SSL

Should we go SSL?

  • No, doesn't worry me. (Votes: 1, 14.3%)
  • Yes, and I'll help pay for it. (Votes: 6, 85.7%)
  • Yes, and I am skint m8, you pay for it.. (Votes: 0, 0.0%)

  Total voters: 7
  Poll closed.

Guvnor

Administrator
Staff member
#1
Some peeps on UKRP have emailed me since modern browsers don't like insecure non-SSL sign-in pages.
Now.. we have already laid down some gelt for this board and I am ambivalent about the need to buy an SSL certificate.
On the other hand, it seems silly to be not following secure protocols.
It's £24 a year.

Of course, people should always use multiple passwords and especially for troll based elfgame space fantasy bulletin boards.. but is that enough?
 
#4
I'm not really up to speed with the implications of having it or not having it.
It would be good regardless of whether or not it is implemented, to be able to contribute to running costs - is there some way of doing this? A tip-jar or suchlike?
 

Newt

RunePriest
#5
When I was still working for the University of Manchester as a web developer, the entire domain was going SSL with University Web Managers encouraging site owners to get it installed. As well as the security and usability implications (which you've already hit upon), Google had updated their search engine algorithms to "lightly" weight sites using a certificate - to encourage people to make their sites more secure.
 

Ezio

Administrator
Staff member
#6
OK, so in the interests of informed decision-making, what these browsers are complaining about is the fact that when you sign up/log in to the Tavern, your username and password are transmitted as unencrypted plain text. This means that if someone is eavesdropping on your connection, say by using a packet sniffer or having access to a proxy server, then they can get hold of your account details.

The two questions to ask here are how likely is that to be happening, and how much damage would be done in the event that someone did get your login details. If we stored financial data, or even significant amounts of personal data, then I would regard SSL as absolutely essential. But since the Tavern only asks you for an email address, and you don't even have to give your real name, then it is perhaps more questionable how much we need it.

Newt is right that there is kind of a general drive to make more sites use SSL, and that Google apparently gives more weight to SSL-enabled sites, at least at the moment. Although since you can't view posts without being logged in, that second point is perhaps moot. However these initiatives are really designed to counteract losses of data of the kind that doesn't really exist on the Tavern. The only argument that really applies to us is that lots of people are lazy and use the same password for multiple sites. So a weak site like the Tavern can be used as a way to obtain a password that might then allow them to access a more important site.

Implementing SSL itself is reasonably straightforward. Provided our hosting provider knows what they're doing, the server side stuff should all get done for us. The forum software requires a few minor config changes. The biggest issue is usually embedded content using insecure links that then breaks pages - third party libraries, analytics, embedded images, etc. It won't affect images uploaded to this site such as avatars, but might affect resource links.
 
#7
The only argument that really applies to us is that lots of people are lazy and use the same password for multiple sites. So a weak site like the Tavern can be used as a way to obtain a password that might then allow them to access a more important site.
This, right here, is the reason this forum should use SSL. People are lazy. Not only will they re-use the same password, they will also be using the most stupid passwords. You may believe that it isn't your problem but with the availability of free SSL certificates there is no excuse not to encrypt your website.
 
#8
Definitely look at implementing https as a priority, but don’t buy an SSL cert, use Let’s Encrypt and get it for free.

From later this year Chrome (and I believe Firefox) are going to start flagging sites that don’t serve over https as Not Secure and will also flag any text entry field as insecure, not just password entry fields.

Here's a really good article on all of this - https://www.troyhunt.com/life-is-about-to-get-harder-for-websites-without-https/

Hopefully the developers of the forum software will look at integrating Troy's Pwned Passwords service to help users choose better passwords - https://haveibeenpwned.com/Passwords

- Neil.
 

Ezio

Administrator
Staff member
#9
Using free SSL certificates requires your hosting provider to support Let's Encrypt, which ours does not. It also requires you to be happy renewing your certificate every 90 days, which is a pain. If we decide to do this, I'd rather pay the money and not have to faff around.
 

Guvnor

Administrator
Staff member
#10
Yes, there is not a free option for us here. It's a paid service or none.

If Xenforo supports "have I been pwned" we will consider it. I am not convinced that just because a password has been pwned means it's been pwned for the user trying to use it, tho'
 
#11
Using Let's Encrypt is zero faff with the automated tools. If the hosting provider isn’t supporting it, then it’s a money grab on their part. But that’s where The Tavern is however, so as you say, it’s pay up or nothing. Let me know where to send the first £24!

The point about Pwned Passwords is not that the chosen password is necessarily pwned for the particular user trying to use it, but that it is almost certain that it's going to be amongst those used by credential stuffing tools trying to breach sites. Anything that reduces the risk from such tools is a good thing. But we are getting off topic, so let's park this particular discussion.

- Neil.
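The Pwned Passwords check Neil is describing, as an added example that is neither the forum's nor XenForo's code: the client hashes the candidate password with SHA-1, sends only the first five hex characters to the range endpoint (https://api.pwnedpasswords.com/range/{prefix}) and compares the returned suffixes locally, so the password itself never leaves the site. The range response below is constructed (only the suffix for "password" is real), and the live fetcher is included but not exercised.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response for the SHA-1 prefix
# 5BAA6: one "SUFFIX:COUNT" line per leaked hash sharing that prefix. The
# suffixes and counts are made up, except that the middle line is the real
# suffix of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": "\r\n".join([
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FFFF0123456789ABCDEF0123456789ABCDE:12",
    ]),
}

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """5-char prefix sent to the service, 35-char suffix kept client-side
    (the k-anonymity property of the range API)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF and blank lines tolerated)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample."""
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")

def fetch_range_live(prefix: str) -> str:
    """Query the real endpoint; not called by the offline demo."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Breach count for the password (0 means never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def acceptable_for_signup(password: str, fetch_range=fetch_range_offline) -> bool:
    """Registration policy: reject any password seen in a breach at all."""
    return pwned_count(password, fetch_range) == 0
```

Swap `fetch_range_live` in for the offline fetcher to check against the real service; the prefix is all it ever transmits.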
 