Board Thread:New Features/@comment-270184-20151105191759/@comment-33557929-20171117162529

Kirkburn wrote: I can't provide an ETA, unfortunately.

Just pointing out this was said a whole two years ago... Has there been a test site yet?

OneTwoThreeFall wrote: FishTank wrote: … In the meantime, as you said, the part that really needs to be securely encrypted (your login) is indeed delivered by HTTPS.

This would only be an improvement if we were only concerned about the security of the password choices of the users and not their accounts:

If you want to illegitimately use an account, it makes little difference whether you know its login details, or are able to read unencrypted traffic between the server and the browser and hijack the session. Having access to the client's local area network (including merely being able to somehow circumvent its encryption, e.g. KRACK) or any other exposed point between the server and the browser makes it possible to eavesdrop on all traffic that is not encrypted between the two.

On top of that, I can't come up with another site that, to this day, can't be used normally with "Block all unencrypted requests" toggled on in HTTPS Everywhere.
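
The exposure described in this comment can be checked from response headers. The following is an added example, not part of the original thread or the site's own code: it lists cookies that lack the `Secure` attribute (and so may be sent over plain HTTP after an HTTPS login) and reports whether HSTS is set. All header values and cookie names are constructed samples.

```python
# Added example: audit response headers for cookies that would travel
# over plain HTTP. All header values below are constructed samples.

def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lowercase attribute names to values."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def hsts_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or 0."""
    for directive in (header or "").split(";"):
        key, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if key.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return 0

def audit(set_cookie_headers, hsts_header=None):
    """List cookies a browser may send in cleartext, and whether HSTS is on."""
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Without Secure, the cookie is attached to http:// requests too.
        if "secure" not in attrs:
            exposed.append(name)
    return {"cleartext_cookies": exposed,
            "hsts": hsts_max_age(hsts_header) > 0}

# Constructed: login served over HTTPS, but the session cookie lacks Secure.
MIXED_SITE = ["session_id=abc123; Path=/; HttpOnly",
              "theme=dark; Path=/"]
# Constructed: the same cookies once the whole site is served over HTTPS.
HTTPS_SITE = ["session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
              "theme=dark; Path=/; Secure"]

if __name__ == "__main__":
    print(audit(MIXED_SITE))
    print(audit(HTTPS_SITE, "max-age=31536000; includeSubDomains"))
```

`HttpOnly` alone does not help here: it hides the cookie from page scripts, not from anyone who can read the unencrypted request.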