Any server that requires a login must utilize SSL/TLS encryption... without it, there'd literally be no point to utilizing a password, thereby doing away with forum logins all together. Just as with a WebGUI that isn't utilizing https, if you login via a non-encrypted connection, your password is sent in plaintext, readable by anyone else on the network, or anyone sniffing traffic.
Additionally, certain browsers, such as Chrome, will not allow you to navigate to a webserver's pages if it's SSL cert has expired, which is probably why this thread has seen minimal activity over the past 3 days or so. As was also mentioned above, you're begging on your hands and knees for a MITM attack if you're not utilizing SSL/TLS encryption.
On a side note, when you buy an SSL cert from a CA, you're not paying for the certificate, you're paying for the management of the CRL. While businesses & forums must purchase their certificates for chain of trust to be maintained, if you're hosting your own content for yourself/friends/family, creating your own CA via an openssl.cnf and signing certs with it is more than enough due to the small pool of individuals accessing the content. One simply needs to post their CA.crt.pem on their site for download and installation by those utilizing the site, along with a complex hash (at least SHA256) to verify it hasn't been tampered with
(Last edited by JW0914 on 26 Jul 2016, 02:37)