Give us HTTPS

Zholef

You've recently given this website a makeover, made it pretty for the release of Civ6 and more compatible with smartphones, I hear. That's something, I guess, but everyone's passwords are still transmitted in cleartext, meaning they can be seen by anyone in between this website and its users' end devices, for example by the owner of a hotspot. With that in mind, you might as well post everyone's passwords on the front page and that would make all our accounts only slightly less secure. My point is, buy a certificate and allow access through HTTPS. I don't mean to sound ungrateful; this is a wonderful if insecure free-to-use website, but it's almost 2017 and not using encryption is getting embarrassing. Anyway, just a suggestion.
 
How much it costs normally and how much work to set it up?
 
@Thunderfall Unless your web host or software used makes it unnecessarily difficult, it should be rather quick and painless to set up. SSL encryption isn't a fancy feature. Enabling it might be as easy as checking a box in a menu somewhere. From looking at https://forums.civfanatics.com, it would seem that you are running an Apache web server with cPanel for configuration, which sounds good. That site, which currently only displays a placeholder message, in fact already is encrypted and does provide a certificate, albeit an invalid one. So basically you only need to do two things, tell your server to show this forum there too instead of the placeholder message and replace the invalid certificate with a proper one.

As for the cost of a certificate, that page: http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm lists some cheap options. Since this isn't a shop and little sensitive information is stored here other than our passwords and email addresses, a cheap one (anything less than $40 per year) should be sufficient. Personally though, I wouldn't use a free one for anything but testing. Free things so often come with hidden costs: https://www.techdirt.com/articles/2...voke-ssl-certs-vulnerable-to-heartbleed.shtml
 
Ok, will look into getting one then.

After having it set up, will visitors get automatically redirected to use the https version, even if they come from a URL with http://?
 
...And from what I've read, it seems that once it is configured for use on the webserver, in the actual XenForo configuration, it is actually just changing the forum URL to an https rather than http prefix. But tutorial info on this is pretty hopeless...
 
Ok, will look into getting one then.

After having it set up, will visitors get automatically redirected to use the https version, even if they come from a URL with http://?

That depends on the web server's software and its configuration, though in this day and age I don't see what benefit there would be in not re-directing.
 
I looked into it some time back at GoDaddy.

https://m.godaddy.com/products/ssl-certificates.aspx?ci=82941#compare-anchor

It costs about $50 a year per subdomain. For our case, we have two main sub-domains: forums and www.

I likely will get the 5 subdomains package. This way we can make gotm and hof use the .com domain instead of .net and make the entire site use https.

Will target this before end of the year...
 
I looked into it some time back at GoDaddy.

https://m.godaddy.com/products/ssl-certificates.aspx?ci=82941#compare-anchor

It costs about $50 a year per subdomain. For our case, we have two main sub-domains: forums and www.

I likely will get the 5 subdomains package. This way we can make gotm and hof use the .com domain instead of .net and make the entire site use https.

Will target this before end of the year...
Having five members signing up for permanent membership per year will easily pay for this.
 
I switched from using subdomains to subfolders on my own website to save money on HTTPS certificates. :p
 
I looked into it some time back at GoDaddy.

https://m.godaddy.com/products/ssl-certificates.aspx?ci=82941#compare-anchor

It costs about $50 a year per subdomain. For our case, we have two main sub-domains: forums and www.

I likely will get the 5 subdomains package. This way we can make gotm and hof use the .com domain instead of .net and make the entire site use https.

Will target this before end of the year...

It's possible to get free SSL certificates via https://letsencrypt.org/
Might be worth checking with the current host if they're not maybe already supporting "let's encrypt".
 
I have installed an SSL certificate and enabled HTTPS for both the forums and main site. :)
 
Nice :goodjob:.

Maybe it would then be good if someone could have a look if there's an easy way to change how the passwords are encrypted.
IIRC in vBulletin they were by standard encrypted with MD5, which is as good as no encryption (can probably crack all forum passwords in less than 5 minutes).
If there's an easy way to switch it to something proper (e.g. SHA256), then this would be very good :).
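
Added example, not part of the post above and not the forum software's own code: one way to move stored passwords off a legacy MD5 format without forcing a reset is to re-hash each password at that user's next successful login. It assumes the legacy value is an unsalted MD5 hex digest and replaces it with salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library; the record format, the iteration count and all function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune per host
PREFIX = "pbkdf2_sha256"

def legacy_md5(password):
    # Legacy format assumed here: unsalted MD5 hex digest (32 characters).
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def make_record(password, salt=None, iterations=ITERATIONS):
    # Salted, iterated PBKDF2-HMAC-SHA256; the record carries its own parameters.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([PREFIX, str(iterations), salt.hex(), dk.hex()])

def verify_and_upgrade(password, stored):
    """Return (ok, record_to_store) for a login attempt."""
    if stored.startswith(PREFIX + "$"):
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = make_record(password, bytes.fromhex(salt_hex), int(iterations))
        if not hmac.compare_digest(candidate, stored):
            return False, stored
        # Re-hash records that were created with a weaker work factor.
        if int(iterations) < ITERATIONS:
            return True, make_record(password)
        return True, stored
    if hmac.compare_digest(legacy_md5(password), stored):
        # Only moment the plaintext is available: replace the legacy hash now.
        return True, make_record(password)
    return False, stored

def login(db, user, password):
    stored = db.get(user)
    if stored is None:
        return False
    ok, record = verify_and_upgrade(password, stored)
    if ok:
        db[user] = record  # persists the upgraded record, or the same one
    return ok

# Constructed sample data: one account still on the legacy format.
USERS = {"alice": legacy_md5("correct horse battery staple")}
```

Accounts that never log in again keep their legacy hash, so the number of remaining 32-character records is the thing to track after rollout.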
 