HTTPS encryption

Would be awesome if you could add HTTPS along with HSTS support to the forums. I don’t feel comfortable logging in with a password that everyone capturing my traffic can read in clear text.

I think you could even go so far as to drop HTTP support entirely because none of us use Internet Explorer 5. Therefore everyone’s browser should support HTTPS without any issues.
Also make sure to deactivate support for SSLv3 as it has been branded reeealy insecure.

5 Likes

What no please
I am on Windows 95 and I use Netscape to browse the forums
please don’t do this to me :slight_frown:

Or maybe I failed and even Netscape has HTTPS support.
Who knows

3 Likes

It doesn’t even have to cost anything: https://letsencrypt.org/

In this case, it’d probably still be insecure because the used cipher would most likely be deprecated.

Yeah, SSLv3 was deemed really, really insecure in the last few years, and the majority of servers these days deactivate legacy support for it.

Any news on HTTPS encryption in the forums?

We’ve looked into doing this, but there is more focus on the game at the moment and the current hosting provider doesn’t make this a simple task to do.

Still, it’s at least on the back of my mind, and I’m sure we’ll look at it again in the future.

I’d like to HTTPS all the things, but that isn’t always easy.

I assume this means Let’s Encrypt was no viable option.

This is what we were looking into, but things got in the way. We’ll look into it more when we aren’t super busy.

1 Like

Just my own opinion here: HTTPS encryption for message boards is impractical as it requires all content (embeds, images, etc.) to be hosted on site. The reason being that loading content from a non-HTTPS connection (roughly 98% of the internet) would break the “security” of HTTPS, so external content would break on that “secure” connection.

On second thought, why are you worried about people sniffing your traffic?

I mainly fear identity theft when connected to a public unsecured internet connection such as a mobile network or a Wi-Fi hotspot. They could steal my session and then start shit posting using this account.
Most pics here are hosted by the forum itself btw. And only a few are on imgur. I assume that they also support HTTPS so changing the URLs should solve that.

If you’re connected to a public unsecured network, shouldn’t you use a VPN in that case?

Good point but how much can you trust an external provider compared to a phone company? HTTPS is the best way to ensure that what you receive wasn’t modified in any way and even Google will implement warnings for unencrypted web pages in the next few versions of Chrome. http://www.cnet.com/news/chrome-warning-insecure-http-websites-expose-passwords-credit-card-numbers/

While true (regarding session stealing), it’s fairly unlikely someone attacking a public network is going to want your forum account for a game. One of the few reasons I see it being worthwhile is SEO purposes. On the other hand, you’re (most likely) not doing anything on this forum that is potentially threatening to be in the open.

The only real attack I can imagine is a player against a player, say through malware, and HTTPS isn’t going to stop a RAT from collecting your keystrokes.

But it’s just too easy to do. That’s why Google wants to enforce it. Also implementing HTTPS is super easy thanks to Let’s Encrypt (their bot does it for you).

Let’s Encrypt is a mediocre way of securing a site at best, in my opinion. There are too many factors in the back end I’ve personally dealt with that have broken Let’s Encrypt, either requiring me to completely remove it from the system or going through numerous hoops to find the fix myself.

I had forgotten about Cloudflare SSL though, which is also free and much simpler to set up.

@Caboose700, tagging you in this for a simple solution to the problem (well, maybe. I’m not 100% sure what other services you’re running with your host).

Forward your domain’s name servers through Cloudflare. It’s a free service and allows you to manage your analytics (i.e. Unique Visitors; http://i.imgur.com/q9rNTNp.png ), cache your content, and tons of other features. Not to mention, masking the external IP of the forum (in a sense, free DDoS protection).

Along with those awesome features, they also offer free SSL that doesn’t require running commands. 3 clicks, and you’re done.

A flexible certificate is exactly what you would need, as it allows members to use SSL at their leisure, but not force it upon members if not required. It’ll only be HTTPS if the user specifically navigates to it (unless you want to force SSL connections).

Hope this is a reasonable solution for the both of us, Zen!

Quick edit, here’s my site which flexible SSL is enabled on. http://jk.la vs. https://jk.la

1 Like

Is it a bad idea to enforce SSL? Unless you are using Windows 98 it shouldn’t be a problem, right? This could be done using NGINX redirects btw.
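
As an added example (not part of the original posts and not the forum's actual configuration), this is what the thread's requests look like in nginx: an HTTP-to-HTTPS redirect, HSTS, SSLv3 switched off, and a Let's Encrypt certificate. The hostname `forum.example.com`, the certificate and webroot paths, and the upstream address `127.0.0.1:3000` are assumptions.

```nginx
# Added example; forum.example.com, the paths and the upstream address are assumptions.

# Port 80 stays open only to redirect and to answer Let's Encrypt HTTP-01 challenges.
server {
    listen 80;
    listen [::]:80;
    server_name forum.example.com;

    # Renewal requests arrive over plain HTTP, so exempt them from the redirect.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Redirect to a fixed hostname rather than echoing the client's Host header.
    location / {
        return 301 https://forum.example.com$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name forum.example.com;

    # Paths as laid out by certbot (assumed ACME client).
    ssl_certificate     /etc/letsencrypt/live/forum.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example.com/privkey.pem;

    # Weak:     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Hardened: SSLv3 and the early TLS versions are not offered at all.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: a browser that has seen this header refuses plain HTTP to this
    # host for a year. "always" also attaches it to error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        # Lets the forum software know the original request was HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` before reloading. HSTS is only honoured when received over HTTPS, and a short `max-age` during rollout keeps a misconfiguration from locking visitors out for a full year.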

No, not a bad idea at all. Why force change when it isn’t necessary, though? A forum post can just alert members that the site allows SSL connections.

I just reviewed Caboose’s posts, though, and it looks like the site is stuck in a domain registrar that’s connected to his hosting services. Gritting my teeth behind my computer.

Hope he’s able to find a reasonably simple* solution.

Their domain is on Dreamhost but the server runs in NY through DigitalOcean. Maybe Let’s Encrypt is better than nothing.

Or Dreamhost is just a reseller. ;^)

Nah their main website is hosted using Dreamhost and they use DigitalOcean for the forum to handle the load we put on it. You get your domain for free during the first year you use their hosting service but afterwards they charge you regular fees. They also advertise Free SSL encryption through Let’s Encrypt.