HTTP can be sniffed

Youkai · Jun 12, 2015

As I am learning to become an IT guy I started to learn packet sniffer which seem to be VERY easy nowadays ....

Now just for fun I logged into GBATemp while having the packet sniffer running and say what, the Password and Username is send in PLAIN TEXT !
So if you are every connected to an Open W-Lan Hotspot NEVER login to GBATemp !!! it takes about 2 seconds to get your username and Password.

Maybe someone from the Administration Team could fix this and add an encryption ?

TecXero · Jun 12, 2015

I never really thought about the security on here. I use an unique passcode for this site and I don't consider my account or any of its information important. I guess a person could get my email address, but nothing else. I mean, yeah security is important, but this site isn't exactly high priority for me, and I'd assume most other users.

Brewzip · Jun 12, 2015

Use the HTTPS version of the site instead of the HTTP one.

Youkai · Jun 12, 2015

Brewzip said:
Use the HTTPS version of the site instead of the HTTP one.

I never knew there is a https version oO?
why the hell are there two XD

//seems to be secure

at least not as easy as reading some plain text which could do any child.

T-hug · Jun 12, 2015

This is a matter for @Costello and @tj_cool

Duo8 · Jun 12, 2015

Youkai said:
I never knew there is a https version oO?
why the hell are there two XD

//seems to be secure at least not as easy as reading some plain text which could do any child.

Costello was asked about HTTPS once and he said that the login info is not important enough.
Still he added HTTPS some months ago and finished it (all page content) with V5. Though I don't know if HTTPS is the default or not.

Brewzip · Jun 12, 2015

The default one for the site is HTTP.
Probably Costello keeps both because there are some other works to do to V5.

However, I don't think this is that kind of situation. Maybe the current solution is simply not optimized, because it's not considered a priority. For me, it's a bad practice.
In this state, the site has the advantage of compatibility with old browser that doesn't support HTTPS. But having two version is less secure.

I noticed another "bad procedure", not related to security, but SEO.
After so many years, the site can still be visited using two identical versions (www and non www).
One of gbatemp.net and www.gbatemp.net should send a redirect 301 to the other.

The Real Jdbye · Jun 12, 2015

Brewzip said:
The default one for the site is HTTP.
Probably Costello keeps both because there are some other works to do to V5.

However, I don't think this is that kind of situation. Maybe the current solution is simply not optimized, because it's not considered a priority. For me, it's a bad practice.
In this state, the site has the advantage of compatibility with old browser that doesn't support HTTPS. But having two version is less secure.

I noticed another "bad procedure", not related to security, but SEO.
After so many years, the site can still be visited using two identical versions (www and non www).
One of gbatemp.net and www.gbatemp.net should send a redirect 301 to the other.

It's only less secure if you use the HTTP version.
Anyway, it doesn't really matter, it's not the kind of account that's interesting to skiddies

Costello · Jun 12, 2015

that's not even a subject.
HTTP *is* sniffable, no matter how hard you try, if you don't use HTTPS you are exposing yourself.
If you are worried that people on your wifi network might be sniffing your packets, just use the HTTPS version.

HTTP can be sniffed

Demon

Technovert

Well-Known Member

Demon

Always like this.

Well-Known Member

Well-Known Member

*is birb*

Headmaster

Similar threads

Popular threads in this forum

is birb