HTTPS encryption

Well, if they have “forums.pixeltailgames.com” pointed to a VPS, I’m sure you can point it to nameservers just as easily.

We’ll see what Caboose has to say when he has a chance to look into it.

Truthfully, if we do this, it’ll probably be with Let’s Encrypt.

How Cloudflare does their SSL doesn’t sit well with me, as Cloudflare sits as a Middle Man in the connection, which kind of defeats the entire point in my mind.

All this being said, still can’t give any timeline to when we will get to the HTTPS stuff on the forums.

3 Likes

In theory, it’d still be a secure connection because Cloudflare is the one hosting your content with my workaround. The DNS would be hosted through them, though it sounds like you have some experience with their services.

The more you load from the same server the better. Not every 3rd party service out there should be able to track you using the server requests you send them. (Google Fonts for example)

As already mentioned, Cloudflare is MITM HTTPS, you don’t really want that. Also, have you ever tried to visit Cloudflare-protected sites via Tor? The experience is less than pleasant.

Well the point of a site protected by Cloudflare is to protect it from unwanted visitors, so having an unpleasant time is better for the security of the site… And we’re talking about MITM attacks, not external tracking? I’m not sure where your info is being relayed from.

Not to mention most Tor nodes are monitored harder than public networks. You really shouldn’t be using Tor as your daily browser.

And what makes you think more bandwidth is better? I don’t remember if DigitalOcean has specific bandwidth plans, but my previous VPS at Vultr (before I started using Cloudflare) was DDoS’d with about 250GBps of power and basically maxed my bandwidth for the month. Thankfully those cloud hosts charge hourly so I was able to just open a new VPS, but the point sits.

Cloudflare also caches content for faster loading and less bandwidth from host server, not to mention Cloudflare has servers worldwide so your connection will be much better across the globe.

I don’t see a negative effect, honestly.

I can live with a CAPTCHA every few minutes but I’d prefer not to. (25:10)

I was just making a side note on why what you called impractical is better for the user.

In order for Tor to work, the more “normal” HTTPS traffic the better.

I don’t see the effect, as mentioned Cloudflare offers MITM HTTPS.

I’ve stressed my points. Honestly I don’t give a fuck if SSL is added or not, I’m smart enough to know when I’m safe, so this is my last reply.

Regards to Caboose and the final decision of the team.

Please, please, please, please do not remove http support.

I am totally fine with the site supporting https for those who wish to use it.

There are some of us who absolutely despise https. There is a reason Google is getting so much backlash for trying to mark all http sites as “unsafe”.

If you are particularly worried about your traffic being sniffed, then go ahead and use https (or Tor / I2P). There is absolutely no reason to remove http support.


On another note,

> Zennoe: they use DigitalOcean for the forum

This makes me very happy because I like DigitalOcean a lot.

I never understood why. So I’d appreciate it if you could explain it. Despite a bit more CPU time required for sending the data I don’t see that many disadvantages so I’d love to hear your point.

It’s slower on both sides. It has higher latency. It can prevent people in certain areas and from certain connections attempting to access the site. The certificate and CA chain add soooo much to connection overheads. Dealing with a CA means having to renew it and all that shit.

But more importantly, https is less safe.
I know, that sounds crazy, but hear me out for a second.
More protocols means more open ports, more security updates, more possible security flaws, more configuration, and a greater attack surface. As a pentester (or “white-hat”), having https is just more opportunity for exploits, and simultaneously complicates things for your own security team.

Then, if your website loads any external information that isn’t encrypted (user’s avatars, embedded videos or pictures, etc.) then you’ll be marked as “insecure”.

Virtual hosting is still problematic when dealing with https.

Using https is leading to http/2 which doesn’t fix anything and, as I must agree with Poul-Henning Kamp, does nothing significant to improve privacy. I think we should get rid of cookies as an idea and replace them with an identity / session facility.

Then we get into CA/PKI (Public key infrastructure, Wikipedia), which I personally think is a load of horseshit and anecdotal to net freedom.


Something way cooler (which I've been developing privately for a while now) would be to have the webserver generate a new GPG keypair and have the client do the same, and both immediately save a copy of the other's public key. Then when someone logs in you don't even need to exchange keys, since both sides already have the other's public key from registration time. This gives you the upside of encryption and stops people from being able to MITM you, and saves you from all the extra latency and dealing with CA/PKI. It also works as a third-form authentication (instead of those dumb phone apps) which is completely anonymous and doesn't require anything that could give away your identity, like a phone.
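The login step of the scheme described in the post above, as an added sketch that is not the poster's code: both sides pin the other's public key at registration, then prove possession of their private key by signing a fresh nonce. Ed25519 from Node's built-in `crypto` stands in for GPG keys; the function names, the role labels and the `onWire` parameter are assumptions of this example, and it covers authentication only, not encryption of the session.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Each side generates its own keypair (Ed25519 stands in for the GPG keys).
const newParty = () => ({ ...generateKeyPairSync('ed25519'), pinned: null });

// Registration: both sides save the other's public key, once.
function register(a, b) {
  a.pinned = b.publicKey;
  b.pinned = a.publicKey;
}

// The signed message binds a role label to the verifier's fresh nonce, so a
// signature cannot be replayed later or reflected in the other direction.
const message = (role, nonce) => Buffer.concat([Buffer.from(role + ':'), nonce]);
const respond = (party, role, nonce) => sign(null, message(role, nonce), party.privateKey);
const check = (verifier, role, nonce, sig) =>
  verifier.pinned !== null && verify(null, message(role, nonce), verifier.pinned, sig);

// Mutual login with no key exchange. `onWire` is whoever actually answers the
// client (hypothetical parameter); it defaults to the real server.
function login(client, server, onWire = server) {
  const nc = randomBytes(32); // client's challenge to the server
  const serverOk = check(client, 'server', nc, respond(onWire, 'server', nc));
  if (!serverOk) return { serverOk, clientOk: false }; // client aborts here
  const ns = randomBytes(32); // server's challenge to the client
  const clientOk = check(server, 'client', ns, respond(client, 'client', ns));
  return { serverOk, clientOk };
}

// Constructed demo parties: `other` holds a key the client never pinned.
const client = newParty(), server = newParty(), other = newParty();
register(client, server);
console.log(login(client, server));        // both checks pass
console.log(login(client, server, other)); // pinned-key check fails, client aborts
```

The pins are only as trustworthy as the channel they were exchanged over at registration: a client that registered against a substituted key will accept the holder of that key at every later login.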

If/When we add HTTPS, we won’t be removing normal HTTP operation.

3 Likes

Yay!

I hope my rant was informational to some extent. :yum:

I disagree with almost all of it (to each their own, people will disagree) but I’m with you about leaving normal HTTP for people who don’t want to use HTTPS.

3 Likes