Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20
  1. Collapse Details
    #11
    Senior Member
    Join Date
    Mar 2008
    Location
    Colorado
    Posts
    617
    Default
    The biggest benefit to going HTTPS is that Google Chrome will soon mark non HTTPS sites as explicitly not secure. It’s a good idea to just do it.

    The Chrome deadline is July if I remember right.
    Reply With Quote
     

  2. Collapse Details
    #12
    Senior Member jagraphics's Avatar
    Join Date
    Nov 2012
    Location
    Birmingham UK
    Posts
    505
    Default
    Quote Originally Posted by jbregar View Post
    The biggest benefit to going HTTPS is that Google Chrome will soon mark non HTTPS sites as explicitly not secure. Itís a good idea to just do it.
    The Chrome deadline is July if I remember right.
    Not really. Lots of people don't use chrome. Chrome is hardly secure in itself.
    SSL can be defeated in near real time

    So it is an improvement but not as much as you might think.
    In some ways it is worse as it givers a false sence of security.
    Reply With Quote
     

  3. Collapse Details
    #13
    Senior Member Thomas Smet's Avatar
    Join Date
    Jul 2005
    Location
    Colorado
    Posts
    2,200
    Default
    It is Google itself that will start to flag sites as non https. There is a push to make the entire internet https and eventually all browsers and search engines are going to ding sites that are not. The same goes for responsive. Google now hurts SEO on sites that are desktop only so many of our great posts no longer show up very well in search results. Both the lack of responsive and https are going to hurt this site.
    Reply With Quote
     

  4. Collapse Details
    #14
    Senior Member jagraphics's Avatar
    Join Date
    Nov 2012
    Location
    Birmingham UK
    Posts
    505
    Default
    Quote Originally Posted by Thomas Smet View Post
    It is Google itself that will start to flag sites as non https. There is a push to make the entire internet https and eventually all browsers and search engines are going to ding sites that are not. The same goes for responsive. Google now hurts SEO on sites that are desktop only so many of our great posts no longer show up very well in search results. Both the lack of responsive and https are going to hurt this site.
    I don't use google. neither do a growing list of people I work with

    That said SSL doesn't hurt but it is not the remedy people think it is.
    Reply With Quote
     

  5. Collapse Details
    #15
    Senior Member
    Join Date
    Mar 2008
    Location
    Colorado
    Posts
    617
    Default
    Quote Originally Posted by jagraphics View Post
    I don't use google. neither do a growing list of people I work with

    That said SSL doesn't hurt but it is not the remedy people think it is.
    You don't use Google. That doesn't really change the fact that the OVERWHELMING majority of people on the Internet do use Google. A ton of them also use Google Chrome.

    The fact is, SSL doesn't hurt anything and it does have tangible, real-world benefits.

    - Google is starting to down-rank non-SSL sites
    - Chrome is marking non-SSL sites as "insecure"
    - Usernames and passwords are being sent in clear text. If you re-use your password elsewhere, it's a security risk... and a TON of people re-use passwords.

    Getting SSL spun up on a web site is trivially easy nowadays. There's very little reason not to do it and a ton of reasons to do it... you and your friends notwithstanding.
    Reply With Quote
     

  6. Collapse Details
    #16
    Senior Member jagraphics's Avatar
    Join Date
    Nov 2012
    Location
    Birmingham UK
    Posts
    505
    Default
    Quote Originally Posted by jbregar View Post
    You don't use Google. That doesn't really change the fact that the OVERWHELMING majority of people on the Internet do use Google. A ton of them also use Google Chrome.
    As the saying goes: Just because a million flies eat s*%t.....

    Quote Originally Posted by jbregar View Post
    The fact is, SSL doesn't hurt anything and it does have tangible, real-world benefits.
    There's very little reason not to do it and a ton of reasons to do it..
    True. However it is not going to provide the security people think it does.
    Reply With Quote
     

  7. Collapse Details
    #17
    Default
    Quote Originally Posted by jbregar View Post
    Usernames and passwords are being sent in clear text.
    No, they are encrypted with JavaScript. It's a weaker formula than the latest HTTPS, but it is better than clear. Still I agree it would be nice to have this site be HTTPS.
    Reply With Quote
     

  8. Collapse Details
    #18
    Senior Member
    Join Date
    Mar 2008
    Location
    Colorado
    Posts
    617
    Default
    Quote Originally Posted by jagraphics View Post
    As the saying goes: Just because a million flies eat s*%t.....
    You just go ahead and tell a web client that you're not optimizing for Google because you don't use it and "just because a million flies eat s*%t...."

    No, really. I'll wait.

    Whether you like Google or not is irrelevant. Google is how a vast majority of the world finds information on the web. Doing things that hurt your rankings in Google means the information on your site isn't as accessible to the vast majority of the world. Sites like this are funded by advertising. Advertising needs eyeballs. Cutting out 70-90% of your potential eyeballs is really stupid. Not to mention that a UGC site like this actually only exists because people found it, found it interesting, and then decided to contribute. If they never find it in the first place, it never gets off the ground.

    Hence why we spent most of the late 90s through 2000s doing contortions to support Internet Explorer of various versions... and Netscape Navigator before that.

    True. However it is not going to provide the security people think it does.
    It provides more security than not using SSL, provides benefits other than that, and costs nearly nothing to actually do.

    You're literally arguing for not putting on your seatbelt because in an accident you might die anyway. That's silly and terrible advice.
    Reply With Quote
     

  9. Collapse Details
    #19
    Senior Member
    Join Date
    Mar 2008
    Location
    Colorado
    Posts
    617
    Default
    Quote Originally Posted by combatentropy View Post
    No, they are encrypted with JavaScript. It's a weaker formula than the latest HTTPS, but it is better than clear. Still I agree it would be nice to have this site be HTTPS.
    Not sure where you got this info... but I just logged into the site with JavaScript turned off... so it's not always true (if it is at all).

    Not to mention that JavaScript-based encryption is by it's nature insecure. Let's say it is encrypted using JavaScript on the client side. That means that you're taking the user's input into the password field and hashing it, then sending it to the server for authentication. That means the server is no longer expecting the password, it's expecting the hashed token... which is being sent over the wire as unencrypted plain text. That solves the problem of shared passwords, but the site itself is still trivially easy to get into by just sending the hash.

    An attacker can also take a look at the script files and look at the logic in use.

    Or you could just put SSL in place.
    Reply With Quote
     

  10. Collapse Details
    #20
    Senior Member
    Join Date
    Mar 2010
    Location
    Central NC, USA
    Posts
    1,479
    Default
    Quote Originally Posted by jbregar View Post
    You just go ahead and tell a web client that you're not optimizing for Google because you don't use it and "just because a million flies eat s*%t...."

    No, really. I'll wait.

    Whether you like Google or not is irrelevant. Google is how a vast majority of the world finds information on the web. Doing things that hurt your rankings in Google means the information on your site isn't as accessible to the vast majority of the world. Sites like this are funded by advertising. Advertising needs eyeballs. Cutting out 70-90% of your potential eyeballs is really stupid. Not to mention that a UGC site like this actually only exists because people found it, found it interesting, and then decided to contribute. If they never find it in the first place, it never gets off the ground.

    Hence why we spent most of the late 90s through 2000s doing contortions to support Internet Explorer of various versions... and Netscape Navigator before that.



    It provides more security than not using SSL, provides benefits other than that, and costs nearly nothing to actually do.

    You're literally arguing for not putting on your seatbelt because in an accident you might die anyway. That's silly and terrible advice.
    Nice mic drop. Point, set, and match to jbregar.
    Reply With Quote
     

Page 2 of 2 FirstFirst 12

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •