I just signed up here (finally found out where the UK chowhounders had gone!) and noticed that at the moment all passwords are being transmitted to this site in plain text over HTTP, so everyone’s password is essentially compromised. It would be wise to use HTTPS for any communication involving credentials - this might just be the sign up and login page.
Anyone that used a routine password when they signed up that they share with other sites should consider changing it on those other sites.
I checked that out of curiosity before I posted. If you use the Chrome dev tools, the Chowhound login form does submit over HTTPS - it’s just the general site pages that don’t.
I can have a look if you’d like, I’m a Security Architect, and I’ve done this type of thing many times before. HTTPS isn’t nearly as secure (anymore) as everyone would like to think, but regardless…
It’s on the screen where I’m typing now. I haven’t logged out, but I have a browser extension called HTTPS Everywhere that attempts HTTPS, well, everywhere if it can.
Thanks!
Looks like everything is using HTTPS now apart from the Facebook/Twitter image links which appear to be retrieved with HTTP (which results in a redirect to the resource behind HTTPS). The only issue with that is it causes Chrome to show a warning next to the padlock on the URL bar, as some of the resources are not considered secure.