Author Topic: Forum login not secure  (Read 4385 times)

ninthace

  • Veteran Member
  • *****
  • Posts: 11861
Forum login not secure
« on: 23:46:13, 15/02/17 »
Google Chrome has started showing a beefed-up warning that sites such as this forum are not secure because the site is not using the appropriate security protocols (SSL/TLS) to protect users' passwords. The warning takes the form of the words Not Secure where the https:// normally is in the address bar. Perhaps it would be a good idea for users to ensure that their password for this forum is unique? I am not sure what the size of risk is - perhaps a bigger geek than me could comment. Can I ask if site admin have plans to migrate to an https:// address for the login screen?


More info here:
https://www.wordfence.com/blog/2017/01/chrome-56-ssl-https-wordpress/
https://support.google.com/chrome/answer/95617?hl=en-GB
Solvitur Ambulando

SplanK

  • Jr. Member
  • **
  • Posts: 38
Re: Forum login not secure
« Reply #1 on: 08:45:04, 16/02/17 »
Google Chrome has started showing a beefed-up warning that sites such as this forum are not secure because the site is not using the appropriate security protocols (SSL/TLS) to protect users' passwords. The warning takes the form of the words Not Secure where the https:// normally is in the address bar. Perhaps it would be a good idea for users to ensure that their password for this forum is unique? I am not sure what the size of risk is - perhaps a bigger geek than me could comment. Can I ask if site admin have plans to migrate to an https:// address for the login screen

The 'risk' is that any data submitted, be it username, password, or this post I am posting, is sent in clear text across the network you are connected to, as well as the wider internet.  Using easily available programs and a bit of knowledge, this data can be 'sniffed' as it's transported across a network and its contents can be read.

Wifi is particularly vulnerable to this as it's much easier to snoop on traffic, especially on open public wifi spots, thus somebody else would have the ability to see your data sent to the server.  It is so easy to forge a public wifi spot and have phones or devices auto connect to it.  All you need to do is create a wifi point with the same SSID name as a popular zone, such as McDonalds, Tesco, Openzone...

It is *always* advisable regardless to have a different password per site as there is much more to it than just the transport.  It could be that the website is storing your password in 'text' or a reversible encryption, or if you use a password that's popular, a rainbow table can help quickly identify what your password is if the site protects your password with a one way hash.

Turning on TLS is trivial in most cases, and the certs can be purchased cheap.... but it depends on the hosting platform that is used!
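
Added example, not part of the original thread or any poster's code: a small Python check a site admin could run over a login page to see whether a password field is served or submitted over plain HTTP, which is the condition behind the Chrome warning discussed above. The host forum.example, the /login path and the sample form are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PasswordFieldFinder(HTMLParser):
    """Record the enclosing form's action for every password input."""

    def __init__(self):
        super().__init__()
        self._action = ""   # action of the <form> currently open, if any
        self.actions = []   # one entry per password field found

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = ""


def audit_login_page(page_url, html):
    """Return findings; an empty list means no password crosses plain HTTP."""
    finder = PasswordFieldFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for action in finder.actions:
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(page_url, action)
        checks = [
            # An HTTP page can be altered in transit, so an https:// action
            # on its own does not protect the form.
            (page_url, "password field served over plain HTTP"),
            (target, "password submitted over plain HTTP"),
        ]
        for url, problem in checks:
            msg = f"{problem}: {url}"
            if urlparse(url).scheme != "https" and msg not in findings:
                findings.append(msg)
    return findings


# Constructed sample: a forum-style login form on a hypothetical host.
SAMPLE_FORM = ('<form action="/login" method="post"><input name="user">'
               '<input type="password" name="passwrd"></form>')

if __name__ == "__main__":
    for url in ("http://forum.example/login", "https://forum.example/login"):
        print(url, audit_login_page(url, SAMPLE_FORM))
```
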

alewife

  • Veteran Member
  • *****
  • Posts: 6250
Re: Forum login not secure
« Reply #2 on: 09:31:47, 16/02/17 »
I only get this when I'm staying in hotels etc and using my tablet, not on my home wifi. So I think it's the networks that are not secure, rather than the site. (As SplanK says; I really should read replies before posting mine.)
Alewife


...beware of the bull!

fernman

  • Veteran Member
  • *****
  • Posts: 4557
Re: Forum login not secure
« Reply #3 on: 10:36:14, 16/02/17 »
Would a VPN help?

SplanK

  • Jr. Member
  • **
  • Posts: 38
Re: Forum login not secure
« Reply #4 on: 14:13:34, 16/02/17 »
A VPN would improve the situation by encrypting the data sent from your device to the VPN provider (so increasing protection on public wifi spots), but the VPN has to exit somewhere and from that somewhere, the traffic would then be unencrypted.

Strider

  • Veteran Member
  • *****
  • Posts: 1386
Re: Forum login not secure
« Reply #5 on: 14:43:41, 16/02/17 »
I couldn't care less if Russian hackers got into my Walking Forum account, what's the worst they could do?
Not all those who wander are lost

SplanK

  • Jr. Member
  • **
  • Posts: 38
Re: Forum login not secure
« Reply #6 on: 14:52:25, 16/02/17 »
To be fair, as long as you don't re-use user/password combos across sites, then the risk is limited.... if you do then I hope your password is different for your online banking!!!  :o

Percy

  • Veteran Member
  • *****
  • Posts: 1676
Re: Forum login not secure
« Reply #7 on: 15:59:35, 16/02/17 »
I couldn't care less if Russian hackers got into my Walking Forum account, what's the worst they could do?
Post TRs of boring walks round Vladivostok. :-\

Percy

  • Veteran Member
  • *****
  • Posts: 1676
Re: Forum login not secure
« Reply #8 on: 16:01:24, 16/02/17 »
To be fair, as long as you don't re-use user/password combos across sites, then the risk is limited.... if you do then I hope your password is different for your online banking!!!  :o
Or email/password combos - if they get your password and username for here then they also have your email address.

ninthace

  • Veteran Member
  • *****
  • Posts: 11861
Re: Forum login not secure
« Reply #9 on: 16:36:41, 16/02/17 »
Or email/password combos - if they get your password and username for here then they also have your email address.


And any other details in your profile. Yesterday, I received a spearphishing email addressed to me by name acknowledging an order I had not placed with a company I had never heard of. The email directed me to a link giving details of the order where I suspect the payload was waiting. The email had my name right, my address right and my telephone number right. Unfortunately, the telephone number was for a French phone I used to have and an address I no longer lived at. I have no idea how they got these details but I presume that they had somehow managed to hack an old profile from some site I used to use in the days before password managers.
Solvitur Ambulando

Innominate Man

  • Veteran Member
  • *****
  • Posts: 2406
Re: Forum login not secure
« Reply #10 on: 16:55:01, 16/02/17 »
I couldn't care less if Russian hackers got into my Walking Forum account, what's the worst they could do?


 ;D ;D ;D
Nicely disguised joke there Strider  O0
Only a hill but all of life to me, up there between the sunset and the sea. 
Geoffrey Winthrop Young

fernman

  • Veteran Member
  • *****
  • Posts: 4557
Re: Forum login not secure
« Reply #11 on: 18:37:10, 16/02/17 »
Or email/password combos - if they get your password and username for here then they also have your email address.

That actually happened to me in August 2015 on another forum, initials OM.
I registered on it to follow and comment on a very lengthy thread, it ran into 35 pages, about the model of tent I have.
One day I received spam sent to the email address I was using on that site and calling me by my username.
There was no other instance at all where I had used that combination of username and email address.
Needless to say, I promptly unregistered.

John Walker

  • Full Member
  • ***
  • Posts: 240
Re: Forum login not secure
« Reply #12 on: 20:59:53, 16/02/17 »
I had to use Google Translate (via Chrome) to understand Strider's excellent joke  ;D  but probably my security has now been compromised and I'm suspected of being a Putin/Trump fan?  It's a minefield out there!
http://www.greenlives.org.uk/walk.html
National Trails completed: SWCP, Thames, SDW and NDW

Innominate Man

  • Veteran Member
  • *****
  • Posts: 2406
Re: Forum login not secure
« Reply #13 on: 22:18:05, 16/02/17 »
I had to use Google Translate (via Chrome) to understand Strider's excellent joke  ;D  but probably my security has now been compromised and I'm suspected of being a Putin/Trump fan?  It's a minefield out there!


There's me thinking it was copied from the label of a vodka bottle  :-\
Only a hill but all of life to me, up there between the sunset and the sea. 
Geoffrey Winthrop Young

ninthace

  • Veteran Member
  • *****
  • Posts: 11861
Re: Forum login not secure
« Reply #14 on: 15:55:34, 16/07/18 »
Giving this one a boost, see - https://www.theregister.co.uk/2018/07/03/google_chrome_http/
Does admin have a plan to migrate to https://?
By the way - registration on this site involved the collection of my email address, should there not be a site privacy policy under GDPR?
Solvitur Ambulando

 
