Thread: Why no HTTPS?

  1. #1
    Octorok

    Why no HTTPS?

    It's 2016, and for years the EFF has been recommending all websites use HTTPS, and even Firefox plans on deprecating insecure HTTP.

    This forum is a special case though, as it implements password login, so it should be considered important to add password protection.

    Some background regarding my experience with hosting HTTPS:
    Early in the life of my website, I quickly outgrew shared free hosting and have since been through several VPS services. I made sure that, before accepting any user accounts, my server implemented HTTPS. At first I attempted to do HTTPS only for login, but it became such a mess that it was easier to just run the whole site (except optionally the download section) with HTTPS, and I have even submitted my domains to the Chrome HSTS preload list.
    Originally I obtained certificates through DNS provider Namecheap (with whom I have decided to sever ties over various concerns) as a re-sold Comodo certificate, and it cost something like $10 a year. Now I use free, short-lived certificates from Let's Encrypt, which uses a special client to validate your server before issuing the 90-day certificate (I think they expect you to set up a cron job to keep the certificate updated).
    At regular intervals I test the configuration of my HTTPS server at https://www.ssllabs.com/ssltest/ and consistently get an A+ score.
    I run nginx, currently at version 1.11.5, which accelerates the HTTPS connection with the new HTTP/2 protocol.

    These days, the performance impact of HTTPS is minimal because modern VPS providers, including $10/month Linodes, support the hardware-accelerated AES-NI instruction set (EDIT: My Linode VPS didn't support AES-NI at the time, but it does now). Using a modern server program such as Apache httpd 2.4.23 or nginx 1.11.5 can speed up the loading of all those little icons in the edit page, as both servers support the new HTTP/2 protocol, which, as I understand it, uses multiplexing to load all the little icons in one shot with a compressed request. The HTTP/2 standard supports unencrypted connections, but no browser that I know of supports that arrangement, in order to deprecate plaintext HTTP.
    Last edited by BFeely; 11-19-2016 at 08:42 PM.

  2. #2
    Here lies mero. Died by his own dumbassitude.
    Because we're running in the 90s on AGN, don't you know that?

  3. #3
    Lynel Radium
    Sounds like a great idea. Depending on the current hosting environment, it could be done for free with Let's Encrypt; see https://community.letsencrypt.org/t/...art-guide/1631
    www.gameclimate.com
    Armageddon Games Administrator

  4. #4
    The Timelord
    QDB Manager
    ZC Developer

    One problem is that a cert that supports multiple domains is somewhere around £350 per year. Firefox are just idiots, as you certainly do not need SSL for most things, and it doesn't do that much anyway. A purchased cert differs in no way from a self-signed cert, either. It's mock security, at best. If your ISP blocks port 80, running a personal cert on the cheap and using port 443 will usually bypass that, and it's one of the most common uses of SSL for small sites.

    You know what Firefox should do? Reword all of their warnings to explain what each one means. They warn against self-signed certs, and domain->cert mismatches on subdomains, and all sorts of mad things that make it sound as if visiting a site with those is automatic malware. SSL doesn't prevent malware either, for those who (for whatever reason) do not know that; nor does it prevent WiFi signal sniffing.

    It's not that hard to crack a network, and intercept all transmissions, and decrypt them.

    I find it even funnier that they'd try to require SSL for sites with no submit forms.

    All this will mean is that complete technical morons--a lot of people who probably shouldn't be using computers in the first place--will be terrified by their web browser on a daily basis. It's a very bad move.

    I still use old FF versions personally, as newer ones are far more RAM-intensive, with no positive benefit. It's not just silly, it's probably going to be a disaster. People should put out a petition to the FF community, to the effect that this warning is not enabled by default, and that a user needs to enable it manually, or on installation. It should also be a quick setting, that a user can tick on, or off, from the FF main menu: 'Warn on HTTP'.

  5. #5
    Octorok
    Does armageddongames.net run on shared hosting, or does it run on VPS/dedicated? If the latter, then with letsencrypt.org you can get free HTTPS. If using shared hosting, though, things get way more dicey, because performing domain validation for a Let's Encrypt certificate requires special support installed on the provider's systems.

    On a semi-related note, I noticed purezc.net responds to HTTPS with an expired certificate. I know they could replace it with Let's Encrypt if they want to, because I learned they use Linode after it went down due to the big DDoS attack against their datacenter.

    With Let's Encrypt you can get multi-domain certificates issued too. I have a multi-domain certificate covering both my domains, plus a single-domain certificate for my secondary domain which is delivered to SNI-compatible browsers. Both are issued by Let's Encrypt.
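As an added example (not configuration from this thread, from armageddongames.net, or from any poster), here is the shape of the nginx setup the first and last posts describe: port 80 kept only to answer Let's Encrypt's http-01 domain validation and to redirect everything else, TLS with HTTP/2 on port 443, and an HSTS header that satisfies the preload list's requirements. example.com and the webroot paths are placeholders; the certificate paths follow certbot's default layout.

```nginx
# Added example, not the forum's own configuration. example.com and the
# /var/www paths are placeholders; /etc/letsencrypt/live/... is certbot's default layout.

# Port 80: serve only the ACME http-01 challenge directory (the "domain
# validation" step a shared host must support) and redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # the ACME client writes its challenge files here
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS plus HTTP/2 (negotiated via ALPN; browsers only speak h2 over TLS).
# The "listen ... http2" form is the syntax for nginx 1.9.5 through 1.25.0,
# which covers the 1.11.5 build mentioned in the thread.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Let's Encrypt certificates live 90 days; the renewal cron job must also
    # reload nginx, otherwise the old certificate stays in memory and expires.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS 1.2 only with forward-secret AEAD suites; older protocols cost SSL Labs points.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS: once a browser has seen this header it refuses plaintext HTTP for the
    # domain. Preload submission requires max-age of at least one year,
    # includeSubDomains and preload, so every subdomain must already work over
    # HTTPS before the header is added. "always" sends it on error responses too.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    root /var/www/example.com;
    index index.html;
}
```

Check the result with `nginx -t` before reloading; a missing certificate file or a stale cipher name fails there rather than at runtime.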
