Security Risk!

[BashChelik]

Hello fellow web designers,I noticed at this forums, while i was loging in, that sending data is done over simple http protocol and not over https.If i remember good, when i was registering at this forum, sending that form was also done over http protocol.I ask administrators of this forum, how could you make such a mistake, if it is one?Then i must ask you, how can you be so irresponsible?There is no wonder that member Alzable got his account stolen. What wonders me is why there are no more of cases like him.I presume this forum is not so interesting to hijackers out there.

Best of luck,Mirko

[Mencarta]

No, we are not that valuable. They would rather go for a Marry Hopkins forum instead.

[jeffman]

Cost-benefit ratio. I don't know how that dude got his account stolen, but I'm pretty sure eavesdropping is a minimal threat to this forum. Any personal data you've put on the site is already visible. No money gets transferred. I can imagine a nuisance cracker getting interested, but the whole internet is an equally fun target. I wouldn't spend the money on a certificate, either.That's just life. You put a cheaper lock on your bicycle than you do on a bank vault.

[boen_robot]

Hello fellow web designers,I noticed at this forums, while i was loging in, that sending data is done over simple http protocol and not over https.If i remember good, when i was registering at this forum, sending that form was also done over http protocol.I ask administrators of this forum, how could you make such a mistake, if it is one?Then i must ask you, how can you be so irresponsible?There is no wonder that member Alzable got his account stolen. What wonders me is why there are no more of cases like him.I presume this forum is not so interesting to hijackers out there.

Best of luck,Mirko

Would you like to pay for the certificate yourself? PayPal or CC? No, seriously... if you suspect someone may be monitoring the traffic on this forum, simply change your password to one that you never use at other places. Like Deirdre's Dad said already, no money goes through this site, so there is little crackers may gain if they stole your account.As for Alzable... I think the case was that someone he knew got ahold of his account, and then locked him out by changing the password. The mods then demoted him, to avoid any risks. So it wasn't HTTP monitoring, it was more like "oh, look at this piece of paper... I wonder... hmm... wait, what's that in his favorites... bingo!".

[justsomeguy]

This forum has been hacked or attempts have been made several times, but IPS keeps their software up to date enough that they can get the bugs out pretty quickly, and having admins manually validate each new account helps weed out most of the spammers.

I ask administrators of this forum, how could you make such a mistake, if it is one?Then i must ask you, how can you be so irresponsible?

This forum is a hosted service, it is operated by Invision Power Services on their servers. If you notice, this forum is a subdomain of invisionzone.com. I know from experience that setting up a wildcard SSL certificate that will cover all subdomains under a single domain can be a bit problematic. For one, when you set up a new subdomain which needs to use the certificate you need to restart Apache, which kills all of the active sessions. That's probably something they want to avoid doing whenever they create a new account. A wildcard SSL certificate also has a limit of how many subdomains it can apply to, and the popularity of IPS hosted services may have overwhelmed that limit. IPS does not list SSL as an option on any of their community hosting packages:http://www.invisionpower.com/hosting/advanced.phpPresumably one could get a dedicated server and host using their own domain, but that would be a custom service from IPS and not one of their standard or advanced packages.Furthermore, I don't think that man-the-middle SSL attacks are nearly as prevalent as you may think. The fact that you don't routinely hear about login credentials being stolen when a very large number of websites exist which don't encrypt their traffic indicates to me that those attacks are not widespread at all.I've worked at a company for the past 7 years where we host sites for companies, one of our clients has over 80,000 users registered on their site (that's 8 times as many as are registered here). For the vast majority of time I've worked there we haven't encrypted traffic for the client sites, and I haven't heard of a single instance where any traffic has been intercepted.It's a good idea to encrypt, and it's legally required for certain things, but not encrypting traffic does not automatically mean that your site is going to get hacked.

[BashChelik]

OK, i have to apologize for calling you mods irresponsible.That was out of line.I suppose this really is not a commercial forum, neither it contains any critical information which is just for members, so security is not a relevant issue. I guess i was just accustomed to see https when i send forms.Thank you for making me smarter and wiser.

Best of luck,Mirko

[Mencarta]

[ Bows ] Your welcome grasshopper.