Just to clarify some things and provide some security-101 in general:
UniLang didn't even use HTTPS, which means that connections were never encrypted to begin with and passwords were sent over the net unencrypted, making them in theory susceptible to being intercepted by an eavesdropper. Note that sites using HTTPS always have https:// in the URL bar (which you can usually click to see the certificate).
So this particular security flaw did not affect UniLang, as we weren't secure in this regard to begin with (nor is any other site you visit that doesn't use HTTPS!!! And now, because of this vulnerability, many HTTPS sites are not secure either until they pull their act together).
To prevent any misunderstanding and unnecessary worry: though transmitted unencrypted, UniLang user passwords are of course stored in encrypted (=unrecoverable) form in our database and the database has not been compromised.
In this day and age, with Edward Snowden's revelations, NSA & Co snooping around everywhere and users having tons of important accounts all around, providing no HTTPS will not do of course. I have therefore enabled HTTPS support for UniLang as well now, meaning people wanting encryption can now use https://unilang.org (note that some insensitive parts of the site may still be passed unencrypted). When you access https://unilang.org you will first get a security warning and may have to confirm a "security exception" because the certificate is a self-signed one (by me), rather than verified by an independent authority. Despite the warning, this is not a problem (assuming you trust me). You will want to store this exception permanently so you don't have to confirm it every time.
Note 1: If you're paranoid and want to be really sure those are the certificates I created and you're not being tricked by someone in the middle, then verify the certificate fingerprint, which should be F6:4C:79:3A:24:FD:C3:59:92:4B:63:63:24:CC:68:F6:FB:CB:A0:8A (SHA1) or 75:BE:06:7B:9E:75:31:25:34:14:25:38:B3:DC:21:AB (MD5).
Note 2: Now if you're a real professional paranoid you should be worried whether I in fact typed this message or if some evil-doer managed to break in, edit my message, and change the fingerprints. I'm of course mostly being sarcastic but I do want to make a point that absolutely foolproof security is impossible.
Last, but not least, some general tips on security:
- Never use the same password on multiple sites
- If a website offers HTTPS, use it! (This especially goes for big sites and big accounts like facebook, google, and is absolutely mandatory for anything that involves banking or online shopping.)
- Similarly for mail, ensure your mail connection (IMAP, POP3, SMTP) is encrypted. If you use public webmail like gmail, use https, but be aware of privacy risks inherent in letting someone else host your mail, especially if servers are hosted in countries known to violate privacy on a regular basis (yes, this is not just China but includes the US too).
- Always be aware whether your password is transmitted encrypted (https) or unencrypted (http) and again, never use the same passwords for both mechanisms. If you're not sure, assume it's unencrypted.
- Don't use a password with words that could be found in a dictionary, use variation, include digits and special characters, and make sure it is sufficiently long.
- Be especially careful on public computers and third-party wireless connections, never connect to wireless access points you don't know
- Change passwords immediately if you suspect they may be compromised, especially if you use the same password on multiple accounts (which you shouldn't)
- Don't write your password on a post-it and stick it to your monitor
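As an added example (not code from the post or from the UniLang site), this Python script does the out-of-band check that Note 1 above describes: it fetches the server's certificate, renders its fingerprint in the same colon-separated form browsers and openssl show, and compares it against the fingerprints the admin posted. The hostname unilang.org and the two fingerprints come from the post; the network fetch only happens when verify_host is called.

```python
import hashlib
import hmac
import socket
import ssl

# Fingerprints published out-of-band in the forum post above.
PINNED = {
    "sha1": "F6:4C:79:3A:24:FD:C3:59:92:4B:63:63:24:CC:68:F6:FB:CB:A0:8A",
    "md5": "75:BE:06:7B:9E:75:31:25:34:14:25:38:B3:DC:21:AB",
}


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Hash the DER-encoded certificate and render it the way browsers and
    `openssl x509 -fingerprint` do: upper-case hex, colon-separated."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept a fingerprint copied with or without colons/spaces, in any case."""
    return fp.replace(":", "").replace(" ", "").upper()


def matches_pinned(der_cert: bytes, expected: str, algo: str = "sha1") -> bool:
    """Constant-time comparison, so a mismatch leaks nothing about how close it was."""
    actual = normalize(fingerprint(der_cert, algo))
    return hmac.compare_digest(actual, normalize(expected))


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Retrieve the server's leaf certificate in DER form. Chain validation is
    disabled here only because the certificate is self-signed; the pin check
    is what replaces it, so never reuse this context for ordinary traffic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_host(host: str = "unilang.org") -> bool:
    """Compare the live certificate against the SHA1 pin (MD5 is collision-prone,
    so it is kept only as a secondary hint, not as the deciding check)."""
    der = fetch_der_cert(host)
    return matches_pinned(der, PINNED["sha1"], "sha1")
```

If the comparison fails, the right response is not to add the exception but to treat the connection as untrusted until the fingerprint can be confirmed through another channel.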