forum.micasaverde.com is not safe, sending password in clear text

It’s starting to be rare that a web site is not using SSL. Google started to give lower ratings in search when a web site doesn’t use SSL.

But here, it’s way worse! This web site is about controlling an entire house or business, including the security system.

Even if the web site doesn’t use SSL, the login/password could use encryption, but it doesn’t. I have traced the network call, and the password is visible and marked ‘password’ in clear text…

It should be assumed that any password used on this web site is known by lots of people with malicious intent.

I hope there is no engineer of the Vera product involved with designing this forum system, because that would mean basic security concepts are not understood.

MCV? MARK SHENKER?

Sent from my Redmi Note 2 using Tapatalk

The forum is running on version 2.0.11 of the SimpleMachines forum software, which is the latest version but is not developed by GetVera. I wonder if GetVera can redo the forum login page as https. But SMF hashes the password before it sends it over the net, so I’m quite surprised you can see a clear text password.

While you’re not wrong that HTTPS (TLS) is becoming the de facto connection method and that it is a good thing that ideally Micasaverde’s Simple Machines Forum should use, you are wrong about the password.

Forum login passwords are NOT sent in plain text. Forum login passwords are hashed before being sent, as can be seen in the following code snippet from the forum login page.

<form id="guest_form" action="http://forum.micasaverde.com/index.php?action=login2" method="post" accept-charset="ISO-8859-1"  onsubmit="hashLoginPassword(this, 'STOPMAKINGFALSEACCUSATIONS');">

I’ve also done network traces, just now, to verify that it is working as it should and no clear text password hits the wire. Only the hashed password is sent.

Your statement is incorrect. The forum does not send clear text passwords. If you have a network trace as you describe, I suspect that you have a problem with your collection method. The password does not hit the wire.

Additionally, logins to the Vera home automation portals - distinct from the forum - use HTTPS (TLS) secured connections, and tunnels between Vera and the Vera servers are secured using SSH.

I hope you have different passwords for different accounts.
If you use the same password, then your security is only as strong as the WEAKEST web service provider.

In general there are lots of websites that I do not worry about being compromised.
I am sure the one for the Forum must have been compromised … otherwise I do not know how I could get such a large negative charma :slight_smile:

Don’t make me smite you for mistyping karma as charma. :wink:

Lol

Sent from my SM-N920V using Tapatalk