1
tedsmith
Security regarding the plain text login of Xoops 2.0
  • 2008/11/9 16:25

  • tedsmith

  • Home away from home

  • Posts: 1151

  • Since: 2004/6/2 1


Hi

Using XOOPS 2.0.18.2, the default login block is conducted over plain, unencrypted, http instead of https.

I know that XOOPS uses the PHP md5crypt() function for converting the string to an MD5 value for storage in the database.

Prior to the string arriving at the server, though, the login form can be intercepted? So why is https not used by default for the login block, in the same way as it is for Yahoo and Hotmail logins?
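
The interception the question describes, as an added example that is not part of the original post or of XOOPS itself: a passive observer on the network path parses a captured login POST and reads the credentials straight out of the form body, while a captured TLS record carries the same submission as an opaque payload. The field names `uname` and `pass` and the `user.php` target are assumed for illustration, and both captures below are constructed, not real traffic.

```python
"""What a network sniffer learns from a plain-http login versus an https one.

Added example for this thread, not XOOPS code. It assumes the login block posts
the fields `uname` and `pass` to user.php (an assumption for illustration).
"""
from urllib.parse import parse_qs

# Constructed sample: a login block submission over plain http, as seen on the wire.
_BODY = b"uname=tedsmith&pass=s3cret%21&op=login&xoops_redirect=%2F"
PLAIN_HTTP_LOGIN = (
    b"POST /user.php HTTP/1.1\r\n"
    b"Host: xoops.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(_BODY)
    + b"\r\n"
    + _BODY
)

# Constructed sample: a TLS application-data record (type 0x17, version 3.x).
# Whatever the login block submitted is inside the encrypted payload; the
# observer only sees the 5-byte record header and ciphertext.
TLS_APPLICATION_DATA = b"\x17\x03\x01\x00\x10" + bytes(range(0x10))


def looks_like_tls_record(data: bytes) -> bool:
    """True if data starts with a TLS record header (content type 0x14-0x17,
    major version 0x03), i.e. the payload is ciphertext, not readable HTTP."""
    return (
        len(data) >= 5
        and 0x14 <= data[0] <= 0x17
        and data[1] == 0x03
        and data[2] <= 0x04
    )


def extract_login(capture: bytes):
    """Recover the login form fields from a captured request.

    Returns {'path', 'uname', 'pass'} when the capture is a readable
    form-encoded HTTP POST carrying both fields, and None when it is a TLS
    record (opaque to the observer) or not a login submission at all.
    """
    if looks_like_tls_record(capture):
        return None
    head, sep, body = capture.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"POST":
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"application/x-www-form-urlencoded" not in headers.get(b"content-type", b""):
        return None
    length = int(headers.get(b"content-length", b"0"))
    # parse_qs undoes the percent-encoding, so the observer gets the password verbatim.
    fields = parse_qs(body[:length].decode("utf-8", "replace"))
    if "uname" not in fields or "pass" not in fields:
        return None
    return {
        "path": parts[1].decode(),
        "uname": fields["uname"][0],
        "pass": fields["pass"][0],
    }


if __name__ == "__main__":
    print("plain http capture ->", extract_login(PLAIN_HTTP_LOGIN))
    print("tls capture        ->", extract_login(TLS_APPLICATION_DATA))
```

Note that the server-side hashing mentioned in the post happens after this point: the hash protects the stored value in the database, not the value in transit, which is exactly why the form has to be served and submitted over https for the interception above to fail.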

2
yeppers
Re: Security regarding the plain text login of Xoops 2.0
  • 2008/11/9 19:03

  • yeppers

  • Just popping in

  • Posts: 27

  • Since: 2008/9/15


Well, even md5 is insecure.

But on the regard of https as default...

For the ability to use https, your server needs to have a verified SSL certificate that has been registered with the certificate authorities, and that costs money. Not everyone uses it, and it's only really necessary for sites that have dealings with cash or credit card details or confidential information.

But just because you use SSL doesn't mean it's secure. The transport is encrypted, yes, but it doesn't protect you from the middle man if your site has been breached, as then they will have access to the plain content as well as the encrypted layer and public keys.

3
tedsmith
Re: Security regarding the plain text login of Xoops 2.0
  • 2008/11/9 21:39

  • tedsmith

  • Home away from home

  • Posts: 1151

  • Since: 2004/6/2 1


I'm not attacking XOOPS - I'm just asking what the thinking process is behind using plain text logins with very little emphasis being placed on the https option. If you didn't know it was there, you'd struggle to find it. And that is my point really - the option of using HTTPS should be made more obvious.

True - it costs to have a validated certificate, but not a self-generated one. That costs nothing.

And yes, https won't protect against a breached server, but it will add a layer of protection to a server that has not been breached and is better than sending passwords down the line in the plain.


4
sailjapan
Re: Security regarding the plain text login of Xoops 2.0

Quote:
And that is my point really - the option of using HTTPS should be made more obvious


I dunno, it seems pretty obvious to me. The option to use it is in the first preference page an admin is going to tinker with (admin>system>preferences>General Settings).

How would you make it more obvious?
Never let a man who does not believe something can be done, talk to a man that is doing it.
