https://twitter.com/realnzall/status/471006142349725696
After reading a whole lot of Troy Hunt's posts on website security, I ended up checking the mmo-champion cookies to figure out how security is handled here.
What I found was sobering. As you can see right now in your address bar, MMO-Champion does not support SSL, which means that all your cookies are sent over with every thread you visit. In addition, one of your cookies is... your password, triple-hashed with MD5, a hashing algorithm with known flaws which has been viewed as outdated for a few years now.
In case this doesn't mean anything to you, I'd like to introduce you to the Wifi Pineapple:
This bad boy acts as an access point spoofer, which literally listens to your device sending out requests for any open wifi it's ever been connected to (like the Apple Genius Store wifi any Apple device has been on) and spoofs that network. I could literally spend 5 minutes with this thing at BlizzCon and get the cookies for all of you at BlizzCon using this site on your mobile device.
So I thought I'd mention this to Troy Hunt since he loves to RT such things, and CC Chaud. I did this right before I went to bed, and when I checked my twitter feed the next day at work (about 12 hours later), I found a flurry of communications between Troy Hunt, Chaud and Zachery, a support guy from vBulletin (the software mmo-champion runs on). Honestly, I thought this would just be a retweet, maybe a few more RTs and favs, and done. Well, that sort of happened. The above discussion also happened, and Troy Hunt wrote a blog post about it (http://www.troyhunt.com/2014/05/why-...tin-forum.html). All in all, a lot more happened than I anticipated. I'm not regretting the whole thing, but I was kinda surprised by what happened.
As an aside, WoWhead and even the official Blizzard site also have no SSL and could in theory be victims of an impersonation attack (although the shop for Blizzard IS using SSL, so your money is sorta safe).
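A defender-side check for the two problems the post describes (cookies crossing plain HTTP, and a cookie carrying a password-derived digest), added here as an example that is not part of the original post or of vBulletin: it audits Set-Cookie header values for transport, the Secure and HttpOnly attributes, and digest-shaped or password-named cookies. The cookie names and values below are constructed, not captured from any site.

```python
import re
from http.cookies import SimpleCookie

# Hex strings of common digest lengths: 32 (MD5), 40 (SHA-1), 64 (SHA-256).
DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def audit_set_cookie(scheme, set_cookie_value):
    """Return {cookie_name: [issue, ...]} for one Set-Cookie header value.

    scheme is what the page was served over. Over plain http every cookie
    travels in the clear whatever its attributes say, which is the situation
    the post describes.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    report = {}
    for name, morsel in jar.items():
        issues = []
        if scheme != "https":
            issues.append("sent over plaintext HTTP")
        if not morsel["secure"]:
            issues.append("missing Secure attribute")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly attribute")
        if DIGEST_RE.match(morsel.value):
            issues.append("digest-shaped value (%d hex chars); a password "
                          "hash stored here is a reusable credential"
                          % len(morsel.value))
        if re.search(r"pass|pwd", name, re.I):
            issues.append("cookie name suggests password-derived content")
        report[name] = issues
    return report


def audit_response(scheme, set_cookie_values):
    """Audit every Set-Cookie header value of one response."""
    report = {}
    for value in set_cookie_values:
        report.update(audit_set_cookie(scheme, value))
    return report


# Constructed samples. WEAK mirrors the post: plain HTTP and a cookie whose
# value is an MD5-length digest. HARDENED uses HTTPS, a random opaque session
# id and no password material at all.
WEAK = ("http", ["bb_userid=1234; path=/",
                 "bb_password=0123456789abcdef0123456789abcdef; path=/"])
HARDENED = ("https", ["bb_sessionid=Zr9qK-3tQmP_xd1Lw8Vv; path=/; Secure; HttpOnly"])

if __name__ == "__main__":
    for scheme, headers in (WEAK, HARDENED):
        for name, issues in audit_response(scheme, headers).items():
            print(scheme, name, issues or ["ok"])
```

A random session id that happens to be 32 hex characters also trips the digest-shaped hint, so that finding is a prompt for manual review rather than proof that the value is a password hash.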