Piano World is secure:https://pianoworld.com
Piano World's forums are not secure:http://forum.pianoworld.com
You can test this by copying and then pasting the following URL:https://forum.pianoworld.com
Please make Piano World's forums secure.
This issue deserves more attention. Many web hosting providers offer free auto-renewing certificates and easy set-up, so hopefully this won't be too difficult to add. You'll also want redirect rules so all http requests go to https, to prevent people from accidentally using the non-secure version of the site, and to redirect all permalinks.
Without this, anyone else connected to the same network as someone browsing the forums (such as connected to the same wifi in a coffee shop), as well as anyone with access to any intermediate system between the user and the forum's web host, can see:
* the forum user's username and password when they sign in, such that someone else can also sign in as the user
* the signed-in token sent with every page, such that someone else can impersonate the signed-in user (post, change the password, etc.)
* the address and contents of every page the user loads, and all activity such as posting, private messaging, or changing settings
Someone capable of interfering with network traffic, such as if the forum user accidentally connects to an attacker's wifi thinking it's the wifi of the coffee shop, can also replace content on pages loaded, such as to inject malware and other attacks.
The most likely of these attacks is password skimming, not because a Piano World forum account is that valuable, but because many people still use the same email address and password on more important sites. The attacker doesn't even have to be in the coffee shop: this is easy to do by compromising someone else's computer and turning it into a password skimmer. Do this in bulk and you have passwords coming in from all over the world.
The Google Chrome browser displays a warning for all non-secure pages, and Google's search engine demote non-secure pages in search rankings. This is part of an industry-wide move to using HTTPS (SSL/TLS) for all websites.
I'm happy to assist in getting the site on a secure host. I also just noticed when I signed up that the site emails my plain-text password to me, which is not an ideal situation... I'm a web developer so I have experience in these areas.
Still an issue in 2021. Just issue a ceritifcate, maybe with Certbot + Nginx?
+1 - came here to whinge about this and found it was the most recent post in here anyway.
Firefox currently warns on login due to this:
I suspect that the issues noted in another thread in here on Safari are due to similar user protection measures.
As previously noted, Google search have publicly stated that they penalize non-https results; this will currently be affecting the pianoworld forum.
The forum is actually currently available on https, however the certificate is only valid for "pianoworld.com" and "www.pianoworld.com" and hence is invalid in this context. You'd need to add "forum.pianoworld.com" or "*.pianoworld.com" to make it valid.
Cheers and sorry for the whinge.