I do agree that SSL is a great idea and a security best practice. However, unless the information on the forum is sensitive (personally identifying info, PANs, or anything you don't want getting out in the public) using SSL might be overkill. Enabling SSL is free, this is correct. But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority. (GoDaddy, comodo etc). This can run you a few hundred bucks and you'll need to renew once the cert expired. The odds of a MiTM (man in the middle) capturing your traffic in transit off any of the routers at the ISP level is extremely low. Usually a MiTM is on one end or the other of the connection (on the servers network or the users). So again this lowers the risk of not using SSL. So basically unless the user is on a public WiFi or some one has hacked their network, the chances of the traffic being recorded is very low. And again, unless there is sensitive information, if someone were to get it they'd likely delete it. Plus unless your going to disable sslv2 sslv3 and tlsv1.0 as well there is no reason to use SSL.
I hope this info was helpful.
Cheers,
[email protected]
