Post By Andy
Post By speleomike
Could you please fix the login security? For some reason the username / password fields aren't encrypted (your browser will tell you this when you go to log in), so passwords are potentially available to be discovered by third parties (i.e. bots) who are so inclined. Not so fussed about the forum login, but when it doubles as the BeanBay login with personal details it's not ideal. Should be HTTPS, not HTTP.
Couldn't find a more appropriate forum to post in.
Yep, for 14 years the site has been HTTP and it was never a problem, now suddenly some browsers are having a hissy fit.
The gotcha is that the forum software doesn't support HTTPS and if we enable it on the logon page it will just drop back to HTTP on the next click and your browser will sook again. A later version of the forum software does support HTTPS but it won't upgrade from this version. We are working on a custom upgrade but it's taking some time.
It's all a storm in a teacup though. We don't keep any financial information and typically have only the same amount of information as your local phone book does. Your phone book listing is blasted all over the internet and delivered to everyone's door; at least ours is hidden behind a logon and the password is encrypted on our server.
We have never held any interesting information. PayPal payments are HTTPS encrypted as are EFT bank payments.
Username and email address are the only things in the forum.
Username, real name, email address and postal address are the only things kept in BeanBay.
I bet you share way more information in your Facebook/Linkedin/twitter/insert everything else here!
Punchline is, I view it as very low risk, nothing interesting to see here and when we can change to SSL/HTTPS to stop browsers complaining we will.
Besides, HTTPS is also insecure but it makes people feel better.
Thanks Andy, good to know you're working on it.
The upgrade will probably be required quite soon. Already from last October 2017 password fields on http pages are being marked as "insecure", and from July 2018 Chrome will mark all http-only pages as insecure. Eventually Chrome, Firefox and the other browsers will prevent users entering passwords on http sites. The entire world is moving to https. The forum software should support this; it should be a change to the web server only, plus a cert. However, I'm not familiar with this forum software and it may indeed have some problems, as Andy suggested.
The problem is that some users use a common password across sites. Even if CoffeeSnobs does not have anything of value some silly users will use the same password for a more important site. The other thing is that https will prevent content being modified between the server and the user thus limiting. Google will also lower rankings for non https sites.
I run a dozen websites and shifted several over to https using Let's Encrypt https://letsencrypt.org more than a year or so ago, as I knew I'd have the same problem: browsers will warn users about http-only sites.
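Andy's point earlier in the thread is that turning HTTPS on for the logon page alone doesn't help if the next click takes the browser back to HTTP. Before a cert is installed, a site owner can find exactly which pages and forms would do that. The script below is an added example written for this thread; it is not the CoffeeSnobs forum software, and the page content and hostnames (`forum.example.test`, `cdn.example.test`) are constructed. It scans an HTML page for absolute `http://` URLs, rates each one by what the browser would do with it (a login form posting over HTTP leaks the password in clear; scripts are blocked as active mixed content; same-host links silently downgrade the session), and includes two small checks for the server side: that the plain-HTTP listener redirects to HTTPS, and that an HSTS header is present.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is a URL the browser will fetch, follow or submit to.
URL_ATTRS = {"href", "src", "action", "formaction"}


class _LinkCollector(HTMLParser):
    """Collects every (tag, attribute, url) triple from a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value))


def audit_http_links(html, site_host):
    """Return one finding per absolute http:// URL, rated by what the browser would do with it."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for tag, attr, value in parser.links:
        parts = urlsplit(value)
        if parts.scheme.lower() != "http":
            continue  # relative, https:, mailto: etc. do not downgrade the session
        host = (parts.hostname or "").lower()
        if tag == "form" and attr == "action":
            severity = "credential-leak"  # credentials would be POSTed in clear text
        elif tag in ("script", "link", "iframe"):
            severity = "active-mixed-content"  # blocked outright on an HTTPS page
        elif tag in ("img", "audio", "video"):
            severity = "passive-mixed-content"  # loads, but the padlock is lost
        elif host == site_host.lower():
            severity = "downgrade"  # the "next click drops back to HTTP" case
        else:
            severity = "external-http"
        findings.append({"tag": tag, "attr": attr, "url": value, "severity": severity})
    return findings


def check_redirect(status, headers):
    """True if a response from the plain-HTTP listener sends the browser to HTTPS."""
    location = headers.get("Location", "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


def hsts_max_age(headers):
    """Return the max-age from a Strict-Transport-Security header, or None if absent."""
    value = headers.get("Strict-Transport-Security")
    if not value:
        return None
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            return int(directive[len("max-age="):])
    return None


# Constructed sample page: a login form and links as an old forum template might emit them.
SAMPLE_PAGE = """
<html><body>
<form method="post" action="http://forum.example.test/login.php">
  <input name="username"><input type="password" name="password">
</form>
<a href="http://forum.example.test/beanbay/">BeanBay</a>
<a href="/forum/index.php">Forum index</a>
<img src="http://cdn.example.test/logo.png">
<script src="http://cdn.example.test/forum.js"></script>
<a href="https://www.paypal.com/">Pay</a>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_http_links(SAMPLE_PAGE, "forum.example.test"):
        print(f"{f['severity']:<22} <{f['tag']} {f['attr']}=\"{f['url']}\">")
    print("http -> https redirect:", check_redirect(301, {"Location": "https://forum.example.test/"}))
    print("HSTS max-age:", hsts_max_age({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

Run against a saved copy of each template the forum renders; anything rated `credential-leak` or `downgrade` has to be changed to a relative or `https://` URL before the cert does any good, and the redirect and HSTS checks confirm the web server side is done once the cert is in.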
You can't protect against stupid.
Originally Posted by speleomike
If you have trouble remembering different pw's over different sites, get something like Dashlane, which can keep everything together, create random pw's for you, analyse your current autocomplete cache (including sites you haven't visited in years) and give you feedback on how good they are, how often you use the same pw, etc. etc. (it is quite an eye-opening experience how much information it can extract from your browser cache).
It is free, provided you don't want the more convenient features (cloud-based replication of pw's for all your devices).
So if the bad guys get one of your pw's they don't have any leverage on any of your other sites, which they will try (Apple, Amazon, eBay, Gmail etc).