
Login Security

Browsers (e.g. Google Chrome, Safari) are constantly being upgraded and improved. Recently browsers have started highlighting pages where you are asked to enter a password but the page is not served over HTTPS. Here's an example from Firefox.

HTTPS is a secure protocol. In effect it means that anything you enter on a website form is encrypted on your device and only decrypted on the website's server, so nobody listening in to your traffic* can find out your password.

At present Spanglefish only works on HTTP, unencrypted, so you will see these warnings when logging in. To be clear, this doesn't mean you are any less secure than you were last month or last year, just that browsers are being more pro-active in telling you about it.
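The browser warning described above comes down to a simple check: is there a password field on a page, or in a form, that would travel over plain HTTP? The following is an added example (not Spanglefish's code) of that same check written in Python, run over a constructed sample login page; the URL and HTML are made up for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormAuditor(HTMLParser):
    """Records every <form> on a page, where it submits to, and whether it asks for a password."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._action = None        # submit URL of the form currently open, if any
        self._has_password = False
        self.forms = []            # list of (action_url, has_password_field)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self._action = urljoin(self.page_url, a.get("action") or "")
            self._has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            self.forms.append((self._action, self._has_password))
            self._action = None


def insecure_login_forms(page_url, html):
    """Return submit URLs of password forms that a browser would flag as insecure.

    A form is flagged when the page itself is not HTTPS (an HTTP page can be
    altered in transit, so even an HTTPS action on it is not trusted) or when
    the form's own action is not HTTPS.
    """
    parser = PasswordFormAuditor(page_url)
    parser.feed(html)
    parser.close()
    page_secure = urlsplit(page_url).scheme == "https"
    return [action for action, has_pw in parser.forms
            if has_pw and not (page_secure and urlsplit(action).scheme == "https")]


# Constructed sample: an admin login page with a harmless search form and a
# login form whose relative action posts back over the page's own scheme.
SAMPLE_HTML = """
<form action="/search" method="get"><input name="q"></form>
<form action="login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    print(insecure_login_forms("http://example.org/admin/login", SAMPLE_HTML))
```

Serving the same page over HTTPS makes the list empty, which is exactly the change the browser warning is asking for.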

We are looking into moving Spanglefish to HTTPS in the next few months. There is a big 'but', though: we're only able to do so for our own domains. If your Spanglefish site is running on your own domain then you'll need to consider whether you should purchase an SSL certificate for it.

Your domain registrar will charge a certain amount for an SSL certificate, and we at Spanglefish may have to charge for the time it takes to set up on the server. A very rough estimate might be a cost between £50 and £100 Sterling per annum. We will provide exact costs for Calico registered domains in the next month or so.

So you should consider whether this is worthwhile for you. The risk is that someone snooping on your traffic between your computer and our server could grab your admin password. You may consider this risk to be very small, and in general if someone interfered with your website we can reinstate the changes and change the password safely.

However, if (for instance) you have lots of users logging into your admin, for example club members, and you have protected pages with sensitive content on them, then you might think the cost is worthwhile.

But to be clear, the biggest danger is if you re-use passwords. If the one you use for Spanglefish is also the one you use for your bank or your email account then you really must change them.


* You might think listening in to your traffic unlikely, but it's easy for someone with a laptop sharing a wireless network with you (for instance in a café) to view the data you're typing in if the website doesn't use SSL.


Examples

  1. You have a website on Spanglefish for your local bowling club. Only you have a login and the password you use is not one you use anywhere else. You only ever log in to administer the site using your home computer which is connected to your router by network cable rather than wireless. You don't have any sensitive data on protected pages on your site.

    There really isn't any security reason why you'd spend money to get an HTTPS certificate.
  2. You're an ex-police officer and set up a website for all of your colleagues to keep in touch. You create protected pages which only administrators can see which lists all the members' phone numbers and addresses. You give all your colleagues passwords so they can view the protected pages.

    Your members might log in from any location using their phones or tablets, maybe in internet cafés over public WiFi. Someone snooping on the traffic could get access to a member's password or the telephone numbers etc.

    You may decide that you need the extra security an HTTPS certificate would provide, so that anyone snooping on the traffic can only see encrypted gibberish.