Thread: Why no HTTPS?

  1. #1
    Octorok
    Join Date
    Dec 2001
    Age
    40
    Posts
    166

    Why no HTTPS?

    It's 2016, and for years the EFF has been recommending all websites use HTTPS, and even Firefox plans on deprecating insecure HTTP.

    This forum is a special case though, as it implements password login, so it should be considered important to add password protection.

    Some background regarding my experience with hosting HTTPS:
    Early in the life of my website, I quickly outgrew shared free hosting and have since been through several VPS services. I made sure that, before accepting any user accounts, my server implemented HTTPS. At first I attempted to do HTTPS only for login, but it became such a mess that it was easier to just run the whole site (except optionally the download section) with HTTPS, and I have even submitted my domains to Chrome HSTS preload.
    Originally I obtained certificates through DNS provider Namecheap (who I have decided to sever ties with for various concerns) as a re-sold Comodo certificate, and it cost something like $10 a year. Now, I use free, short-lived certificates from Let's Encrypt, which uses a special client to validate your server before issuing the 90-day certificate (I think they expect you to set up a cron job to keep the certificate updated).
    At regular intervals I test the configuration of my HTTPS server at https://www.ssllabs.com/ssltest/ and consistently get an A+ score.
    I run nginx, currently at version 1.11.5, which accelerates the HTTPS connection with the new HTTP/2 protocol.

    These days, the performance impact of HTTPS is minimal due to modern VPS providers, including $10/month Linodes, supporting the hardware-accelerated AES-NI instruction set (EDIT: My Linode VPS didn't support AES-NI at the time but it does now). Using a modern server program such as Apache httpd 2.4.23 or nginx 1.11.5 can speed up the loading of all those little icons in the edit page, as both servers support the new HTTP/2 protocol, where, as I understand it, multiplexing allows all the little icons to be loaded in one shot with a compressed request. The HTTP/2 standard supports unencrypted connections, but no browser that I know of supports that arrangement, in order to deprecate plaintext HTTP.
    Last edited by BFeely; 11-19-2016 at 08:42 PM.
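
The setup the post describes (whole-site HTTPS with a plaintext redirect, HTTP/2, and an HSTS header that satisfies the preload list's requirements), sketched as an added nginx example that is not part of the original post. The hostname `example.org`, the web root, and the certificate paths (the layout used by Let's Encrypt's certbot client) are assumptions.

```nginx
# Plaintext listener: serves nothing itself, only redirects to HTTPS.
# The HSTS preload list requires this redirect on the same host.
server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;   # assumed hostname
    return 301 https://$host$request_uri;
}

# HTTPS listener with HTTP/2. The "http2" listen parameter exists since
# nginx 1.9.5; from 1.25.1 onward use a separate "http2 on;" directive.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.org www.example.org;

    # Assumed paths: certbot's default layout for Let's Encrypt certificates.
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # TLSv1.3 can be added on nginx 1.13.0 or later built against OpenSSL 1.1.1.
    ssl_protocols TLSv1.2;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;

    # Preload eligibility: max-age of at least 31536000 seconds (one year),
    # plus includeSubDomains and preload. "always" also sends the header on
    # error responses. Preloading is hard to undo, so every subdomain must
    # already work over HTTPS before this header goes live.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    root /var/www/example.org;                  # assumed web root
}

# Renewal of the 90-day certificate from cron (assumes the certbot client):
#   0 3 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
```

Run `nginx -t` before reloading so a syntax error or an unreadable certificate path is caught while the old configuration is still serving.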
