
"Insecure Discussion Forums “Login” link"

Madeleyite
Rising Star
Posts: 93
Thanks: 18
Fixes: 5
Registered: ‎19-03-2016


Are members aware that the Discussion Forums “Login” link is insecure if using the Plusnet Login link?
Plusnet Home page = https://www.plus.net/ = Secure
Member Centre = https://portal.plus.net/index_nlp.html = Secure
Discussion Forums = http://community.plus.net/forum/ = OK for viewing only.
Clicking on the Discussion Forums link “Login” takes me to: - http://community.plus.net/forum/index.php?action=login = Not secure.
I have created a favourite/bookmark (I should not have had to do this) to take me to https://community.plus.net/forum/index.php?action=login
How many people are logging in to the Plusnet Community Site forums using the Plusnet provided “Login” link taking them to the insecure login page and then entering their username and password?
I have only been with Plusnet since February so how long has this breach been happening for and are Plusnet aware of it and sorting it?
Not good.
13 REPLIES
Oldjim
Resting Legend
Posts: 38,460
Thanks: 741
Fixes: 63
Registered: ‎15-06-2007

Re: "Insecure Discussion Forums “Login” link"

Why should it use https - checking on the multiple forums I use and I only found one using it
dvorak
Moderator
Posts: 29,716
Thanks: 6,593
Fixes: 1,485
Registered: ‎11-01-2008

Re: "Insecure Discussion Forums “Login” link"

https works fine on the forum..
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
Oldjim
Resting Legend
Posts: 38,460
Thanks: 741
Fixes: 63
Registered: ‎15-06-2007

Re: "Insecure Discussion Forums “Login” link"

but you have to change it yourself as linking from the main site doesn't use it
jab1
Legend
Posts: 19,015
Thanks: 6,224
Fixes: 287
Registered: ‎24-02-2012

Re: "Insecure Discussion Forums “Login” link"

Dunno, Jim - I logged into the forums so long ago I can't remember which link I used, but my header definitely reads 'https://'
John
Mav
Moderator
Posts: 22,673
Thanks: 4,854
Fixes: 517
Registered: ‎06-04-2007

Re: "Insecure Discussion Forums “Login” link"

No http or https shown in FF here but clicking on the little 'i' to the left of the address bar and I get a message that 'Connection is not secure'.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

bobpullen
Community Gaffer
Posts: 16,926
Thanks: 5,012
Fixes: 317
Registered: ‎04-04-2007

Re: "Insecure Discussion Forums “Login” link"

Are you sure that's not just telling you certain items on the page are insecure, Mav? Things like externally hosted images in signature blocks/avatars probably won't be.
The login link should force SSL IMO and I believe it will when the community gets upgraded in the not too distant future.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Mav
Moderator
Posts: 22,673
Thanks: 4,854
Fixes: 517
Registered: ‎06-04-2007

Re: "Insecure Discussion Forums “Login” link"

Not sure so I've attached a screenshot:

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

w23
Pro
Posts: 6,347
Thanks: 96
Fixes: 4
Registered: ‎08-01-2008

Re: "Insecure Discussion Forums “Login” link"

As a publicly viewable site I guess having HTTP access makes some sense but I can't help thinking the login page, at least, should be HTTPS only.
What are the real risks of entering a username and password on a plain HTTP page? (I ask because I genuinely don't really know)
In case anyone wants to state the obvious that unique usernames and passwords should be used for every different site, we all probably know someone who doesn't do this so shouldn't all login pages be secure by default?
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
bobpullen
Community Gaffer
Posts: 16,926
Thanks: 5,012
Fixes: 317
Registered: ‎04-04-2007

Re: "Insecure Discussion Forums “Login” link"

New community's going live next week so this will become a non-issue (from a login perspective). @Mav, you're browsing over HTTP by the looks of things. You can force HTTPS by manually prefixing the URL with 'https://'.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Mav
Moderator
Posts: 22,673
Thanks: 4,854
Fixes: 517
Registered: ‎06-04-2007

Re: "Insecure Discussion Forums “Login” link"

A bit moot now, really, but I have just added https:// before the URL.
I get a padlock with a red line through it and right-clicking still gives me a message 'Connection is not secure.'.
Not worth investigating but thought I'd post my results.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

dvorak
Moderator
Posts: 29,716
Thanks: 6,593
Fixes: 1,485
Registered: ‎11-01-2008

Re: "Insecure Discussion Forums “Login” link"

There are some unsecured scripts
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
w23
Pro
Posts: 6,347
Thanks: 96
Fixes: 4
Registered: ‎08-01-2008

Re: "Insecure Discussion Forums “Login” link"

Will the new site login page be https by default?
Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: "Insecure Discussion Forums “Login” link"

The entire site should be https by default. Otherwise, your login cookie would be exposed the same way as the username and password would be if the login page isn't https.
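
The checks discussed across this thread (an http:// "Login" link, scripts and signature images loaded over http, and a login cookie sent without protection) can be run against a saved response, shown here as an added example that is not part of the thread or of Plusnet's code. The hosts, cookie name and markup are constructed, and the HSTS check goes one step beyond what the posts mention.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Constructed sample (hypothetical hosts): an HTTPS forum page whose "Login"
# link, one script and one signature image still point at http:// URLs.
PAGE_URL = "https://forum.example/forum/"
HEADERS = [("Set-Cookie", "SESSID=abc123; Path=/; HttpOnly")]
HTML = """
<a href="http://forum.example/forum/index.php?action=login">Login</a>
<form action="index.php?action=login2" method="post">
  <input type="password" name="passwrd"></form>
<script src="http://cdn.example/forum.js"></script>
<img src="http://images.example/signature.png">
"""

class PageAudit(HTMLParser):
    ACTIVE = {"script": "src", "iframe": "src"}   # can rewrite the page, login form included
    PASSIVE = {"img": "src", "video": "src"}      # display only, but breaks the padlock

    def __init__(self, base):
        super().__init__()
        self.base, self.findings = base, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        def http_url(attr):  # absolute URL if it resolves to plain http, else None
            url = urljoin(self.base, a.get(attr) or "")
            return url if urlparse(url).scheme == "http" else None
        if tag == "a" and "login" in (a.get("href") or "").lower() and http_url("href"):
            self.findings.append(("insecure-login-link", http_url("href")))
        elif tag == "form" and http_url("action"):
            self.findings.append(("insecure-form-action", http_url("action")))
        elif tag in self.ACTIVE and http_url(self.ACTIVE[tag]):
            self.findings.append(("active-mixed-content", http_url(self.ACTIVE[tag])))
        elif tag in self.PASSIVE and http_url(self.PASSIVE[tag]):
            self.findings.append(("passive-mixed-content", http_url(self.PASSIVE[tag])))

def audit(page_url, headers, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    findings = list(parser.findings)
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append(("no-hsts", page_url))  # nothing tells browsers to stay on https
    for k, v in headers:
        if k.lower() == "set-cookie":
            findings += [("cookie-without-secure", name)
                         for name, m in SimpleCookie(v).items() if not m["secure"]]
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_URL, HEADERS, HTML):
        print(*finding)
```

The relative form action is only clean because the page itself was fetched over https; audited with an http:// base URL, the same form is reported as posting credentials in the clear.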