https:// for login

woof · Nov 25, 2014

I note that the site generally is using http://

are the login credentials posted uing https://? if not, please consider adding this.

Respectfully,

Seaain

prophet · Nov 25, 2014

+1! ssl encryption should be standard these days, and is really no big deal to set up (even a free ssl certificate would do fine).

Amin · Nov 25, 2014

I'll look into this some more - both in terms of how important it is and how hard it would be to implement. I don't see any of the many other forums I frequent doing this, which makes me think that either it isn't needed or that there is some other downside.

Amin · Dec 27, 2014

Well, it seems like Google is pushing this pretty hard: http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html

Doesn't matter if you have a blog about how to make lemonade. Google wants you to use https.

Looks like good quality SSL certs are going to cost about $400 per year for the 5 websites I own. I've started working on this.

barry · Dec 28, 2014

Amin,

1. There are some free certificate authorities. One or two have been around awhile, and a new one is coming:
http://techcrunch.com/2014/11/18/mo...nd-together-to-provide-free-ssl-certificates/
Startssl.com

2. Godaddy sells perfectly good certs for well under $100USD, and they have multi-domain certs as well.
A single multi-domain cert ($90) can probably cover all 5 of your domains.
https://support.godaddy.com/help/article/3908/what-is-a-multiple-domain-ucc-ssl-certificate

If you need more details, I can look at the ones I've bought on Monday.

FYI, there is no extra value in buying an EV cert unless you are a bank or similar.

Barry

prophet · Dec 28, 2014

another free SSL certificate worth checking out: https://www.freessl.com/

Amin · Dec 28, 2014

Thank you both, but I'm going to go with the ones that I can buy from my host so that they'll do the installation, etc.

Amin · Dec 29, 2014

Darn, Google is pushing from both sides. On the one hand, they want everyone using https and will use it as a ranking signal, meaning that those who don't adopt it will eventually get less traffic. On the other hand, they acknowledge that their Adsense inventory for https sites is low, so we'll make less money through Adsense ads after adopting https.

We're very dependent on Adsense for paying the bills here, so it's a tough choice I'm facing here!

phigmov · Dec 29, 2014

It'd be interesting to see why the revenue for https sites is low. A click impression regardless of how its secured is just another click. The only thing I can think of is that the https secures the channel such that google can non longer 'see' into the traffic stream because its encrypted and it affects their analytics in some way (ie they're deliberately inflating the impact to them).

I'm not sure how vBulletin does what it does but perhaps it can be setup to secure the login itself (ie credentials aren't passed in the clear) while leaving the rest of the site as standard http (ie if you're not logging in and passing sensitive data you don't get secured). After-all, the content itself is publicly accessible and visible, its only the login portal that is sensitive.

I'll be hitting my 2000th post soon so I'll be sure to top up my site donation to aide the cause

Amin · Dec 29, 2014

phigmov said:
It'd be interesting to see why the revenue for https sites is low.

Here's what Google says (source):

HTTPS-enabled sites require that all content on the page, including the ads, be SSL-compliant. As such, AdSense will remove all non-SSL compliant ads from competing in the auction on these pages. If you do decide to convert your HTTP site to HTTPS, please be aware that because we remove non-SSL compliant ads from the auction, thereby reducing auction pressure, ads on your HTTPS pages might earn less than those on your HTTP pages.

phigmov said:
I'm not sure how vBulletin does what it does but perhaps it can be setup to secure the login itself (ie credentials aren't passed in the clear) while leaving the rest of the site as standard http (ie if you're not logging in and passing sensitive data you don't get secured). After-all, the content itself is publicly accessible and visible, its only the login portal that is sensitive.

Except that Google is going to use https as a ranking signal, meaning that the content itself will see less traffic if we don't serve it on https pages.

phigmov said:
I'll be hitting my 2000th post soon so I'll be sure to top up my site donation to aide the cause

Thanks as always!

phigmov · Dec 29, 2014

This seems promising (passwords are hashed before transmission) - not sure if its valid for the version mu-43 is running on -

http://www.vbulletin.com/forum/foru...troubleshooting/292830-secure-encrypted-login

Amin · Dec 29, 2014

Yes, it applies for our forum software.

Amin · Dec 30, 2014

Ouch, I just realized that switching the site to https is going to mean that any pages with embedded photos from non-https sites (eg, zenfolio, smugmug) are going to result in those scary browser warnings. I've already paid for the certificates, but I think changing over will be much more trouble than it is worth.

prophet · Dec 30, 2014

most of these sites also offer https - so you could tell you software to change embedded links to the https version, if available (Smugmug has, Zenfolio also).

Amin · Dec 30, 2014

How would I do that?

Amin · Sep 21, 2015

At long last, our site is now https.

woof · Oct 10, 2015

Congrats! great going. Thank you.

https:// for login

woof

Mu-43 Top Veteran

prophet

Mu-43 Regular

Amin

Mu-43 Legend

Amin

Mu-43 Legend

barry

Super Moderator

prophet

Mu-43 Regular

Amin

Mu-43 Legend

Amin

Mu-43 Legend

phigmov

Probably Not Walter Kernow

Amin

Mu-43 Legend

phigmov

Probably Not Walter Kernow

Amin

Mu-43 Legend

Amin

Mu-43 Legend

prophet

Mu-43 Regular

Amin

Mu-43 Legend

Amin

Mu-43 Legend

woof

Mu-43 Top Veteran

Similar threads

Latest threads