Just curious if there's a reason why we're not using SSL for this website? If it's a cost issue, there's always LetsEncrypt as the alternative.
Since there's not a whole lot of PII or PCI data being handled by the forums, I doubt it's a huge priority. LE is a cool service though, except for renewing certs which can get annoying. I manage a few applications on Forge which handles the renewal process automatically. If it weren't for that I don't know that I would go to the trouble.
Last edited by AOD_Guybrush; 08-10-2016 at 08:35 AM.
Not a huge priority, I just don't like storing my password sent via plain text :P Not to mention that it'd help with SEO as I believe Google deducts a ton of points for non-ssl sites being indexed.
If we're not just using a simple webhost and have access to the system, renewing would be as simple as a single-line command via cron.
Code:
#!/bin/bash
# Request/renew the certificate only (certonly: no web-server config changes),
# then reload the web server on success or mail the log tail on failure.
./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d clanaod.net -d www.clanaod.net certonly
if [ $? -ne 0 ]
then
    ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
    # recipient address is obfuscated in the original post
    echo -e "The Lets Encrypt Cert has not been renewed! \n \n" "$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" [email protected]
else
    service nginx reload   # or: service apache2 reload, whichever serves the site
fi
exit 0
The site is behind CloudFlare and actually does use CloudFlare's free SSL. The problem is the forum is configured to serve static content non-SSL and I'm not sure how much work the site owners would have to go through to get it to do forced-SSL.
I take it none of you have gone to https://www.clanaod.net ?
What once was can never be again,
What is now will never come anew,
What will be will only pass once.
Cherish it all.
To give a more detailed answer (I suppose)...
Everything on our website can be accessed via http or https, even static content. We don't force https because the security it would provide is pretty minimal and there is nothing transmitted that any observer would be particularly interested in. Since we use the cloudflare CDN to protect against DDoS attacks, cloudflare is already a man-in-the-middle and no one should consider the data they put on our website absolutely secure (because there is no way for me to make that guarantee).
I can understand wanting to prevent your workplace or school from eavesdropping or filtering your content, so you do have https available.
To address another concern here: Your password is never "sent in the clear". The forums store a salted cryptographic hash of your password which is used to validate a hash computed by your browser.
Also... We don't care much about SEO and google can down rank us all day long for all I care (Silencer might get bent out of shape by that comment :P )
Last edited by AOD_Archangel; 08-10-2016 at 10:55 AM.
I mentioned the site already supports SSL - which implies I've been there. However, that isn't 100% SSL as there is static content being served over non-SSL - something most browsers warn about. And the biggest crutch: Try navigating to another page. Some of the links redirect you back to non-SSL.
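The two problems raised in this thread (static content loaded over http on an https page, and links that send the user back to http) can be checked mechanically. The following is an added example, not code from the forum or its owners; the hostnames in the sample page are constructed placeholders, and the scanner is meant to be run over HTML you have fetched from the https version of a page:

```python
"""Mixed-content checker: lists http:// sub-resources and links on a page served over https."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag attributes that load sub-resources (browsers warn on or block these when http on an https page).
RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src",
                  "form": "action", "source": "src", "video": "src", "audio": "src"}
NAV_ATTRS = {"a": "href"}  # plain navigation: not mixed content, but drops the user back to http

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url           # the https URL the document was fetched from
        self.insecure_resources = []       # http:// sub-resources (mixed content)
        self.insecure_links = []           # http:// navigation links

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in RESOURCE_ATTRS:
            self._record(attrs.get(RESOURCE_ATTRS[tag]), self.insecure_resources)
        if tag in NAV_ATTRS:
            self._record(attrs.get(NAV_ATTRS[tag]), self.insecure_links)

    def _record(self, value, bucket):
        if not value:
            return
        # Resolve relative URLs against the page; "//host/x" inherits the page's https scheme.
        absolute = urljoin(self.page_url, value.strip())
        if urlparse(absolute).scheme == "http":
            bucket.append(absolute)

def scan_html(page_url, html):
    """Return (insecure_resources, insecure_links) found in html served from page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure_resources, scanner.insecure_links

# Constructed sample page; hostnames are placeholders, not the real forum's.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.invalid/style.css">
<script src="//cdn.example.invalid/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://images.example.invalid/logo.png">
<a href="http://forums.example.invalid/forum.php">Forum home</a>
<a href="/members.php">Members</a>
</body></html>"""
```

Feed `scan_html` the HTML of each page fetched over https; a non-empty first list is what triggers the browser's mixed-content warning, and the second list explains why navigation "redirects you back to non-SSL".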