HTTP Secure (HTTPS)

Posted By: Roshan Kakiya

HTTP Secure (HTTPS) - 05/03/18 06:56 PM

Piano World is secure:

https://pianoworld.com


Piano World's forums are not secure:

http://forum.pianoworld.com


You can test this by copying and then pasting the following URL:

https://forum.pianoworld.com



Please make Piano World's forums secure.

Posted By: dddaaannn

Re: HTTP Secure (HTTPS) - 08/04/19 04:46 PM

This issue deserves more attention. Many web hosting providers offer free auto-renewing certificates and easy set-up, so hopefully this won't be too difficult to add. You'll also want redirect rules so all http requests go to https, to prevent people from accidentally using the non-secure version of the site, and to redirect all permalinks.

Without this, anyone else connected to the same network as someone browsing the forums (such as connected to the same wifi in a coffee shop), as well as anyone with access to any intermediate system between the user and the forum's web host, can see:

* the forum user's username and password when they sign in, such that someone else can also sign in as the user
* the signed-in token sent with every page, such that someone else can impersonate the signed-in user (post, change the password, etc.)
* the address and contents of every page the user loads, and all activity such as posting, private messaging, or changing settings

Someone capable of interfering with network traffic, such as if the forum user accidentally connects to an attacker's wifi thinking it's the wifi of the coffee shop, can also replace content on pages loaded, such as to inject malware and other attacks.

The most likely of these attacks is password skimming, not because a Piano World forum account is that valuable, but because many people still use the same email address and password on more important sites. The attacker doesn't even have to be in the coffee shop: this is easy to do by compromising someone else's computer and turning it into a password skimmer. Do this in bulk and you have passwords coming in from all over the world.

The Google Chrome browser displays a warning for all non-secure pages, and Google's search engine demotes non-secure pages in search rankings. This is part of an industry-wide move to using HTTPS (SSL/TLS) for all websites.
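
Added example, not part of the original posts: a Python check for the redirect rules and the signed-in token described in the reply above. It verifies that a plain-http request receives a permanent redirect to the same host, path and query over https, and lists cookies set without the Secure attribute. The host, paths, cookie names and function names are constructed for illustration, and treating a host change as a finding is an assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

PERMANENT = {301, 308}  # status codes for permanent redirects


def audit_redirect(requested_url, status, headers):
    """Return findings for the response to a plain-http request."""
    findings = []
    req = urlsplit(requested_url)
    loc = urlsplit(headers.get("Location", ""))
    if status not in PERMANENT:
        findings.append("not a permanent redirect")
    if loc.scheme != "https":
        findings.append("Location is not https")
    if loc.hostname != req.hostname:
        findings.append("redirect changes host")  # assumption: same host expected
    # Permalinks must survive: same path and query after the upgrade.
    if (loc.path or "/", loc.query) != (req.path or "/", req.query):
        findings.append("permalink path or query not preserved")
    return findings


def cookies_missing_secure(set_cookie_values):
    """Return names of cookies that a browser would also send over http."""
    missing = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                missing.append(name)
    return missing


# Constructed sample responses (not captured from any real site).
PERMALINK = "http://forum.example.test/topics/12345?page=2"
GOOD = (301, {"Location": "https://forum.example.test/topics/12345?page=2"})
BAD = (302, {"Location": "https://forum.example.test/"})
SET_COOKIES = ["sid=abc123; Path=/; HttpOnly", "prefs=dark; Path=/; Secure"]

if __name__ == "__main__":
    print(audit_redirect(PERMALINK, *GOOD))
    print(audit_redirect(PERMALINK, *BAD))
    print(cookies_missing_secure(SET_COOKIES))
```
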
© 2019 Piano World Piano & Digital Piano Forums