so we can login without our passwords being sent in plain text!!
Does anyone know how to do this? Was https not broken at some point?
As far as I know, this forum has never used HTTPS. I vote strongly in favor of enabling it, but it’ll be a certain amount of real work for whoever does the job.
I can’t remember if it used to work. What’s happening now is I’m getting nasty warning messages from my browser. Perhaps because it’s been updated or something. But this is something you ought to look into.
Typing; intfiction.org/ directly doesn’t work, so I guess there’s no security at all.
If you don’t have a certificate, get a free one from letsencrypt.org, then once set up, either redirect http -> https or, at least, put https on the login page.
On the config side, I think their `certbot` can automatically edit your config (if you trust it). You’ll probably be fine if you run Apache. I run nginx on all my servers, so if it’s that, I can help you with the config changes if you need it (or want to edit manually).
Slowly but surely, it looks like HTTP will be made more and more annoying to use.
Which browser? I’m on Chrome 60 and I’m not seeing any warning messages, even in incognito mode.
(I agree that someone should enable HTTPS, but it is real work; I’m not sure who has the power to do it.)
I can reproduce the Firefox 54 warning when attempting to sign in.
My experience with letsencrypt is that it’s easy to use if you run your own server and OS. If you use a virtual hosting service, you may have to wait for the service to integrate letsencrypt (which they may not want to do if they have a profitable side business selling SSL certificates.)
EDIT-ADD: You can install a LE manually, but they insist that you renew every 90 days. It’s not really practical for a hobby site owner to go through certificate paperwork every three months forever. So you really want to set up an automated script to do it. That’s the part which is easy if you have root on the server, but if not, not.
Who has the power to take action here? I’m happy to provide help.
Ping! Who has the power to take action here?
I hear you, I just don’t know how to do something like this, or even if I have access. I’ll put a note to the other mods.
I feel like Carolyn is the knowing-how-to-do-stuff-like-this person–when does she come back?
[ETA: Whoops, that was supposed to go in the moderator forum. Anyway, we’re trying to figure out what we can do!]
We need to make some arrangement for the forum hosting before we can fix https, and we are actively discussing this on the mod board.
The https certificate should be provisioned and working in the next few hours.
HTTPS is now fixed (and by “fixed” I mean added). I’ve paid for the first year of the certificate (figuring out the free one somebody suggested would have been a pain). There’s been some talk of people wanting to move the server elsewhere entirely, which is fine (and I suggested it when I stepped down as a moderator – this is Merk by the way), but I don’t know if the certificate is portable if the new server doesn’t use Apache 2. It may be. It’s just .CRT/.PEM files.
In the Apache config, I set it up to redirect http to https, so everybody should be seeing the secured pages now. But let me know if there’s an issue and I’ll investigate, or re-enable plain http for the site.