[bug/security] No TLS certificate for registration/login (https)

araqyn

Green Slime
Hi Pixel Ferrets,

I finally decided to create a forum account to (hopefully) contribute to the development of SoG. Upon registration I noticed that neither the registration nor the login forms are sent over https.

You should be aware that this introduces a very real risk of man-in-the-middle attacks on private data of your (potential) customers. Even if there is little sensitive information transferred, and no matter how discouraged re-using passwords is, there is still the risk that people do re-use their SoG forum passwords (or email addresses) elsewhere.

Also, since Let's Encrypt has long been out of beta, there is no real excuse not to deploy TLS certificates on your servers. If you plan on using subdomains for different services in the future, there is an announcement about introducing wildcard certificates in January 2018.

I'm posting this in bug reports to highlight the importance of this issue and because nowadays this is a serious security bug (imo).

Best regards,
araqyn

Let's Encrypt "a free, automated, and open Certificate Authority", https://letsencrypt.org/
Announcement of wildcard certificates, https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

Edit: sorry for the clutter in the title (wasn't sure if tags would work), but apparently I can't edit the title.
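As an added illustration of the check behind this report (example code, not part of the original post and not the forum's own software): the script below parses a page's HTML, finds every form that contains a password field, and flags it when either the page itself or the form's resolved submit target is not served over HTTPS. The sample page, the host `forum.example` and the `/login` path are constructed for the example.

```python
"""Flag login/registration forms that would submit credentials over plaintext HTTP.

Added example (not from the forum post). A form is reported when the page it
lives on was loaded over http (an on-path attacker can rewrite the form) or
when the resolved action URL is not https (credentials leave in cleartext).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes map to None, so use `or` defaults below
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_plaintext_credential_forms(page_url, html):
    """Return a list of findings for credential forms that are not fully protected by TLS."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes etc. carry no credentials
        # An empty or relative action resolves against the page URL, so it
        # inherits the page's scheme; an absolute action brings its own.
        target = urljoin(page_url, form["action"])
        target_scheme = urlsplit(target).scheme.lower()
        reasons = []
        if page_scheme != "https":
            reasons.append("page loaded over " + page_scheme)
        if target_scheme != "https":
            reasons.append("form submits over " + target_scheme)
        if reasons:
            findings.append({"target": target, "method": form["method"], "reasons": reasons})
    return findings


# Constructed sample page: one login form plus a harmless search form.
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""


def audit_sample():
    """Run the check for the same page served over http and over https."""
    return {
        "http": find_plaintext_credential_forms("http://forum.example/", SAMPLE_HTML),
        "https": find_plaintext_credential_forms("https://forum.example/", SAMPLE_HTML),
    }


if __name__ == "__main__":
    for scheme, result in audit_sample().items():
        print(scheme, "->", result or "no plaintext credential forms")
```

Running it as a script prints one finding for the http-served page (the login form posts to `http://forum.example/login`) and none for the https-served one, which is the state a TLS deployment plus an http-to-https redirect should produce. The relative-action case matters in practice: a form with `action="/login"` is only as safe as the scheme the page was fetched with.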