mybroadband.co.za has no SSL certificate?

timog

Active Member
Joined
Sep 16, 2010
Messages
31
I could be wrong, but I'm browsing on TBB at the moment, and when I copy and paste the URL I get http://mybroadband.co.za/vb/
Considering that TBB always has SSL, that means that mybroadband has no SSL certificate and that your password is being sent to the server in plaintext over HTTP. Correct me if I'm wrong.
This is a major problem.
Thanks.
 

DrJohnZoidberg

Honorary Master
Joined
Jul 24, 2006
Messages
22,980
I do agree that any site that accepts username/password combinations should do this over SSL, but it being a "major problem" is maybe just a little overboard.
 

diabolus

Executive Member
Joined
Feb 4, 2005
Messages
6,310
What people don't realise is, this is exactly how hackers get your email + banking details. They hack "easy" sites like these, grab your email address and password, and in a lot of cases it is identical to your email / banking / apple / amazon / [sitename]. So yes, it's primarily the fault of us users who don't have a unique password for every site, but that's how it works.

While it's a big public outcry when an actual big site gets hacked, most forums don't even know they get hacked. So the best we can do is ensure your password is different than any account that contains further information. An even better way is to use different email aliases also, so that your "account name" (which is often your email address) is also protected.
 

w1z4rd

Karmic Sangoma
Joined
Jan 17, 2005
Messages
49,689
> I do agree that any site that accepts username/password combinations should do this over SSL, but it being a "major problem" is maybe just a little overboard.

Without SSL Chinese people can't post here without their government watching. Without SSL anyone on their network can pull their passwords. Not major, but still serious.
 

ShawnStar

Well-Known Member
Joined
Nov 7, 2011
Messages
223
> What people don't realise is, this is exactly how hackers get your email + banking details. They hack "easy" sites like these, grab your email address and password, and in a lot of cases it is identical to your email / banking / apple / amazon / [sitename]. So yes, it's primarily the fault of us users who don't have a unique password for every site, but that's how it works.
>
> While it's a big public outcry when an actual big site gets hacked, most forums don't even know they get hacked. So the best we can do is ensure your password is different than any account that contains further information. An even better way is to use different email aliases also, so that your "account name" (which is often your email address) is also protected.


Jip, if people use the same login details for all sites then it's their own problem. (or rather their own stupidity)
 

eCliPSe

Well-Known Member
Joined
Nov 17, 2010
Messages
266
> I could be wrong, but I'm browsing on TBB at the moment, and when I copy and paste the URL I get http://mybroadband.co.za/vb/
> Considering that TBB always has SSL, that means that mybroadband has no SSL certificate and that your password is being sent to the server in plaintext over HTTP. Correct me if I'm wrong.
> This is a major problem.
> Thanks.

Adding an SSL certificate doesn't make it much harder to hack an account with weak passwords anyways.... xD No real need for SSL cert here :D
 

w1z4rd

Karmic Sangoma
Joined
Jan 17, 2005
Messages
49,689
> Adding an SSL certificate doesn't make it much harder to hack an account with weak passwords anyways.... xD No real need for SSL cert here :D

Of course it does. The passwords are being transmitted in plaintext via the internet. Anyone between their PC and mybb can intercept that data.
 

member2204

Senior Member
Joined
Feb 14, 2006
Messages
617
> Jip, if people use the same login details for all sites then it's their own problem. (or rather their own stupidity)

Probably the same people that get bitten by the OOB Shark. Now it's myBB's fault for not educating the users!!
 

eCliPSe

Well-Known Member
Joined
Nov 17, 2010
Messages
266
> Of course it does. The passwords are being transmitted in plaintext via the internet. Anyone between their PC and mybb can intercept that data.

I bet you 99% of the people here use a very insecure password that you can find in a dictionary. So if I had any desire to hack an account on MBB I would not intercept data. I would fire up my BT5r3 and "hydra -S -l ghoti -P rockyou.txt www.mybroadband.co.za http" and go make some coffee. xD As intercepting data from the public domain is so much more work. I think if you have ever tried it you would understand the amount of time and effort is just too much for a silly forum account.
 

w1z4rd

Karmic Sangoma
Joined
Jan 17, 2005
Messages
49,689
> I bet you 99% of the people here use a very insecure password that you can find in a dictionary.

Irrelevant, dictionary attacks are useless on most websites as they often block an IP after X failed login attempts.

> So if I had any desire to hack an account on MBB I would not intercept data. I would fire up my BT5r3 and "hydra -S -l ghoti -P rockyou.txt www.mybroadband.co.za http" and go make some coffee. xD As intercepting data from the public domain is so much more work. I think if you have ever tried it you would understand the amount of time and effort is just too much for a silly forum account.

That would fail after 5 attempts, but you are welcome to have a try at it.

Intercepting data is hard work? I can pull the passwords of everyone on my network in about 5 min using ettercap (with man-in-the-middle ARP poisoning).
 

eCliPSe

Well-Known Member
Joined
Nov 17, 2010
Messages
266
> Irrelevant, dictionary attacks are useless on most websites as they often block an IP after X failed login attempts.
>
> That would fail after 5 attempts, but you are welcome to have a try at it.
>
> Intercepting data is hard work? I can pull the passwords of everyone on my network in about 5 min using ettercap (with man-in-the-middle ARP poisoning).

xD LOL yeah it closes the TCP session after 5 attempts. It doesn't block the IP address, Sherlock. (0o) As to trying it, ummm, no, it is illegal.

Yes intercepting data is much more work. It is really not the way someone would go about hacking a forum account.

"ARP poisoning" xD LMFAO.... stop it xD BAWABA BABABABABABABAWABWWBABABA

Please take us through the steps on how you would accomplish that xD

( if you have people packet capturing on your network you should perhaps have that looked at first ;) )
 
Last edited:
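
The disagreement above about what happens after five failed logins, as an added example that is not part of any post in this thread: a server-side throttle in Python that counts failures per account and per source IP, so closing and reopening the TCP connection does not reset the count. The 15-minute window, the names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # the "5 attempts" figure mentioned in the thread
WINDOW = 900            # seconds a failure stays counted (assumed value)


class LoginThrottle:
    """Counts recent failures per account and per source IP.

    The state lives on the server, keyed by identity rather than by
    connection, so a new TCP session starts with the same counters.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)   # key -> failure timestamps

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()                       # forget expired failures
        return len(q)

    def allowed(self, user, ip, now):
        return (self._recent(("user", user), now) < self.max_failures
                and self._recent(("ip", ip), now) < self.max_failures)

    def record_failure(self, user, ip, now):
        self._failures[("user", user)].append(now)
        self._failures[("ip", ip)].append(now)


def replay(events, throttle):
    """events: (time, connection_id, ip, user, password_ok) tuples."""
    decisions = []
    for now, _conn, ip, user, ok in events:
        if not throttle.allowed(user, ip, now):
            decisions.append("blocked")       # password is never checked
        elif ok:
            decisions.append("accepted")
        else:
            throttle.record_failure(user, ip, now)
            decisions.append("rejected")
    return decisions


# Constructed log: 7 failed logins for one account, each on a new connection.
SAMPLE = [(t, "conn-%d" % t, "192.0.2.10", "alice", False) for t in range(7)]
```

Per-account counting also lets a third party lock a legitimate user out for the length of the window, which is why deployments often pair it with a delay or CAPTCHA rather than a hard block.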

SBSP

Senior Member
Joined
Sep 7, 2007
Messages
663
I don't even know what my Broadband password is :)
If my cookies get deleted I have to reset it again; if I'm not mistaken it's the generated password.
 

za_bullet

Active Member
Joined
May 24, 2008
Messages
35
I'd like to resurrect this post in 2016.....do people still feel so nonchalant about a website not running HTTPS?

zb.
 

Arthur

Honorary Master
Joined
Aug 7, 2003
Messages
26,428
Yes. Nonchalant. I have unique username, pw and email for this site. And others.
 