Thank you for your reply.
While this occurrence could have been something like phishing, I had the feeling that there was more going on here so did some sleuthing and research this morning. While I am sure that you are well aware of what is summarized following, it may be helpful to those HM users with less technical background.
Some background:
- I am not a web expert nor an IT guy so my apologies if I get something very wrong.
- In the early days of web browsing, all connections were http://www. In technical terms, this connection utilizes hyper text transport protocol to access a web site. http: connections are open, in that they are unencrypted and a person with enough technical savvy could watch what was being sent and received.
- As web technology developed, the need/desire for online payment and use of other confidential records became obvious. To make this web usage more secure, the use of https:// was introduced where the s stood for secure. A secure socket layer or SSL encrypts the data such that it is much more difficult to intercept. In general, for several years web sites used http: and banks and other confidential sites used https://.
- In recent years the usage of https: has become more common as it provides a more secure web browsing experience. Web sites purchase a security certificate that allows them to move to https:// as the default. Most websites appear to still offer functionality in both normal and secure mode.
- I use Microsoft Edge day to day and for several years have had HM stored as a favorite.
- To start HM I type hobb in the address bar. My browser finds this address in my Favorites and suggests it to me as I type. By selecting this address I avoid typing the rest of the URL.
- In reviewing the Xenforo forum this morning (HM is based on Xenforo) it appears that this forum engine has at some point evolved to use of https://.
- As web browsers evolve, it appears that at least some are allowing default to the https:// even when the user attempts to access the older http://.
- I tested both Edge and Chrome and determined that they both allow use of http:// and are configurable for default to https://.
- The HM implementation of Xenforo appears to allow both http:// and https://. In the first case one does not get the secure site notification in the address bar. In the second case the lock symbol appears next to the HM URL.
- At some point Bitdefender started alarming password entry on http:// where the password is obviously transmitted unencrypted.
- My iOS devices all point to the secure URL so suspect that they auto direct.
What I think happened in my case:
- When I got the Bitdefender warning that day a month or so ago, it is clear that Edge pointed to the unsecured http://www.hobby-machinist.com. Looking at the screen shot above, Edge actually indicates to the left of the URL that it is not secure.
- Realizing that Edge Favorites was actually inserting the requested URL I looked at the URL stored in favorites and found that it was the insecure http:// version.
The fix: (I hope)
- I edited the Favorites HM entry to reflect the https:// URL and tested to be sure that typing only hobb would result in the secure URL. It did.
- I tested login using the secure URL and got no alarm from Bitdefender.
Next steps - I need to go through all of my favorites and update the URLs where necessary or I suspect I will begin to get security alarms from all sites transitioning to secure connections.
I hope this update to my issue may be helpful to others. If I have any of this wrong I would greatly appreciate a course correction.
Respectfully,
Bob
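
The favorites review described under "Next steps" above, as an added example that is not part of the original post: it assumes the favorites have been exported to an HTML file (the Netscape bookmark format that browsers such as Edge and Chrome write) and lists every entry still saved as http://. The sample entries are constructed, apart from the HM address quoted in the post, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an exported favorites file; only the HM address is from the post.
SAMPLE = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
  <DT><H3>Favorites bar</H3>
  <DL><p>
    <DT><A HREF="http://www.hobby-machinist.com/">HM</A>
    <DT><A HREF="https://example.org/">Already secure</A>
  </DL><p>
  <DT><A HREF="http://example.com/forum?x=1">Old forum</A>
</DL><p>
"""

class FavoritesParser(HTMLParser):
    """Collect (folder, title, url) for every link, tracking folder nesting."""
    def __init__(self):
        super().__init__()
        self.folders, self.links = [], []
        self._tag, self._href, self._text = None, None, []
    def handle_starttag(self, tag, attrs):
        if tag in ("a", "h3"):              # <H3> names a folder, <A> is a favorite
            self._tag, self._text = tag, []
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._tag:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "dl" and self.folders:    # </DL> closes the current folder
            self.folders.pop()
        elif tag == self._tag:
            text = "".join(self._text).strip()
            if tag == "h3":
                self.folders.append(text)
            elif self._href:
                self.links.append(("/".join(self.folders), text, self._href))
            self._tag = None

def insecure_favorites(html_text):
    """Return (folder, title, http_url, https_candidate) for each http:// favorite."""
    parser = FavoritesParser()
    parser.feed(html_text)
    found = []
    for folder, title, url in parser.links:
        parts = urlsplit(url)
        if parts.scheme == "http":
            found.append((folder, title, url, parts._replace(scheme="https").geturl()))
    return found
```

Each https:// address returned is a candidate to load in the browser before the favorite is edited, the same check that was made for the HM entry.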