SSL?

[Guest ad-ARO-ble]

Would it be possible to allow an SSL version of the site. (i.e, encrypt data).

Currently the SSL certificate for the https site is for lunarbreeze.com for some reason.

With Let's Encrypt a certificate wouldn't cost, and would allow better security for everyone on the site.

[owl]

I thought about making a post on this, but I didn't really know enough about it... Only really came across it because it could be a way to bypass my school's block on the site, so...

[Blue Phoenix Ace]

It actually isn't free. My web host won't install a SSL certificate unless I have a dedicated IP address. That would cost me another 5 bucks per month.

[Blue Phoenix Ace]

I think this would be important if we were running a store front and accepting payments, but we aren't. What kind of concerns do you have with missing SSL here?

[Robin]

Seems overkill for a forum on which we are anonymous

[Guest ad-ARO-ble]

Just having passwords feels like grounds enough to use SSL tbh.

It sucks that your web host doesnt give dedicated ip's, i would have thought that would be standard.

[Blue Phoenix Ace]

The best things in life cost money. Like dedicated IP addresses.

[Robin]

16 hours ago, ad-ARO-ble said:

Just having passwords feels like grounds enough to use SSL tbh.

It sucks that your web host doesnt give dedicated ip's, i would have thought that would be standard.

So you should use a password that you don't use on any other site

[Spud]

3 hours ago, Robin said:

So you should use a password that you don't use on any other site

I guess it was a good idea not to cop out and use the same one for this site/AVEN as I do for a bunch of other sites then...

[Blue Phoenix Ace]

That's generally good advice for any internet user.

[DeMorgan]

Wow, I never realized how expensive SSL certificates are until I searched just now. That's horrifying.

[Spud]

3 hours ago, Blue Phoenix Ace said:

That's generally good advice for any internet user.

Yeah... I generally use a similar password for sites I don't care about (like weird internet games) because I don't think anyone would want to hack that anyway and also... I don't care about it. But certain sites I change the password to be more secure

[Guest ad-ARO-ble]

22 hours ago, DeMorgan said:

Wow, I never realized how expensive SSL certificates are until I searched just now. That's horrifying.

 

That's why I suggested Let's Encrypt. Because FREE!

 

[Blue Phoenix Ace]

I'm not sure how people can get away with charging an arm and a leg for a certificate, when other people are handing them out for free. Are some SSL certificates somehow superior to others? I don't quite understand.

 

In any case, in the far distant future, if we did open a storefront then I would certainly look into it.

[Guest ad-ARO-ble]

On 30 April 2016 at 6:26 PM, Blue Phoenix Ace said:

I'm not sure how people can get away with charging an arm and a leg for a certificate, when other people are handing them out for free. Are some SSL certificates somehow superior to others? I don't quite understand.

 

Let's Encrypt is a project by the EFF, Mozilla and a few other organisations to make encryption almost the default. The reason that they are the first to give them away is because they are the first organisation to be well known enough to become a certificate authority without it costing the earth.

 

To create SSL certificates, you basically have to tell everyone on the Internet that you make SSL certificates, and how to recognise your ones. To do this takes a lot of effort and money, so most certificate authorities will charge for a certificate.

 

Also, it supposedly keeps them from handing out fake certificates, but let's encrypt wouldn't do this either, because it's set up by people who like encryption.

[Tal Shi'ar]

This seems like a bit of an overkill for well, not much at all.

[Guest ad-ARO-ble]

Last time I suggested this, Let's Encrypt was still in its infancy. It's now more mature and should be much easier to get a free certificate.

 

And with increasing interception of communications (see investigatory powers act), I think that encryption is more important than ever.

 

I'm willing to pay for it, if Let's Encrypt isn't viable.

[Robin]

Let's Encrypt is only supported on dedicated servers. Arocalypse is on shared hosting, and it's up to the web host to support it. After a quick search, it appears that this web host doesn't. We must either pay for dedicated hosting or pay for an SSL certificate, which honestly isn't worth it for a small forum.

[Guest ad-ARO-ble]

20 minutes ago, Robin said:

Let's Encrypt is only supported on dedicated servers. Arocalypse is on shared hosting, and it's up to the web host to support it. After a quick search, it appears that this web host doesn't. We must either pay for dedicated hosting or pay for an SSL certificate, which honestly isn't worth it for a small forum.

 

5 hours ago, ad-ARO-ble said:

I'm willing to pay for it, if Let's Encrypt isn't viable.

 

[Robin]

Wouldn't it be better to support the server cost itself first? But if you're that bothered by SSL, I guess?

[Blue Phoenix Ace]

On 1/3/2017 at 3:18 PM, ad-ARO-ble said:

 

 

 

It's not just a matter of cashola (though it is also a deterrent), it's a matter of uprooting everything to move web hosts. I honestly don't see enough benefit from that just yet. Again, if we open a storefront and start accepting payments for Aro merch, then I'll reconsider.

 

EDIT: Wow, that quote didn't work too well did it? LOL

[Guest ad-ARO-ble]

If you cannot provide basic security to your users, I ask that you do all that you can to delete/deactivate my account and ALL INFORMATION THAT COULD BE USED TO IDENTIFY ME OR IS OTHERWISE CONSIDERED PERSONAL INFORMATION IN THE UK, as I do not believe that you are taking the necessary precautions to safeguard it.

[Robin]

12 minutes ago, ad-ARO-ble said:

If you cannot provide basic security to your users, I ask that you do all that you can to delete/deactivate my account and ALL INFORMATION THAT COULD BE USED TO IDENTIFY ME OR IS OTHERWISE CONSIDERED PERSONAL INFORMATION IN THE UK, as I do not believe that you are taking the necessary precautions to safeguard it.

 

 

EDIT: Actually, VPN would be your best bet. Even if we used SSL, it wouldn't prevent the government from knowing that your IP has visited this domain, and that is the only thing the UK is storing. If you don't want the government to know you're aromantic, use a VPN.

[Guest ad-ARO-ble]

10 minutes ago, Robin said:

EDIT: Actually, VPN would be your best bet. Even if we used SSL, it wouldn't prevent the government from knowing that your IP has visited this domain, and that is the only thing the UK is storing. If you don't want the government to know you're aromantic, use a VPN.

Because a VPN won't do anything for: MITM attacks, potential unseen poor security practices, etc.\

I'm not worried about what the UK government is tracking. I have that covered.

[Robin]

4 minutes ago, ad-ARO-ble said:

Because a VPN won't do anything for: MITM attacks, potential unseen poor security practices, etc.\

I'm not worried about what the UK government is tracking. I have that covered.

Well, that's true, but this is literally just a forum. Not handling sensitive information here, at least not personally identifiable ones.