Add HTTPS support

Nuke928 · 08-09-2016, 03:13 AM

In order to make the site a little more attractive HTTPS support should be added, both for security and because it makes the site feel safer. It's very easy now to get a cert from Let's Encrypt.

What do you guys think?

Vanni · 08-09-2016, 04:38 AM

I didn't even notice it was not encrypted, I thought it was HTTPS all along >_>
Anyway, personally I have no problem.

Lex Rudera · 08-09-2016, 04:56 AM

Having spent the last couple of days reading up on web site security, my jimmies are just rustling over the overhead that https adds. I don't really care for https outside of login pages, I've got to admit.

Nuke928 · 08-09-2016, 08:29 PM

(08-09-2016, 04:56 AM)Lex Rudera Wrote: Having spent the last couple of days reading up on web site security, my jimmies are just rustling over the overhead that https adds. I don't really care for https outside of login pages, I've got to admit.

How does https create any noticeable overhead? I don't think anyone has such crappy internet/PC that they'd even notice. Security is cheap.

***Wishdream*** · 08-13-2016, 04:30 PM

Ironically, I was trying to find an secure cert for the site. I might add that to the site when I have the time.
Thanks for providing Let's Encrypt >u<

Stormy · 09-07-2016, 11:31 PM

I don't see how HTTPS would make a forum more "attractive" and feeling safer is total BS unless you are safer. I'm not sure what there is to be safe from in any case. Also, 'noticeable overhead' is kind of dependent on what a given individual would notice. I could be wrong but the impact of that overhead would increase with an increased number of simultaneous users. I'm not against HTTPS, but I don't think it's strictly a necessity for a small fandom forum that's pretty darn quiet most of the time.

Lex Rudera · 09-08-2016, 12:07 AM

(09-07-2016, 11:31 PM)Stormy Wrote: ...Also, 'noticeable overhead' is kind of dependent on what a given individual would notice. I could be wrong but the impact of that overhead would increase with an increased number of simultaneous users. ...

Since I've been dabbling with writing web-servers on somewhat of a lower level, with more performance and cheap hardware costs in mind, the prospect of going through encrypting and decrypting for everything single request back and forth seems daunting to me.

So it's the server I have in mind, not the clients. I'd offload all the work possible onto the clients for the sake of the server, as long as it doesn't leave any security risks.

Stormy · 09-08-2016, 04:30 AM

(09-07-2016, 11:31 PM)Stormy Wrote: I don't see how HTTPS would make a forum more "attractive" and feeling safer is total BS unless you are safer. I'm not sure what there is to be safe from in any case. Also, 'noticeable overhead' is kind of dependent on what a given individual would notice. I could be wrong but the impact of that overhead would increase with an increased number of simultaneous users. I'm not against HTTPS, but I don't think it's strictly a necessity for a small fandom forum that's pretty darn quiet most of the time.

I was talking about server overhead, because if communications are encrypted then every received unit has to be decrypted and every sent unit encrypted. Both ends must do this for an encrypted connection, no? So, as the number of simultaneous users increases so does the impact of encrypting communications. I'm not knowledgeable enough to have any idea whether it's possible to leverage the client in a beneficial way in this department.