Passwords may be stored encrypted, but your site doesn't support secure authentication, which is the real issue. Most sites that have a login page do support secure authentication for that function.
Passwords are encrypted, so they are secured that way. The gap in security your browser is pointing out is common on most sites
Submitting private authentication data to the site and submitting content to the site are two separate things - and that's saying nothing about the PM system. It always made sense to protect authentication data in transmission.
Since everything you type here is viewable to all, this has never been a thing it made sense to protect against.
That is unfortunately not accurate. Currently, all communication (including username, password, PMs, etc.) can be read in plaintext by any network component between the client and server. If you're on an untrusted network, say a coffee shop, internet cafe, hotel, it is trivial for someone else on that network to intercept your password. And if you're one of many who reuse passwords across several sites, you can have a serious problem.
As long as you aren't typing your password into a thread in plain text, or your bank info, this doesn't affect you.
Fortunately not. Most sites today are switching over to HTTPS even for non-sensitive data. Ever done a Google search lately?
The gap in security your browser is pointing out is common on most sites,
They may be encrypted on your server, but they are definitely not encrypted in transit - when they are most vulnerable. So to anyone reading this: It is currently an exceedingly bad idea to reuse your stromtrooper.com password in any other place, or reuse a password from anywhere else here.
Passwords are encrypted, so they are secured that way.
I fully agree with this. The sooner the better.
All that said, now that Google is pointing this out, we are going to have to add the protection to keep our standing as a trusted site.
There's a couple of aspects to that.
What backend does VerticalScope use to drive the forum? Is it possible to move to a provider that will deliver a secure platform?
You are quite correct. If you use a truly unique password for each and every site on the internet, then the worst that can happen if somebody intercepts the password is that they log in as you. That gives them access to anything you've got stored on the site (including PMs, which may contain sensitive information) and gives them the ability to pose as you (which may ruin your reputation). If you're not too worried about those two issues then, indeed, you don't have a lot to worry about.
I would be interested in someone smarter than me explaining what is at risk with an unsecured site if you segregate the password and do not put sensitive information on the site.
Dayle, two months since your post above. Any progress to report?
SSL/HTTPS is in the works, as Kevin mentioned. Tech is in the final stages now - this is something that was started last year with the breach (for the record, it was not our database, but that of a third party vendor). It does take a while to get everything sorted out to be deployed across nearly 1000 sites and not break everything. Tech is aiming for this to be active in the next few months.
Make sure that the password you use here is NOT used anywhere else. The easiest way to achieve that is to log out and then follow the steps as if you had lost your password. The site will then generate a new, random password for you and mail it. Use that and don't change it.
I would imagine that all of the MANY forums that verticalscope runs aren't secure as well?
Another, what, eight months, without progress?
Starting about July 2018, Google Chrome will even more prominently display a "Not Secure" icon for this site. And rightfully so: even the login process itself is still using (unencrypted) http instead of (encrypted) https. This wasn't acceptable in 2010, and is definitely not acceptable in 2018.
In the meantime, let me repeat the advice to all users of this forum that I gave almost 10 months ago:
I'm not arguing any of this 'cause the tech stuff is over my head - but I did recall this post and was able to find it. Unless it's changed since Dec 2017, I was led to believe that ADVRider was specifically not sold to VerticalScope. Again not trying to argue, I really appreciate the time and effort Big B and the others put in on this site.
Looks like neither ADVrider nor the goldwing forums are secure either, appears they are run by verticalscope.