No SSL for TZT.com?

Discussion in 'Tech Heads' started by Chemosh, Oct 26, 2018.

  1. Chemosh

    Chemosh TZT Addict

    Post Count:
    4,227
    UT, I figured you'd be on top of this, but you're allowing login sessions over HTTP which exposes the user name and password of the individual in clear text.

    Here's an example of the login POST request to TZT.com when I log in, which is over HTTP:
    login=chemosh&register=0&password=mysupersecretpassword&cookie_check=1&redirect=%2Fbb%2Findex.php&_xfToken=
     
  2. Sear

    Sear TZT Neckbeard Lord

    Post Count:
    30,561
     
  3. Utumno

    Utumno Administrator Staff Member

    Post Count:
    39,317
    I posted about this ages ago - no, I don't have SSL enabled for TZT and it was on my todo list (along w/upgrading the board).

    That said, the only real risk here is if somehow my AWS account was compromised and someone was packet sniffing traffic to the instance for login info. I don't think it's rly likely.

    I really do want to fix this though, especially since paying for an SSL cert isn't strictly necessary anymore. I may take it on during Christmas break or something or when I just have free time on a weekend.
     
  4. Chemosh

    Chemosh TZT Addict

    Post Count:
    4,227
    Or if someone was packet sniffing on a user's computer. You can easily set this up with Let's Encrypt for free and then proxy to port 80 on the back end if you set up a proxy.
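
The setup suggested in the post above (a TLS-terminating proxy with a Let's Encrypt certificate in front of a plain-HTTP back end), sketched as an nginx configuration. This is an added example, not part of the original thread and not the site's actual configuration; the hostname `forum.example.com`, the back-end address `10.0.0.10` and the webroot `/var/www/letsencrypt` are placeholders, and the certificate paths assume certbot's default layout.

```nginx
# Added example: hostname, back-end address and webroot are placeholders (assumptions).

# Plain-HTTP listener: never serve the login form here, only redirect.
server {
    listen 80;
    server_name forum.example.com;

    # Let the ACME HTTP challenge through so certificate renewals keep working.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS terminates here; the forum itself keeps listening on port 80 on the back end.
server {
    listen 443 ssl;
    server_name forum.example.com;

    # certbot's default output paths for this hostname.
    ssl_certificate     /etc/letsencrypt/live/forum.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to stop trying HTTP for this host once HTTPS works.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://10.0.0.10:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets the forum software know the client side was HTTPS, so it can
        # generate https:// links and mark session cookies Secure.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The hop from the proxy to the back end is still cleartext, so it belongs on loopback or a private network segment.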
     
  5. Utumno

    Utumno Administrator Staff Member

    Post Count:
    39,317
    YES I KNOW ALL THAT MAN THANKS FOR THE LESSON IN HOW TO RUN WEB SERVICES
     
  6. Utumno

    Utumno Administrator Staff Member

    Post Count:
    39,317
    p.s. regardless of state of tzt encryption, don't use same pwd here as you do for everything else you use because that is a bad idea even though i'm sure tons of ppl do it kthx
     
  7. Jackpanel

    Jackpanel TZT Abuser

    Post Count:
    6,695
    I use your banking pin # as my TZT password.
     
  8. Skars

    Skars I never troll

    Post Count:
    41,500
    My password is KillUtumno feel free to login and POST POST POST
     
  9. Kilinitic

    Kilinitic 6,000 feet beyond man and time

    Post Count:
    15,992
    Wow utumno and to think I thought u were on a roll w/ that Czer thread fix
     
  10. Harper

    Harper encrypted account, pls don't sniff my packet

    Post Count:
    4,956
    utumno please dont let anyone sniff my packet
     
  11. Utumno

    Utumno Administrator Staff Member

    Post Count:
    39,317
    everyone pls don't sniff harper's packet thx
     
  12. Harper

    Harper encrypted account, pls don't sniff my packet

    Post Count:
    4,956
  13. Utumno

    Utumno Administrator Staff Member

    Post Count:
    39,317
    I've added encryption now ARE YOU FUCKING HAPPY CHEMOSH?
     
  14. Chemosh

    Chemosh TZT Addict

    Post Count:
    4,227
  15. Czer

    Czer I'm a poor person. The lambo is my cousin's.

    Post Count:
    20,954
    i just saw this thread, i also told utumno this before (p sure that's why it was fixed)

     
  16. Agrul

    Agrul TZT Neckbeard Lord

    Post Count:
    44,931
    reported this thread to the fbi gg utumno you fucked up for the last time son