Why did we upgrade RFCM?

Started by Administrator, October 04, 2023, 12:20:24 PM


Administrator

After being asked why we upgraded to SMF 2.1 from 2.0, and all the resultant UI queries and comments

The main reasons are

  • Password hashing is upgraded to bcrypt
  • Unique tokens for forms to help prevent CSRF attacks
  • Google Authenticator for two-factor logins
  • IPv6 support
  • PHP 8 support

From my point of view the critical one is PHP v7 is now EOL (end of life). As such there will be no more patches - and there will be pressure from ISPs to stop using applications using PHP 7 (not yet - but it's only a matter of time).

BCRYPT is an improved password-hashing mechanism, to hinder dictionary attacks. As such, it is a good thing.

Finally, the vulnerability to Cross Site Request Forgery. Again, RFCM stores very little data about users, but this is additional protection against those users who have insufficient protection on their browser side. Technically they could harvest IP addresses from RFCM. This isn't a problem in itself, but can result in a wider attack (geolocation ID and physical robbery or device hacking etc.)

Note that none of these are related to UI functional improvements.

So, when you see 'upgrade' it doesn't always mean it's about enriching the user experience. But as in this case it's about 'watching your back'.

thanks
Simon



martin goddard

Thanks for doing the work Simon. It is appreciated.
The reasons are exactly what I thought they would be(? :-[ )


martin :)

Ben Waterhouse

Thanks Simon, not that I understand three quarters of the words...

Colonel Kilgore

Quote from: Ben Waterhouse on October 04, 2023, 02:37:07 PM
Thanks Simon, not that I understand three quarters of the words...

I feel sure that, if you buy Simon C a coffee via the button on this Forum [https://www.buymeacoffee.com/rocketsix], he won't hold it against you  :D

Simon

Jimmy James

Also it looks go-fasta, which I think is always a good proportion of the user experience. Lovely job.

Jimmy