https:// for login

Discussion in 'Help and Feedback' started by woof, Nov 25, 2014.

  1. woof

    woof Mu-43 Top Veteran

    511
    Oct 18, 2011
    The present.
    I note that the site generally is using http://

    Are the login credentials posted using https://? If not, please consider adding this.

    Respectfully,

    Seaain
     
  2. prophet

    prophet Mu-43 Regular

    116
    Aug 10, 2014
    +1! SSL encryption should be standard these days, and is really no big deal to set up (even a free SSL certificate would do fine).
     
  3. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    I'll look into this some more - both in terms of how important it is and how hard it would be to implement. I don't see any of the many other forums I frequent doing this, which makes me think that either it isn't needed or that there is some other downside.
     
  4. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
  5. barry13

    barry13 Super Moderator; Photon Wrangler

    Mar 7, 2014
    Southern California
    Barry
    Amin,

    1. There are some free certificate authorities. One or two have been around a while, and a new one is coming:
    http://techcrunch.com/2014/11/18/mo...nd-together-to-provide-free-ssl-certificates/
    Startssl.com

    2. GoDaddy sells perfectly good certs for well under $100 USD, and they have multi-domain certs as well.
    A single multi-domain cert ($90) can probably cover all 5 of your domains.
    https://support.godaddy.com/help/article/3908/what-is-a-multiple-domain-ucc-ssl-certificate

    If you need more details, I can look at the ones I've bought on Monday.

    FYI, there is no extra value in buying an EV cert unless you are a bank or similar.

    Barry
     
  6. prophet

    prophet Mu-43 Regular

    116
    Aug 10, 2014
  7. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    Thank you both, but I'm going to go with the ones that I can buy from my host so that they'll do the installation, etc.
     
  8. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    Darn, Google is pushing from both sides. On the one hand, they want everyone using https and will use it as a ranking signal, meaning that those who don't adopt it will eventually get less traffic. On the other hand, they acknowledge that their Adsense inventory for https sites is low, so we'll make less money through Adsense ads after adopting https.

    We're very dependent on Adsense for paying the bills here, so it's a tough choice I'm facing here!
     
  9. phigmov

    phigmov Mu-43 Hall of Famer

    Apr 4, 2010
    It'd be interesting to see why the revenue for https sites is low. A click impression, regardless of how it's secured, is just another click. The only thing I can think of is that https secures the channel such that Google can no longer 'see' into the traffic stream because it's encrypted, and it affects their analytics in some way (i.e. they're deliberately inflating the impact to them).

    I'm not sure how vBulletin does what it does, but perhaps it can be set up to secure the login itself (i.e. credentials aren't passed in the clear) while leaving the rest of the site as standard http (i.e. if you're not logging in and passing sensitive data you don't get secured). After all, the content itself is publicly accessible and visible; it's only the login portal that is sensitive.

    I'll be hitting my 2000th post soon so I'll be sure to top up my site donation to aid the cause :)
     
  10. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    Here's what Google says (source):


    Except that Google is going to use https as a ranking signal, meaning that the content itself will see less traffic if we don't serve it on https pages.


    Thanks as always!
     
  11. phigmov

    phigmov Mu-43 Hall of Famer

    Apr 4, 2010
  12. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    Yes, it applies for our forum software.
     
  13. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    Ouch, I just realized that switching the site to https is going to mean that any pages with embedded photos from non-https sites (eg, zenfolio, smugmug) are going to result in those scary browser warnings. I've already paid for the certificates, but I think changing over will be much more trouble than it is worth.
     
  14. prophet

    prophet Mu-43 Regular

    116
    Aug 10, 2014
    Most of these sites also offer https, so you could tell your software to change embedded links to the https version, if available (Smugmug has, Zenfolio also).
     
  15. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    How would I do that?
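
One way to do the rewrite discussed in the posts above, shown as an added example that is not part of the original thread and not the forum software's own code. The host allowlist, the function names and the sample post are assumptions constructed for illustration; only embeds from allowlisted hosts are upgraded, and everything else is reported as remaining mixed content.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: hosts verified to serve the same images over HTTPS.
# The thread names SmugMug and Zenfolio; check each host before adding it.
HTTPS_CAPABLE = ("smugmug.com", "zenfolio.com")

# The http:// URL inside [IMG]...[/IMG] BBCode or an <img src="..."> attribute.
EMBED_RE = re.compile(
    r'(?P<pre>\[img\]|<img\b[^>]*?\bsrc=["\'])(?P<url>http://[^\s"\'\[\]<>]+)',
    re.IGNORECASE,
)

def host_allowed(host):
    """True only for an allowlisted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in HTTPS_CAPABLE)

def upgrade_embeds(post):
    """Return (rewritten_post, upgraded_urls, still_insecure_urls)."""
    upgraded, insecure = [], []

    def repl(match):
        url = match.group("url")
        parts = urlsplit(url)
        # An explicit port or userinfo is left alone: https on that port is unverified.
        if ":" not in parts.netloc and host_allowed(parts.hostname):
            new = urlunsplit(("https",) + tuple(parts)[1:])
            upgraded.append(new)
            return match.group("pre") + new
        insecure.append(url)  # would still trigger a mixed-content warning
        return match.group(0)

    return EMBED_RE.sub(repl, post), upgraded, insecure

# Constructed sample post: two upgradable embeds, a look-alike host,
# an unknown host, and a plain link (links are not mixed content).
SAMPLE_POST = (
    "[IMG]http://photos.smugmug.com/a/b.jpg[/IMG]\n"
    '<img src="http://example.zenfolio.com/img/p1.jpg" alt="x">\n'
    "[img]http://smugmug.com.example.net/c.jpg[/img]\n"
    "[IMG]http://images.example.org/d.jpg[/IMG]\n"
    "See http://www.smugmug.com/gallery for more."
)

if __name__ == "__main__":
    text, done, left = upgrade_embeds(SAMPLE_POST)
    print(text, done, left, sep="\n")
```

The list of still-insecure URLs is what an administrator would review before the switch, since those embeds keep producing browser warnings until their hosts offer https or the images are proxied.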
     
  16. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    At long last, our site is now https.
     
  17. woof

    woof Mu-43 Top Veteran

    511
    Oct 18, 2011
    The present.
    Congrats! Great going. Thank you.
     