I also run a small SMF forum on a non-HTTPS site - is this likely to be a problem ?
Without TLS (HTTPS), user logins and passwords are transferred in cleartext, and not at all difficult to sniff (more on this below). I will not use a password on a site that does not use HTTPS for the login part, and seriously recommend the same to others.
(I have done security-sensitive web-based login systems and especially the backend stuff. Also web site engines and such in PHP and Python. I write my own from scratch, without frameworks, because I
know how to make them very intrusion-resistant. I used to do this for a while as a job, for both companies and larger organizations like universities. When I look at the source code and configuration of open source forums, I weep. No, they're not good. They work, usually, but that's about it.)
TLS (as used currently for HTTPS) encrypts the traffic both ways, so that sniffing ("overhearing") the traffic is no longer useful, unless you can somehow find out the temporary encryption key used. (Typically, this is done by either compromising or faking one end, for example by getting a certificate that makes the client believe they're connecting to the correct server, and then proxying the traffic between the fake server to the real server, as if the fake server was the actual client.)
Unprotected traffic is sent in cleartext. For example, your username and password are sent as HTTP POST data. If an attacker manages to subvert any of the machines along the data path between the client and the server, they can observe all unencrypted traffic between the two. Typically, it is the router nearest to the client that is subverted; those things have very little security. Sometimes, the web hosting provider isn't very diligent, and a lucky attacker renting virtual servers from the same provider can sometimes see some of the traffic to the web hosts; but this is mostly a problem with very fast growing providers who cut corners and don't pay enough attention to information security.
What's the difference between using HTTP and HTTPS, if my own router was compromised, then?
In the case of HTTPS, the attacker also needs a fake certificate, to be able to fool the client to divulge the TLS encryption key. The attacker may also intercept unencrypted SMTP and IMAP connections, to insert/inject malicious payload attachments to subvert other computers via email, unless those are TLS-encrypted also. (I use IMAP with a dedicated TLS port; the STARTTLS stuff may be subvertable by a man-in-the-middle.)
Usually, private routers just participate in spamming and DDOS attacks, because encryption is so commonplace nowadays. But, without the fake certificate, which are neither cheap or easy to come by (and are rather quickly killed by revocation when found in the wild –– the user's don't usually even notice this stuff), it is more a matter of causing issues for others rather than to the owner of the router. (Which is also why so many routers do get compromised.)
Without TLS, the compromised router can easily see and manipulate everything transmitted without encryption. It is also rather simple to set up a filter to grab only HTTP traffic when
username or
password also appears nearby, to help with username + password harvesting. How often the attackers actually do that, I don't know; that sort of statistics are typically only known to security specialists at larger, well-known antivirus/infosec companies.
I use Let's Encrypt for my own
minimal home page. Feel free to open that page, then click on the lock icon, and check its certificate info. I currently use OVH for my webhost (simple web site, not a virtual server), and they include Let's Encrypt certificates even on the cheapest (2€/month) hosting services.
Let's Encrypt is an interesting
automated service. The way
OVH uses Let's Encrypt is interesting, and is possible for other web hosts to do. Other domain owners can set up their own, too; just
see the docs for the options. But obviously the easiest and most robust way to do it is to choose a hosting provider that does that for you already, because that way the certificate updates etc. are automatic once the trust relationships have been set up. I like it. For a commercial business, I would get a certificate from a commercial partner, one that cares about privacy and security, and does NOT have a history of "accidentally" putting out unauthorized certificates "due to human error". (That's how crooks get their fake certificates: they buy them from people with necessary access at certificate authority companies.)