HTTPS

[kladner]

Quote:

Originally Posted by chalsall

.....

Somewhat tangential, I consider Snowden to be a hero, and Assange a bit of a twat.

Indeed. I agree with both assessments.

[VictordeHolland]

Firefox and Crome are starting to label sites that don't use HTTPS as 'insecure'. That alone could be an incentive to use it.
Just my 2 cents,
Victor

[MisterBitcoin]

Quote:

Originally Posted by VictordeHolland

Firefox and Crome are starting to label sites that don't use HTTPS as 'insecure'. That alone could be an incentive to use it.
Just my 2 cents,
Victor

Indeed they do, but (sofar I understand it) only if there may a risk for stealing sensitive informations (e.g. online banking).
We dont need an secure transport for the website. Thats my opinion

[chalsall]

Quote:

Originally Posted by MisterBitcoin

We dont need an secure transport for the website. Thats my opinion

Your are entitled to your opinion, even if it is incorrect.

There is no downside to going to SSL, other than the small additional cost for a server able to host such a configuration.

[CRGreathouse]

Quote:

Originally Posted by chalsall

There is no downside to going to SSL, other than the small additional cost for a server able to host such a configuration.

It's hard! There are a lot of moving parts. I'd like to reconfigure the SSL for oeis.org so it's not insanely outdated but I lack expertise. Hopefully Xyzzy has more of a turnkey solution than what we have.

[Nick]

Quote:

Originally Posted by chalsall

There is no downside to going to SSL, other than the small additional cost for a server able to host such a configuration.

Pressure to adopt HTTPS is being used to impose a significant hike in the hosting price.
Using TLS/SSL carelessly can also create a false sense of security, which is why I suggest we consider what threats we are really concerned about and whether this is a complete solution.

Here is a test for anyone interested: find a TLS server on the internet which requires client certificates and use the protocol to ask it for the full list of certification authorities it trusts.
You may be disturbed by the results!

[Mark Rose]

Quote:

Originally Posted by Nick

Here is a test for anyone interested: find a TLS server on the internet which requires client certificates and use the protocol to ask it for the full list of certification authorities it trusts.
You may be disturbed by the results!

That's how I setup OpenVPN.

[chalsall]

Quote:

Originally Posted by Nick

Pressure to adopt HTTPS is being used to impose a significant hike in the hosting price.

I don't agree. Many hosting providers offer HTTPS serving for the same, or only slightly more, cost.

Many domain providers offer SSL certificates for free. Separately, other providers offer free certificates to anyone. Let's Encrypt is only one example.

Quote:

Originally Posted by Nick

Using TLS/SSL carelessly can also create a false sense of security, which is why I suggest we consider what threats we are really concerned about and whether this is a complete solution.

I agree with this. But, at the same time, using fire carelessly can cause problems.

[CRGreathouse]

Quote:

Originally Posted by Nick

Pressure to adopt HTTPS is being used to impose a significant hike in the hosting price.

Quote:

Originally Posted by chalsall

I don't agree. Many hosting providers offer HTTPS serving for the same, or only slightly more, cost.

Mine charges 50% more for HTTPS.

[chalsall]

Quote:

Originally Posted by CRGreathouse

Mine charges 50% more for HTTPS.

If I may please ask you... What is the rational for that?

Is it the need for a dedicated IPv4 address, or the load on the server?

[CRGreathouse]

Quote:

Originally Posted by chalsall

If I may please ask you... What is the rational for that?

Is it the need for a dedicated IPv4 address, or the load on the server?

I assume it's bog-standard price discrimination, having no connection to costs incurred. But I'm not privy to their internal decision-making processes.