[CLOSED] Lack Of SSL (HTTPS) Support

Discussion in 'Support' started by Arakel, May 27, 2021.

  1. Arakel

    Arakel First Team

    Joined:
    Sep 14, 2010
    Messages:
    26,758
    Likes Received:
    8,245
    Trophy Points:
    113
    Location:
    Redacted
    This site has been operating without an SSL certificate for quite a while now. I've considered bringing it up before as it is a huge security issue, but I've now definitely been breached due to this.

    I received a fairly obvious blackmail template scam email in my primary email account. In that email, they identified a password I had been using (without saying where it was used). Thing is, I use a unique password on every site and service I utilize, so it's fairly easy to identify where the security breach came from. In this case, the exposed password listed in the email was from this site - it's the only place I use that particular password.

    Without an SSL certificate it's impossible to encrypt communication between a client machine and the site, so it means a bad actor can intercept information and easily access it due to it not being encrypted. For those using the same username/email address/password on multiple sites, this creates a huge risk of exposure/potential for account breaches.

    I'd strongly suggest getting an SSL certificate into place as soon as possible. There are free services around if paying for one is a problem (they can be expensive from some providers).
     
    wfcmoog, wfc78, IRB and 4 others like this.
  2. Arakel

    Arakel First Team

    Oh and from a user perspective: if you use the same password you use on this site on other sites too, I would STRONGLY recommend changing it immediately (and using a unique password here at a bare minimum). It's very likely that more accounts than mine have been compromised (probably most, if not all).
     
    wfcmoog and FromDiv4 like this.
  3. UEA_Hornet

    UEA_Hornet First Team Captain

    Joined:
    Nov 7, 2006
    Messages:
    69,414
    Likes Received:
    25,913
    Trophy Points:
    113
    Location:
    The Midlands
    [​IMG]
     
  4. UEA_Hornet

    UEA_Hornet First Team Captain

    Any updates on this? @hornmeister? I’m pretty concerned that my ‘password123’ will have to be changed all over the shop as a result of this.
     
  5. hornmeister

    hornmeister Tired

    Joined:
    Sep 14, 2006
    Messages:
    71,011
    Likes Received:
    5,506
    Trophy Points:
    113
    As I understand it @nisman94 is looking into it. We have the certificate but it's not being activated or some such jiggery pokery.

    Beyond my skillset I'm afraid and moving into semi-retirement from the mod game the report function will be best going forward as I'm not around much these days.
     
    Bwood_Horn, Diamond and UEA_Hornet like this.
  6. cyaninternetdog

    cyaninternetdog Forum Hippie

    Joined:
    Feb 7, 2007
    Messages:
    15,711
    Likes Received:
    3,344
    Trophy Points:
    113
    Location:
    Tyne And Wear
    I have HTTPS Everywhere installed on my browser and this is one of the very few sites it doesn't work on.
     
  7. Diamond

    Diamond First Team

    Joined:
    Oct 15, 2011
    Messages:
    17,120
    Likes Received:
    6,349
    Trophy Points:
    113
    Whilst an SSL certificate is a mighty fine idea for any site, most forum software will transmit passwords across the internet as a hash value so "sniffing" network data won't help in gathering them. More likely is either a key logger is installed on the user's device or the company that host the forums have been compromised.
     
  8. Arakel

    Arakel First Team

    Hashing is used to store passwords in a database so that they're useless if the database is compromised. When a user authenticates to something that is using a hashed password, the password is sent in the way the user enters it (which on a port 80 connection means unencrypted plain text) and is then hashed and compared to the hashed string in the database. This is the main reason so many companies say "we can't see or retrieve your password"; they literally don't have it and couldn't look it up if they wanted to, as they only have the hashed value.

    What this means is that the password has to be received and converted into the hashed value in the first place, which is where the possibility for intercept arises. Without an SSL certificate you can't encrypt the connection between client and server using TLS and as a result the password is exposed any time the user enters it. This is the primary reason you put SSL certificates on websites. You can't encrypt the client/server connection without one, which is the methodology by which supplied credentials are protected in transit after they leave the client machine. Without that TLS encryption the data can be sniffed at any node between source and destination inclusive, including remotely.
     
    Last edited: Jun 4, 2021
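
The login flow described in the post above, as an added example that is not part of the original thread or the forum software's own code: the password crosses the wire as typed and is only hashed once the server has it. The host `forum.example`, the `/login` path, the form field names and the PBKDF2 work factor are assumptions made for the sketch.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode

PBKDF2_ROUNDS = 600_000  # assumed work factor for this sketch


def build_login_request(username, password):
    """Bytes a browser sends for a form login when the site is plain HTTP."""
    body = urlencode({"login": username, "password": password})
    head = (
        "POST /login HTTP/1.1\r\n"
        "Host: forum.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return (head + body).encode()


def parse_form(raw):
    """What the server does with those bytes. Without TLS, every hop that
    relays them holds the same readable fields."""
    body = raw.split(b"\r\n\r\n", 1)[1].decode()
    return {k: v[0] for k, v in parse_qs(body).items()}


def make_record(password):
    """Database row: salt and digest only, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify(record, candidate):
    """Hash the submitted password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def demo():
    password = "correct horse 42"  # constructed sample value
    record = make_record(password)
    raw = build_login_request("example_user", password)
    return {
        "password_in_db_row": password.encode() in record["salt"] + record["digest"],
        "password_on_wire": b"password=correct+horse+42" in raw,
        "login_ok": verify(record, parse_form(raw)["password"]),
        "wrong_rejected": not verify(record, "not the password"),
    }
```

Hashing protects the stored row; only TLS on the connection protects the request bytes.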
  9. Steve Leo Beleck

    Steve Leo Beleck Squad Player

    Joined:
    Feb 2, 2015
    Messages:
    11,343
    Likes Received:
    16,097
    Trophy Points:
    113
    Getting a lot of messages now when on mobile about how this site isn't safe. Any news on getting the encryption up and running?
     
    Hairyfrog and wfcmoog like this.
  10. GarbeliaHornet

    GarbeliaHornet Academy Graduate

    Joined:
    May 2, 2021
    Messages:
    463
    Likes Received:
    214
    Trophy Points:
    43
    Seconding above comment. I am starting to find this concerning.
     
    Hairyfrog likes this.
  11. HappyHornet24

    HappyHornet24 Crapster

    Staff Member
    Joined:
    May 7, 2013
    Messages:
    8,885
    Likes Received:
    3,666
    Trophy Points:
    113
    Gender:
    Female
    Location:
    Hampshire
    Yup I am getting more messages although I have used this site for years with, fingers crossed, no issues.
     
  12. nfh

    nfh Academy Graduate

    Joined:
    Jul 22, 2011
    Messages:
    296
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    new forest horn
    Same here, lots of messages saying insecure web site, plus getting strange page displays, no yellow background just plain white, not sure if that's linked.
     
  13. Bwood_Horn

    Bwood_Horn Squad Player

    Joined:
    Jul 21, 2010
    Messages:
    14,779
    Likes Received:
    5,232
    Trophy Points:
    113
    Occupation:
    BMS
    Location:
    The 'Wood
    #me2*

    *...and I'm a smug b'stard using Linux.
     
