If/when HTTPS gets fixed it may be an idea to tell members about it. In amongst all the emails telling me that my account with password 123456 or asdasd had been accessed was one with a genuine(but old) C&F password in the subject line. I guess this was picked up from an HTTP connection on a compromised free WiFi somewhere. No big deal but it is a temptation to open the email.

Those emails quoting actual passwords are normally not derived from websites visited or used; they are derived from hacked lists, often arising from security breaches at internet providers. You can check whether a particular email has been hacked in this fashion, and even when it was likely to have been, by visiting:

https://haveibeenpwned.com/

_________________
"Only connect!"

https://youtu.be/ezbWVysJAOY
https://tapm.bandcamp.com/

The only list containing my C&F password will be the one maintained by this board. If that had been hacked I think you would have had more comments. I suspect a hacked WiFi router at a pub or cafe somewhere, or their third-party WiFi provider - the logo for which got attached to a link to this board in Safari. With http passwords are not encrypted.

I'm no IT expert, but the point is that it isn't websites that your password would have been gleaned from. When you enter a password on a computer (including a smartphone), at that moment, it can be harvested. That has nothing to do with the website concerned. It's the ISP that's been hacked. If you follow that link I gave you and you type your email address in, you'll see the likely breach that caused your password to be on a separate, hacked list. I suppose it could be a WiFi router, but, from the breaches that I've seen, it's much more likely to be an ISP. There have been many, and very well publicised.

_________________
"Only connect!"

https://youtu.be/ezbWVysJAOY
https://tapm.bandcamp.com/

There's no need to hack the ISP to get the C&F login password. Anyone on the same network can do it very easily. Any traffic that isn't encrypted, e.g. sites using http:// (and not https:// sends everything in the open, and every single computer on that network can watch the traffic in clear, with only the simplest of tools. And in hotels it's extremely likely that someone is doing just that, and in cafeterias and the like it's also not uncommon (but hotels have hundreds of guests so that's a very attractive target for harvesting).
The only way to fix that is to go to https:// where neither the login credentials nor the cookie used afterwards can be seen (using https:// just for the login part removes the most obvious problem - the one anyone can use straight away, with no knowledge: Getting the account name/password. But using http:// for the rest still leaves the cookie in the open, although using that one for nefarious purposes needs more than %0 knowledge).

Ben - as I understand it the situation is along the lines described by Tor. If you have a WiFi connection which does not require a password then the traffic can be intercepted. If it does have a password then the router needs to be hacked but many can be. Then the harvested passwords are put on a list and sold.

That's why people use https - so that it is encrypted all the way between the browser and the server hosting the web page. Routers and ISPs don't see the password.

For C&F admin one advantage of https would be that less passwords would go onto lists so fewer people would tell you that the site may have ben hacked. (And if a lot of people did then maybe the problem really was at your end)

It's not necessary to hack the router if you have access to the network via the password, as is the case for WPA- or WPA2-encrypted public (e.g. cafeterias) networks (or just via a login page as is often the case for hotels). You'll then be able to see all network traffic. The network encryption is only to protect from listening / connecting by others, it's not protecting those on the network from each other. For that you need HTTPS, VPN, or other per-device encryption.

Ah, OK, right you are. Anyhow, as one security advice site puts is succinctly "Public Wi-Fi is inherently insecure"

By contrast, I've never actually heard of an ISP being hacked and that being the source of passwords being lost. The main method I am familiar with is dumping passwords from a website's own database. This isn't hard to do for some websites.

Part of the problem is that this can go un-noticed for a while and then the passwords show up in some other public dump. A large portion of https://haveibeenpwned.com 's passwords are from such harvests and just added to a list. Passwords and personal information doesn't sell for a lot individually, so you usually see it in massive heaps. This is also how you end up with out-dated passwords in lists that show up in some the phishing emails where someone claims to know your password. (You can read about each of the largest breaches on the website. You'll see in the description that LinkedIn, or MySpace, had had passwords and data exposed that may have gone unknown for a while. Again, the point is that it was the website itself that had the problem.)

(I'm a little bit of a Cybersecurity enthusiast. I hope to become a Security auditor at some point; so I read up on how to hack websites and try to practice hacking on my own when I get the chance.)

I see it's been fixed: https://forums.chiffandfipple.com/

Why, so it is! But is it just my computer, or are all the avatars gone defunct for everyone else, too?

_________________
"Time is the wisest counselor of all." - Pericles

"I remain not entirely convinced of it." - Nano

They've never worked for me on the https version. I thought that was just the way it was.

_________________
"Only connect!"

https://youtu.be/ezbWVysJAOY
https://tapm.bandcamp.com/

Practically all of them, with just an exception or two, worked for me up to now. For example, yours was a photo of a little monkey doll with a human-sized whistle in its arms, and sitting on a book. I always assumed the photo was taken in your home. Now all the avatars are replaced with a teensy square that's supposed to vaguely evoke a picture; it has a bent-inward upper right corner, and is accompanied by the words "User avatar".

I wonder what's up with the change.

_________________
"Time is the wisest counselor of all." - Pericles

"I remain not entirely convinced of it." - Nano

For me avatars are still there with http - which I think is what Ben meant. Not there with https in Firefox on Windows or Safari on iThing.

On my computer (Windows 10, Chrome) I'm not seeing anything in the way of either http or https written in any URL of any webpage I'm on, be it C&F or otherwise. I couldn't tell you if it's always been that way; I never really noticed. I just checked on my phone, and there C&F's URLs begin with https. I'm getting the same "User avatar" thingum there, too, but I don't know if that's new, as I almost never access C&F by phone; any memory for me of such features is out the window.

Hmm. I'm not seeing C&F's usual banner ads, either. I made no intentional move to block them.

_________________
"Time is the wisest counselor of all." - Pericles

"I remain not entirely convinced of it." - Nano