"Not secure" in Forum url

Hi everyone

You may have seen the words “not secure” in your url when visiting the forum in the last few days. This is a change Google has recently put into place for sites that don’t run on HTTPS.

Our technical team is working on this now and you should see it disappear once the work's been rolled out.

Thanks for your patience.

MSE Forum Team

Comments

  • kwikbreaks
    kwikbreaks Posts: 9,187 Forumite
    It's worth noting that the change simply highlights the fact that the MSE login isn't HTTPS and has always been insecure, not that any change made by Google has somehow made the login insecure.
  • Jabba_flabba
    ...it's about the absence of transport layer security for sending/receiving data (and, most importantly, sending passwords).

    I'd love to know what the technical team are so busy with that justifies continuing to run this site without SSL. Sending passwords in the clear is just plain bad and inexcusable in 2017. Wireshark screenshot:

    wHsxAzw.png

    My advice to users of this site is to make sure your MSE password isn't the same or even close to the same as the passwords you use for more sensitive sites such as your email (password reuse is generally bad anyway - but particularly worth emphasising here).

    The reason for my advice should be plain enough; if your MSE password gets stolen, say, because you've used it while being connected to e.g. open access WiFi, then it's possible the thief could then access your email.
  • DragonQ
    DragonQ Posts: 2,193 Forumite
    Still no HTTPS 4 months later. Even my home website with nothing useful on it has HTTPS, it really isn't difficult to set up!
  • Former_MSE_Andrea
    Hi, this is in the pipeline, we'll let you know when we have an update.

    Andrea :)
  • MothballsWallet
    MothballsWallet Posts: 15,852 Forumite
    At least one more person (myself included) is getting the same thing, as per this thread.
  • RobJDean185
    The continued lack of HTTPS is a surprising security flaw for a web site that has so many users and so much traffic. Also, failure to add HTTPS, which is specific but not technically unusual, nearly a year after the users started requesting it, implies that not enough effort is invested in security of the site (e.g. when was the last time a penetration test was run on here, is the patching up to date, do the admin staff have remote access through HTTP, etc).

    Every forum member, especially anyone logging in from public WiFi networks, is exposed to theft of their user ID and passwords as highlighted. This opens a range of risks for the individual, such as, how many people, although they shouldn't, will reuse their user name and password from here on other sites?

    I appreciate the forums might be run on a shoestring budget and this is a prioritisation not a work harder problem, but this ought to be getting attended to.
  • moneyistooshorttomention
    over 3 months ago that it was "in the pipeline".

    Which certainly shows it is deemed extremely low priority - if indeed on the list/still on the list in the first place.
  • djc58
    djc58 Posts: 1,462 Forumite
    The MSE site still has no secured connection on Firefox, so I tried to add "HTTPS" but it is not recognised. How do I solve that? Does the site have a secured connection, especially when logging in?
    Thanks

  • Jabba_flabba
    djc58 wrote: »
    The MSE site still has no secured connection on Firefox, so I tried to add "HTTPS" but it is not recognised. How do I solve that?
    The only solution is for the site forum technical admins to configure the forum to use TLS. There's nothing you can do, unfortunately.
    djc58 wrote: »
    Does the site have a secured connection, especially when logging in?
    No. There's some client side hashing going on so the password isn't sent over the wire in plain text. However, I'm assuming this means the hash becomes the password; if anyone were to eavesdrop on your connection, they would just use the hash. There is also another login form which pertains to the old version of the forums. The old version is a user preference changeable in User Control Panel. The login form pertaining to the old version of the forums does send the password in plain text. But without TLS, both are as bad as each other.

    If anyone has a Twitter account perhaps they'd like to nudge Martin :money: about this. It's been an issue for a long time and I really don't get a sense from the admins here that they understand its importance. The sheer length of time this has been an issue speaks volumes.
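
The point made in the reply above, that a client-side hash sent without TLS is itself the credential, shown as an added example (not part of the thread and not the forum's code). SHA-256, the class and function names and the sample password are assumptions; the forum's actual hashing scheme is not given on the page.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery staple"  # constructed sample value


def client_hash(password: str) -> str:
    """Static scheme: the browser sends this fixed hash instead of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def respond(password: str, nonce: str) -> str:
    """Nonce scheme: the browser answers a challenge with HMAC(hash, nonce)."""
    key = client_hash(password).encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


class StaticHashServer:
    """Compares the submitted hash with the stored one (hypothetical model)."""

    def __init__(self, password: str):
        self.stored = client_hash(password)

    def login(self, submitted: str) -> bool:
        return hmac.compare_digest(self.stored, submitted)


class ChallengeServer:
    """Issues single-use nonces, so a captured response is not valid twice."""

    def __init__(self, password: str):
        self.stored = client_hash(password)
        self.pending = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already used nonce
        self.pending.discard(nonce)
        expected = hmac.new(self.stored.encode(), nonce.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def replay_results():
    """Return (static value accepted again, first nonce login, same response again)."""
    static = StaticHashServer(PASSWORD)
    on_the_wire = client_hash(PASSWORD)  # identical bytes at every login
    server = ChallengeServer(PASSWORD)
    nonce = server.challenge()
    answer = respond(PASSWORD, nonce)
    return static.login(on_the_wire), server.login(nonce, answer), server.login(nonce, answer)
```

The nonce scheme only stops a captured value from being accepted a second time; without TLS the session cookie and page content remain readable on the wire, so it does not replace HTTPS.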
This discussion has been closed.