Please change forum from HTTP to HTTPS

General Public
Posts: 7
Joined: Fri May 25, 2012 7:26 pm

Please change forum from HTTP to HTTPS

Postby General Public » Fri Oct 06, 2017 8:48 am

This forum requires users to log in over HTTP rather than HTTPS, and posting things on the forum while logged in is also done over HTTP. This is very insecure; the passwords are being sent as plaintext over the Internet. Please switch your forums to HTTPS so they are secure. The download and informational parts of your website do not necessarily need to be in HTTPS, but the forums definitely do. There is zero security at all with HTTP, and with a site people log in to with a username and password, that is something that should never be done on the Internet these days; HTTPS is a must. And obviously require TLS 1.0 at a minimum, preferably TLS 1.2 or 1.3. SSL versions 1-3 are all deprecated and insecure; using TLS is a must.

Honestly I feel insecure even logging into this site and posting it but somebody has to tell you about this. I am going to have to change all my passwords now in case there is a man-in-the-middle attack and someone intercepted my plaintext password that was sent over HTTP without any encryption.
Usher
Posts: 2567
Joined: Sat Mar 20, 2010 2:37 pm
Location: Poland

Re: Please change forum from HTTP to HTTPS

Postby Usher » Fri Oct 06, 2017 1:39 pm

What is so important or secret in this open public forum that you require https? You don't even need to log in here, you can post as a guest…
Andrzej P. Wozniak, FDM user and forum moderator
Read FDM FAQ and the reporting rules
"How to report a bug or a problem with FDM" before posting
StormJumper
Posts: 540
Joined: Sun Dec 30, 2012 10:27 pm

Re: Please change forum from HTTP to HTTPS

Postby StormJumper » Sun Oct 08, 2017 8:24 pm

General Public wrote: This forum requires users to log in over HTTP rather than HTTPS, and posting things on the forum while logged in is also done over HTTP. This is very insecure; the passwords are being sent as plaintext over the Internet. Please switch your forums to HTTPS so they are secure. The download and informational parts of your website do not necessarily need to be in HTTPS, but the forums definitely do. There is zero security at all with HTTP, and with a site people log in to with a username and password, that is something that should never be done on the Internet these days; HTTPS is a must. And obviously require TLS 1.0 at a minimum, preferably TLS 1.2 or 1.3. SSL versions 1-3 are all deprecated and insecure; using TLS is a must.

Honestly I feel insecure even logging into this site and posting it but somebody has to tell you about this. I am going to have to change all my passwords now in case there is a man-in-the-middle attack and someone intercepted my plaintext password that was sent over HTTP without any encryption.

If that is your problem, you're already too late to stop it. I think you have more issues than FDM at hand that you first need to resolve before asking this.
Arbitrator
Posts: 4
Joined: Sat Dec 31, 2011 6:35 am
Location: Splendora, Texas, United States of America

Re: Please change forum from HTTP to HTTPS

Postby Arbitrator » Mon Oct 09, 2017 5:28 am

Usher wrote: What is so important or secret in this open public forum that you require https? You don't even need to log in here, you can post as a guest…

Email addresses and passwords of all current and new users including those that aren’t particularly security conscious.

In any case, it looks like the site does use HTTPS now, though one has to manually go to the HTTPS site from the HTTP site since redirects to HTTPS aren’t configured.

Time for freedownloadmanager.org to put itself on the HTTP Strict Transport Security preload list at https://hstspreload.org/?domain=freedownloadmanager.org (which requires implementing the aforementioned redirects).
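
The preload requirements mentioned in the post above (an HTTP to HTTPS redirect on the same host, plus a `Strict-Transport-Security` header with a `max-age` of at least one year, `includeSubDomains` and `preload`) can be checked offline against captured responses. This is an added example, not part of the original thread or of the site's own configuration; the host `example.org`, the function names and the sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year in seconds, the minimum hstspreload.org accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-True}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:  # RFC 6797: a directive must not appear twice
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"') if arg else True
    return directives

def preload_problems(host, http_redirect_location, hsts_header):
    """Return the reasons a host would fail the preload requirements."""
    problems = []
    # 1. http://host must redirect to https:// on the same host first.
    if not http_redirect_location:
        problems.append("no redirect from HTTP to HTTPS")
    else:
        target = urlsplit(http_redirect_location)
        if target.scheme != "https":
            problems.append("HTTP redirect does not go to https://")
        elif (target.hostname or "").lower() != host.lower():
            problems.append("HTTP redirect leaves the host before upgrading")
    # 2. The HTTPS response must carry a preload-eligible HSTS header.
    if not hsts_header:
        problems.append("no Strict-Transport-Security header")
        return problems
    d = parse_hsts(hsts_header)
    max_age = d.get("max-age")
    if not (isinstance(max_age, str) and max_age.isdigit()):
        problems.append("max-age missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age below {MIN_MAX_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            problems.append(f"missing {flag} directive")
    return problems

if __name__ == "__main__":
    # Constructed case matching the thread: HTTPS works, but nothing redirects to it.
    print(preload_problems("example.org", None, None))
    # Constructed case: redirect in place, header eligible for preloading.
    print(preload_problems("example.org", "https://example.org/",
                           "max-age=63072000; includeSubDomains; preload"))
```
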
