Login Security

Browsers (eg Google Chrome, Safari) are always being upgraded and improved. Recently browsers have started highlighting pages where you are asked to enter a password, but the page is not on HTTPS. Here's an example from Firefox.

HTTPS is a secure protocol - in effect it means that anything you enter on a website form is encrypted on your device and only decrypted on the website's server, so nobody listening in to your traffic* can read your password.

At present Spanglefish only works on HTTP, unencrypted, so you will see these warnings when logging in. To be clear, this doesn't mean you are any less secure than you were last month or last year, just that browsers are being more pro-active in telling you about it.

We are looking into moving Spanglefish to HTTPS in the next few months. There is a big but though. We're only able to do so for our own domains. If your Spanglefish site is running on your own domain then you'll need to consider whether you should purchase an SSL certificate for it.

Your domain registrar will charge a certain amount for an SSL certificate, and we at Spanglefish may have to charge for the time it takes to set up on the server. A very rough estimate might be a cost between £50 and £100 Sterling per annum. We will provide exact costs for Calico registered domains in the next month or so.

So you should consider whether this is worthwhile for you. The risk is that someone snooping on your traffic between your computer and our server could grab your admin password. You may consider this risk to be very small, and in general if someone interfered with your website we can reinstate the changes and change the password safely.

However, if (for instance) you have lots of users logging into your admin, such as club members, and you have protected pages with sensitive content on them, then you might think the cost is worthwhile.

But to be clear, the biggest danger is if you re-use passwords. If the one you use for Spanglefish is also the one you use for your bank or your email account then you really must change them.

* You might think listening in to your traffic unlikely, but it's easy for someone with a laptop sharing a wireless network with you (for instance in a café) to view the data you're typing in if the website doesn't use SSL.