
"Insecure Discussion Forums “Login” link"

Madeleyite
Newbie
Posts: 8
Thanks: 1
Registered: 19-03-2016

"Insecure Discussion Forums “Login” link"

Are members aware that the Discussion Forums “Login” link is insecure if using the Plusnet Login link?
Plusnet Home page = https://www.plus.net/ = Secure
Member Centre = https://portal.plus.net/index_nlp.html = Secure
Discussion Forums = http://community.plus.net/forum/ = OK for viewing only.
Clicking on the Discussion Forums link “Login” takes me to: - http://community.plus.net/forum/index.php?action=login = Not secure.
I have created a favourite/bookmark (I should not have had to do this) to take me to https://community.plus.net/forum/index.php?action=login
How many people are logging in to the Plusnet Community Site forums using the Plusnet provided “Login” link taking them to the insecure login page and then entering their username and password?
I have only been with Plusnet since February so how long has this breach been happening for and are Plusnet aware of it and sorting it?
Not good.
13 REPLIES
Community Veteran
Posts: 38,460
Thanks: 1,027
Fixes: 62
Registered: 15-06-2007

Re: "Insecure Discussion Forums “Login” link"

Why should it use https - checking on the multiple forums I use and I only found one using it
Moderator
Moderator
Posts: 18,217
Thanks: 1,576
Fixes: 172
Registered: 11-01-2008

Re: "Insecure Discussion Forums “Login” link"

https works fine on the forum..

Customer / Moderator / If it helped click the thumb / If it fixed it click 'This fixed my problem'

Community Veteran
Posts: 38,460
Thanks: 1,027
Fixes: 62
Registered: 15-06-2007

Re: "Insecure Discussion Forums “Login” link"

but you have to change it yourself as linking from the main site doesn't use it
jab1
All Star
Posts: 1,844
Thanks: 409
Fixes: 6
Registered: 24-02-2012

Re: "Insecure Discussion Forums “Login” link"

Dunno, Jim - I logged into the forums so long ago I can't remember which link I used, but my header definitely reads 'https://'
John
Moderator
Moderator
Posts: 17,907
Thanks: 2,542
Fixes: 183
Registered: 06-04-2007

Re: "Insecure Discussion Forums “Login” link"

No http or https shown in FF here but clicking on the little 'i' to the left of the address bar and I get a message that 'Connection is not secure'.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Community Gaffer
Community Gaffer
Posts: 13,167
Thanks: 941
Fixes: 78
Registered: 04-04-2007

Re: "Insecure Discussion Forums “Login” link"

Are you sure that's not just telling you certain items on the page are insecure Mav? Things like externally hosted images in signatures blocks/avatars probably won't be.
The login link should force SSL IMO and I believe it will when the community gets upgraded in the not too distant future.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Moderator
Moderator
Posts: 17,907
Thanks: 2,542
Fixes: 183
Registered: 06-04-2007

Re: "Insecure Discussion Forums “Login” link"

Not sure so I've attached a screenshot:

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Community Veteran
Posts: 6,313
Thanks: 86
Fixes: 3
Registered: 08-01-2008

Re: "Insecure Discussion Forums “Login” link"

As a publicly viewable site I guess having HTTP access makes some sense but I can't help thinking the login page, at least, should be HTTPS only.
What are the real risks of entering a username and password on a plain HTTP page?  (I ask because I genuinely don't really know)
In case anyone wants to state the obvious that unique usernames and passwords should be used for every different site, we all probably know someone who doesn't do this so shouldn't all login pages be secure by default?
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
Community Gaffer
Community Gaffer
Posts: 13,167
Thanks: 941
Fixes: 78
Registered: 04-04-2007

Re: "Insecure Discussion Forums “Login” link"

New community's going live next week so this will become a non-issue (from a login perspective). @Mav, you're browsing over HTTP by the looks of things. You can force HTTPS by manually prefixing the URL with 'https://'.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Moderator
Moderator
Posts: 17,907
Thanks: 2,542
Fixes: 183
Registered: 06-04-2007

Re: "Insecure Discussion Forums “Login” link"

A bit moot now, really, but I have just added https:// before the URL.
I get a padlock with a red line through it and right-clicking still gives me a message 'Connection is not secure.'.
Not worth investigating but thought I'd post my results.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Moderator
Moderator
Posts: 18,217
Thanks: 1,576
Fixes: 172
Registered: 11-01-2008

Re: "Insecure Discussion Forums “Login” link"

There are some unsecured scripts

Customer / Moderator / If it helped click the thumb / If it fixed it click 'This fixed my problem'

Community Veteran
Posts: 6,313
Thanks: 86
Fixes: 3
Registered: 08-01-2008

Re: "Insecure Discussion Forums “Login” link"

Will the new site login page be https by default?
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
Community Veteran
Posts: 5,082
Thanks: 442
Fixes: 16
Registered: 10-06-2010

Re: "Insecure Discussion Forums “Login” link"

The entire site should be https by default. Otherwise, your login cookie would be exposed the same way as the username and password would be if the login page isn't https.
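
As an added example (not part of the original thread and not Plusnet's code), here is a small Python audit of the three things raised above: a login link or password form that targets `http://`, plain-HTTP subresources on an HTTPS page, and cookies set without the `Secure` attribute. The sample markup, the `static.example.invalid` host and the cookie names used with it are constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse
# Constructed sample markup (assumption), not the real forum page.
SAMPLE_HTML = """
<a href="http://community.plus.net/forum/index.php?action=login">Login</a>
<form action="index.php?action=login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<script src="http://static.example.invalid/forum.js"></script>
"""

class TransportAudit(HTMLParser):
    """Flag login targets and subresources that travel over plain HTTP."""
    SUBRESOURCE = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self.form_action = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # remember where this form will submit to
            self.form_action = urljoin(self.page_url, a.get("action") or "")
            return
        if tag == "a" and "login" in (a.get("href") or "").lower():
            kind, ref = "login-link-http", a["href"]
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            kind, ref = "password-form-http", self.form_action or ""
        elif tag in self.SUBRESOURCE and self.page_url.startswith("https://"):
            kind, ref = "mixed-content", a.get(self.SUBRESOURCE[tag]) or ""
        else:
            return
        url = urljoin(self.page_url, ref)  # resolve relative references
        if urlparse(url).scheme == "http":
            self.findings.append((kind, url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(html, page_url):
    parser = TransportAudit(page_url)
    parser.feed(html)
    return parser.findings

def cookies_missing_secure(set_cookie_values):
    """Names of cookies whose Set-Cookie value lacks the Secure attribute."""
    jars = [SimpleCookie(v) for v in set_cookie_values]
    return [n for jar in jars for n, m in jar.items() if not m["secure"]]
```

Run against the same markup served from an `https://` page URL, the relative form action resolves to HTTPS and stops being flagged, while the absolute `http://` login link and the script are still reported.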