TLS Certificate (Let's Encrypt)
#1
Hey, why not? (https://letsencrypt.org/) Let's Encrypt is free, so I think we should implement this to make this forum (more) secure.
#2
The forum already has SSL support through CloudFlare. I just switched some settings to use relative URLs, so it should work fine now.
#3
Make it always on or at least on in specific areas such as log in and register.
#4
No SSL for me on this forum.
But you are aware that CloudFlare only encrypts traffic from a user to their servers and all traffic from their server to the forum will not be encrypted?

You can use your own certificate with CloudFlare but then they pretty much act as a Man in the Middle which is not really better for security.

So I think CF HTTPS support is not useful for security. It's rather for a slightly better score in Google search.
#5
Same here, there's nothing telling me we're using a secure server or a HTTPS.
Besides, isn't TLS meant to work better, especially considering SSL 3.0 = POODLE attack - I don't know exactly what it is but it can still be some kind of exploit? Who cares if it means anyone with IE9 and Vista can't access the site, people who use IE need to learn that it's only good to download other browsers with :)

(IE probably only just realised it was discontinued in favour of Microsoft Edge last week or something, but its reply was "it can't download browsers better than me though can it")

As for CF/HTTPS and Google: I wish we ranked higher for 'web hosting community' already considering we're really good lol.
Jamie Dignam
KV32 Gamers - gaming blog/forum/wiki
#6
I agree that getting an actual certificate on the server, telling Cloudflare to use strict mode and forcing HTTPS for all traffic is much better than the current setup.

(04-16-2016, 12:22 PM)Cammygirl192 Wrote: Besides, isn't TLS meant to work better
If you read any article about SSL written in the last ten years which wasn't specifically about SSL 1, 2 or 3, it always includes TLS in the definition as well. It's just that everyone abbreviates the family of technologies of SSL/TLS to SSL. Also, lots of configuration tools call it SSL too, even though they may not support SSL 1-3.
Owner of InfinityFree (formerly Grendel Hosting) and XVHOST.
#7
(04-16-2016, 11:24 AM)Apollo Wrote: No SSL for me on this forum. 

I don't get why you don't want SSL for this forum. It makes the connection encrypted and makes the users feel safer from thieves and session hijackers (although there's no way to 100% prevent it) and HTTPS can also be faster than HTTP, you can check/test it here: https://www.httpvshttps.com/

It can also boost the rank of the site. Search engines like Google now prioritize websites with an HTTPS connection since it is way more secure.

(04-16-2016, 11:24 AM)Apollo Wrote: But you are aware that CloudFlare only encrypts traffic from a user to their servers and all traffic from their server to the forum will be not encrypted?

Yes, I am aware. What I'm trying to point out exactly is, we can use Let's Encrypt and set the CloudFlare SSL as Strict, so all the traffic will be encrypted.
#8
(04-17-2016, 08:22 AM)Ronnel Wrote: I don't get why you don't want SSL for this forum. It makes the connection encrypted and makes the users feel safer from thieves and session hijackers (although there's no way to 100% prevent it) and HTTPS can also be faster than HTTP, you can check/test it here: https://www.httpvshttps.com/
It can also boost the rank of the site. Search engines like Google now prioritize websites with an HTTPS connection since it is way more secure.
Yes, I am aware. What I'm trying to point out exactly is, we can use Let's Encrypt and set the CloudFlare SSL as Strict, so all the traffic will be encrypted.

You got me wrong. All I wanted to say is that I can't access this forum over HTTPS. Even Login and Registration is unencrypted on this site! HTTPS does need more CPU power, but for a forum this small it should not matter at all.

Yes, like I said, you can get a better Google score if you are lucky.

Yes, but CloudFlare will still need your cert or use its own for encryption between the user and their servers. Otherwise they can't sniff traffic and avoid attacks. That's the downside of CF. It is a classic Man in the Middle attack. If any authority asks them to decrypt all traffic they can totally do that. Which does not mean that a CDN is a bad thing but you should consider using some alternatives which are more privacy orientated when DDoS is over.
I know, CF is cheap and effective against DDoS...
#9
HTTPS is now being enforced for all pages. I'm working on getting full SSL, but this should be good enough for now.
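Added example, not part of the thread and not the forum's own code: one way to verify that HTTPS is enforced on every page, including the login and registration pages raised in #3 and #8, by checking what a plain-HTTP request gets back. The host `forum.example`, the paths and the sample responses are constructed assumptions. The check only sees the visitor-to-edge leg, so it cannot tell whether the CloudFlare-to-origin leg discussed in #4 and #6 is encrypted.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def classify(status, location):
    """Classify the answer to a request made over plain HTTP."""
    if status in REDIRECTS and location:
        # A relative or protocol-relative Location keeps the visitor on
        # http://, so only an absolute https:// target counts as enforced.
        if urlsplit(location).scheme == "https":
            return "enforced"
        return "redirect-not-https"
    # Anything else (200, 404, ...) means the server answered in clear text.
    return "served-in-clear"

def probe(host, path, timeout=10):
    """Fetch status and Location over port 80; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def unenforced(observations):
    """Return the paths whose plain-HTTP response does not force HTTPS."""
    return [path for path, (status, location) in observations.items()
            if classify(status, location) != "enforced"]

# Constructed observations: path -> (status, Location header) as probe() returns them.
SAMPLE = {
    "/": (301, "https://forum.example/"),
    "/login": (200, None),                              # login form served over HTTP
    "/register": (302, "/register"),                    # relative redirect, still HTTP
    "/search": (301, "http://www.forum.example/search"),
}

if __name__ == "__main__":
    for path in unenforced(SAMPLE):
        print(path, classify(*SAMPLE[path]))
    # Live check (assumed host): {p: probe("forum.example", p) for p in SAMPLE}
```
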

