No HTTPS on TBN?

   / No HTTPS on TBN? #21  
The MD5 hash can readily be attacked as I explained above. My laptop can do about 2 million MD5s/second.

After 5 failed attempts you get locked out for 15 minutes. So you could try around 480 per 24 hour day.

We've had plans to change to HTTPS for a while. We're also currently morphing other sites to a new platform and have been working on a number of large scale upgrades to the various parts and pieces of TBN. We're aware that vbulletin is out of date and limited but we're also aware that our members are accustomed to the functionality and layout. Every time we've made a change in the past (we've made four major changes in 20 years), our membership doesn't like it and we see a 30% drop in post activity as a result. That's been one of the reasons for our apprehension to change. The decision to go to another platform or build one ourselves has been a wait and see game. Now that we're dipping our toes in a new platform, we're getting more comfortable with the idea. So when that change happens, we will switch to HTTPS.
 
   / No HTTPS on TBN? #22  
After 5 failed attempts you get locked out for 15 minutes. So you could try around 480 per 24 hour day.

That's not how the attack works. It's an offline attack. The attacker only needs a copy of the hash and a word list of prospective passwords. Then she runs the brute force on machines she controls, hashing each prospective password and checking to see if the result matches the hash she's attacking. There are no connections to TBN (or anywhere else). The limit is purely CPU speed and how many CPUs the attacker's willing to put to work.

We've had plans to change to HTTPS for a while. We're also currently morphing other sites to a new platform and have been working on a number of large scale upgrades to the various parts and pieces of TBN. We're aware that vbulletin is out of date and limited but we're also aware that our members are accustomed to the functionality and layout. Every time we've made a change in the past (we've made four major changes in 20 years), our membership doesn't like it and we see a 30% drop in post activity as a result. That's been one of the reasons for our apprehension to change. The decision to go to another platform or build one ourselves has been a wait and see game. Now that we're dipping our toes in a new platform, we're getting more comfortable with the idea. So when that change happens, we will switch to HTTPS.

Cool. I wrote some early forum software in the .com era. From that experience I can say that no matter what you change some people won't like the change. Also, don't roll your own.

/pine, you're misunderstanding how the attacker replays the hash. They write the protocol directly and send the hash in that. They don't use the hash as the password, calling through the library that takes the password and hashes it. They bypass that code.
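
The difference between the lockout-limited rate and the offline rate discussed in the posts above, worked through as an added example (not part of any post in this thread). The 5-attempts-per-15-minutes lockout and the 2 million MD5s/second figure come from the thread; the 8-lowercase-letter candidate space and the PBKDF2 parameters are assumptions chosen for illustration, the latter showing how a deliberately slow password hash lowers the offline rate.

```python
import hashlib
import time

SECONDS_PER_DAY = 24 * 60 * 60


def online_guesses_per_day(attempts_per_window, lockout_minutes):
    """Guesses per day when every batch of failed attempts costs one lockout."""
    windows_per_day = (24 * 60) // lockout_minutes
    return attempts_per_window * windows_per_day


def days_to_exhaust(candidates, guesses_per_day):
    """Days needed to try every candidate at a fixed daily rate."""
    return candidates / guesses_per_day


def compare(candidates=26 ** 8, md5_per_second=2_000_000):
    """Online (lockout-limited) versus offline (CPU-limited) guessing budgets."""
    online = online_guesses_per_day(5, 15)        # lockout policy from the thread
    offline = md5_per_second * SECONDS_PER_DAY    # laptop rate from the thread
    return {
        "online_per_day": online,
        "offline_per_day": offline,
        "online_days": days_to_exhaust(candidates, online),
        "offline_days": days_to_exhaust(candidates, offline),
    }


def md5_once(candidate):
    return hashlib.md5(candidate).digest()


def pbkdf2_once(candidate, iterations=100_000):
    # Salt and iteration count are constructed values for this example.
    return hashlib.pbkdf2_hmac("sha256", candidate, b"constructed-salt", iterations)


def measure_rate(hash_fn, seconds=0.2):
    """Hashes per second on this machine for hash_fn, using constructed inputs."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(b"constructed-candidate-%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,.2f}")
    print(f"md5/s here:    {measure_rate(md5_once):,.0f}")
    print(f"pbkdf2/s here: {measure_rate(pbkdf2_once):,.0f}")
```

The lockout only bounds guesses sent to the site; once a hash can be tested offline, the cost per guess of the hash function is the remaining control, which is why the measured PBKDF2 rate matters more than the lockout policy.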
 
   / No HTTPS on TBN? #23  
.../pine, you're misunderstanding how the attacker replays the hash. They write the protocol directly and send the hash in that. They don't use the hash as the password, calling through the library that takes the password and hashes it. They bypass that code....
Not misunderstanding...The hash still has to match what is in the database...rather than being passed via the interface it would have to be done through a URI...

It's like I pointed out...the only way anyone could capture the hash is by either compromising the entire database or directly hacking someone's home/office network...
 
   / No HTTPS on TBN? #24 (Thread Starter)
After 5 failed attempts you get locked out for 15 minutes. So you could try around 480 per 24 hour day.

We've had plans to change to HTTPS for a while. We're also currently morphing other sites to a new platform and have been working on a number of large scale upgrades to the various parts and pieces of TBN. We're aware that vbulletin is out of date and limited but we're also aware that our members are accustomed to the functionality and layout. Every time we've made a change in the past (we've made four major changes in 20 years), our membership doesn't like it and we see a 30% drop in post activity as a result. That's been one of the reasons for our apprehension to change. The decision to go to another platform or build one ourselves has been a wait and see game. Now that we're dipping our toes in a new platform, we're getting more comfortable with the idea. So when that change happens, we will switch to HTTPS.

:thumbsup: Thanks for the detailed reply, in 100% agreement that changing how TBN works isn't the best idea. If it isn't broken, don't fix it.

Out of curiosity does your hosting provider tie HTTPS to your software deployment? Generally SSL is a separate thing configured at the reverse proxy/load balancer but I'm not privy to all the technical details how TBN is setup.
 
   / No HTTPS on TBN? #25  
Why am I seeing more highlighted links now that when clicked on go to something that has nothing to do with the post, is that an http thing? Like in one post I typed in the word> ram and that becomes a highlighted link.
 
   / No HTTPS on TBN? #26  
By 'http' thing, if you mean is it related to http, then yes. If you hover over the link, it says 'Inserted by Vigilink'. Vigilink is a company that provides a snippet of http code that a web site owner can insert into their site to create links on keywords. When someone clicks one of those links, Vigilink gets a commission, and they pass along a % back to the owner of the site. I'm guessing TBN recently signed up w/ Vigilink...

If you use Chrome, there's a Chrome Extension that you can add called Ghostery that can block your browser from creating the Vigilink links (among blocking other ads and tracking tools).
 
   / No HTTPS on TBN? #27  
By 'http' thing, if you mean is it related to http, then yes. If you hover over the link, it says 'Inserted by Vigilink'. Vigilink is a company that provides a snippet of http code that a web site owner can insert into their site to create links on keywords. When someone clicks one of those links, Vigilink gets a commission, and they pass along a % back to the owner of the site. I'm guessing TBN recently signed up w/ Vigilink...

If you use Chrome, there's a Chrome Extension that you can add called Ghostery that can block your browser from creating the Vigilink links (among blocking other ads and tracking tools).
Or, go to http://www.tractorbynet.com/forums/profile.php?do=editprofile, then scroll down to the bottom of the page and choose "No" for both "Show inserted links" and "Allow inserted links in my posts"

Aaron Z
 
   / No HTTPS on TBN? #30  
Or, go to http://www.tractorbynet.com/forums/profile.php?do=editprofile, then scroll down to the bottom of the page and choose "No" for both "Show inserted links" and "Allow inserted links in my posts"

Aaron Z

Ta, Aaron... sure enough, both of those were ticked "yes" in my profile.

I didn't mind the odd idiosyncratic "kubota" link showing up but the recent avalanche of one/two word links was getting downright annoying.
 
   / No HTTPS on TBN? #33  
By 'http' thing, if you mean is it related to http, then yes. If you hover over the link, it says 'Inserted by Vigilink'. Vigilink is a company that provides a snippet of http code that a web site owner can insert into their site to create links on keywords. When someone clicks one of those links, Vigilink gets a commission, and they pass along a % back to the owner of the site. I'm guessing TBN recently signed up w/ Vigilink...

If you use Chrome, there's a Chrome Extension that you can add called Ghostery that can block your browser from creating the Vigilink links (among blocking other ads and tracking tools).
Yes that's exactly what I'm talking about, I had a feeling there'd be a $$$ connection somewhere except for me, might not mind it so much if the highlighted links were something about the post but it's more like forced commercials about something that I have no interest in. Now it's time for countermeasures.
 
   / No HTTPS on TBN? #34  
Ram ram ram ram, Kubota kubota Kubota, Bla bla bla...........................
 
   / No HTTPS on TBN? #35  
True, I run uBlock Origin on my browsers, makes pages load faster.

Aaron Z
I use Ad Blocker Plus. Works great and in the background. Shows a little icon with how many ads blocked every time a page 'loads'. Some sites will require you to turn it 'off' to navigate their pages but it is simple to use.
 
   / No HTTPS on TBN? #37  
I use Ad Blocker Plus. Works great and in the background. Shows a little icon with how many ads blocked every time a page 'loads'. Some sites will require you to turn it 'off' to navigate their pages but it is simple to use.

Me too but ABP doesn't stop highlighted links about stuff I don't care about. The way it's going for me, soon it will be hard to tell the difference between someone's highlighted link on his post that he wants me or a reader to click on, or could be someone else's advertisement selling whatever from wherever.
 
   / No HTTPS on TBN? #38  
Me too but ABP doesn't stop highlighted links about stuff I don't care about. The way it's going for me, soon it will be hard to tell the difference between someone's highlighted link on his post that he wants me or a reader to click on, or could be someone else's advertisement selling whatever from wherever.
Yeah, understand. When I post a link I do it with a line space before and after so people can tell it was me. When it is inline with the text, I tend not to click on it if I can't tell.
 
   / No HTTPS on TBN? #40  
Clarification:

Viglink is an affiliate network that inserts links on pages and then links to product pages for those products. We've tested it a couple times and we're running another test now. It only shows if you are not logged in. As other members have mentioned, you can also opt out even if you're not logged in.

We have other links as well, for specific tractor-related terms. This was something we implemented years ago and my original idea was to make it a useful link back to pages or manufacturers that are mentioned in posts. There is a limitation of one such link per post, however, so it isn't something that I expect to overwhelm the forum. Also, as I said, it's been on the site for several years at least, and although people have mentioned it, I haven't seen the feedback as lots of complaints so we just kept it on. Ideally, I will link terms like FEL and box blade to pages that explain more about those topics. On the list.

But back on topic, we have recently updated some of our other sites to HTTPS and TBN is due for the HTTPS upgrade some time this month. :thumbsup:
 
