espace, posted March 12, 2017
Hi, all is in the title.
Jadegames, posted March 12, 2017
I think @espace3d has a valid concern. I thought at least the login page would be encrypted (perhaps there isn't much point in using encryption for anything else on this site?), but you log into this site over HTTP, not HTTPS. If you have a login for this forum, odds are you know at least a little bit about security and probably/hopefully use a password manager and/or your passwords follow best practices (i.e. not password123). But over HTTP, password length doesn't matter when it's sent in plain text. (I've read a few articles that state that password length is much more important than password complexity.) IRL I found out that Tumblr for iOS sent passwords in plain text, and after Tumblr changed this to use HTTPS, Tumblr asked its users to change their passwords. Perhaps we should do something similar for this situation? http://www.theregister.co.uk/Print/2013/07/17/tumblr_ios_uncryption/
bruno_, posted March 12, 2017
SSL certificates from Let's Encrypt are free and a good choice: https://letsencrypt.org/
erezson, posted March 16, 2017
I use Cloudflare. They provide DDoS protection but also CDN and SSL. All free.
Gio, posted March 16, 2017
Just my $.02, because I won't waste an opportunity to rant about SSL.

There's been a lot of pressure recently to get everyone to move to HTTPS. Chrome and Firefox have started disabling some of the more interesting features for websites that are not on HTTPS. Why wouldn't you do it, they say: it's supposedly "secure", you can get it for free, it's simple to set up, etc.

Reality, sadly, is a bit different. In 2017, setting up SSL is still a big headache. True, it's easier than it used to be, but still... Let's Encrypt is free and automatable, but good luck getting it to work on systems that aren't what they designed it for. While it can be very simple in some cases, if your server doesn't run on Linux, if it's not Apache or nginx... well, then it's not so simple anymore, is it. You need to spend days to figure it all out. And if you don't manage to automate it, when the time comes to renew your SSL certificates (they last just 3 months), you may have to spend days again if they've changed something.

Cloudflare is OK, but they can screw up big time, and also the free option gets you a shared SSL certificate - that's only as good as the people you're sharing it with.

Not to mention that if you have an HTTP site and then move it to HTTPS, it's suddenly a different domain, with all that it entails in terms of SEO, cookies, localStorage and all that.

In short, sometimes it's just not worth it. Out of 8 servers that I manage, I have 4 set up with SSL. When I can avoid it, I do - fewer things that can go wrong. But then I salt and hash all passwords client side (as well as server side), so nothing is ever sent in plain text. I feel that's generally a good solution, unless you do need proper security - for a forum you don't, IMHO.
arkamedus, posted March 28, 2017
While you make valid points @Gio, the amount of work required to make something function should not be an excuse for not doing it. Google has also confirmed that moving a site to SSL does not affect rankings, and actually, in a few anecdotal examples, has improved the ranking of some sites over their insecure counterparts. I'll go back and say that word again: "insecure". Any website that is not using SSL is insecure. This is not conjecture, and literally with a single program I can read every communication between someone and their connection to an insecure website, including their passwords, email addresses, submitted information, etc. Salting and hashing is no longer considered secure either; this includes SHA-1 and MD5. Salts are no longer truly secure because they must be stored somewhere as well. All in all, this site, along with every other site that deals with user information, should be migrating to SSL.
magallanes, posted April 10, 2017
HTTP vs HTTPS. HTTP is insecure in the following cases: passing via a proxy, connecting to a hub (not a switch) or connecting to an open WiFi. Other than that, HTTPS gives nothing. Instead, HTTPS has its own troubles, for example encryption (which uses machine resources), and cache is not part of the HTTPS specification.
espace (author), posted September 11, 2017
Since my post the situation has not changed...
Branlin, posted September 12, 2017
Engineering ethics: "If it works, don't touch it."
stubrady78, posted September 24, 2017
First, I only have a basic knowledge of encryption and tech more generally. However, I did wonder about this, as I saw a presentation by the Let's Encrypt guys a few months ago and sort of thought HTTPS was standard now. As a result, when I joined up today, I used Twitter to sign in. Was that wise? I also saw someone who wrote about getting spam to an email address that was unique to this site. I am interested to know more about this, as I'd like to start developing some HTML5 games with Phaser and this forum is obviously going to be really useful for that. Thanks for your time.
stubrady78, posted September 24, 2017
Oh, and Let's Encrypt went to great lengths explaining what their service was not good for, so understand it isn't a magic bullet. Cheers again.
kurhlaa, posted January 9, 2018
Hi, guys... it's 2018, still without HTTPS? Bad example of a not responsible service provider. There is no magic needed to add a key/certificate and forward to HTTPS; it's not rocket science either. You do much more difficult things on this website, so this shouldn't be a problem.
espace (author), posted January 9, 2018
+1
sable, posted January 17, 2018
There is now also the issue that the web notification API does not work in Chromium-based browsers for sites with insecure origins (notification permission requests for this site are now silently denied, even if notifications for the site are explicitly allowed in browser settings). https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins https://bugs.chromium.org/p/chromium/issues/detail?id=679821
Ravonus, posted January 23, 2018
I do agree. If you guys would want someone to volunteer, I wouldn't mind helping. Things like this will start affecting new members, etc., coming to this site. There should be a very easy way to test this before even going live.
Jadegames, posted February 9, 2018
OK, to revive this post, it seems that Chrome is not accepting any excuses if you aren't using SSL. https://www.theregister.co.uk/2018/02/07/beware_the_coming_chrome_certificate_apocalypse/ This website (and everyone else's, for that matter) should really start putting plans in place to use SSL certs before April 17th. In light of this news, are there any plans in the pipeline for this to be done?
ShrewdPixel, posted February 2, 2019
Greetings! As an app developer (I make games for my portfolio because my clients usually have me under non-disclosure agreements) I agree that it's pretty trivial now to add SSL to a website. I've made apps that are hosted on Digital Ocean that use Let's Encrypt for SSL, and I've been brought in to update WordPress sites to use SSL. So I can say from experience that adding SSL to most sites has become much more accessible, and that it's a prudent move for almost any site. Google has gotten downright militant about it recently, both for their search engine and the Chrome browser. (Something that has brought me more business as a freelancer updating sites that didn't want a big "Not Secure" message chasing off their clients.) To be fair, it's still the responsibility of any competent dev to not use the same password on every site (hell, use a password manager already), and for sites that don't take any form of payment info the biggest drawbacks of not upgrading are the possible loss of user passwords and the cosmetics of how their site shows up in the browser. I would suggest that any site do the update to SSL, just for the bonus to reputation. But I also suggest to any of my clients that I work for to NEVER take passwords anyway; it's a huge newbie mistake to do so. But don't take my word for it; here's Tom Scott's video that's a classic on the subject.