Community site takes registration and login details over insecure HTTP

EvanOH · March 28, 2017, 2:42pm

The Community site doesn't have a valid SSL/TLS certificate, as it's for www.example.com and not signed by a valid CA. Personal information entered when signing up is sent in the clear and username/passwords entered when signing on also go in the clear over HTTP. Chrome and Firefox now both warn users when logging in over HTTP.

I also noticed that when validating my account via email, the email link sends me to the hardcoded IP address for the domain (13.93.53.90) and not community.seotoolsforexcel.com

gromex · March 28, 2017, 6:24pm

Same. But it looks like this entire site is just a fancy forum with no account management so worst case scenario you'd just have to create a new login. But still no excuses.

EvanOH · March 28, 2017, 10:41pm

Yeah, unfortunately most users re-use passwords at multiple sites so this could be exposing passwords for "more important" sites for those users.

I used login with Google which failed but got login with Twitter to work, at least then no passwords are disclosed.

gromex · February 1, 2018, 2:28am

Just to add. You're right about adding a secure connection over login. But it's not only the community it's the entire seotools site. Not sure what the hold up is, you can get an EV SSL for under $100 these days. Namecheap has good deals and I think they accept bitcoin.

And also, this board is from an open-source engine on github called Discourse. I'm thinking about implementing it on my ecommerce store (Which is Secure).

@diskborste Do you recommend Discourse for an ecommerce store? It looks really good. I just want to know from your experience and if you have any other recommendations.