    • MSE Andrea
    • By MSE Andrea 1st Feb 17, 12:24 PM
    • 8,973Posts
    • 21,725Thanks
    MSE Andrea
    "Not secure" in Forum url
    • #1
    • 1st Feb 17, 12:24 PM
    Hi everyone

    You may have seen the words “not secure” in your url when visiting the forum in the last few days. This is a change Google has recently put into place for sites that don’t run on HTTPS.

    Our technical team is working on this now and you should see it disappear once the work's been rolled out.

    Thanks for your patience.

    MSE Forum Team
    Could you do with a Money Makeover?


    Follow MSE on other Social Media:
    MSE Facebook, MSE Twitter, MSE Deals Facebook, MSE Deals Twitter, Forum Twitter, Instagram, Pinterest
    Join the MSE Forum
    Get the Free MoneySavingExpert Money Tips E-mail
    Report inappropriate posts: click the report button
    Point out a rate/product change
    Flag a news story: news@moneysavingexpert.com
    • kwikbreaks
    • By kwikbreaks 3rd Mar 17, 10:50 PM
    • 8,867 Posts
    • 4,435 Thanks
    kwikbreaks
    • #2
    • 3rd Mar 17, 10:50 PM
    It's worth noting that the change simply highlights the fact that the MSE login isn't HTTPS and has always been insecure, not that any change made by Google has somehow made the login insecure.
    • alanq
    • By alanq 23rd Mar 17, 4:31 PM
    • 3,963 Posts
    • 2,568 Thanks
    alanq
    • #3
    • 23rd Mar 17, 4:31 PM
    This issue also affects Firefox 52.0.1.

    https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
    • Jabba_flabba
    • By Jabba_flabba 29th Apr 17, 11:30 AM
    • 70 Posts
    • 27 Thanks
    Jabba_flabba
    • #4
    • 29th Apr 17, 11:30 AM
    This really isn't about any particular browser...
    ...it's about the absence of transport layer security for sending/receiving data (and, most importantly, sending passwords).

    I'd love to know what the technical team are so busy with that justifies continuing to run this site without SSL. Sending passwords in the clear is just plain bad and inexcusable in 2017. Wireshark screenshot:



    My advice to users of this site is to make sure your MSE password isn't the same or even close to the same as the passwords you use for more sensitive sites such as your email (password reuse is generally bad anyway - but particularly worth emphasising here).

    The reason for my advice should be plain enough; if your MSE password gets stolen, say, because you've used it while being connected to e.g. open access WiFi, then it's possible the thief could then access your email.
    • DragonQ
    • By DragonQ 26th May 17, 11:50 PM
    • 2,000 Posts
    • 676 Thanks
    DragonQ
    • #5
    • 26th May 17, 11:50 PM
    Still no HTTPS 4 months later. Even my home website with nothing useful on it has HTTPS, it really isn't difficult to set up!
    • MSE Andrea
    • By MSE Andrea 8th Jun 17, 4:37 PM
    • 8,973 Posts
    • 21,725 Thanks
    MSE Andrea
    • #6
    • 8th Jun 17, 4:37 PM
    Hi, this is in the pipeline, we'll let you know when we have an update.

    Andrea
    • MothballsWallet
    • By MothballsWallet 30th Jun 17, 9:47 PM
    • 12,233 Posts
    • 16,412 Thanks
    MothballsWallet
    • #7
    • 30th Jun 17, 9:47 PM
    At least one more person (myself included) is getting the same thing, as per this thread.
    Always ask yourself one question: What would Gibbs do?

    I live in the UK City of Culture 2021

    I had to put mothballs in my wallet - the moths had learned the PINs to my cards...
    • RobJDean185
    • By RobJDean185 27th Sep 17, 6:14 PM
    • 1 Posts
    • 6 Thanks
    RobJDean185
    • #8
    • 27th Sep 17, 6:14 PM
    The continued lack of HTTPS is a surprising security flaw for a web site that has so many users and so much traffic. Also, failure to add HTTPS, which is specific but not technically unusual, nearly a year after the users started requesting it, implies that not enough effort is invested in security of the site (e.g. when was the last time a penetration test was run on here, is the patching up to date, do the admin staff have remote access through HTTP, etc).

    Every forum member, especially anyone logging in from public WiFi networks, is exposed to theft of their user ID and passwords as highlighted. This opens a range of risks for the individual, such as, how many people, although they shouldn't, will reuse their user name and password from here on other sites?

    I appreciate the forums might be run on a shoestring budget and this is a prioritisation not a work harder problem, but this ought to be getting attended to.
    • moneyistooshorttomention
    • By moneyistooshorttomention 28th Sep 17, 8:07 AM
    • 15,305 Posts
    • 42,689 Thanks
    moneyistooshorttomention
    • #9
    • 28th Sep 17, 8:07 AM
    over 3 months ago that it was "in the pipeline".

    Which certainly shows it is deemed extremely low priority - if indeed on the list/still on the list in the first place.
    ***************
    • djc58
    • By djc58 10th Dec 17, 4:43 PM
    • 1,444 Posts
    • 22,725 Thanks
    djc58
    The MSE site still does not have a secured connection on Firefox, so I tried adding "HTTPS" but it is not recognised. How do I solve that? Does the site have a secured connection, especially when logging in?
    Thanks

    Don't Judge My Path If You Haven't Walked My Journey
    ....
    • Jabba_flabba
    • By Jabba_flabba 10th Dec 17, 5:52 PM
    • 70 Posts
    • 27 Thanks
    Jabba_flabba
    Originally posted by djc58:
    "The MSE site still does not have a secured connection on Firefox, so I tried adding 'HTTPS' but it is not recognised. How do I solve that?"
    The only solution is for the site forum technical admins to configure the forum to use TLS. There's nothing you can do, unfortunately.
    Originally posted by djc58:
    "Does the site have a secured connection, especially when logging in?"
    No. There's some client side hashing going on so the password isn't sent over the wire in plain text. However, I'm assuming this means the hash becomes the password; if anyone were to eavesdrop your connection, they would just use the hash. There is also another login form which pertains to the old version of the forums. The old version is a user preference changeable in User Control Panel. The login form pertaining to the old version of the forums does send the password in plain text. But without TLS, both are as bad as each other.

    If anyone has a Twitter account perhaps they'd like to nudge Martin about this. It's been an issue for a long time and I really don't get a sense from the admins here that they understand its importance. The sheer length of time this has been an issue speaks volumes.
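The point made in the post above, that a client-side hash sent without TLS becomes the password, shown as an added example (not the forum's code and not part of the original post). `ToyForum`, `client_hash` and the use of SHA-256 are assumptions, and the nonce challenge goes beyond the post to show what stopping replay alone would look like.

```python
import hashlib
import hmac
import secrets


def client_hash(password: str) -> str:
    # Assumption: SHA-256 stands in for whatever the forum's script computes.
    return hashlib.sha256(password.encode()).hexdigest()


def respond(pw_hash: str, nonce: str) -> str:
    # Client answer to a server challenge: HMAC keyed with the password hash.
    return hmac.new(pw_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ToyForum:
    """Hypothetical server that stores the client-computed hash per user."""

    def __init__(self):
        self.stored = {}   # username -> client-side hash
        self.nonces = {}   # username -> outstanding one-time challenge

    def register(self, user, password):
        self.stored[user] = client_hash(password)

    def login_static(self, user, submitted_hash):
        # Scheme described in the post: the hash itself is the credential.
        return hmac.compare_digest(self.stored.get(user, ""), submitted_hash)

    def challenge(self, user):
        self.nonces[user] = secrets.token_hex(16)
        return self.nonces[user]

    def login_challenge(self, user, response):
        nonce = self.nonces.pop(user, None)   # each challenge is usable once
        if nonce is None or user not in self.stored:
            return False
        return hmac.compare_digest(respond(self.stored[user], nonce), response)


def demo():
    forum = ToyForum()
    forum.register("alice", "correct horse")       # constructed sample account
    on_wire = client_hash("correct horse")         # what plain HTTP exposes
    static_replay = forum.login_static("alice", on_wire)
    seen = respond(on_wire, forum.challenge("alice"))   # a login, as observed
    first = forum.login_challenge("alice", seen)
    forum.challenge("alice")                       # server issues a fresh nonce
    stale_replay = forum.login_challenge("alice", seen)
    return static_replay, first, stale_replay
```

`demo()` returns `(True, True, False)`: the captured static hash is accepted as-is, while a captured challenge response is rejected against a fresh nonce. Neither variant protects the session cookie or the page content on plain HTTP, which is why TLS is still the fix.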
    • jonny2510
    • By jonny2510 17th Dec 17, 8:13 PM
    • 662 Posts
    • 195 Thanks
    jonny2510
    Just a bump to say this still isn't fixed (but really should be). This is an extremely poor way for such a popular site to process logins, especially in 2017.
    • gromituk
    • By gromituk 18th Apr 18, 2:48 PM
    • 3,031 Posts
    • 540 Thanks
    gromituk
    And a bump to say this still hasn't been fixed four and a half months into 2018! Just what is going on, MSE?

    And there's worse. The password reset procedure emails you a new password in plain text that is neither single-use nor has an expiry date!

    It is more than a year since MSE officially acknowledged this security flaw (in a mealy-mouthed way, implying that it's Google's fault).
    Last edited by gromituk; 18-04-2018 at 3:06 PM. Reason: added to
    Time is an illusion - lunch time doubly so.
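The two properties the post above says the emailed reset password lacks, single use and an expiry, shown as an added example (not MSE's code and not part of the original post). `ResetTokens`, the 15-minute lifetime and the injected clock are assumptions made for illustration.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # assumed lifetime; choose to suit the site


class ResetTokens:
    """Hypothetical store of password-reset tokens: hashed, expiring, single-use."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}    # sha256(token) -> (username, expiry timestamp)

    def issue(self, user: str) -> str:
        # Drop any earlier token for this user so only the newest link works.
        self._pending = {k: v for k, v in self._pending.items() if v[0] != user}
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user, self._now() + RESET_TTL_SECONDS)
        return token          # goes in the emailed link; only the digest is stored

    def redeem(self, token: str):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop makes the token single-use
        if entry is None:
            return None
        user, expires = entry
        if self._now() > expires:
            return None
        return user           # caller now lets this user choose a new password


def demo():
    clock = [1_000_000.0]                     # constructed, controllable clock
    store = ResetTokens(now=lambda: clock[0])
    t1 = store.issue("alice")
    first = store.redeem(t1)
    second = store.redeem(t1)                 # reuse of the same link
    t2 = store.issue("alice")
    clock[0] += RESET_TTL_SECONDS + 1
    late = store.redeem(t2)                   # link opened after expiry
    return first, second, late
```

`demo()` returns `("alice", None, None)`: the link works once, then fails on reuse and after expiry, and the user sets their own new password instead of receiving one by email.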
    • Plus
    • By Plus 19th Apr 18, 5:48 AM
    • 330 Posts
    • 263 Thanks
    Plus
    Thanks MSE for finally implementing HTTPS after all these years people have been pointing out this massive weakness, inexcusable for a site covered in people's financial details. I can now use MSE without concern about my login password or cookies being stolen.