
Forum login not encrypted?



Hey @John Eucist, @Jag_Rip,

It's a late response on my part, but yeah, all major websites/forums/communities are SSL encrypted. There is also a push now to encrypt everything by lowering the barrier to entry (making SSL certificates freely available rather than needing to pay the usual CAs). There are a lot of projects that even provide free SSL certificates that are already included in major browsers' root certificate stores (Mozilla's Let's Encrypt initiative, which I see is what this website is using as well). That's also what I use for my website (http://xyinn.org gets redirected to https://).

I see that the SSL lock is implemented only for the login page. It should be implemented for the forum subdomain completely, so any navigation and actions that are performed are encrypted as well. For example, if I tried to change my password, it would still happen unencrypted.

[screenshot: PwvxZYu.png]

One of the reasons for this is because you are still allowing people to visit the website on port 80 (unencrypted http). It's fine to leave port 80 open (And expected), but you should force redirect all HTTP traffic to HTTPS. On my server, I use something similar to this in my apache config:

https://wiki.apache.org/httpd/RedirectSSL

So yeah, after the redirect is there, just make sure that every single request shows the green lock. There should be no empty/red locks. With the Let's Encrypt daemon, you can easily add more subdomains and domains to your certificate on demand, so if any changes on the certificate side are needed, it should take 1-2 minutes max.

For me to change my password safely now, I would have to manually append https:// to the above URL, which works since the certificate was installed correctly for this subdomain:

[screenshot: QXhCgC9.png]

 
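The redirect the post above recommends, written out as an added example rather than the poster's own configuration or the exact text of the linked Apache wiki page. The hostname forum.example.org, the DocumentRoot, and the Let's Encrypt certificate paths are assumptions; the HSTS header is an addition the post does not mention but that closes the same gap the post describes (a first request over plain HTTP before the redirect answers).

```apache
# Added example; hostnames, paths and certificate locations are assumed.
# Requires mod_ssl, mod_alias (Redirect) and mod_headers (Header) to be loaded.

# Port 80 stays open, as the post says it should, but it serves nothing:
# every request gets a permanent redirect to the same path over HTTPS,
# so no login or password-change form can ever be submitted in the clear.
<VirtualHost *:80>
    ServerName forum.example.org
    Redirect permanent "/" "https://forum.example.org/"
</VirtualHost>

<VirtualHost *:443>
    ServerName forum.example.org
    DocumentRoot /var/www/forum

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/forum.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.org/privkey.pem

    # Strict-Transport-Security: after one HTTPS visit the browser upgrades
    # later http:// links itself instead of relying on the redirect above.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

To confirm the redirect is in place, `curl -I http://forum.example.org/` should return a 301 with a `Location: https://forum.example.org/` header. The redirect alone does not guarantee the green lock on every page: templates or posts that embed images or scripts by hard-coded `http://` URLs still produce mixed-content warnings, so those references need to be changed to `https://` or to protocol-relative paths as well.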
