Login information is transmitted without encryption

Front Page Forums Dharma Treasure Community Information Login information is transmitted without encryption

This topic contains 3 replies, has 3 voices, and was last updated by Profile photo of Chris Gagne Chris Gagne 3 days, 18 hours ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #1929
    Profile photo of James C
    James C
    Member

    Hello,

    I see that login information is transmitted without encryption. This is just an FYI to everybody, that if one logs in from, say, a coffeehouse, the other people on the WiFi network can easy see your username and password.

    Even if this may not be a big security threat in itself, if anyone is using the same password here, as for anything “important,” (e.g, banking, e-mail) he/she may consider a new password.

    Feel free to reply with follow-up questions, and with comments.

    Hoping To Help,
    James

    Attachments:
    You must be logged in to view attached files.
    #2043
    Profile photo of Blake Barton
    Blake Barton
    Member

    Hi James,

    Thanks for the information. I overlooked your message when it was originally posted. I haven’t researched the issue yet, but I assume you are saying this because this is an http: site instead of https. Is this correct?

    You also stated that “other people in a coffee shop on the Wifi network can easily see your user name and password” To put this into perspective wouldn’t the person need to be sitting in the coffee shop with packet sniffing software to capture the data, and then sort through it to find the password? The password would just not appear to other people in the coffee shop unless they had specific software and malicious intent.

    Nonetheless, I agree with your advice not to use the same user name and password as you use for anything sensitive.

    I will research converting this site to https, to eliminate this potential problem.

    Thanks,
    Blake – Dharma Treasure Community Admin

    #2050
    Profile photo of James C
    James C
    Member

    Blake,

    I’m happy to hear I was of assistance to point this out. It’s the least I could do, given the sizable benefits I’ve received over the years from the collective you.

    > [Y]ou are saying this because this is an http: site instead of https. Is this correct?

    That is more or less correct.

    > To put this into perspective wouldn’t the person need to be sitting in the coffee shop with packet sniffing software to capture the data, and then sort through it to find the password?

    Precisely—it’s exactly like leaving the door to your home unlocked. If someone goes around to the homes of your neighbors and you checking the front door, he will find that yours is unlocked. The people who are able to do this include fellow customers at the coffeehouse, the owner of the coffeehouse, the people who live above or next to the coffeehouse, and anyone with access to the assortment of computers and networking/telecom equipment the password travels through across the internet to reach the WordPress server.

    > I will research converting this site to https, to eliminate this potential problem.

    Sounds good, Blake! Personally, I use a unique password for the forum, so I’m unaffected, although others almost certainly are affected/exposed by this.

    For what it’s worth, for fun I put https://dharmatreasurecommunity.org/forums/reply/2043 into my browser and it worked just fine (albeit with a warning). So I suspect it’d be fairly easy to secure.

    Godspeed, sir.

    ―James

    #2051
    Profile photo of Chris Gagne
    Chris Gagne
    Member

    Blake, feel free to reach out to me if interested. If you are on a modern cPanel setup, this is quite easy and likely free with LetsEncrypt.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.