9 Jan 2017, 11:34 PM   #14
jhollington
The only valid reason I could see for doing this would be to secure user credentials against interception, which is a somewhat valid concern, but perhaps not enough to justify the additional complexity, cost, and overhead of maintaining an HTTPS version of the site, and in particular forcing/redirecting users to that version — which, as others have pointed out, would potentially create needless connectivity issues.

Ultimately, like any security assessment, it comes down to the actual threat and risk we're talking about. As long as you're following best security practices and not reusing the same password everywhere (and password reuse is a very bad idea even if a site is fully SSL-protected), there's very little that an attacker is going to get from having your EMD password. Basically, they can compromise your account and impersonate you on these forums, read your private messages, and obtain your email address. How much of an issue that is for you really depends on what sort of things you're doing on these forums — if you're exchanging confidential information via the PM system, then perhaps you have something to be concerned about, but it's probably safe to say that most users aren't doing that.

Personally, I think most hackers have better things to do with their resources than target EMD profiles, especially on a per-user basis. There's just nothing of sufficient value here to make it worth anybody's time and effort.

Frankly, if I wanted to pick at nits, I'd be more concerned that EMD is still running considerably older versions of Apache (2.2.24 circa 2013), PHP (5.2.17, circa 2011), and vBulletin 3.6.12 (assuming PL2, circa 2009). That said, I'm not even that concerned about these, since with the exception of Apache, these are the latest patch releases for those streams. However, there are still known vulnerabilities in those as well that make a desire for SSL securing the transmission channels even less relevant by comparison.