Suggestions: Require HTTPS connections
Posted 1157 days ago by Hello World
Currently only the login page is protected by HTTPS. I hope HTTPS is always enforced, so that the cookies can be marked as Secure. If users are redirected to HTTP after login, the cookies can be hijacked by a man-in-the-middle, who can use the cookies to log in to others' accounts.
Also the home page (https://boinc.thesonntags.com/collatz/index.php) contains mixed content. Some images are loaded over HTTP rather than HTTPS, such as http://boinc.thesonntags.com/collatz/user_profile/images/10137_sm.jpg. I suggest changing them to relative links.
Hope you can consider the two suggestions. Thanks!
Edit 1: If possible, could you please also disable SSL 3.0 to mitigate POODLE attacks?
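
A way to check for the first two issues raised in the post above, as an added example that is not part of the original post or of the project's code: it audits captured `Set-Cookie` headers for a missing `Secure` attribute and scans an HTTPS page's HTML for subresources loaded over HTTP. The cookie names and values and the HTML snippet are constructed sample input; only the two URLs come from the post.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch a subresource.
# <a href> is navigation, not mixed content, so it is not listed.
SUBRESOURCE_ATTR = {"img": "src", "script": "src", "iframe": "src"}

# Constructed sample input (cookie names and values are assumptions).
PAGE_URL = "https://boinc.thesonntags.com/collatz/index.php"
SAMPLE_SET_COOKIE = ["auth=0123abcd; Path=/; HttpOnly", "lang=en; Path=/; Secure"]
SAMPLE_HTML = """
<img src="http://boinc.thesonntags.com/collatz/user_profile/images/10137_sm.jpg">
<img src="user_profile/images/10137_sm.jpg">
<a href="http://example.org/">external link</a>
"""

def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        missing += [name for name, m in jar.items() if not m["secure"]]
    return missing

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTR.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative links against the page, as a browser does.
                absolute = urljoin(self.page_url, value)
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append(absolute)

def mixed_content(page_url, html):
    """Return http:// subresource URLs referenced by a page served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

if __name__ == "__main__":
    print(cookies_missing_secure(SAMPLE_SET_COOKIE), mixed_content(PAGE_URL, SAMPLE_HTML))
```

The relative image link resolves to an `https://` URL and is not reported, which is the effect of the relative-link change suggested in the post.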