https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307932#M7578 Are members aware that the Discussion Forums “Login” link is insecure if using the Plusnet Login link? <BR />Plusnet Home page = <A href="https://www.plus.net/" target="_blank">https://www.plus.net/</A> = Secure<BR />Member Centre = <A href="https://portal.plus.net/index_nlp.html" target="_blank">https://portal.plus.net/index_nlp.html</A> = Secure<BR />Discussion Forums = <A href="http://community.plus.net/forum/" target="_blank">http://community.plus.net/forum/</A> = OK for viewing only.<BR />Clicking on the Discussion Forums link “Login” takes me to: - <A href="http://community.plus.net/forum/index.php?action=login" target="_blank">http://community.plus.net/forum/index.php?action=login</A> = Not secure.<BR />I have created a favourite/bookmark (I should not have had to do this) to take me to <A href="https://community.plus.net/forum/index.php?action=login" target="_blank">https://community.plus.net/forum/index.php?action=login</A><BR />How many people are logging in to the Plusnet Community Site forums using the Plusnet provided “Login” link taking them to the insecure login page and then entering their username and password?<BR />I have only been with Plusnet since February so how long has this breach been happening for and are Plusnet aware of it and sorting it?<BR />Not good.<BR /> Mon, 21 Mar 2016 16:36:31 GMT Madeleyite 2016-03-21T16:36:31Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307932#M7578 Are members aware that the Discussion Forums “Login” link is insecure if using the Plusnet Login link? <BR />Plusnet Home page = <A href="https://www.plus.net/" target="_blank">https://www.plus.net/</A> = Secure<BR />Member Centre = <A href="https://portal.plus.net/index_nlp.html" target="_blank">https://portal.plus.net/index_nlp.html</A> = Secure<BR />Discussion Forums = <A href="http://community.plus.net/forum/" target="_blank">http://community.plus.net/forum/</A> = OK for viewing only.<BR />Clicking on the Discussion Forums link “Login” takes me to: - <A href="http://community.plus.net/forum/index.php?action=login" target="_blank">http://community.plus.net/forum/index.php?action=login</A> = Not secure.<BR />I have created a favourite/bookmark (I should not have had to do this) to take me to <A href="https://community.plus.net/forum/index.php?action=login" target="_blank">https://community.plus.net/forum/index.php?action=login</A><BR />How many people are logging in to the Plusnet Community Site forums using the Plusnet provided “Login” link taking them to the insecure login page and then entering their username and password?<BR />I have only been with Plusnet since February so how long has this breach been happening for and are Plusnet aware of it and sorting it?<BR />Not good.<BR /> Mon, 21 Mar 2016 16:36:31 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307932#M7578 Madeleyite 2016-03-21T16:36:31Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307933#M7579 Why should it use https - checking on the multiple forums I use and I only found one using it Mon, 21 Mar 2016 16:41:27 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307933#M7579 Oldjim 2016-03-21T16:41:27Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307934#M7580 https works fine on the forum.. Mon, 21 Mar 2016 16:43:23 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307934#M7580 dvorak 2016-03-21T16:43:23Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307935#M7581 but you have to change it yourself as linking from the main site doesn't use it Mon, 21 Mar 2016 16:46:12 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307935#M7581 Oldjim 2016-03-21T16:46:12Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307936#M7582 Dunno, Jim - I logged into the forums so long ago I can't remember which link I used, but my header definitely reads 'https://' Mon, 21 Mar 2016 16:50:14 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307936#M7582 jab1 2016-03-21T16:50:14Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307937#M7583 No http ot https shown in FF here but clicking on the little 'i' to the left of the address bar and I get a message that 'Connection is not secure'. Mon, 21 Mar 2016 17:36:29 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307937#M7583 Mav 2016-03-21T17:36:29Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307938#M7584 Are you sure that's not just telling you certain items on the page are insecure Mav? Things like externally hosted images in signatures blocks/avatars probably won't be.<BR />The login link should force SSL IMO and I believe it will when the community gets upgraded in the not too distant future. Mon, 21 Mar 2016 21:25:11 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307938#M7584 bobpullen 2016-03-21T21:25:11Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307939#M7585 Not sure so I've attached a screenshot:<BR /><IMG src="http://i67.tinypic.com/1z3wehy.jpg" /> Tue, 22 Mar 2016 00:36:01 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307939#M7585 Mav 2016-03-22T00:36:01Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307940#M7586 As a publicly viewable site I guess having HTTP access makes some sense but I can't help thinking the login page, at least, should be HTTPS only.<BR />What are the real risks of entering a username and password on a plain HTTP page?&nbsp; (I ask because I genuinely don't really know)<BR />In case anyone wants to state the obvious that unique usernames and passwords should be used for every different sites, we all probably know someone who doesn't do this so shouldn't all login pages be secure by default? Tue, 22 Mar 2016 09:26:17 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307940#M7586 w23 2016-03-22T09:26:17Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307941#M7587 New community's going live next week so this will become a non-issue (from a login perspective). @Mav, you're browsing over HTTP by the looks of things. You can force HTTPS by manually prefixing the URL with 'https://'. Sat, 02 Apr 2016 11:06:39 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307941#M7587 bobpullen 2016-04-02T11:06:39Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307942#M7588 A bit moot now, really, but I have just added https:// before the URL.<BR />I get a padlock with a red line through it and right-clicking still gives me a message 'Connection is not secure.'.<BR />Not worth investigating but thought I'd post my results.<BR /> Sat, 02 Apr 2016 11:14:03 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307942#M7588 Mav 2016-04-02T11:14:03Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307943#M7589 There are some unsecured scripts Sat, 02 Apr 2016 12:05:08 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307943#M7589 dvorak 2016-04-02T12:05:08Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307944#M7590 Will the new site login page be https by default? Sat, 02 Apr 2016 19:26:48 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307944#M7590 w23 2016-04-02T19:26:48Z https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307945#M7591 The entire site should be https by default. Otherwise, your login cookie would be exposed the same way as the username and password would be if the login page isn't https. Sat, 02 Apr 2016 19:32:10 GMT https://community.plus.net/t5/Community-Site-Feedback/quot-Insecure-Discussion-Forums-Login-link-quot/m-p/1307945#M7591 ejs 2016-04-02T19:32:10Z