
Thread: HTTPS?

  1. #1

    HTTPS?

    Can m4carbine.net default to https?

    I tried https://www.m4carbine.net/ and it doesn't really work. Tons of mixed (non-HTTPS) content including images and scripts, which causes the site to be broken. Plus, all the links from the HTTPS version go to the regular HTTP version of the site.

    While I'm asking questions, what about an upgrade to vB5? I'm really not comfortable with vB4's password hash implementation of MD5(MD5($password)+$salt). MD5 has been considered broken since 2010, but has shown problems as early as 1996. And that's not even taking into account key stretching, or rather the lack thereof.

    Also, due to the lack of HTTPS, when you log in to the site, your password is locally MD5 hashed, then sent along with your username. That makes anyone using M4Carbine.net on public internet vulnerable to a pass-the-hash attack, and the md5 hash can be stored for later cracking or lookup via rainbow table. HTTPS more or less solves all of this, if implemented correctly.

    Mods, feel free to delete this and reply via PM if you want to discuss further.
    Last edited by Koshinn; 09-19-16 at 17:56.
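
The scheme described in the post above, as an added example that is not part of the original post and is not vBulletin's code: it builds the MD5(MD5($password)+$salt) record, shows that a server check of this shape accepts the browser-side MD5 without ever seeing the password (which is why that value needs TLS in transit), and compares the per-guess cost with a key-stretched hash. The sample password, salt, iteration count and function names are assumptions, and PBKDF2 is only a standard-library stand-in for a stretched hash, not a claim about what vB5 uses.

```python
import hashlib
import hmac
import os
import time

SAMPLE_PASSWORD = "correct horse battery staple"  # constructed sample
SAMPLE_SALT = "x7Qp2"                             # constructed sample salt
PBKDF2_ITERATIONS = 200_000                       # assumed work factor; tune per host

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def vb4_style_hash(password, salt):
    """MD5(MD5($password)+$salt) as written in the post: two MD5 calls per guess."""
    return md5_hex(md5_hex(password) + salt)

def vb4_style_verify(client_md5, salt, stored):
    """Server-side check when the browser submits MD5(password).
    The cleartext password is never needed, so the submitted value is
    password-equivalent and must only travel inside TLS."""
    return hmac.compare_digest(md5_hex(client_md5 + salt), stored)

def stretched_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (swapped-in alternative)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def stretched_verify(password, salt, stored):
    return hmac.compare_digest(stretched_hash(password, salt)[1], stored)

def cost_ratio(runs=2000):
    """How many times slower one stretched guess is than one vB4-style guess."""
    start = time.perf_counter()
    for _ in range(runs):
        vb4_style_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    fast = (time.perf_counter() - start) / runs
    start = time.perf_counter()
    stretched_hash(SAMPLE_PASSWORD, b"\x00" * 16)
    slow = time.perf_counter() - start
    return slow / fast

if __name__ == "__main__":
    stored = vb4_style_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("vB4-style record:", stored)
    print("accepted from MD5 alone:", vb4_style_verify(md5_hex(SAMPLE_PASSWORD), SAMPLE_SALT, stored))
    salt, digest = stretched_hash(SAMPLE_PASSWORD)
    print("PBKDF2 verify:", stretched_verify(SAMPLE_PASSWORD, salt, digest))
    print("cost ratio: %.0fx" % cost_ratio())
```

The cost ratio is the key-stretching gap the post refers to: every offline guess against the stretched record costs that many times more work than a guess against the double-MD5 record.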
