Redirect HTTPS to HTTP for this forum?
 

Can't hurt.

SSL certificates cost money.

There's a few places where you can get them for free..

https://www.startssl.com/Support?v=1
https://letsencrypt.org/

But a simple re-direct from HTTPS to HTTP would be cool (which is also free)

There is absolutely NO REASON to have this site on HTTPS!!

Nothing private here........ All you do is cause potential connection problems FOR NO REASON!!

I resurrect this thread because I was just about to start a new thread and ask why the forum has no https... In fact, attempting to connect via https results in an error page for me.

While I agree with the previous poster that there is nothing really private on this forum, I believe that https should be best practice today for anything that involves a login procedure. Protecting your credentials should IMHO be taken serious these days.

Are there any plans to offer https in the future?

Best,
gecko

Of course the only person able to give an authoritative answer is Edwin, the forum administrator.

His last visit here was on 13 July 2016, six months ago.

The computationally expensive part of HTTPS is the initial negotiation. After that, it's cheap. And you want that to protect passwords anyway. It's impractical at best to attempt to securely request or submit passwords over HTTP.

Any counterarguments probably addressed here.

Whoops. Meant to quote/dispute not the OP's post.

Why?
 

I find this old thread very strange. The original question (if I understand the subject in the post correctly) was to redirect https secure login requests from browsers to the existing nonsecure http URL for this forum. So you think you are using a secure connection, but you are redirected to an insecure connection to enter your login credentials.

I disagree with the original poster. This would hurt, since users would get a false sense of security without any benefit.

Bill

I agree with Bill's post a thousandfold.

They mistyped the title. They meant to say


"Redirect HTTP to HTTPS for this forum?"

There is NO reason to put a reg site like this on HTTPS!!

The OP repeated the same order in a later post:
I don't disagree that a secure site is not needed. But that's not the topic in the subject. Redirecting does not cause a secure connection to occur unless a proper security certificate and other server features are available.

• Redirecting as you describe (http to https) just causes a security warning in the browser, since a secure connection is not allowed. If it was allowed, it would work like the automatic redirection from http://www.fastmail.com to https://www.fastmail.com.
• Redirecting as in the subject (https to http) would be a security flaw. We don't want to force a secure connection attempt with https and get redirection to an insecure http website.

Bill

Ya I just noticed they said the same thing twice...... (They are confused.... They meant to say HTTP TO HTTPS (The other doesnt make any sense @ all))

The only valid reason I could see for doing this would be to secure user credentials against interception, which is a somewhat valid concern, but perhaps not enough to justify the additional complexity, cost, and overhead of maintaining an HTTPS version of the site, and in particular forcing/redirecting users to that version — which as others have pointed out would potentially create needless connectivity issues.

Ultimately like any security assessment it comes down to the actual threat and risk we're talking about. As long as you're following best security practices and not reusing the same password everywhere (and password reuse is a very bad idea even if a site is fully SSL-protected), there's very little that an attacker is going to get from having your EMD password. Basically, they can compromise your account and impersonate you on these forums, read your private messages, and obtain your email address. How much of an issue that is for you really depends on what sort of things you're doing on these forums — if you're exchanging confidential information via the PM system, then perhaps you have something to be concerned about, but it's probably safe to say that most users aren't doing that.

Personally, I think most hackers have better things to do with their resources than target EMD profiles, especially on a per-user basis. There's just nothing of sufficient value here to make it worth anybody's time and effort.

Frankly, if I wanted to pick at nits, I'd be more concerned that EMD is still running considerably older versions of Apache (2.2.24 circa 2013), PHP (5.2.17, circa 2011), and vBulletin 3.6.12 (assuming PL2, circa 2009). That said, I'm not even that concerned about these, since with the exception of Apache, these are the latest patch releases for those streams. However, there are still known vulnerabilities in those as well that make a desire for SSL securing the transmission channels even less relevant by comparison.

It should always be https nowadays. This is one of the few places without it. I'm pretty sure we won't see much effort here due to the falling interest overall.

I've been using a vpn service for years and am not concerned about an emd breach at my end. And like someone else mentioned, we are low priority. I would hate to see my many year account hacked.