MrHappyRotter |
07-26-2018 01:15 PM |
The thing about SSL is that it really does protect the users of this site who may not be privy in regards to technology and online security.
Currently the site does not use https (secure http), not even for the login form. This means that your username and password are being passed over the network in a manner that is trivial for someone with malicious intent and access to the network to retrieve. Additionally, any information in your user profile (personal messages, email address, etc.) is being transmitted in an insecure manner as well, and therefore is subject to snooping by folks with malicious intent.
This opens up a pretty significant vector for attack. For instance, with just a modicum of effort and knowledge, any time you log in to this site, it's possible for someone to see your password (because it is transmitted all the way to the server in an easily readable manner). This means anybody with access to your wifi or home network, anybody on the same public network if you're using free wifi, anybody with access to the physical lines to your ISP, various folks at your ISP, anybody that's compromised the network, etc., could potentially see your password. The same goes for anything (even private info) in your user profile including your email and private messages that you view. From there, if you happen to have used the same password on another site (such as your social media account or your bank account) then it's pretty trivial for them to gain access to those systems. Or if they're fishing for information about you to use for alternate attack methods, things like knowing your email address or finding your phone number from a private message could come in handy. HTTPS prevents those vectors of attack, even if your online security practices are lacking or if others are not following secure practices with your information.
I do understand that there are financial aspects to this decision. Even though the SSL certificates can be acquired for free, it still takes money and a bit of technical expertise to set up. And there can often be secondary impacts and costs to switching a site over to https above and beyond just the cost of the cert.