Open movermeyer opened 6 years ago
This applies to:
PHYLO: http://phylo.cs.mcgill.ca/
Password reset site: http://kovik.cs.mcgill.ca:3000/reset/
Open Phylo: http://kovik.cs.mcgill.ca/#/login
PHYLO is not using encryption (i.e. TLS). This has been an increasingly dangerous thing for websites to do, as user details are being sent in plaintext across the internet.
This allows third parties to collect the user details, which can be used to compromise other online accounts of the >60% of users who re-use their passwords across multiple sites.
Beyond that, we have seen nation-states take advantage of non-TLS connections in order to perform man-in-the-middle attacks on users, which can harm both the users and the reputation of the site.
This is all to say that encrypting connections to websites has become table stakes for being secure on the web.
From Fiddler 4:
More reading:
Thanks. We are indeed planning to use TLS. We're working on it but are experiencing compatibility issues. Hopefully it'll be fixed soon.