate that upgrade to HTTPS isn't optional?

    Thank you.
     
  6. Mike

    Mike XenForo Developer Staff Member

    No, as this is specific to calling to PayPal itself, rather than PayPal calling you.
     
    xbanker likes this.
