Why don't we have https?

Posted: Sun Jan 07, 2018 5:54 pm
by wix
I don't know if this issue has been raised before (couldn't find it by searching), but is there a reason why the forum is not using https? Every time I log in, Firefox reminds me that this is an insecure site and I shouldn't be giving it my account details. I think most modern web browsers do this.

It seems, at least to me, that there really is no reason for any website to not be secure in 2017, 2018 even, especially a forum with a login function.

Here are a few reasons I found to use https:
  • It stops account hijacking by people who snoop on network traffic. (Roommate, Coffee shop...)
  • It provides some privacy in that the contents of posts are hidden. (Mainly applicable for people in countries that restrict free speech.)
  • It prevents ISPs or anyone else from tampering with the webpage and inserting ads.
  • It removes a barrier for anyone who might have wanted to make an account, but their browser gave them a warning. (Yeah, I'm serious about this one.)

I don't know exactly how difficult it is to convert a phpBB forum to use https, but it's certainly possible (maybe even pretty easy). Also, certificates are cheap, apparently free now with Let's Encrypt.

I don't mean to come across as harsh, but it feels like a bit of a disservice and a clear improvement to make. What do you all think?

Re: Why don't we have https?

Posted: Sun Jan 07, 2018 7:56 pm
by takenoko
Honestly don't know. I'd have to ask our tech guy.

Re: Why don't we have https?

Posted: Tue Jan 09, 2018 12:02 pm
SSL certs are not cheap. While there is Let's Encrypt, it can be tricky to get it working on an automated basis as those certs are only valid for 3 months.

Just depends how much work you want to put into it versus the cost of simple solutions.

Re: Why don't we have https?

Posted: Tue Jan 09, 2018 1:12 pm
by wix
Sure, it depends on how much work you put in, but I think it is an important feature.

I spent a couple of hours yesterday replacing my self-signed certs with Let's Encrypt for a personal site and it wasn't a huge task. Admittedly, I don't know if the timer job I set up works yet, but you can always set it to a few days early to allow some time to check it.

Can you give it a shot? I don't know what your system is, but as long as the http service is untouched by the changes, the forum should still be in business. I might be talking out of my ass here, though.

I'd be more than happy to assist with troubleshooting/testing if you want.