The default user journey around your main website does not lead to a secured (https) login although you can over-ride it (https://huel.com/account/login) and the forum site (discuss.huel.com) does not appear to even allow over-riding the http site with https.
This is bad - please implement site-wide secure browsing and allow https login to the forum as a matter of urgency.
Johnny.
3 Likes
I agree that most sites should use this protocol, however I don’t see it as a matter of urgency. If my account is breached, I’m not too bothered. If it was confidential material then I would be concerned.
1 Like
There is a time and a place for SSL. A discussion board about powdered food I don’t think is one of them. SSL is hard. It’s not easy to install and manage, and is expensive. This forum is a cost to Huel as a business and does not (AFAIK) generate revenue directly.
Seems fashionable these days to have everything SSL regardless of if it actually does need it and to think that those who do not are somehow inferior. The important parts of this site are SSL enabled.
If you’re smart enough to know about SSL, you’re smart enough to know about password managers and best passwords practices.
My initial point was about the mail huel site - the discussion board was simply because, thanks to Let’s Encrypt SSL Certificates are neither expensive, nor hard to implement.
Password managers are of course the way to go - but not everyone sees the need and the burden of security should not be left to the users of a site IMHO.
1 Like
It should also be noted that the world’s most popular search engine, Google, is gradually starting to include the use of HTTPS as a “ranking signal”. Meaning that it’ll improve the website’s visibility in search results, especially in the future.
2 Likes
Thank you for the suggestion Huelers, we will investigate.
I agree with the original poster. I can see why it might not be seen as important by some but it is good practice to implement such a feature.
Lets Encrypt is great and has a lot of different implementation methods!
1 Like
SSL is really easy. A good certificate is cheap these days and implementation shouldn’t take more then ten minutes - on a managed server you’d just put a support query in.
Many, many people reuse passwords across different websites and a breach on one vulnerable website could easily give hackers someone’s paypal details - no login, account or payment page should ever be served without https
I’ve looked into this. The good news is that:
The forum should have a https within a week.
Shopify, the platform we use for the main site, is rolling out https by the end of Feb 2016 - https://www.shopify.com/blog/73511365-all-shopify-stores-now-use-ssl-encryption-everywhere#disqus_thread
7 Likes
Good to hear Julian, thanks for considering it.
Johnny. (OP)
1 Like
The forum is now https.
6 Likes
So’s the main website too!
5 Likes