Posted on: 02/10/12 10:00PM
A troll might consider it worth doing, if they could do it easily. People might not appreciate being perma-banned and having to come back with a different identity. Mod accounts are worth more internet points, and there are at least 14 of those to choose from, including mods in training. Do any of them use Gelbooru from their mobile phone?
Gelbooru uses two cookies for authentication - user_id and pass_hash. The password hash is the same every time you log in, and the cookies are sent as plaintext to the server on every HTTP request you make while logged in, so all an attacker needs to do is sniff one request and they can impersonate you to the server until you change your password, which many people can't do because they didn't enter an email.
The server could instead assign a random session password and save that until the user logged out or logged in again; then stolen cookies would at least only work for the duration of the session.
Better yet, the server could use https, which people have found to be cost-effective on modern computer hardware (e.g. www.imperialviolet.org/2010/06/25/overclocking-ssl.html ) and which would also prevent your ISP from snooping on your Gelbooru surfing. Mod and admin sessions at least should be forced to https, with the secure attribute set on the cookie so it won't be sent via unsecured http.
[edit] Bonus link:
blogs.wsj.com/digits/2010...0-gawker-media-passwords/
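Added illustration of the two cookie designs the post contrasts (not code from the original post or from Gelbooru itself): a cookie that carries a stable password hash stays valid across every later login, while a random server-side session id that is rotated on login and dropped on logout does not, and the Set-Cookie header carries the Secure and HttpOnly attributes. The user table, the static salt, the password and the cookie names are constructed stand-ins; a real deployment would use a proper password KDF in place of the plain SHA-256 shown here.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed user table: user_id -> salted SHA-256 of the password.
# (Stand-in only; real systems should use bcrypt/scrypt/argon2.)
USERS = {"42": hashlib.sha256(b"salt:hunter2").hexdigest()}


def _password_hash(password):
    return hashlib.sha256(b"salt:" + password.encode()).hexdigest()


# --- Weak design, as described in the post: the cookie carries the password hash ---
def weak_login(user_id, password):
    h = _password_hash(password)
    if hmac.compare_digest(USERS.get(user_id, ""), h):
        return {"user_id": user_id, "pass_hash": h}  # identical on every login
    return None


def weak_authenticate(cookies):
    uid = cookies.get("user_id")
    if uid in USERS and hmac.compare_digest(USERS[uid], cookies.get("pass_hash", "")):
        return uid
    return None


# --- Hardened design: random session id held server-side, rotated on login, cleared on logout ---
SESSIONS = {}  # session_id -> user_id


def strong_login(user_id, password):
    if not hmac.compare_digest(USERS.get(user_id, ""), _password_hash(password)):
        return None
    # Drop any earlier session for this user so a previously captured cookie is dead.
    for sid, uid in list(SESSIONS.items()):
        if uid == user_id:
            del SESSIONS[sid]
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[sid] = user_id
    return sid


def strong_authenticate(cookies):
    return SESSIONS.get(cookies.get("session_id"))


def strong_logout(sid):
    SESSIONS.pop(sid, None)


def session_cookie_header(sid):
    """Render the Set-Cookie value with Secure (https only) and HttpOnly (no script access)."""
    c = SimpleCookie()
    c["session_id"] = sid
    c["session_id"]["secure"] = True
    c["session_id"]["httponly"] = True
    c["session_id"]["samesite"] = "Lax"
    c["session_id"]["path"] = "/"
    return c.output(header="").strip()


def replay_demo():
    """Simulate cookies captured once, then checked after the victim logs in again.
    Returns (weak_still_valid, strong_still_valid)."""
    captured_weak = dict(weak_login("42", "hunter2"))
    weak_login("42", "hunter2")  # second login: cookie value unchanged
    weak_still_valid = weak_authenticate(captured_weak) == "42"

    captured_sid = strong_login("42", "hunter2")
    strong_login("42", "hunter2")  # second login rotates the session id
    strong_still_valid = strong_authenticate({"session_id": captured_sid}) == "42"
    return weak_still_valid, strong_still_valid


if __name__ == "__main__":
    print("captured cookie still works? weak=%s strong=%s" % replay_demo())
    print(session_cookie_header(strong_login("42", "hunter2")))
```

With the weak design the captured cookie keeps working until the password changes; with the hardened design it stops working as soon as the user logs in again or logs out, which is the smaller window the post argues for, and the Secure attribute keeps the session id off plain http where it could be sniffed in the first place.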