Login Security and SSL Certificates
Browsers (e.g. Google Chrome, Safari) are always being upgraded and improved. Recently browsers have started highlighting websites which don't have SSL certificates, and especially pages which ask you to enter a password but are not served over HTTPS. Here's an example from Firefox.
HTTPS is a secure protocol - in effect it means that all the traffic between you and the website, and most importantly anything you enter on a website form, gets encrypted on your device and then decrypted on the website's server, which means nobody listening in to your traffic* can find out your password.
At present Spanglefish sites mostly work on HTTP, unencrypted, so you will see these warnings when logging in. To be clear, this doesn't mean you are any less secure than you were last month or last year, just that browsers are being more proactive in telling you about it.
We now have an SSL certificate for sites on some of our domains - you'll see that the address of this Spanglefish Manual website starts with https://. If you have a Gold site and would like it moved to HTTPS please let us know. This does involve some work by us, so we cannot provide it for free sites on the system.
There is an important issue to note though. We're only able to do so for our domains spanglefish.com, parish-council.com and community-council.org.uk at present. If your Spanglefish site is running on your own domain then you'll need to consider whether you should purchase an SSL certificate for it.
Your domain registrar will charge a certain amount for an SSL certificate, and we at Spanglefish may have to charge for the time it takes to set it up on the server. You might expect a cost of £30 per annum.
So you should consider whether this is worthwhile for you. The risk is that someone snooping on your traffic between your computer and our server could grab your admin password. You may consider this risk to be very small, and in general if someone interfered with your website we can reinstate the changes and change the password safely.
However, if you have lots of users logging into your admin (for example club members), and you have protected pages with sensitive content on them, then you might think the cost is worthwhile.
But to be clear, the biggest danger is if you re-use passwords. If the one you use for Spanglefish is also the one you use for your bank or your email account then you really must change it.
* You might think listening in to your traffic is unlikely, but it's easy for someone with a laptop sharing a wireless network with you (for instance in a café) to view the data you're typing in if the website doesn't use SSL.