Login information is transmitted without encryption
Tagged: cybersecurity, security, ssl, technical
This topic contains 4 replies, has 4 voices, and was last updated by Ricardo 5 years, 8 months ago.
May 12, 2017 at 11:18 am #1929
Hello,
I see that login information is transmitted without encryption. This is just an FYI to everybody, that if one logs in from, say, a coffeehouse, the other people on the WiFi network can easily see your username and password.
Even if this may not be a big security threat in itself, if anyone is using the same password here, as for anything “important,” (e.g., banking, e-mail) he/she may consider a new password.
Feel free to reply with follow-up questions, and with comments.
Hoping To Help,
James
July 11, 2017 at 4:35 pm #2043
Hi James,
Thanks for the information. I overlooked your message when it was originally posted. I haven’t researched the issue yet, but I assume you are saying this because this is an http: site instead of https. Is this correct?
You also stated that “other people in a coffee shop on the Wifi network can easily see your user name and password.” To put this into perspective wouldn’t the person need to be sitting in the coffee shop with packet sniffing software to capture the data, and then sort through it to find the password? The password would just not appear to other people in the coffee shop unless they had specific software and malicious intent.
Nonetheless, I agree with your advice not to use the same user name and password as you use for anything sensitive.
I will research converting this site to https, to eliminate this potential problem.
Thanks,
Blake – Dharma Treasure Community Admin
July 15, 2017 at 2:10 pm #2050
Blake,
I’m happy to hear I was of assistance to point this out. It’s the least I could do, given the sizable benefits I’ve received over the years from the collective you.
> [Y]ou are saying this because this is an http: site instead of https. Is this correct?
That is more or less correct.
> To put this into perspective wouldn’t the person need to be sitting in the coffee shop with packet sniffing software to capture the data, and then sort through it to find the password?
Precisely—it’s exactly like leaving the door to your home unlocked. If someone goes around to the homes of your neighbors and you checking the front door, he will find that yours is unlocked. The people who are able to do this include fellow customers at the coffeehouse, the owner of the coffeehouse, the people who live above or next to the coffeehouse, and anyone with access to the assortment of computers and networking/telecom equipment the password travels through across the internet to reach the WordPress server.
> I will research converting this site to https, to eliminate this potential problem.
Sounds good, Blake! Personally, I use a unique password for the forum, so I’m unaffected, although others almost certainly are affected/exposed by this.
For what it’s worth, for fun I put
https://dharmatreasurecommunity.org/forums/reply/2043
into my browser and it worked just fine (albeit with a warning). So I suspect it’d be fairly easy to secure.
Godspeed, sir.
―James
July 16, 2017 at 12:38 pm #2051
Blake, feel free to reach out to me if interested. If you are on a modern cPanel setup, this is quite easy and likely free with LetsEncrypt.
July 4, 2019 at 9:15 pm #3641 -