Just figured that our forums are not accessible through https. That's a little concerning imho... Just thinking about last year's conundrum around firesheep and https. The fact that it's that easy to hijack a session, would it be smart to invest in a godaddy.com or equivalent SSL certificate to get our beloved website a little more secure? Or at least give it a serious thought.
Didn't know where else to put it, didn't figure it belonged in the general forums section.
For those of you that haven't heard of firesheep, here are a couple of URLs for you: http://www.google.com/#q=firesheep, http://codebutler.com/firesheep, https://github.com/codebutler/firesheep :-)
Sounds like a good idea, especially those using wifi hotspots IIRC?
Yep, any user of an open wifi hotspot would be an easy target for session hijacking.
Firesheep is a pain in the ass, yeah I am with Oth here.
This is why I never do any forum admin when I'm out and about on the road. Such as now for instance, as I'm sat in a coffee shop with an open wifi network. Sometimes I get requests from Game Admins to give access to a certain forum to someone. It has to wait till I get home. It would be nice to be able to admin the forum from any location.
As someone who suffered a Gmail account hack last night - I endorse this suggestion.
I suspect someone nabbed my password while I was logged into Gmail on my phone, probably on an open wifi network somewhere. Luckily Google spotted it and shut down my account before they could do any damage.
Dunno about godaddy, but if this is something that is to be considered then I use trustico for SSL certs. This one (http://www.trustico.co.uk/products/rapidssl/cheap-rapidssl-ssl-certificate.php) will suffice I feel.
However, it'd be a global change as we'd need to change the config so everyone will be connecting over SSL, and if we have any external API links (google analytics, wowhead spring to mind) then we will get this issue (http://www.vbulletin.com/forum/showthread.php/296821-Mixed-Content-warnings-over-SSL) due to the browser complaining about mixed content warnings.
Mixed content warnings are better than session hijacking imho, and godaddy was just a browser preapproved CA. As long as we post a message while sorting out the external links to sites like GA and wowhead over time, there really shouldn't be a problem. That's what I think anyways :-)
Just remember that it's your session that is hijacked, NOT your password...
Oh and tut, your pw is never transmitted in the clear to google... They enforce secure login. Most likely your pw was brute forced or guessed.
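Two checks an admin could run before flipping the forum to SSL, as an added example that is not part of this thread and not vBulletin's own code: scanning a page for sub-resources still loaded over plain http (the mixed-content problem raised above) and checking that the session cookie carries the Secure and HttpOnly attributes, since it is the session cookie, not the password, that a sniffer on open wifi captures. The hostnames, the sample page and the cookie name below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose named attribute loads a sub-resource. Browsers block "active"
# mixed content (script, iframe, stylesheet) and only warn about "passive"
# content such as images, so the two kinds are reported separately.
_RESOURCE_ATTRS = {"script": "src", "iframe": "src", "link": "href",
                   "img": "src", "audio": "src", "video": "src", "source": "src"}
_ACTIVE = {"script", "iframe", "link"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = _RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # Only a stylesheet <link> actually fetches something at load time.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        url = a.get(attr) or ""
        # Protocol-relative "//host/path" inherits https and is fine.
        if urlsplit(url).scheme == "http":
            self.findings.append(("active" if tag in _ACTIVE else "passive", tag, url))


def find_mixed_content(html):
    """Return [(kind, tag, url)] for every sub-resource an https page would fetch over plain http."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def missing_cookie_flags(set_cookie_header):
    """Return the attributes a session cookie needs once the site is https-only but lacks."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return sorted({"secure", "httponly"} - present)


# Constructed sample page: analytics script and stylesheet still on http, one passive image.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://forums.example.test/clientscript/style.css">
<script src="http://analytics.example.test/ga.js"></script>
<script src="https://widgets.example.test/tooltips.js"></script>
</head><body>
<img src="http://forums.example.test/images/logo.png">
<img src="//forums.example.test/images/misc/quote.gif">
</body></html>"""
```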