Forum log-in not secure

[zer0]

I remember that a while ago, a lot was made of XYplorer installation executable not being signed and that was corrected. However, I wonder how many people know that this forum log-in is not done in a secure manner and their username and password are sent in clear text.

The main forum page is not loaded over HTTPS, so this submit action is not encrypted:

Code: Select all

<input type="submit" name="login" value="Login" class="button2" />

A network sniff has confirmed that credentials are sent in clear text as per...



I know it's just a forum and such and I am not asking for the whole site to be encrypted, but sending the username and password in the clear? Really?

[PeterH]

If it's so, (and I believe it is,) +1

[bdeshi]

Good thing I haven't got sniffers around... FIX IT QUICK!!

[admin]

Hey, write to phpBB, they made it like this.

[bdeshi]

I figure a solution is converting the login page/whole forum domain to https.

[Enternal]

I figure a solution is converting the login page/whole forum domain to https.

Yep! Although that means paying for a SSL certificate and those can be costly.

[zer0]

Hey, write to phpBB, they made it like this.

phpBB made it like that, but it does not meant that you cannot secure user's data, just because phpBB chose not to.

I figure a solution is converting the login page/whole forum domain to https.

Yep! Although that means paying for a SSL certificate and those can be costly.

Whether something is costly or not depends on Don, but there is a great deal of choice as far as CAs is concerned and their offerings.

[zer0]

For the record -- with the thread having gone down like a water off the back of a geese -- Google has started (and may increase in the future) its prioritisation of secure websites in its search results. As such, if Don will get a certificate for the main site (benefits are debatable, but let's park that for now), it should not be that much of a stretch to have one that encompasses the forum as well.

[bdeshi]

Hey Don, Let's Encrypt provides free SSL certificates. Will that be any good for XYplorer homepage+xyfc?

(disclaimer-of-sorts: I just transferred my [test]website to https and it was pretty easy. )

[admin]

Interesting, thanks. But it's just a forum.

[PeterH]

Interesting, thanks. But it's just a forum.

Sorry to say, but regarding security I don't understand your position.

[JLoftus]

Have to agree, with certs being free or nearly free today, and quiet easy to implement, "it's just a forum" is not a good posture.

[Antieve]

It's not really worth it I guess, forum does not contain any sensitive information. so the probability of hacking is reduced to almost zero.
Even if someone decides to use MITM on your side, so what, change password and forget about it

There is only one reason to worry, in the case if you using the same password for all sites, but that is your personal problem

[bdeshi]

Even if someone decides to use MITM on your side, so what, change password and forget about it

Wow.

[TheQwerty]

More concerning than the forum log-in is the fact that without TLS the authenticity and integrity when downloading XYplorer itself cannot be ensured.