Page 1 of 1

should this forum go to using https

Posted: Sat Nov 29, 2014 8:09 pm
by damo2929
think this forum needs to be moved to https hosting because of passwords and login's at the moment this is all carried in plain text

Re: should this forum go to using https

Posted: Sun Nov 30, 2014 5:19 pm
by richard
Thanks. It is something I'm aware of and keeping an eye on.

Basically, it wasn't long ago that https was a serious pain in the posterior (and expensive) but it is becoming more practical all the time, and it won't be long before it is practical for the forums (and the rest of the LNER.info website). The recent announcement from the EFF regarding SSL certificates is a case in point.

So it will happen eventually but not in the next month or so. Such a change isn't necessarily as trivial as it should be though, and I'll post an announcement ahead of time and probably make the change during a weekend.

Before people get scared, be aware that the potential attack profile is not as wide as you might think. For example, cookies are already encrypted, so most people when reading the forums potentially only expose their password once every >6 months or so. And then there are a load of "ifs" before someone has the chance to steal it. In other words it is pretty obscure albeit not at an ideal level of security.