Pulser
Member
I'm considering ordering XF just now for a migration from vB. One thing I noticed while playing with a demo install on the homepage is that passwords are sent via POST to the Xenforo back-end in plaintext, and then processed there. (you can see this happen using a Firefox addon such as "tamper data")
Now, I understand that I could simply use SSL and this would be much less of an issue. And if it comes to it, I could SSL the logon process (or more likely the entire site to protect the session cookie and identifiers) to get around this.
But this isn't ideal for people who might not want the expense or inconvenience of SSL certificates (sure, we run on dedicated servers with IP addresses available, but people on shared hosting might not be able to get this so easily). At present, I am aware that vB 4 sends user passwords after client-side javascript MD5'ing. Sure, this isn't protection against sniffing and replay, but it prevents anyone from seeing the plaintext password, and ensures plausible deniability for the site operator, as the plaintext password never even travels to the server in a regular install.
So where am I going? Well, I have a Wordpress installation for testing out various things, and one of the plugins I enabled on it provides "semi secure" (as the author terms it) login, by client-side encrypting the login process. It's protected against replay attacks, as there appears to be a form of session token sent to the client, and the Javascript processes the user's submission, POSTing the password back using public/private key RSA encryption.
All this happens transparently to the user. Sure, it requires Javascript, but so do most websites on the internet these days, including most of the rest of Xenforo
So I was wondering if something like this would ever be on the cards for inclusion in Xenforo. At present, I was evaluating the various platforms I could move to, and was dismayed to find that most (if not all) still send the user password in clear-text. With a mobile oriented site, there's a high likelihood our users are accessing our website via a mobile device, particularly over open WiFi connections. This would expose their login passwords to anyone using one of the many readily available WiFi sniffer apps (even for phones). With our current setup, while the MD5 would be available to an attacker, and they could log in using the account, they would not know the actual password, and thus the user would not be at risk if they re-use that (or similar passwords).
As such, while I am really keen to move to XF, I feel this is a major stumbling block for us. I can't bring myself to step back and expose our users to this risk, and do so with a good conscience. Sure, I can use SSL as I mentioned before, but this isn't ideal for everyone.
Tl; dr:
So the suggestion? Is something like http://wordpress.org/extend/plugins/semisecure-login-reimagined/ feasible in XenForo? Worst case, I'd have to buy a licence, and look at trying to plug it into the authentication framework, but I'd prefer to not be buying the software and then immediately starting to adjust something as fundamental as the login system, before it was able to be used. I don't know if my PHP knowledge would be up to it, having been used to modifying vB before, which I'm more familiar with... Also, would this be something involving edits to "critical" files, or could form an "addon"?
Thanks
Pulser
Now, I understand that I could simply use SSL and this would be much less of an issue. And if it comes to it, I could SSL the logon process (or more likely the entire site to protect the session cookie and identifiers) to get around this.
But this isn't ideal for people who might not want the expense or inconvenience of SSL certificates (sure, we run on dedicated servers with IP addresses available, but people on shared hosting might not be able to get this so easily). At present, I am aware that vB 4 sends user passwords after client-side javascript MD5'ing. Sure, this isn't protection against sniffing and replay, but it prevents anyone from seeing the plaintext password, and ensures plausible deniability for the site operator, as the plaintext password never even travels to the server in a regular install.
So where am I going? Well, I have a Wordpress installation for testing out various things, and one of the plugins I enabled on it provides "semi secure" (as the author terms it) login, by client-side encrypting the login process. It's protected against replay attacks, as there appears to be a form of session token sent to the client, and the Javascript processes the user's submission, POSTing the password back using public/private key RSA encryption.
All this happens transparently to the user. Sure, it requires Javascript, but so do most websites on the internet these days, including most of the rest of Xenforo
So I was wondering if something like this would ever be on the cards for inclusion in Xenforo. At present, I was evaluating the various platforms I could move to, and was dismayed to find that most (if not all) still send the user password in clear-text. With a mobile oriented site, there's a high likelihood our users are accessing our website via a mobile device, particularly over open WiFi connections. This would expose their login passwords to anyone using one of the many readily available WiFi sniffer apps (even for phones). With our current setup, while the MD5 would be available to an attacker, and they could log in using the account, they would not know the actual password, and thus the user would not be at risk if they re-use that (or similar passwords).As such, while I am really keen to move to XF, I feel this is a major stumbling block for us. I can't bring myself to step back and expose our users to this risk, and do so with a good conscience. Sure, I can use SSL as I mentioned before, but this isn't ideal for everyone.
Tl; dr:
So the suggestion? Is something like http://wordpress.org/extend/plugins/semisecure-login-reimagined/ feasible in XenForo? Worst case, I'd have to buy a licence, and look at trying to plug it into the authentication framework, but I'd prefer to not be buying the software and then immediately starting to adjust something as fundamental as the login system, before it was able to be used. I don't know if my PHP knowledge would be up to it, having been used to modifying vB before, which I'm more familiar with... Also, would this be something involving edits to "critical" files, or could form an "addon"?
Thanks
Pulser
Upvote
2
