TLS Certificate for Forums

General chat about Mongoose Publishing and its releases
Duck-Billed Mongoose
Posts: 1502
Joined: Thu Oct 13, 2005 3:41 am

TLS Certificate for Forums

Postby Prime_Evil » Mon Sep 23, 2019 10:18 am

It looks like the SSL / TLS certificate for the Mongoose forums expired back expired back on 4/18/2019. This is a potential security risk since usernames and passwords are being transmitted in cleartext. Fortunately, this is a different certificate to the one used by the web store (which expires on 2 November 2019), but I'm willing to bet that a lot of people use the same credentials for both. Are there plans to update the forum certificate and put in a rewrite rule to redirect insecure HTTP connections to HTTPS?

Re: TLS Certificate for Forums

Postby Moppy » Mon Sep 23, 2019 3:49 pm

I'm sure password reuse is not limited to the Mongoose sites. The user may have the same password for everyone else's store, and Paypal too.

An http login is a problem for the whole internet, as a leak affects the security of that user on another company's site, and the user will naturally blame that site even though the leak came from elsewhere.

Who is online

Users browsing this forum: No registered users and 1 guest