
Why doesn't BlackHatWorld use https?

Discussion in 'BlackHat Lounge' started by LaidbackLad, Apr 4, 2016.

  1. LaidbackLad

    LaidbackLad Newbie

    Joined:
    Apr 3, 2016
    Messages:
    13
    Likes Received:
    18
    So I was wondering, BlackHatWorld is such a big reputed site with lots of visitors sharing their personal information. Why not use https to secure the communication two ways? I know it has a little overhead in terms of performance. But shouldn't users' security be favored more than performance? Or are there any plans of using https later in future?
     
    • Thanks Thanks x 1
  2. WebTG

    WebTG Jr. VIP Jr. VIP

    Joined:
    Mar 18, 2015
    Messages:
    554
    Likes Received:
    148
    Because all hackers are respected members of this forum.
     
    • Thanks Thanks x 4
  3. LJ Junior

    LJ Junior Regular Member

    Joined:
    Nov 6, 2015
    Messages:
    466
    Likes Received:
    406
    Reputation is built with time. You generally don't consider SSL encryption significant in the early days, especially for a forum. Well, after building reputation, it is one heck of a task to move a site from HTTP to HTTPS.

    I think they might have given it a thought for a new release now, which might come out pretty soon.. :)
    You got to wait & see!
     
  4. kickthat

    kickthat Jr. VIP Jr. VIP

    Joined:
    Sep 18, 2014
    Messages:
    356
    Likes Received:
    407
    Gender:
    Male
    Location:
    UK
    What 'personal information' do you think users are sharing that needs to be secure? I think it's OTT to use https to protect a user's password and email address - or am I missing something? It's more often used for sensitive information which could be used to identify that individual or commit fraud - I'm thinking address and/or credit card details.
     
    • Thanks Thanks x 1
  5. LJ Junior

    LJ Junior Regular Member

    Joined:
    Nov 6, 2015
    Messages:
    466
    Likes Received:
    406
    Private Skype details are shared here, but they're only visible to registered members :)
    So, not much personal stuff, but it's always good to be cautious of malware and other attacks..
     
  6. Sherbert Hoover

    Sherbert Hoover Jr. Executive VIP Jr. VIP

    Joined:
    Dec 26, 2010
    Messages:
    997
    Likes Received:
    8,046
    Occupation:
    ORM - Branding - Content
    Location:
    United States
    Home Page:
    Blackhatworld has never had any data related issues before.

    Oh wait.
     
    • Thanks Thanks x 7
  7. LJ Junior

    LJ Junior Regular Member

    Joined:
    Nov 6, 2015
    Messages:
    466
    Likes Received:
    406
    Damnnn.. Didn't see that coming!
     
  8. RuthSam

    RuthSam Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 19, 2010
    Messages:
    3,812
    Likes Received:
    973
    Gender:
    Male
    Home Page:
    vBulletin just announced they have moved all their Cloud customers to https; that may be the reason why OP is asking. The idea to protect a forum with SSL is good and should be considered, I think.
     
    • Thanks Thanks x 1
  9. qrazy

    qrazy Senior Member

    Joined:
    Mar 19, 2012
    Messages:
    1,115
    Likes Received:
    1,723
    Location:
    Banana Republic
    It has nothing to do with HTTPS.
     
  10. Eternal1912

    Eternal1912 Power Member

    Joined:
    Dec 6, 2014
    Messages:
    621
    Likes Received:
    246
    Gender:
    Male
    Occupation:
    Freelance Writer
    Location:
    Bulgaria
    I think that all hackers are members of the forum <---
     
  11. LaidbackLad

    LaidbackLad Newbie

    Joined:
    Apr 3, 2016
    Messages:
    13
    Likes Received:
    18
    Maybe you're right. We don't share sensitive information here. But still, the site is susceptible to Man in the Middle attacks. They might not get much with our username and password. But what if the user has used the same username/password combo on many sites? One might think the password contains only dots or stars, but it's just on the client side. When you submit the form and the request is intercepted, the attacker might get access to the username/password combo. vBulletin may hash the passwords on the client side with JavaScript, but what if the user has JavaScript disabled?
     
    • Thanks Thanks x 2
    Last edited: Apr 4, 2016
  12. LaidbackLad

    LaidbackLad Newbie

    Joined:
    Apr 3, 2016
    Messages:
    13
    Likes Received:
    18
    Damn. I'm getting paranoid right now. Lol.
     
  13. LaidbackLad

    LaidbackLad Newbie

    Joined:
    Apr 3, 2016
    Messages:
    13
    Likes Received:
    18
    Nah. I don't know about that. I'm learning about web development right now. Web app security is a very important issue to address. I just happened to notice it because I've been dealing with http, https, signing, salting, hashing, TLS handshake all day long.
     
    Last edited: Apr 4, 2016
  14. Sherbert Hoover

    Sherbert Hoover Jr. Executive VIP Jr. VIP

    Joined:
    Dec 26, 2010
    Messages:
    997
    Likes Received:
    8,046
    Occupation:
    ORM - Branding - Content
    Location:
    United States
    Home Page:
    No shit, Sherlock. Thanks for your amazing addition.
     
    • Thanks Thanks x 1
  15. qrazy

    qrazy Senior Member

    Joined:
    Mar 19, 2012
    Messages:
    1,115
    Likes Received:
    1,723
    Location:
    Banana Republic
    Last edited: Apr 5, 2016
  16. Conor

    Conor Jr. VIP Jr. VIP

    Joined:
    Nov 7, 2012
    Messages:
    3,540
    Likes Received:
    5,858
    Gender:
    Male
    Location:
    South Africa
    Home Page:
    Don't be. Clearly these people haven't been on the forum very much, or they would know that hacking is not something we associate ourselves with here.
     
  17. JustUs

    JustUs Power Member

    Joined:
    May 6, 2012
    Messages:
    626
    Likes Received:
    582
  18. qrazy

    qrazy Senior Member

    Joined:
    Mar 19, 2012
    Messages:
    1,115
    Likes Received:
    1,723
    Location:
    Banana Republic
    You don't even have to hack, there are tons of SSL interceptors available in the market that can seamlessly decrypt the data.
     
  19. LaidbackLad

    LaidbackLad Newbie

    Joined:
    Apr 3, 2016
    Messages:
    13
    Likes Received:
    18
    JustUs and qrazy:

    True. I didn't really know about this. So unless you're a hacker yourself there's no such thing as security in the interwebs?
     
  20. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,567
    Likes Received:
    11,031
    Occupation:
    Pusillanimous Knitter
    Location:
    Buenos Aires
    You can't get plaintext traffic out of SSL unless:

    a) You have a 0-day crypto attack on the underlying encryption scheme (you don't)
    b) You have a means of generating a trusted certificate (you don't)

    That's it. What you are thinking of works by "downgrading" to HTTP. That assumes that a) the target site uses http as well as https and b) the user will not notice the padlock missing.
     
    • Thanks Thanks x 1
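The two conditions in the last post (the site answers on http as well as https, and the user has to notice the missing padlock) are what a redirect plus HSTS take away. The following is an added example, not part of the thread or of any forum software: it checks a pair of captured responses for those gaps. The `Response` type, the 180-day threshold, the `forum.example` host and the sample responses are all constructed for illustration.

```python
from dataclasses import dataclass, field

MIN_HSTS_MAX_AGE = 15552000  # 180 days; threshold assumed for this example

@dataclass
class Response:
    """One captured HTTP response (constructed sample, not real traffic)."""
    status: int
    headers: dict = field(default_factory=dict)      # lower-case header names
    set_cookies: list = field(default_factory=list)  # raw Set-Cookie values

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age":
            val = val.strip('"')
            return int(val) if val.isdigit() else None
    return None

def downgrade_findings(http_resp, https_resp):
    """List reasons a browser could be kept on plain HTTP for this site."""
    findings = []
    location = http_resp.headers.get("location", "")
    if not (http_resp.status in (301, 302, 307, 308)
            and location.startswith("https://")):
        findings.append("http:// serves content instead of redirecting to https://")
    hsts = https_resp.headers.get("strict-transport-security")
    age = hsts_max_age(hsts) if hsts else None
    if age is None:
        findings.append("no usable Strict-Transport-Security header on https://")
    elif age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {age}s is below {MIN_HSTS_MAX_AGE}s")
    for cookie in https_resp.set_cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie.split('=', 1)[0]!r} lacks Secure")
    return findings

# Constructed samples: a site answering on both schemes vs. an HTTPS-only site.
MIXED = (Response(200, {"content-type": "text/html"}),
         Response(200, {}, ["session=abc123; Path=/; HttpOnly"]))
HARDENED = (Response(301, {"location": "https://forum.example/"}),
            Response(200, {"strict-transport-security":
                           "max-age=31536000; includeSubDomains"},
                     ["session=abc123; Path=/; HttpOnly; Secure"]))

if __name__ == "__main__":
    for label, pair in (("mixed", MIXED), ("hardened", HARDENED)):
        print(label, downgrade_findings(*pair))
```

A redirect alone still leaves the very first http:// request exposed; the HSTS header is what tells a returning browser to skip that request entirely.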