Log-in security [and using SSL / https]
 

Hi all,

I find it to be a bit of a shocker that not only is the log-in process not done over HTTPS -- schoolboy error, if I ever saw one -- but you do a simple MD5 of the password and send it along as part of the log-in procedure in clear text. The username is also in clear text.

<deleted>

Could you please sort it out ASAP? This should really not be happening in this day and age.

We don't force SSL; you are welcome to use SSL by switching over to HTTPS, you can log in via SSL.

Naturally, the question is: why isn't SSL enabled by default?

When we turn on for everyone we have some complaining about slowness and that alot of "posts" / "threads" are broken or "display browser error messages". Since this site is almost all user generated content - people post non-https images and etc and depending on their browser it may display a broken image or a warning pop-up, subsequently we start getting reports that site is broken.

That's fair enough. However, this does not preclude you from presenting the log-in form over a secure connection and processing the form information over HTTPS, followed by redirection back to HTTP.

P.S. The main page looks really bad when HTTPS is enforced.

I would consider the following to be shameless, since it has been a couple of weeks: bump.