No, they could not use a man-in-the-middle attack; all the packets are encrypted going both directions. The connection to PayPal is its own separate URL and it's HTTPS at all times. They wouldn't be able to access anything. They were only able to scrape the forum's database, and all they took was email address and password, because lots... most people use the same pw on too many things. The database was only hashed, so they used a rainbow table and deciphered 90% of the data in a few min.

carstorm wrote: 23 Jan 2018, 03:24
You realize someone could intercept the PayPal button doing a MitM attack, right? Also, you say no high priority data is being transmitted, yet you reset the entire forum because the passwords may have been compromised. They could potentially be getting compromised every time someone hits submit since there is no SSL. Also, soon (within 2 years) many browsers will start blocking any non-SSL login page as insecure and eventually any non-SSL page as insecure.

InsaneMatt wrote: 23 Jan 2018, 00:40
SSL (aka 'http' protocol) integration is something I'd like to have, but honestly don't see justification in actually paying for.
Right now (and even before this 'attack' occurred) the website doesn't have any sort of transactions going on which would require a secure connection.
Okay, some may try and argue that the forum's login credentials should be secured.
I'd argue that a forum doesn't need secure connections, provided it's not transmitting any sort of high priority data (such as credit card numbers). As we use PayPal for donations, we honestly don't need SSL / HTTPS protection. It'll be nice to have, but not really required.
Thanks for the suggestion though, tgp1994.
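The rainbow-table point in the reply above (a database that is "only hashed" falls to a precomputed table in minutes) and the mitigation it implies, as an added example that is not from this thread: the wordlist, user rows and passwords are constructed, and the hardened path uses a per-user random salt with PBKDF2 so a table built in advance finds nothing.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary behind a precomputed table.
WORDLIST = ["password", "letmein", "qwerty", "forum2018", "hunter2"]
ROUNDS = 100_000  # PBKDF2 iteration count; slow on purpose


def precomputed_table(words, algo="md5"):
    """Map unsalted digest -> plaintext: the lookup a rainbow table gives an attacker."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def unsalted_hash(password, algo="md5"):
    """The weak scheme: one fast, unsalted digest per password."""
    return hashlib.new(algo, password.encode()).hexdigest()


def recover_unsalted(stored_digests, table):
    """Every stored digest present in the table is recovered instantly."""
    return {d: table[d] for d in stored_digests if d in table}


def salted_hash(password, salt=None):
    """Hardened scheme: 16-byte random salt per user plus a slow KDF, stored as salt$dk."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def recover_salted(stored_values, table):
    """The same precomputed table matches nothing once salt and a KDF are in play."""
    return {s: table[s.split("$")[1]] for s in stored_values if s.split("$")[1] in table}


def demo():
    """Constructed leaked rows: three weak passwords, one not in the wordlist."""
    table = precomputed_table(WORDLIST)
    users = {"alice": "password", "bob": "qwerty", "carol": "forum2018", "dave": "Tr0ub4dor&3"}
    unsalted_db = [unsalted_hash(p) for p in users.values()]
    salted_db = [salted_hash(p) for p in users.values()]
    return len(recover_unsalted(unsalted_db, table)), len(recover_salted(salted_db, table))


if __name__ == "__main__":
    print(demo())  # (3, 0)
```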
There is the free and open Let's Encrypt, which is easy to set up, and after setup you don't have to deal with it as it auto-renews if configured properly. With this (and other initiatives like it) in today's online world, there is no reason not to have SSL!
The connection to GSM was HTTPS as well; that's not the issue here. The issue was a known attack vector that essentially gave them admin rights. An update fixed it, but it only affected the forum. Nothing linked off-site could be read as far as payments go.
You could leave a site completely open and unsecured and have a PayPal button, and the attacker would never get your PayPal data. Just not how it works.
Yes this is old... It's for educational purposes only