News:

Don't forget to visit the main site! There's lots of helpful docs, patches, and more!

Main Menu

HTTPS support for Metroid Construction sites

Started by Law, January 22, 2017, 09:22:01 PM

Previous topic - Next topic

Law

Google has recently announced that starting from Chrome version 56, any non-HTTPS website that utilises password fields will be marked as 'Not Secure'. Recent Firefox releases also have a similar warning, and affect all sections of the site where a user can log in. HTTPS can provide an assurance that a user reaches the server they're trying to connect to, as well as providing protection against man-in-the-middle (MITM) attacks, and I believe that in the age where ads (that may or may not contain malware) can be injected into HTTP sites, we should be looking out for our users.

With that said, implementing HTTPS on Metroid Construction sites may not be easy, depending on how hosting is set up.

Lunaria

Configuring HTTPS is not as simple as changing an extensions or something. Personally IDK how this forum software is configured and how hard it would be to support it, but given that it was made in an age where it was largely irrelevant I'm unsure how much support was/is offered by the original developers behind it.

thedopefish

#2
I don't think the forum software needs to care about HTTPS.  It's mostly a question of whether the web host supports it.  On a dedicated web server, enabling HTTPS is pretty trivial; however, in a large shared hosting environment there are additional complications.  I would not be surprised at all if MetConst's host is not able to provide HTTPS on our current plan, but I don't actually know what the capabilities are.

Edit:  after some research, it appears adding HTTPS support would involve some up front money to acquire a certificate and bribe inmotion to install it, plus an increase in the monthly server hosting cost.  To me, it seems like more hassle than its worth just to avoid a browser warning (well to be fair, it WOULD make the site/forums more secure, it's just that nobody has ever particularly cared about that until now), but it's not out of the question.

I'd be interested to hear if anyone else has strong feelings one way or the other.

P.JBoy

Use a non-password field to suppress the warning >_>
...

Boured

Well to be honest we don't really need them, though this might be bad as even though we aren't malicious some browsers will label in a way that would make the unaware person think so. While HTTPS would be nice I don't really see it happening here for awhile as the bills are probably already pretty costly.