Discuss Scratch

jvvg

Really, we need a secure server

Since we're entering passwords on this site, there really needs to be TLS configured. I don't like entering passwords on sites where they're sent unencrypted. TLS certificates are relatively inexpensive these days, and it's pretty easy to configure nginx to use them.


nXIII

Use Password Hasher!

Last edited by nXIII (Jan. 24, 2013 21:27:29)


jvvg

nXIII wrote:

Use Password Hasher!

What is that? (i.e. does it send my passwords securely to the site)?


nXIII

jvvg wrote:

nXIII wrote:

Use Password Hasher!

What is that? (i.e. does it send my passwords securely to the site)?

Well, it hashes your (master) password with a string derived from the site domain so that you never send your actual password to the main site.

But you're right: we should use TLS.

Last edited by nXIII (Jan. 25, 2013 01:14:04)


jvvg

nXIII wrote:

jvvg wrote:

nXIII wrote:

Use Password Hasher!

What is that? (i.e. does it send my passwords securely to the site)?

Well, it hashes your (master) password with a string derived from the site domain so that you never send your actual password to the main site.

But you're right: we should use TLS.
Could you link me to more info please? I'm interested.

I also once got a TLS certificate for like $10/year through NameCheap, so they're relatively inexpensive.


nXIII

jvvg wrote:

nXIII wrote:

jvvg wrote:

nXIII wrote:

Use Password Hasher!

What is that? (i.e. does it send my passwords securely to the site)?

Well, it hashes your (master) password with a string derived from the site domain so that you never send your actual password to the main site.

But you're right: we should use TLS.
Could you link me to more info please? I'm interested.

I also once got a TLS certificate for like $10/year through NameCheap, so they're relatively inexpensive.
Well, it's mainly a Firefox extension, but I use Chrome so I wrote a Chrome extension with a redesigned UI and a port of the hasher. Here's the site. If you use Chrome I can clean up my extension and give it to you as well.

veggieman001

Nothing is permanent.

Last edited by veggieman001 (July 16, 2013 23:53:03)


nXIII

veggieman001 wrote:

nXIII wrote:

jvvg wrote:

nXIII wrote:

jvvg wrote:

nXIII wrote:

Use Password Hasher!

What is that? (i.e. does it send my passwords securely to the site)?

Well, it hashes your (master) password with a string derived from the site domain so that you never send your actual password to the main site.

But you're right: we should use TLS.
Could you link me to more info please? I'm interested.

I also once got a TLS certificate for like $10/year through NameCheap, so they're relatively inexpensive.
Well, it's mainly a Firefox extension, but I use Chrome so I wrote a Chrome extension with a redesigned UI and a port of the hasher. Here's the site. If you use Chrome I can clean up my extension and give it to you as well.
Links don't work, remember?
Oh yeah…

Lightnin

Ah yes, I've discussed this, but there are too many other things to do at the moment. Sorry guys, not a top priority - but after we get things settled down post release, I plan to bring it up again.
Flowermanvista

dhuls wrote:

ScolderCreations wrote:

So this is resolved?
It's been resolved. This was during a time when Scratch 2.0 was in beta, and the site might not have had TLS/HTTPS. The main 1.4 site probably had TLS (I don't see any reason to not use HTTPS/TLS).
I don't know how to find data on this, but I seem to recall that HTTPS for general use wasn't all that common back then, even as late as 2013 (although I do know that for sensitive use, such as buying things online, it has been in use for a very long time).

As best as I can tell (using the Wayback Machine), the Scratch 1.x website did not use HTTPS.

Last edited by Flowermanvista (June 30, 2021 02:17:09)


gdpr70f61245d597c25631fbb669

jvvg wrote:

nXIII wrote:

Use Password Hasher!
What is that? (i.e. does it send my passwords securely to the site)?
No it does not. If the web server is expecting plaintext there is nothing a browser extension can do about it. Passwords are sent securely via HTTPS, and sending something hashed over your client doesn't change that it is still readable in plaintext to others (and that whatever is sent to the server can be sent by someone else).

There are a number of other sketchy advertisements claiming to offer security enhancements that do not exist. I do not recommend taking their advice.

HTTPS has been available here for a while now but this topic appears to be before then.

Last edited by gdpr70f61245d597c25631fbb669 (June 30, 2021 02:52:25)
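
The two claims in this thread about Password Hasher (nXIII's description of a per-site value derived from a master password and the domain, and the reply above that a client-side hash sent over plain HTTP is still a readable, reusable credential) can both be checked in a few lines. The following is an added example, not code from the thread or from the Password Hasher extension: the HMAC-based derivation, the PBKDF2 server-side storage and the domain names are assumptions standing in for the real extension's algorithm, chosen only because they have the same properties.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed values for the demonstration; nothing here comes from the thread.
MASTER_PASSWORD = "correct horse battery staple"
SITE_A = "scratch.mit.edu"
SITE_B = "example.org"
PBKDF2_ROUNDS = 100_000


def derive_site_password(master: str, domain: str) -> str:
    """Client-side per-site derivation in the spirit of Password Hasher.

    The extension's actual algorithm is not reproduced. HMAC-SHA256 keyed with
    the master password over the domain is an assumed stand-in with the same
    property: one master secret, a different but deterministic value per site.
    """
    mac = hmac.new(master.encode(), domain.encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def server_enroll(submitted: str) -> Tuple[bytes, bytes]:
    """What a server should store: a salted, stretched hash of the submitted string."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def server_verify(record: Tuple[bytes, bytes], submitted: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def evaluate_client_side_hashing() -> dict:
    """Return which protections per-site hashing does and does not give.

    The 'wire' values model the string a plain-HTTP login POST carries: every
    hop with read access to that request sees exactly what the server sees.
    """
    site_a_pw = derive_site_password(MASTER_PASSWORD, SITE_A)
    site_b_pw = derive_site_password(MASTER_PASSWORD, SITE_B)
    record_a = server_enroll(site_a_pw)
    record_b = server_enroll(site_b_pw)

    # Two separate logins to site A: the client recomputes the same value.
    wire_login_1 = derive_site_password(MASTER_PASSWORD, SITE_A)
    wire_login_2 = derive_site_password(MASTER_PASSWORD, SITE_A)

    return {
        # What it does buy: the master secret never leaves the client, and a
        # value leaked from site A's database is useless at site B.
        "master_never_on_wire": wire_login_1 != MASTER_PASSWORD,
        "sites_isolated": site_a_pw != site_b_pw
        and not server_verify(record_b, site_a_pw),
        # What it does not buy: the derived string is itself the credential.
        # It is identical on every login and the server accepts it verbatim,
        # so over plaintext HTTP it is readable and reusable by anything on the
        # path. Only TLS changes that, which is what the thread is asking for.
        "wire_value_constant": wire_login_1 == wire_login_2,
        "wire_value_is_the_credential": server_verify(record_a, wire_login_1),
    }


if __name__ == "__main__":
    for name, holds in evaluate_client_side_hashing().items():
        print(f"{name}: {holds}")
```

The salted, stretched server-side hash is there to make the point sharp: even with the server doing everything right with what it stores, the transport carries the same bearer string on every login, and that is the layer only TLS protects.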

the2000

Flowermanvista wrote:

As best as I can tell (using the Wayback Machine), the Scratch 1.x website did not use HTTPS.
If you go to a studio page right now (they still use the Scratch 2 website) and click “add projects”, the template link shown uses HTTP, so I'm guessing that Scratch was moved to HTTPS sometime between 2013 and 2015 (inclusive).

Last edited by the2000 (June 30, 2021 02:55:06)


gdpr70f61245d597c25631fbb669

the2000 wrote:

If you go to a studio page right now (they still use the Scratch 2 website) and click “add projects”, the template link shown uses HTTP, so I'm guessing that Scratch was moved to HTTPS sometime between 2013 and 2015 (inclusive).

Offering HTTPS and requiring HTTPS are separate actions. uploads.scratch.mit.edu still has both available. I would guess HTTPS-only started after the development of Scratch WWW if this is the case.
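
The distinction drawn above between offering HTTPS and requiring it is something a small audit function can make concrete: a host that answers plain HTTP with a normal page merely offers HTTPS, while one that answers with a redirect to the https:// URL requires it. This is an added example, not anything from the thread or the Scratch site. The response texts are constructed samples, the host name is a placeholder, and the HSTS check goes slightly beyond the post: a Strict-Transport-Security header on the HTTPS response is how a server tells browsers to treat HTTPS as required on later visits, and browsers only honour it when it arrives over HTTPS.

```python
from typing import Optional, Tuple

# Constructed sample responses (not captures of any real host). The host
# name is a placeholder.
HTTP_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login form</html>"
HTTP_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://forum.example/\r\n\r\n"
)
HTTPS_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login form</html>"
HTTPS_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n\r\n<html>login form</html>"
)


def parse_http_response(raw: str) -> Tuple[int, dict]:
    """Minimal parser for a raw HTTP/1.1 response head (status line + headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_https_policy(plain_http_response: str, https_response: Optional[str]) -> dict:
    """Distinguish 'offers HTTPS' from 'requires HTTPS' for one host.

    plain_http_response: what port 80 answered a GET / with.
    https_response: what port 443 answered, or None if nothing is listening.
    """
    status, headers = parse_http_response(plain_http_response)
    location = headers.get("location", "").lower()
    redirects = status in (301, 302, 307, 308) and location.startswith("https://")

    hsts = False
    if https_response is not None:
        _, https_headers = parse_http_response(https_response)
        # HSTS is only honoured when received over HTTPS, so it is checked there.
        hsts = "strict-transport-security" in https_headers

    if https_response is None:
        policy = "none"
    elif redirects:
        policy = "requires"
    else:
        # Both schemes are served; a login form fetched over port 80 still
        # submits the password in plaintext.
        policy = "offers"
    return {"policy": policy, "redirects_to_https": redirects, "hsts": hsts}


def audit_samples() -> dict:
    """Run the classifier over the three constructed cases."""
    return {
        "http_only": classify_https_policy(HTTP_200, None),
        "offers": classify_https_policy(HTTP_200, HTTPS_PLAIN),
        "requires": classify_https_policy(HTTP_301, HTTPS_HSTS),
    }


if __name__ == "__main__":
    for case, result in audit_samples().items():
        print(f"{case}: {result}")
```

To use this against a live host you would feed it the raw responses from port 80 and port 443 for the same path; the classifier itself does no network I/O, so it runs as-is on the constructed samples.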
