Post
Topic
Board Trading Discussion
Re: Question!
by
fitty
on 24/07/2011, 10:23:31 UTC
Fixed.
Nope, fitty had it right the first time. The login is over https and this stops anyone sniffing your password (so long as you check it is actually https and not http before you enter it), but viewing topics and posting is done over unencrypted http. This means that the cookie used to authenticate you after you've logged in is also sent unencrypted over http and anyone who's sniffing your traffic can clone your cookie and gain access to your account.

This is exactly what the infamous Firesheep extension for Firefox allows an attacker to do; a lot of sites have this issue.

I don't know how you're doing that. Every single access I make to the forum is through https.

Because your bookmark is https.

Google bitcoin forum. Click the http:// link. If you set "remember me" when you logged in, you're on the forum, logged in, on http. The only way to get https is by going through a https link back to the forum.

The forum should force https plain and simple. With the amount of attacks, trojans, wallet stealers, it's a pretty simple fix. The extra load on the server is minor and it gives a lot of security. Global SSL cert is like 195 bucks a year.

Crypto virtual currency network and the wallet/website are unencrypted.
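The session-cookie problem discussed in this thread can be checked from the response headers a site sends at login. The following is an added example, not part of the original posts: it audits a raw HTTP response for a session cookie lacking the `Secure` attribute and for a missing `Strict-Transport-Security` header. The cookie name `SESSID` and both sample responses are constructed for illustration.

```python
# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSID=abc123; Path=/; Expires=Wed, 24 Jul 2013 10:23:31 GMT\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: SESSID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_headers(raw):
    """Return lowercase (name, value) pairs from the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """List the reasons a logged-in session could travel over plain http."""
    headers = parse_headers(raw)
    findings = []
    # Without HSTS the browser still follows http:// links and bookmarks.
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no HSTS header: http:// links are still followed")
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values (Path=/ etc.) are dropped.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: no Secure flag, sent on http requests")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(raw))
```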