cancel
Showing results for 
Search instead for 
Did you mean: 

"Insecure Discussion Forums “Login” link"

Madeleyite
Newbie
Posts: 8
Thanks: 1
Registered: 19-03-2016

"Insecure Discussion Forums “Login” link"

Are members aware that the Discussion Forums “Login” link is insecure if using the Plusnet Login link?
Plusnet Home page = https://www.plus.net/ = Secure
Member Centre = https://portal.plus.net/index_nlp.html = Secure
Discussion Forums = http://community.plus.net/forum/ = OK for viewing only.
Clicking on the Discussion Forums link “Login” takes me to: - http://community.plus.net/forum/index.php?action=login = Not secure.
I have created a favourite/bookmark (I should not have had to do this) to take me to https://community.plus.net/forum/index.php?action=login
How many people are logging in to the Plusnet Community Site forums using the Plusnet provided “Login” link taking them to the insecure login page and then entering their username and password?
I have only been with Plusnet since February so how long has this breach been happening for and are Plusnet aware of it and sorting it?
Not good.
13 REPLIES
Community Veteran
Posts: 38,244
Thanks: 933
Fixes: 54
Registered: 15-06-2007

Re: "Insecure Discussion Forums “Login” link"

Why should it use https - checking on the multiple forums I use and I only found one using it
Moderator
Moderator
Posts: 17,249
Thanks: 904
Fixes: 102
Registered: 11-01-2008

Re: "Insecure Discussion Forums “Login” link"

https works fine on the forum..
Will Moderate For Thanks
Community Veteran
Posts: 38,244
Thanks: 933
Fixes: 54
Registered: 15-06-2007

Re: "Insecure Discussion Forums “Login” link"

but you have to change it yourself as linking from the main site doesn't use it
jab1
Seasoned Pro
Posts: 1,464
Thanks: 254
Fixes: 5
Registered: 24-02-2012

Re: "Insecure Discussion Forums “Login” link"

Dunno, Jim - I logged into the forums so long ago I can't remember which link I used, but my header definitely reads 'https://'
John
Moderator
Moderator
Posts: 16,524
Thanks: 1,780
Fixes: 123
Registered: 06-04-2007

Re: "Insecure Discussion Forums “Login” link"

No http ot https shown in FF here but clicking on the little 'i' to the left of the address bar and I get a message that 'Connection is not secure'.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Community Gaffer
Community Gaffer
Posts: 12,852
Thanks: 672
Fixes: 65
Registered: 04-04-2007

Re: "Insecure Discussion Forums “Login” link"

Are you sure that's not just telling you certain items on the page are insecure Mav? Things like externally hosted images in signatures blocks/avatars probably won't be.
The login link should force SSL IMO and I believe it will when the community gets upgraded in the not too distant future.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

Moderator
Moderator
Posts: 16,524
Thanks: 1,780
Fixes: 123
Registered: 06-04-2007

Re: "Insecure Discussion Forums “Login” link"

Not sure so I've attached a screenshot:

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Community Veteran
Posts: 6,307
Thanks: 86
Fixes: 3
Registered: 08-01-2008

Re: "Insecure Discussion Forums “Login” link"

As a publicly viewable site I guess having HTTP access makes some sense but I can't help thinking the login page, at least, should be HTTPS only.
What are the real risks of entering a username and password on a plain HTTP page?  (I ask because I genuinely don't really know)
In case anyone wants to state the obvious that unique usernames and passwords should be used for every different sites, we all probably know someone who doesn't do this so shouldn't all login pages be secure by default?
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
Community Gaffer
Community Gaffer
Posts: 12,852
Thanks: 672
Fixes: 65
Registered: 04-04-2007

Re: "Insecure Discussion Forums “Login” link"

New community's going live next week so this will become a non-issue (from a login perspective). @Mav, you're browsing over HTTP by the looks of things. You can force HTTPS by manually prefixing the URL with 'https://'.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

Moderator
Moderator
Posts: 16,524
Thanks: 1,780
Fixes: 123
Registered: 06-04-2007

Re: "Insecure Discussion Forums “Login” link"

A bit moot now, really, but I have just added https:// before the URL.
I get a padlock with a red line through it and right-clicking still gives me a message 'Connection is not secure.'.
Not worth investigating but thought I'd post my results.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

Moderator
Moderator
Posts: 17,249
Thanks: 904
Fixes: 102
Registered: 11-01-2008

Re: "Insecure Discussion Forums “Login” link"

There are some unsecured scripts
Will Moderate For Thanks
Community Veteran
Posts: 6,307
Thanks: 86
Fixes: 3
Registered: 08-01-2008

Re: "Insecure Discussion Forums “Login” link"

Will the new site login page be https by default?
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
Community Veteran
Posts: 4,916
Thanks: 335
Fixes: 16
Registered: 10-06-2010

Re: "Insecure Discussion Forums “Login” link"

The entire site should be https by default. Otherwise, your login cookie would be exposed the same way as the username and password would be if the login page isn't https.