Dear Tim & Team,
I've noticed that the websites and forums settings are not completey state of the art when it comes to encryption. There are potential points of improvement I've found:
- The website has an SSL certificate, which is good. However, visitors are not forwarded automatically to the encrypted version
- The forums do not have encryption at all
Especially since you're dealing with personal data and logins, this is a potential security risk. However, implementing a baseline of security is not much effort at all. All you need is a certificate for the forums page and an automatic redirection for both pages. Free SSL certificates can be obtained from Let's Encrypt for example.
If you want to make a game out of it: Try to improve your grade for both sites on
https://observatory.mozilla.org . Once you've started, it's actually quite funny to see the score rising :-)
Best Regards
jk