Insecure - Use HTTPS


#1

I just signed up here (finally found out where the UK chowhounders had gone!) and noticed that at the moment all passwords are being transmitted to this site in plain text over HTTP, so everyone’s password is essentially compromised. It would be wise to use HTTPS for any communication involving credentials - this might just be the sign up and login page.

Anyone that used a routine password when they signed up that they share with other sites should consider changing it on those other sites.


#2

SSL certificates are relatively cheap these days. Maybe we could chip in and buy one for HO.


#3

I already bought one. The last time I tried to enable the SSL it brought the whole site down… Have to figure out what the problem was.

Not downplaying the issue of course, because this issue is important to me, though one thing to point out is that CH, egullet also don’t have https.


#4

Thanks for the heads up! Not a mistake I usually make.


#5

I checked that out of curiosity before I posted. If you use the chrome dev tools the Chowhound login form does submit over https - it's just the general site pages that don't.


#6

I can have a look if you’d like, I’m a Security Architect, and I’ve done this type of thing many times before. HTTPS isn’t nearly as secure (anymore) as everyone would like to think, but regardless…


#7

Thanks for the tip. I use an old PW that I use on forums but not on other sites that have sensitive information.


#8

Https is enabled. Can someone double check if I get it all correct? Thanks.


#9

BTW, can anyone tell if it's the login screen that's encrypted and nowhere else? Thanks


#10

It’s on the screen where I’m typing now. I haven’t logged out, but I have a browser extension called HTTPS Everywhere that attempts HTTPS, well, everywhere if it can.
Thanks!


#11

Looks like everything is using HTTPS now apart from the Facebook/Twitter image links which appear to be retrieved with HTTP (which results in a redirect to the resource behind HTTPS). The only issue with that is it causes chrome to show a warning next to the padlock on the URL bar, as some of the resources are not considered secure.

Good work!
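The mixed-content problem described in #11 (an HTTPS page that still pulls some resources over http://, so the browser marks the page as not fully secure even though the server redirects) can be checked offline against the page's HTML. This is an added example, not code from anyone in the thread; the HTML and hostnames below are constructed to mirror the situation described, and the split into "blocked" (active) and "warning" (passive) follows how current browsers treat the two kinds of mixed content.

```python
"""Find mixed content: http:// subresources referenced from an HTTPS page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Browsers block active mixed content (scripts, frames, stylesheets) outright
# and only warn (or upgrade) for passive content such as images and media.
ACTIVE = {"script", "iframe", "link", "object", "embed"}
PASSIVE = {"img", "audio", "video", "source"}
URL_ATTRS = ("src", "href", "data")

# Constructed sample page: served over HTTPS, but the Facebook icon and one
# script are still referenced with http:// URLs, as in the thread.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<a href="http://facebook.example.test/HO">
  <img src="http://facebook.example.test/icon.png" alt="Facebook"></a>
<img src="//twitter.example.test/icon.png" alt="Twitter">
<img src="https://example.test/logo.png" alt="logo">
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in ACTIVE | PASSIVE:
            return  # an <a href> is navigation, not a loaded subresource
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or ""):
            return  # only <link rel=stylesheet> is treated as a subresource here
        for name in URL_ATTRS:
            url = attrs.get(name)
            # Scheme-relative "//host/path" resolves to https on an HTTPS page,
            # so only an explicit http: scheme counts as mixed content.
            if url and urlparse(url).scheme == "http":
                severity = "blocked" if tag in ACTIVE else "warning"
                self.findings.append((severity, tag, url))


def find_mixed_content(html: str):
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```

Rewriting the flagged URLs to https:// (or to scheme-relative //host/path) removes the padlock warning; a server-side redirect from http to https does not, because the browser has already made the insecure request.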