Originally Posted by 00001001
No TLS a.k.a HTTPS?
TLS/SSL will not make much of a difference. The very same parties who can intercept HTTP can also intercept HTTPS.
95% of HTTPS servers are vulnerable to trivial MITM attacks. If you fancy intercepting other people's TLS traffic over wifi, then install sslsplit or mitmproxy.
It is trivial to intercept mobile network traffic. There are cheap devices available to do that.
Originally Posted by 00001001
Anyway, for the love of god. Google for "Let's Encrypt", you can get an SSL certificate for free, as it is a non-profit. It would probably take you like 10 minutes to get the certificates and an additional 10 for changing the settings for your servers.
Using TLS/SSL will actually give a false sense of security. Security theatre is not without danger. Some people may really start believing in the effectiveness of what are otherwise just cargo-cult TLS rituals.
It is perfectly ok to start running the site in TLS/SSL but without ever making the false claim that it would then be safer.
It is quite possible to build relatively secure forum applications, but they will have to implement their own cryptographic primitives. For example, bitsquare.io has a famously secure architecture.
Another alternative is to do like Facebook and allow access to the site from the Tor network. It is also perfectly possible to run the site simultaneously on the clearnet and on the darknet (like Facebook does). Tor traffic to a darknet site is encrypted automatically over TLS/SSL, without the certificate-authority cesspool that makes HTTPS so vulnerable to interception.