Add HTTPS on community.revolut.com


#1

Hello,

Looks like this is an issue most people are forgetting. This forum (community.revolut.com) should use HTTPS for better security. It could save people from potential MITM attacks on a public Wi-Fi network for example.

Revolut, you can use Let’s Encrypt, a free SSL certificate issuer :slight_smile:
https://letsencrypt.org/


#2

Yeah, for sure it would be great. :smiley:

In fact Discourse offers an SSL solution; or if it’s a self-hosted version, Let’s Encrypt or even a paid certificate is a great option. :wink:


#3

I’d noticed this too. It is a little disturbing when finance companies don’t take security seriously :confused:


#4

Well, I won’t go to that extreme point. Revolut’s security is excellent, using HTTPS, AES encryption and even VPN tunnels through the app to protect the connection… plus non-optional double authentication! :smiley:

But yes, the forum should be secured too. :confused:


#5

Hey guys.

I agree. Will look into this. :slight_smile:


#6

The security footprint should include all sub-domains. A man-in-the-middle attack could be performed on the forum, and that could then be used to provide malicious advice to assist with attacking the app itself.

Fintech companies need to look at the whole security picture, not just their app itself.

This is something that prehistoric banks seem to do much better at.


#7

Couldn’t have said it any better…
Makes us question how secure other things are.


#8

I got very confused whilst working on a bank’s website a while ago, as I couldn’t get a subdomain working with either HTTP or HTTPS, even with a supposedly valid HTTPS certificate. This was due to the use of HSTS, which blocked me from creating a valid subdomain even though I had access to everything I thought I required. I didn’t even know what HSTS was until that point, but it’s standard procedure for all (good) financial institutions.

This is a useful security measure which could prevent problems like this from occurring again, even if someone in management decides to (attempt to) bypass HTTPS like this.

More information on this can be found here:


#9

My comments above may have come across a bit harsh. IMHO Revolut is still far ahead of other financial institutions in most respects. Problems like this are significantly less serious than the problems with most banking organisations.


#10

One more point: the HTTPS setup on the root site does not support perfect forward secrecy at the moment. I’m not sure why this wouldn’t be implemented, so I’m guessing it’s just a bug in the HTTPS setup on the server.

This is another thing that most banks suck at, but Revolut is better than almost all of them.


#11

Yes! :smiley: Small point: HSTS and high SSL encryption block a great part of outdated devices; but that’s important…


#12

I didn’t think that would include many remaining devices. I’ll admit I don’t know for sure, just that other fintech companies I’ve worked with did not seem to consider that an issue.


#13

Any news on this?

Some random text to bypass min. 20 characters


#14

That “Not Secure” bar really puts off people’s trust.

Source:


#15

Wow, Google is becoming very aggressive with non-HTTPS. :open_mouth:


#16

I’m glad they are. That’s what it should always be.


#17

Still no HTTPS after a month :sob:


#18

Great news, HTTPS added :r: :champagne:


#19

Still no redirect or HSTS.
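The three things this thread keeps coming back to (plain HTTP redirecting to HTTPS, an HSTS policy that also covers sub-domains, and forward secrecy on the TLS connection) can be checked offline against captured responses. This is an added example, not code from the thread, Revolut or Discourse; the host forum.example.com, the responses and the cipher names are constructed samples.

```python
"""Offline audit of the points raised in the thread: HTTP-to-HTTPS redirect,
HSTS (with includeSubDomains), and forward-secret key exchange."""
from urllib.parse import urlsplit

def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value-or-True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives

def check_http_redirect(status, headers):
    """True only if a plain-HTTP request is redirected to an https:// URL."""
    location = _header(headers, "Location") or ""
    return status in (301, 302, 307, 308) and urlsplit(location).scheme == "https"

def check_hsts(headers, min_age=31536000):
    """Return (present, strong); strong = max-age >= one year and includeSubDomains."""
    raw = _header(headers, "Strict-Transport-Security")
    if raw is None:
        return False, False
    directives = parse_hsts(raw)
    try:
        max_age = int(directives.get("max-age", 0))
    except ValueError:
        max_age = 0
    return True, max_age >= min_age and "includesubdomains" in directives

def has_forward_secrecy(cipher_name):
    """Ephemeral (EC)DHE key exchange, or any TLS 1.3 suite, gives forward secrecy."""
    return cipher_name.upper().startswith(("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_"))

def audit(http_response, https_response, cipher_name):
    """Combine the checks for one host: (status, headers) for HTTP and HTTPS."""
    hsts_present, hsts_strong = check_hsts(https_response[1])
    return {"redirects_to_https": check_http_redirect(*http_response),
            "hsts": hsts_present, "hsts_strong": hsts_strong,
            "forward_secrecy": has_forward_secrecy(cipher_name)}

# Constructed samples: a forum still served over plain HTTP, and the fixed setup.
HTTP_ONLY = (200, {"Content-Type": "text/html"})
FIXED_HTTP = (301, {"Location": "https://forum.example.com/"})
FIXED_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
```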

