"If you have an entity snooping your internet traffic. Then you have more of a serious problem and isn't probably just looking for simple forum passwords, its very sneaky business."
"So, if you had someone with the intent of doing something, an SSL cert wouldn't completely stop them."
I am not so worried about a man-in-the-middle attack, which sure is possible. And I am not worried about some point along the path sniffing the traffic - but then SSL would protect against that even.
What I am concerned about came about in another thread, where the OP there was asking about security options while on an open wifi network. During the process of discussion on what the exact concerns were (it is impossible to suggest a mitigation method unless you understand the risk you're trying to mitigate), it was posted that Neowin's logins were not even encrypted.
I personally did not believe it, so I double checked - and to my dismay it was in fact true. Which was the reason for my query to the matter here on the site and forum issue. Maybe it might have been a subject better discussed in the mvc/staff area? But it is a security topic that should be discussed with the community at large using the site.
My concern is not someone without inappropriate access along the path collecting forum logins; yes, your MITM comment is still valid with any sort of SSL, but again this was not the reason for the query.
More worried about local wifi sniffers, that quite often could be kids just out for some lulz, etc. Now those can be mitigated with a secure connection across the open wifi like VPN or SSH tunnel for browser traffic, etc. But if best practices were followed, the login info would be secure anyway - which would reduce the risk of some kids out for some fun using a browser addon and simple wifi sniff. Again I am not too worried about someone sniffing my traffic while at home or work, etc. Or place of business that has a secure wifi connection.
I doubt I would stop using Neowin if they don't change this method. But it would be nice to get an answer from the staff as to why they don't feel it's a concern, and why they don't use SSL to post the login info. So far info has been given as to why they don't hash the info before posting it, but I have not seen a reason for not using SSL to post this info?
edit: Thanks for the clear answer Redmak, looking forward to the upgrade
This is a clear answer to my question, and satisfies my concerns. It has been running like this since the get go it seems, so a few more weeks/months should not be too big of an issue.