I have noticed that this website does not automatically redirect to the https version of the website. I don't know if this is by design, leaving it up to the users if they wish to visit the website over plaintext or not, but it is common practice to automatically redirect to https as long as it is available. A lot of users might not even be aware of this, and if they log in over http then their password is sent as plaintext, and easily intercepted.
Thanks for the heads-up, Daerandin! I will contact Gizmo and see if he can set up HTTPS in the DNS hosting for us.
Daerandin, thanks for your observations. 1st, GOL doesn't send unencrypted passwords, whether you are using HTTP or HTTPS. This has been true for many years, and was true of AOA as well. We compute a salted hash in the browser, and exchange that with the server. 2nd, as you guess, we have left the use of HTTP or HTTPS at the user's discretion up to this point. As you point out, it's probably time to revisit that policy.
Great to hear that passwords are handled by JavaScript before being sent over the net. Personally I have no issues with regular old HTTP being available as long as there are no plaintext passwords being sent.