Security issue with this website?

Posted by: Bingley

Security issue with this website? - 06/03/17 03:57 PM

Firefox warns me about logging in to this forum, saying it's insecure. I get the "slash through the lock" icon, and when I click for more information, this is what I got --

https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox

I don't know how to alert you guys without logging in, so here I am. Do we have a security issue on this forum?

Posted by: chaosmagnet

Re: Security issue with this website? - 06/03/17 08:22 PM

Thank you for bringing this up, Bingley.

The forum website is not secured with encryption, so a bad actor who had access to your network, the network the site is hosted on, or (less likely) any network between the two could capture the packets containing your username and password in plaintext, and steal your account.

I'll see what Blast and Doug would like to do about it.


In the meantime, here are two simple security tips that you should follow wherever you go.

1) Do not reuse passwords

One of the most common ways accounts are compromised is when one website has a security breach of some kind, and the users use the same password on other sites. The bad guys will take the credentials they stole and try them everywhere else.

Don't ever do this. Most particularly don't ever reuse a password on a website that has critical information on it, such as anything to do with your financial life. To be clear, that means that once you use a password anywhere, you don't ever use the same password again, anywhere.

2) Don't use insecure wireless networks

Don't use wireless networks that are unencrypted or have weak security to log in anywhere. It's trivially easy to capture packets on these networks, and your login credentials can be easily stolen.


Neither of these security tips is perfect or foolproof, but they're easy ways to make it harder for the bad guys to do bad things to you.


chaosmagnet
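
An added example, not part of any post in this thread: a small Python check a site operator could run over a login page to see whether it would expose passwords in plaintext the way the reply above describes. It flags a password field on a page served over HTTP (the condition behind the Firefox warning linked in the first post) and, going one step further, a password form whose action submits to an HTTP URL. The sample markup and the `forum.example` URLs are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _LoginFormScanner(HTMLParser):
    """Collects each <form> action and whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []               # list of [action, has_password]
        self._open = None             # form currently being parsed, if any
        self.loose_password = False   # password field outside any <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._open is not None:
                self._open[1] = True
            else:
                self.loose_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_page(page_url, html):
    """Return findings; an empty list means no password is sent over plain HTTP."""
    scanner = _LoginFormScanner()
    scanner.feed(html)
    findings = []
    has_pw = scanner.loose_password or any(pw for _, pw in scanner.forms)
    if has_pw and urlsplit(page_url).scheme != "https":
        findings.append("password field on a page served over HTTP")
    for action, pw in scanner.forms:
        # An empty or relative action resolves against the page URL.
        target = urljoin(page_url, action)
        if pw and urlsplit(target).scheme != "https":
            findings.append("password form submits to " + target)
    return findings

# Constructed sample markup (hypothetical, not taken from the forum).
SAMPLE = ('<form action="/login.php" method="post"><input name="u">'
          '<input type="password" name="p"></form>')

if __name__ == "__main__":
    for url in ("http://forum.example/", "https://forum.example/"):
        print(url, audit_login_page(url, SAMPLE))
```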

Posted by: haertig

Re: Security issue with this website? - 06/07/17 01:45 PM

Firefox now complains about anything that is not HTTPS, with varying degrees of alarmism. Try going to something that actually IS https, but uses a self-signed certificate (free) rather than a paid certificate from some place like Verisign, and boy will Firefox complain. So will Chrome. You'd think the whole world was on fire!

Note: Most public websites don't use self-signed certificates, but many private ones do. I've got a couple HTTPS websites set up at home for my personal cloud service and backup service. They are perfectly secure with encryption and all, but I don't need to pay Verisign to prove to me that the personal websites that I own are indeed owned by me (I already know that!) But Firefox screams about it like a scalded ape. Chrome does too. But public websites are different. Those have many different users and those users rightfully might want to know that their target website is indeed where they thought they were going. Not a big deal for some place like Equipped To Survive (who would want to spoof this website, and why?) But something like a bank's website is a whole different ballgame.

I'm sure Verisign, et al., paid good money to Firefox to have it scream so loudly to coerce people to use Verisign's paid signing service.

Posted by: chaosmagnet

Re: Security issue with this website? - 06/07/17 11:25 PM

We are working on a plan. Please stay tuned.


chaosmagnet