cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

"Insecure Discussion Forums “Login” link"

Madeleyite
Rising Star
Posts: 90
Thanks: 18
Fixes: 5
Registered: ‎19-03-2016

"Insecure Discussion Forums “Login” link"

‎21-03-2016 4:36 PM

Are members aware that the Discussion Forums “Login” link is insecure if using the Plusnet Login link?
Plusnet Home page = https://www.plus.net/ = Secure
Member Centre = https://portal.plus.net/index_nlp.html = Secure
Discussion Forums = http://community.plus.net/forum/ = OK for viewing only.
Clicking on the Discussion Forums link “Login” takes me to: - http://community.plus.net/forum/index.php?action=login = Not secure.
I have created a favourite/bookmark (I should not have had to do this) to take me to https://community.plus.net/forum/index.php?action=login
How many people are logging in to the Plusnet Community Site forums using the Plusnet provided “Login” link taking them to the insecure login page and then entering their username and password?
I have only been with Plusnet since February so how long has this breach been happening for and are Plusnet aware of it and sorting it?
Not good.
Message 1 of 14
(2,339 Views)
Reply
13 REPLIES 13
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: "Insecure Discussion Forums “Login” link"

‎21-03-2016 4:41 PM

Why should it use https - checking on the multiple forums I use and I only found one using it
Message 2 of 14
(1,819 Views)
Reply
0 Thanks
dvorak
Moderator
Moderator
Posts: 29,497
Thanks: 6,627
Fixes: 1,483
Registered: ‎11-01-2008

Re: "Insecure Discussion Forums “Login” link"

‎21-03-2016 4:43 PM

https works fine on the forum..
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
Message 3 of 14
(1,819 Views)
Reply
0 Thanks
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: "Insecure Discussion Forums “Login” link"

‎21-03-2016 4:46 PM

but you have to change it yourself as linking from the main site doesn't use it
Message 4 of 14
(1,819 Views)
Reply
0 Thanks
jab1
Legend
Posts: 16,984
Thanks: 5,429
Fixes: 253
Registered: ‎24-02-2012

Re: "Insecure Discussion Forums “Login” link"

‎21-03-2016 4:50 PM

Dunno, Jim - I logged into the forums so long ago I can't remember which link I used, but my header definitely reads 'https://'
John
Message 5 of 14
(1,819 Views)
Reply
0 Thanks
Mav
Moderator
Moderator
Posts: 22,392
Thanks: 4,736
Fixes: 515
Registered: ‎06-04-2007

Re: "Insecure Discussion Forums “Login” link"

‎21-03-2016 5:36 PM

No http ot https shown in FF here but clicking on the little 'i' to the left of the address bar and I get a message that 'Connection is not secure'.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Message 6 of 14
(1,819 Views)
Reply
0 Thanks
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: "Insecure Discussion Forums “Login” link"

‎21-03-2016 9:25 PM

Are you sure that's not just telling you certain items on the page are insecure Mav? Things like externally hosted images in signatures blocks/avatars probably won't be.
The login link should force SSL IMO and I believe it will when the community gets upgraded in the not too distant future.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 7 of 14
(1,819 Views)
Reply
0 Thanks
Mav
Moderator
Moderator
Posts: 22,392
Thanks: 4,736
Fixes: 515
Registered: ‎06-04-2007

Re: "Insecure Discussion Forums “Login” link"

‎22-03-2016 12:36 AM

Not sure so I've attached a screenshot:

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Message 8 of 14
(1,819 Views)
Reply
0 Thanks
w23
Pro
Posts: 6,347
Thanks: 96
Fixes: 4
Registered: ‎08-01-2008

Re: "Insecure Discussion Forums “Login” link"

‎22-03-2016 9:26 AM

As a publicly viewable site I guess having HTTP access makes some sense but I can't help thinking the login page, at least, should be HTTPS only.
What are the real risks of entering a username and password on a plain HTTP page?  (I ask because I genuinely don't really know)
In case anyone wants to state the obvious that unique usernames and passwords should be used for every different sites, we all probably know someone who doesn't do this so shouldn't all login pages be secure by default?
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
Message 9 of 14
(1,819 Views)
Reply
0 Thanks
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: "Insecure Discussion Forums “Login” link"

‎02-04-2016 12:06 PM

New community's going live next week so this will become a non-issue (from a login perspective). @Mav, you're browsing over HTTP by the looks of things. You can force HTTPS by manually prefixing the URL with 'https://'.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 10 of 14
(1,819 Views)
Reply
0 Thanks
Mav
Moderator
Moderator
Posts: 22,392
Thanks: 4,736
Fixes: 515
Registered: ‎06-04-2007

Re: "Insecure Discussion Forums “Login” link"

‎02-04-2016 12:14 PM

A bit moot now, really, but I have just added https:// before the URL.
I get a padlock with a red line through it and right-clicking still gives me a message 'Connection is not secure.'.
Not worth investigating but thought I'd post my results.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Message 11 of 14
(1,819 Views)
Reply
0 Thanks
dvorak
Moderator
Moderator
Posts: 29,497
Thanks: 6,627
Fixes: 1,483
Registered: ‎11-01-2008

Re: "Insecure Discussion Forums “Login” link"

‎02-04-2016 1:05 PM

There are some unsecured scripts
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
Message 12 of 14
(1,819 Views)
Reply
0 Thanks
w23
Pro
Posts: 6,347
Thanks: 96
Fixes: 4
Registered: ‎08-01-2008

Re: "Insecure Discussion Forums “Login” link"

‎02-04-2016 8:26 PM

Will the new site login page be https by default?
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
Message 13 of 14
(1,819 Views)
Reply
0 Thanks
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: "Insecure Discussion Forums “Login” link"

‎02-04-2016 8:32 PM

The entire site should be https by default. Otherwise, your login cookie would be exposed the same way as the username and password would be if the login page isn't https.
Message 14 of 14
(1,819 Views)
Reply
0 Thanks