omarabid says

Sorry, but I have to bump these old threads!

We need SSL across all marketplaces!

Tuts+ Premium Account Security Compromised

+1. Especially that some sellers make thousands of $$ a month.

robocreatif says

SSL won’t protect against a compromised server…

To be honest, I don’t see any need for it except perhaps on the log in page. Unless you log in once every other month, it’s pretty unlikely your account will be drained. There’s a hefty length of time between a request for withdrawal being made and the actual transfer of funds. Even if someone were to gain access to your account, change your email address and make a withdrawal on the last minute of the last day of the month, I’m sure you could still get the withdrawal canceled by contacting support (that is, if it’s acknowledged within two weeks). Even in that case, perhaps it would be better to not allow a change of email address unless it’s confirmed by clicking a validation link in the original email account.
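The confirmation step suggested at the end of this post, sketched as an added example (not part of the original post and not Envato's code). The `Account` model, the function names and the one-hour lifetime are assumptions; mail delivery is left out, and the returned token stands for the link mailed to the address currently on file.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)

@dataclass
class PendingChange:
    new_email: str
    token_hash: str    # only the hash is stored, never the token itself
    expires_at: float

@dataclass
class Account:
    email: str
    pending: Optional[PendingChange] = None

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def request_email_change(account: Account, new_email: str, now: float) -> str:
    """Park the new address; return the token to mail to the ORIGINAL address."""
    token = secrets.token_urlsafe(32)
    account.pending = PendingChange(new_email, _hash(token), now + TOKEN_TTL)
    return token  # goes out by mail to account.email, never into the web session

def confirm_email_change(account: Account, token: str, now: float) -> bool:
    """Apply the parked change only for a valid, unexpired, unused token."""
    pending = account.pending
    if pending is None:
        return False
    if not hmac.compare_digest(_hash(token), pending.token_hash):
        return False
    account.pending = None  # single use: consumed even if it has expired
    if now > pending.expires_at:
        return False
    account.email = pending.new_email
    return True
```

Someone holding only a hijacked session can call `request_email_change`, but the address on file does not move until the token mailed to the original inbox comes back.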

aaranmcguire says

Agreed! I know this was a 3rd party thing but who the hell still stores passwords in plain text should be shot. What's worse is they knew about it before this happened, come on, they have the money to do security but they don't do it.

I have a public project coming up soon (a subscription-based webapp) but I'm forcing https:// on all pages and I'm planning to become PCI compliant, even though I will not be storing any banking info. Security is a major thing and I would love to say even if we do get hacked passwords will be fine due to the encryption, because a lot of people still use 1 or 2 passwords for the same thing, I know I do for mid security things like tuts+

Oh, @envato I found this for you, http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/ such a good site don't you think? :sarcasm:

PS, I get a bit bitchy when people use plain text passwords, it's just the inner developer inside me

Pixelworkshop says

I’ve been using a VPN for quite a long time (HMA) and I have the feeling that it adds a layer of security when browsing but well, I’m more a noob when it comes to technical stuff.

omarabid says

SSL won’t protect against a compromised server… To be honest, I don’t see any need for it except perhaps on the log in page. Unless you log in once every other month, it’s pretty unlikely your account will be drained. There’s a hefty length of time between a request for withdrawal being made and the actual transfer of funds. Even if someone were to gain access to your account, change your email address and make a withdrawal on the last minute of the last day of the month, I’m sure you could still get the withdrawal canceled by contacting support (that is, if it’s acknowledged within two weeks). Even in that case, perhaps it would be better to not allow a change of email address unless it’s confirmed by clicking a validation link in the original email account.

You are underestimating the dangers. He can delete your files, buy products with your accounts and also ruin your reputation.

robocreatif says

You are underestimating the dangers. He can delete your files, buy products with your accounts and also ruin your reputation.

True, but my point still stands: you can add as much browser security as you want, but it’s not going to protect against a server breach.

nr913 says

SSL does not protect only login data, but also cookies, which are sent with every request. All the marketplaces should be protected, not just the login section.
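The point about cookies, as an added example that is not part of the original post: it takes one `Set-Cookie` value and a list of requested URLs and reports where the session cookie would cross the network unencrypted. The host `marketplace.example`, the cookie name and the URL paths are constructed placeholders, and Domain/Path matching is simplified away.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def audit_cookie(set_cookie_value, request_urls):
    """Split http:// requests into (exposed, unauthenticated) for one cookie.

    exposed: plain-HTTP URLs on which the browser sends the cookie in cleartext
    unauthenticated: plain-HTTP URLs where a Secure cookie is withheld
    Domain and Path matching are ignored (assumption: same host, Path=/).
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    morsel = next(iter(jar.values()))
    secure = bool(morsel["secure"])
    exposed, unauthenticated = [], []
    for url in request_urls:
        if urlsplit(url).scheme != "http":
            continue  # HTTPS requests carry the cookie inside TLS
        (unauthenticated if secure else exposed).append(url)
    return exposed, unauthenticated

# Constructed browsing sessions; marketplace.example is a placeholder host.
LOGIN_ONLY_TLS = [
    "https://marketplace.example/sign_in",
    "http://marketplace.example/author_dashboard",
    "http://marketplace.example/withdrawals",
]
SITE_WIDE_TLS = [u.replace("http://", "https://") for u in LOGIN_ONLY_TLS]
```

With TLS on the login page only, a cookie without `Secure` is exposed on every later page; adding `Secure` stops the leak but leaves those HTTP pages without a session, so the flag only works when every page is served over HTTPS.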

Thecodingdude says

After what has happened, I would expect to have SSL security (for a marketplace that deals with money and people’s lives here) within a week or two.

QuanticaLabs says

You are underestimating the dangers. He can delete your files, buy products with your accounts and also ruin your reputation.

It’s even worse. He can change your e-mail address and you are left with nothing.

Anyway, what about support.envato.com and plain text passwords? I cannot log in there anymore!
