Security issue: Please SSL encrypt the Axoloti Order Form!


#1

Hi @Johannes & Axoloti Community

Just a warning/advisory: The Axoloti online order form is NOT encrypted / not SSL secured. While it is true that if you use PayPal your credit card information will (hopefully) be protected, credit card numbers are not the only hazard! Any orders of Axoloti are sending your name, address, house number, phone number and email unencrypted and in the open. This is a real problem with regard to the potential for identity theft and is absolutely not up to modern web privacy standards. I would recommend any potential Axoloti buyers refrain from making purchases until this issue is fixed, as will I.


#2

A second note -- it shouldn't cost you anything to SSL encrypt the order form! @Johannes, the "Let's Encrypt" project can hook you up with an SSL certificate to do this: https://letsencrypt.org/

Likewise, the logins to the Axoloti community forum aren't SSL encrypted. This means any sufficiently motivated intermediary can receive your username/password and use that to log in as you. This kind of thing can and does happen online. I realize there are those who would argue, what possible damage could someone do in a special-topic forum such as the Axoloti community? However, the possibility that someone could take your account info opens you up to the possibility that that person could then attempt to use those same login credentials on other websites. If users use the same username/password on other websites, this is potentially a significant problem! On this point I strongly urge you to SSL encrypt the community forum login.
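The risk described in posts #1 and #2 (an order form and a login form that submit personal data and credentials over plain HTTP) can be checked mechanically before anyone types into them. The script below is an added example, not code from the thread or from the Axoloti project: it parses a page's HTML, resolves each form's `action` against the page URL, and reports every form whose submission target is not `https`, listing the sensitive-looking fields it would leak. The page URL `http://shop.example/order`, the form markup and the field names are constructed sample input; the keyword list is an assumption about what counts as sensitive.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that, if posted over cleartext HTTP, expose PII or credentials.
# This keyword list is an assumption chosen for the example, not a standard.
SENSITIVE_KEYWORDS = ("pass", "email", "phone", "address", "house", "name", "card")


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the inputs it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action means "submit back to the page URL".
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name") or ""
            ftype = (a.get("type") or "text").lower()
            self._current["fields"].append((name, ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_forms(page_url, html):
    """Return forms on `page_url` whose resolved action is not https.

    Each finding lists the fields that look sensitive and whether the form
    carries a password input (i.e. it is a login form).
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # relative -> absolute
        if urlsplit(target).scheme.lower() == "https":
            continue  # encrypted in transit; nothing to report
        sensitive = [
            name for name, ftype in form["fields"]
            if ftype == "password"
            or any(k in name.lower() for k in SENSITIVE_KEYWORDS)
        ]
        findings.append({
            "action": target,
            "sensitive_fields": sensitive,
            "has_password": any(ftype == "password" for _, ftype in form["fields"]),
        })
    return findings


# Constructed sample page: an order form and a forum login form that post
# back to the same plain-HTTP host, plus one form that posts to an https URL.
PAGE_URL = "http://shop.example/order"
SAMPLE_HTML = """
<form action="/order/submit" method="post">
  <input name="name"><input name="address"><input name="house_number">
  <input name="phone"><input name="email"><input name="quantity" type="number">
</form>
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
<form action="https://pay.example/checkout" method="post">
  <input name="card_number">
</form>
"""


if __name__ == "__main__":
    for f in find_cleartext_forms(PAGE_URL, SAMPLE_HTML):
        kind = "login form" if f["has_password"] else "form"
        print(f"cleartext {kind} -> {f['action']}: leaks {f['sensitive_fields']}")
```

Running it against the sample reports the order form (name, address, house number, phone, email) and the login form (username, password) as cleartext submissions; the `https` checkout form is not reported. Serving the same page over `https://` makes the relative actions resolve to `https` as well, which is exactly the fix the thread asks for.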


#3

8 months and no change in status of this issue: Still no SSL / https security available for forum login and for address / order form for Axoloti core. I will try to raise this issue regularly until it gets fixed. It IS an issue.


#4

… and getting valid Let's Encrypt certificates for free and with automatic reissue is a no-brainer nowadays …


#5

Indeed, please do this, if you have a decent hosting company it is trivial. Should we ask @thetechnobear maybe?


#6

I’ve done this on another server.
But unfortunately I don’t have access to the host for the Axoloti forum, just moderation/admin rights in Discourse.