Fold.it should be using TLS
Opened on: Friday, April 20, 2018 - 19:21
Last modified: Thursday, April 26, 2018 - 01:04
I've recently signed up for fold.it (as part of CitSciDay) and noticed that something was odd.
When a user signs up or logs in, they are presented with a warning:
On Firefox: "This connection is not secure. Logins entered here could be compromised."
See it visually: http://fold.it/portal/files/images/non_tls_foldit.png
Since Firefox 52 (March 2017) and Chrome 56 (January 2017), warnings like this are displayed any time a site is asking for a password over an unencrypted connection.
fold.it is not using encryption (i.e., TLS). This has been an increasingly dangerous thing for websites to do, as user details are being sent in plaintext across the internet. This allows third parties to collect the user details, which can be used to compromise accounts on fold.it (including admin accounts), and also endangers other accounts of users (more than 60%) who re-use their passwords across multiple sites. Beyond that, we have seen nation-states take advantage of non-TLS connections in order to perform man-in-the-middle attacks on users, which can harm both the users and the reputation of the site.
This is all to say that encrypting connections to websites has become table stakes for being secure on the web. Thankfully, it is easier than ever to get encryption set up on your website. Previously, it used to require money to buy TLS certificates, but now with projects like "Let's Encrypt!" it can even be free.
To be clear, I am just a concerned, tech-savvy user of your site. I'm not trying to sell you anything, nor am I trying to scare you. I'm writing this email simply to inform you of the risks and the negligence with which fold.it is handling user details.
I'm more than willing to answer any questions you might have about getting TLS set up on fold.it, and am even willing to volunteer my time to give technical support with the process if you'd like. I simply want to see fold.it and similar citizen science portals be made secure from attacks.
- Let's Encrypt free TLS certificates: https://letsencrypt.org/
- Firefox documentation for insecure password warning: https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox
- China taking advantage of non-TLS connections: https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack
- More than 60% of users reuse passwords: https://threatpost.com/no-simple-fix-for-password-reuse/118536/