Not a bug

Website log in not secure.

Twilight Sparkle 7 years ago updated by Tyler Owen (Lead Developer) 7 years ago 8

When changing password or logging in, the site is throwing encrypted warnings for me in Firefox, saying that the password is being sent in the clear. The password page should be encrypted in order to protect passwords, etc., and prevent future spam.

Under review

You are referring to this feedback forum? If that's the case then I will need to relay this information to User Echo, since they are the service we have employed for this forum functionality. There is nothing I can do about it myself, unfortunately.

Yes.  The feedback forum.


Do you get the same security warnings if you use https://lacunapassage.userecho.com?

No. 
That's really strange that it doesn't automatically switch to the secure page when on the user settings or log-in page.

Ideal Solutions:

1. Have the website use https always. (aka disable unencrypted traffic completely)

2. Have the website switch to https for the login/user settings stuff.


Wonky solution:

1. Have the feedback button point to the https page so fewer people experience this bug.

Started

Cool. I'm a bit limited since this is an external service that we are using, but I'll at least include the https in the in-game link. I'll mark it Started for now until I can find a better solution.

Not a bug

Apparently the UserEcho creators say that the login screen is secure regardless of https: http://feedback.userecho.com/topics/7208-userecho-and-https/

The problem with that is that web browsers throw up warnings when that is done... and there is no way for the user to tell if it was done securely or not.

Yeah, I'm not entirely satisfied with it, but unfortunately there's not much I can do outside of sending them an email to see if they could address this in the future. I don't have any control over it. Hopefully if any other users come here and search for the security warning issue they will find this post and see that the devs of the forum service have accounted for the security of the login, and at the very least they can ensure they are using the https version themselves.