Is Afrihost using plaintext or at least password hashing?

Necuno


When I look at my cPanel login I can see this:
https://c-kthanrvv.aserv.co.za/login?pass=<password here>&user=<username here>

AFAIK hashed password can't be reversed as you compare the actual hash.
 
Their clientzone logins use hashed passwords.

Ah, but yes, I see where you're going with this.
Ideally you'd hash the passwords before sending them through.
 
AFAIK hashed password can't be reversed as you compare the actual hash.
That would depend on the implementation & hash function used. Specifically whether they are using salted passwords. Without salted passwords, rainbow tables become viable (depending on the next part). On the hash front - you'd need specifically a cryptographic hash...and one that isn't known to be weak.

https://c-kthanvv.aserv.co.za/login?pass=<password here>&user=<username here>
That is a bit of a problem. afaik HTTPS *URLs* are not encrypted...just the contents being sent. Assuming I'm right in that it is a little sketchy...though the risk is reasonably low. It's not something a nooblet can easily exploit. Dangers such as keyloggers are much more likely to ruin your day.

I suspect AH's security is equal/superior to most ISPs though so a witchhunt is inappropriate imo.

Plus for anyone really freaked out - AH does accept virtual CCs (I tried it).
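
The salting point raised in the reply above, as an added example that is not part of the original thread and says nothing about how Afrihost actually stores passwords: an unsalted fast hash falls to a precomputed table, while a per-user salt with a slow KDF does not, and login still works by recomputing and comparing digests. The password list, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed (rainbow-style) table.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]

def unsalted_hash(password):
    """Fast, unsalted digest: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

# digest -> password, computed once and reusable against any unsalted database.
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}

def table_lookup(stored_hex):
    """Return the password if the stored digest is in the precomputed table."""
    return PRECOMPUTED.get(stored_hex)

def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest  # all three are stored with the account

def verify(password, salt, iterations, expected):
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # Unsalted: one dictionary lookup recovers the password.
    print("unsalted lookup:", table_lookup(unsalted_hash("letmein")))

    # Salted: two users with the same password get different records,
    # and the precomputed table no longer matches either of them.
    salt_a, n, rec_a = salted_hash("letmein")
    salt_b, _, rec_b = salted_hash("letmein")
    print("records differ:", rec_a != rec_b)
    print("salted lookup:", table_lookup(rec_a.hex()))

    # The server never reverses the hash; it only recomputes and compares.
    print("correct password:", verify("letmein", salt_a, n, rec_a))
    print("wrong password:", verify("letmein1", salt_a, n, rec_a))
```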
 
I witch-hunt if I ask a question :confused:
Was more preemptive than anything else. People get freaked out easily by this stuff so someone hinting (even as a query) about plaintext has potential for getting out of hand.
 
Was more preemptive than anything else. People get freaked out easily by this stuff so someone hinting (even as a query) about plaintext has potential for getting out of hand.

Oh yeah that. The mouse is feared by the lion :D
 
That is a bit of a problem. afaik HTTPs *URLs* are not encrypted...just the contents being sent. Assuming I'm right in that it is a little

No, incorrect. SSL sits below the HTTP protocol in the network stack. Everything is encrypted.
 
No, incorrect. SSL sits below the HTTP protocol in the network stack. Everything is encrypted.
I see thanks.

Even DNS requests to resolve the site?
Not a risk. Only top level gets sent. (again afaik...I'm in finance so what do I know)

Edit: Actually no that doesn't quite sound right...different subdomains can resolve to diff addresses. Pretty sure the parameters won't get sent to the DNS though.
 
I see thanks.


Not a risk. Only top level gets sent. (again afaik...I'm in finance so what do I know)

Edit: Actually no that doesn't quite sound right...different subdomains can resolve to diff addresses. Pretty sure the parameters won't get sent to the DNS though.

Yup - only the https://c-kthanvv.aserv.co.za/ part will go to DNS. The rest will be placed in after the IP address is received :D
 