!Website Not Secure - reassurance

I think chrome highlights where you don't have a https option for a website - I don't think it is a big issue if you are not conducting financial transactions..

Just to add some

I have been told (unofficially) that the web is going encrypted (https-SSL) in the near future and pre-emptively the browsers are starting to state the websites that are not encrypted (https).

It is nowhere dangerous unless you go to websites that are not recommended.

The https version of the web will protect you against "the man in the middle" attack because of the encryption that will take place between your browser and the website you're visiting. It also "certifizes" the authenticity of the website.

Adding encryption to a website entails getting an authencitity certificate that validate ownership and status of the website using it. But it also add another cost to owning a website because those certificate are not free. Ball park figures are about 300$ to 1000$ per year per certificate.

And if your site is using a redirection like dyndns you cannot get those certificates because your ip address is not static and you don`t own the domain name.

www.sdbl.webhop.net, my site, is as such a redirection from dyndns. I don't own the domain name (webhop.net) and I don`t have a fix (static ip) address.

Either I will have to correct the situation ($$$) or simply close the site !!!

I'm discussing this with kikop. I hope we will move to HTTPS soon.

sybersitizen wrote: I then discovered that I was unable to login to my dyxum account. The password had been changed without my knowledge. I had to contact an admin here to arrange to reset it. No other account anywhere was affected.

Oh, worth knowing about. Thanks for sharing that. I have been quite uneasy about using public wi-fi networks for a while now, but since I have a cheap and plentiful supply of 4G data on my phone I never need to use them.

Since you have your own site I assume you have some basic knowledge about http and https.

When you log into sites (like dyxum) your browser sends a request header (specifying it's a POST-type request, listing what browser you are using and more) and a body containing parameter-value pairs like username=SomeName&password=somepassw

Since dyxum.com uses http (not https) this string is sent as "plain text" (unencrypted). On an open public network it may be easy to grab by eavesdropping if a hacker have some tools.

If you look at the code for the login page you will see there is a tiny bit of trickery going on using some unique strings (changing vale for every login) as field names like
input type="text" name="MemberNamexyz14chrstring"
input type="password" name="AB345678901STRINGLENGSTIS41CHR12345678901"
So the the dyxym parameter-value string will be on the format
MemberNamexyz14chrstring=SomeName&AB345678901STRINGLENGSTIS41CHR12345678901=somepassw

I don't think this is a real security measure, just a small distraction for a hacker.

If you install a tool like Firebug in your browser you will probably be able so see this in full details.

When you successfully log in the server responds by putting a cookie (small plain text file) on your computer that includes a session id. This id is now included in every request header your browser sends back until you log out. You may think of the session id as a temporary substitute for both username and password.

Cookies are not revealed tho third-party sites. You can easily find and read contents og cookies in your browser. https://www.wikihow.com/View-Cookies

You will see it has content like this:
dyxumforumsID
SID=12345678some%char%string12345678901234

On an un-encrypted network an eavesdropper may able to grab your session id (plain text if http) and hijack your session (no need for a username and password).
https://en.wikipedia.org/wiki/Session_hijacking

Next step for the hacker is to go to the Member CP > Edit Profile
and have your email address. On the Edit Profile page a new password can be saved if the old is known.

Take away:
The combination of public open networks and logging in non-encrypted (http) is a considerable security risk.
Never reuse passwords for low security sites on important sites!

Having someone tampering with personal data is always disgusting.

So, months later, it looks like nothing will be done to enable HTTPS here.

If that's the case, I've learned the hard way to never again access Dyxum on a wi-fi network other than my own. Too risky.

I would suggest, at the very least, to avoid sending the plaintext password over the unencrypted channel as long as HTTPS has not been implemented on the site. Why not send a browser-generated SHA-2 hash value of the password and compare it with the SHA-2 hash of the server-side password?