Re: HTTPS for passwords in the year 2013
Posted by GregChapman on Jun 05, 2013; 12:14am
URL: https://support.nabble.com/HTTPS-for-passwords-in-the-year-2013-tp7584662p7584683.html
badon wrote
Nabble's login form does not use SSL. So, anyone who logs in to Nabble has almost certainly had their login credentials logged by someone malicious.
That can only occur if a computer's security is already compromised. It is relatively easy to take steps to ensure this doesn't happen.
The trail ends at the victimized Nabble user
There is no victimised Nabble user. If they are a victim at all, it is because of their own security failings that originated before logging into a Nabble server.
Maybe some people are comfortable with that. I'm not.
Your lack of comfort is misplaced and stems from a misunderstanding.
I'm not an administrator, I'm a regular user. My message had a missing word that caused this confusion.
You don't mention the missing word so I am not sure that I know what you really intended to say.
I don't know how that happened, but with no security, someone could have altered my message in a man-in-the-middle attack. I think my PC just ate the word, like if I was typing it at the same moment a popup got in the way, and I resumed typing after dismissing the popup without realizing something got lost. However, there's no way to know, because Nabble has no modern security features. I don't know who is using my account right now, and I don't know who is reading my messages, or trying to strip away my anonymity and privacy.
I'm afraid these worries are all based on misunderstandings.
Yes, "man in the middle attacks" can occur. I pointed out in my previous post that most Internet traffic is no more secure than snail mail or telephone calls, so it is possible for people to intercept and make copies of traffic passing through a server. And yes, SSL will make it practically impossible for intercepted traffic to be misused.
However, your initial fear (misplaced, in my view) suggested that key-logging was taking place on most people's computers. You then suggest that the solution to that problem is for Nabble to use SSL connections. That is like saying your car keys have been stolen but now you refuse to call your garage to order a replacement in case the thief is tapping your telephone.
Volunteer Helper - but recommending that users move off the platform!
Once the admin for GregHelp now deleted.