ADMIN: You NEED to set up HTTPS soon

Chromium has already started to report this site as "insecure" in its title bar.

Firefox will do so in the next release, I think.

It's already a chore to even sign in because the browsers require extra confirmation for filling in forms (passwords) for anything non-HTTPS nowadays.

I have no idea about the hosting details of LtU, but good hosting providers already offer some sort of Let's Encrypt integration these days, so please opt in to that, if you can. If you're self-hosting I think there should be a reasonably approachable solution to this issue. Feel free to contact me privately (you have my e-mail!) and I'll try to connect you with someone who knows exactly what to do.

EDIT: I had a brief look around for relevant admin email addresses on the site and didn't find any. Hence my post. (Plus formatting.)

Mitigation

One thing you can do to limit the damage that someone can do if they steal your LtU credentials is to register with a prepaid card rather than a credit card.

Huge risks

I know, the risk to LtU users is huge. Imagine a hacker being able to post comments under your name. In the worst case, we might even see static typing supporters posting comments in favor of dynamic typing!

But seriously, actions by Google essentially force us to toe the HTTPS line, otherwise as Bárður points out, just logging in with the latest browsers becomes tedious. So I'll do my bit to contribute even more to global warming by encrypting millions of pages a month that don't really need to be encrypted.

Can we at the same time get

Can we at the same time get everyone to mine bitcoin for us?

Exploits

Not to give black-hat lurkers ideas (although, in fairness, they probably don't need the help), but there are ways to take advantage of a site like LtU, itself a low-priority target but taking a password insecurely, to compromise other higher-priority targets.

Ordinary security measures are sufficient

I would hope that anyone with an account on LtU is aware enough to not use the same password on LtU that they do with their bank or whatever. The target audience is not your average Facebook user.

For the record, passwords on the server are hashed, although of course that doesn't help with an HTTP MITM attack.

I'm not saying we don't need to switch to HTTPS, etc., just pointing out that there's no immediate risk to anyone who is taking normal precautions. The biggest actual issue currently seems to be the inconvenience of logging in with certain browser versions.

Hmm

Had forgotten about the possibility of duplicate passwords. That'd be another one.

This was addressed a few

This was addressed a few days ago.

Firefox is already warning that the site is not secure

Two comments:

1) HTTPS would be useful for all Australian members as it is now mandatory that all communications through a browser be tracked and kept for use by the Australian Government. HTTPS at least mitigates that for Australian members.

2) Firefox now tells me that this site is unsecured and that the use of the login and password is unprotected.