Login Security Warnings

Darkprincess69

High Priestess of Slaanesh
For the last couple of days now I've been receiving a security warning every time I try to log in here. I'm getting a box with the message "Your connection is not secure and may be compromised" etc. I tried to use a secure connection but it seems that there is no https version of this site, which is getting a bit uncommon these days.

Has anyone else had this problem, and what can be done about it? (aside from just ignoring the warning and logging in anyway)
 
Yes, I have since 2 or 3 weeks ago, but, in my opinion, it's not a real problem if you're well protected on your computer...
I suspect Windows sends this message, trying to sell another anti-virus or something like that!
 
I'm getting a box with the message "Your connection is not secure and may be compromised" etc.
I suspect Windows sends this message, trying to sell another anti-virus or something like that!

No it's not Windows, happens on Linux too.
It's just that recent versions both of Firefox and Chrome are more upfront about telling users about the risk that they are about to commit login credentials through an insecure channel, and the browsers now show that warning message for any and all login forms that aren't accessed by https.

Simply put if you transmit a login through plain http, that does mean the password could be picked up if someone's 'sniffing' into the connection, that's most likely to happen in situations where you're connecting through a public access point.

It's exacerbated by the fact that Xenforo transmits the password in plain text in the POST request to the server. See here ... https://xenforo.com/community/threads/password-transmitted-in-plaintext-possible-solutions.47417/
Some other systems implement a bit of security there, for instance using a perishable keypair created for the login process.

With Xenforo, seeing this, I guess it's clear the only thing to do is implement HTTPS or continue as usual. (The idea about hashing discussed in the linked thread is nonsense)
There's an addon called LoginSecurity https://xenforo.com/community/resources/loginsecurity.5286/, the one benefit it supplies is 'Users have the option of being emailed when they login with a new IP' i.e. if someone took over your account you would get one warning mail for the attacker's first login before they change your password and remove your email address from the account ;)
 
Last edited:
It's just that recent versions both of Firefox and Chrome are more upfront about telling users about the risk that they are about to commit login credentials through an insecure channel,
And Opera too ...
 
No it's not Windows, happens on Linux too.
It's just that recent versions both of Firefox and Chrome are more upfront about telling users about the risk that they are about to commit login credentials through an insecure channel, and the browsers now show that warning message for any and all login forms that aren't accessed by https.

Simply put if you transmit a login through plain http, that does mean the password could be picked up if someone's 'sniffing' into the connection, that's most likely to happen in situations where you're connecting through a public access point.

It's exacerbated by the fact that Xenforo transmits the password in plain text in the POST request to the server. See here ... https://xenforo.com/community/threads/password-transmitted-in-plaintext-possible-solutions.47417/
Some other systems implement a bit of security there, for instance using a perishable keypair created for the login process.

With Xenforo, seeing this, I guess it's clear the only thing to do is implement HTTPS or continue as usual. (The idea about hashing discussed in the linked thread is nonsense)
There's an addon called LoginSecurity https://xenforo.com/community/resources/loginsecurity.5286/, the one benefit it supplies is 'Users have the option of being emailed when they login with a new IP' i.e. if someone took over your account you would get one warning mail for the attacker's first login before they change your password and remove your email address from the account ;)
Very informative, thank you!
Maybe this issue will be solved with the next XenForo update.
 
'https' tells you a site's safe for sending information like bank card details - they'll be encrypted
I always check that's the prefix to the url when I'm ordering and paying for stuff online,
but on CruxForums you'll not be asked for anything like that, so https is unnecessary.

I've had 'not secure' warnings sometimes, from Chrome, but I soon realised that's what they meant,
and haven't worried about them.
 
Yes, I have since 2 or 3 weeks ago, but, in my opinion, it's not a real problem if you're well protected on your computer...
I suspect Windows sends this message, trying to sell another anti-virus or something like that!
Well I'm on Linux and I still get this warning so it's obviously not just a Windows thing. I think it's to do with the fact that the site doesn't support https logins (frankly after the Heartbleed fiasco a couple of years ago, I thought that all sites were going to move to secure login but apparently not)
 
'https' tells you a site's safe for sending information like bank card details - they'll be encrypted
I always check that's the prefix to the url when I'm ordering and paying for stuff online,
but on CruxForums you'll not be asked for anything like that, so https is unnecessary.

I've had 'not secure' warnings sometimes, from Chrome, but I soon realised that's what they meant,
and haven't worried about them.
Exactly, so, DP, don't care, it's not important... ;)