Insecure - Use HTTPS

Lex · October 16, 2015, 10:37pm

I just signed up here (finally found out where the UK chowhounders had gone!) and noticed that at the moment all passwords are being transmitted to this site in plain text over HTTP, so everyone’s password is essentially compromised. It would be wise to use HTTPS for any communication involving credentials - this might just be the sign up and login page.

Anyone that used a routine password when they signed up that they share with other sites should consider changing it on on those other sites.

ernie_in_berkeley · October 16, 2015, 10:41pm

SSL certificates are relatively cheap these days. Maybe we could chip in and buy one for HO.

hungryonion · October 16, 2015, 10:43pm

I already bought one. The last time I tried to enable the SSL it brought the whole site down… Have to figure out what the problem was.

Not downplaying the issue of course, because this issue is important to me, though one thing to point out is that CH, egullet also don’t have https.

StoneSoup · October 16, 2015, 10:56pm

Thanks for the heads up! Not a mistake I usually make.

Lex · October 16, 2015, 10:57pm

I checked that out of curiosity before I posted. If you use the chrome dev tools the Chowhound login form does submit over https - its just the general site pages that don’t

anon68628887 · October 17, 2015, 12:45am

I can have a look if you’d like, I’m a Security Architect, and I’ve done this type of thing many times before. HTTPS isn’t nearly as secure (anymore) as everyone would like to think, but regardless…

Scubadoo97 · October 17, 2015, 11:21am

Thanks for the tip. I use an old PW that I use on forums but not on other sites that have sensitive information

hungryonion · October 20, 2015, 7:39am

Https is enabled. Can someone double check if I get it all correct? Thanks.

hungryonion · October 20, 2015, 7:42am

BTW, can anyone tell if its the login screen that’s encrypted and nowhere else? Thanks

ernie_in_berkeley · October 20, 2015, 4:41pm

It’s on the screen where I’m typing now. I haven’t logged out, but I have a browser extension called HTTPS Everywhere that attempts HTTPS, well, everywhere if it can.
Thanks!

Lex · October 20, 2015, 9:40pm

Looks like everything is using HTTPS now apart from the Facebook/Twitter image links which appear to be retrieved with HTTP (which results in a redirect to the resource behind HTTPS). The only issue with that is it causes chrome to show a warning next to the padlock on the URL bar, as some of the resources are not considered secure.

Good work!