PerlMonks  

let's encrypt

by natxo (Scribe)
on Apr 21, 2017 at 20:38 UTC (#1188584=monkdiscuss)

Dear monks, every time I log in without https my credentials can be intercepted. This is not necessary anymore nowadays; we have free certificates available using Let's Encrypt.

I tried https and the browser errors are annoying because the certificate does not match the hostname (*.pair.com).

Are there any plans to enable https without annoying browser errors? I could lend a hand to implement this (not that I think people here are not capable of doing it, just offering help ;-) ).

Replies are listed 'Best First'.
Re: let's encrypt
by Corion (Pope) on Apr 21, 2017 at 20:40 UTC

    Thank you for your offer!

    Moving the site to also accept logins via Let's Encrypt certificates is already in the works. We are just talking with our hoster about how we give them the certificates or how we can update them ourselves, as we don't have control over the webserver itself.

    As an aside, you can already access the website via https://perlmonks.org, but the certificate doesn't match the domain.

Re: let's encrypt
by haukex (Prior) on Apr 23, 2017 at 18:26 UTC

    I completely agree that supporting HTTPS would be a good idea. Not only is there the security issue, but also Google has been using HTTPS as a ranking signal for several years now, and since January 2017, they're further penalizing sites without HTTPS: Moving towards a more secure web.

    Note that you should be able to access PerlMonks via HTTPS without the certificate warning at https://perlmonks.pair.com/, although currently I'm having connection problems there.

    See also the recent thread https oddity.

      Ah, so that's why I see so many pointless https implementations out there. Example: at Penny Arcade, every link on the page is an http link, but they've configured their server to redirect http to https. It completely defeats the purpose of encryption, because all the redirects are in the clear, but hey, if it makes Google happy...
Re: let's encrypt
by Anonymous Monk on Apr 21, 2017 at 21:29 UTC
    It's not just when you login. The authentication cookie can be stolen at any time.
