# Security advisory: this forum was using http not https
We’ve recently upgraded this discourse forum to use https instead of http, but we’re concerned that some people might not know that, or how, the previous system (http) posed a potential security hazard, or might not have realized that the site was using it.
If you were ever accessing this site using wifi hotspots that you don’t totally trust, and if you were logging on by typing a username/password rather than the google/github/facebook authentication buttons, then we strongly recommend you read this thoroughly.
### What is this http/https stuff? Why should I care?
With an http website (or an ftp server) all the text is transmitted back and forth unencrypted. That means another person can see the content of the web pages being sent to you and also the content of the boxes you type into. They can even alter the content of the web pages being sent to you, including inserting JavaScript scripts into the pages (a “man in the middle”, MITM, attack). An https site, often indicated by a lock at the top of the browser address bar, prevents this from happening by encrypting the page at both ends, preventing other users from seeing or altering the content.
The main concern here is that someone can “eavesdrop” on what you’re doing, including reading your username and password and, if you use that password elsewhere, can then access this and the other sites masquerading as you.
### So discourse.psychopy.org was insecure?
Well, yes. It was an http site and was not a good place to be typing in a password if you were on a network that wasn’t secure or trustworthy (e.g. your local coffee shop). This has been fixed as of 18 Dec 2016 and now all traffic to/from the forum is secured by https.
We switched on Dec 17th 2017 to force the use of https throughout the site and since then all communication between your browser and the site has been safely encrypted.
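As an added example (not part of the original advisory and not Discourse’s own code), here is the kind of check a site operator can run against the headers a browser receives, to confirm that plain-http requests are permanently redirected, that HSTS is set so the browser stops trying http, and that the login cookie is marked Secure. The hostname, header values and the six-month HSTS threshold below are constructed or assumed for the example.

```python
# Added example (not from the original advisory or the Discourse project): given
# the response a browser received from the forum, check that the site really
# forces HTTPS. Hostnames and headers below are constructed samples, not captures.
from typing import Dict, List
from urllib.parse import urlparse

MIN_HSTS_AGE = 180 * 24 * 3600  # assumption: demand at least ~6 months of HSTS


def check_forced_https(request_url: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the response is fine.

    `headers` maps lower-cased header names to values; several Set-Cookie
    headers are joined with a newline (a convention of this example).
    """
    problems: List[str] = []
    if urlparse(request_url).scheme == "http":
        # A plain-http request must be redirected permanently to https,
        # never answered with the page itself (that is the old, insecure state).
        if status not in (301, 308):
            problems.append("http request served directly instead of a permanent redirect")
        if not headers.get("location", "").startswith("https://"):
            problems.append("redirect target is not https")
        return problems

    # On https, HSTS tells the browser to stop trying http for this host at all.
    max_age = 0
    for part in headers.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().lower().partition("=")
        if name == "max-age" and value.isdigit():
            max_age = int(value)
    if max_age < MIN_HSTS_AGE:
        problems.append("Strict-Transport-Security missing or max-age under six months")

    # The login session cookie must carry the Secure flag so it is never sent over http.
    for cookie in headers.get("set-cookie", "").split("\n"):
        if cookie and "secure" not in [a.strip().lower() for a in cookie.split(";")]:
            problems.append("cookie without Secure flag: " + cookie.split("=", 1)[0])
    return problems


# Constructed samples: the forum as it was (http, no redirect, plain cookie) and as it is now.
OLD_HTTP = ("http://discourse.psychopy.org/", 200, {"set-cookie": "_forum_session=abc123; Path=/; HttpOnly"})
NEW_HTTP = ("http://discourse.psychopy.org/", 301, {"location": "https://discourse.psychopy.org/"})
NEW_HTTPS = ("https://discourse.psychopy.org/", 200, {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "set-cookie": "_forum_session=abc123; Path=/; Secure; HttpOnly"})
```

Running `check_forced_https(*OLD_HTTP)` reports the old state’s problems, while the two `NEW_*` samples come back clean.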
### Have I had my details stolen?
We don’t think so. It isn’t that the server was hacked. There are no signs of concern that any user has actually had their password compromised (e.g. spam being posted to the site). If a user password had been eavesdropped then the perpetrator would only get access to that person’s details; they couldn’t have used it to get into the rest of the site or get anyone else’s details. In particular:
- If you signed in to the forum using the google authentication, rather than typing in a username and password, then you’re fine
- If you only signed in from work/home and not from open wifi hotspots then you’re very unlikely to have been eavesdropped (except by your boss)
- If you subsequently went on to the forum but didn’t need to type in your password (because you were already logged in and discourse remembered you) then your password would also not have been revealed. An eavesdropper would only have been able to see what you were reading/writing while you were there
### I was typing in my password at a wifi hotspot! What should I do?
Well, even then it remains fairly unlikely anyone was eavesdropping while you typed your password and, to reiterate, we have no reason to think that anyone has had their details stolen.
Nonetheless, it would be very wise to:
- change your password at discourse.psychopy.org
- if you’ve used the same (or similar) username/password here as on any other sites then you should also change your password on those sites, as a precaution
### Good security practice
- Don’t type a password into any field of an http website from an open network (e.g. wifi hotspot)
- Use different passwords on different websites. Certainly, for important websites, like banks and google.com, don’t use the same password as on other sites. That way if one site gets attacked or you do something silly you don’t give away your login everywhere
- If you then struggle to remember the numerous passwords then you may want to use some software to keep track of passwords for you (e.g. http://keepass.info/ or LastPass)