Quite frankly, I'm disappointed at the number of forums (including this one) that do not implement TLS.
They claim, with a depressing degree of technical ignorance, that the site isn't facilitating financial transactions or storing sensitive data, so TLS isn't required.
These sites are forgetting a few things:
- User credentials are sensitive data. Users are human and many users are pretty ignorant of security; they shouldn't - but they DO - use the same usernames and passwords on forums and other sites which do, for example, facilitate financial transactions.
- Using TLS, as well as protecting credentials in transit, also certifies the validity of the forum to the user and reduces the likelihood of a man-in-the-middle attack by various means.
- User creds for administrative users are particularly valuable to a bad actor. Lack of TLS is a birthday present!
Reading the "what we're doing" paragraph actually annoyed me - particularly the "we're looking at new encryption techniques" line. My view is that the entire session from start to finish should be done over TLS, and the technology to do this has been around for decades.
That said, I'm pleased to see at least that our passwords are being persisted as salted hashes.
CB