Life In 19x19

Page 1 of 1

Author:  polar_bear [ Thu Apr 27, 2017 11:53 am ]
Post subject:  SSL/TLS?

So, just saw a post on OGS about this site coming back to life after some issues, but was immediately concerned by the lack of security on the website as a whole. I don't quite understand how any site would even consider accepting passwords without SSL/TLS enabled and forced. This is putting users at a rather serious risk on the modern internet.

I know cost can be a concern, but now that free certificates from LetsEncrypt have full validity and default trust thanks to IdenTrust, that shouldn't be an issue. I saw that you're running Apache on an EC2 instance now, which means you can set up certbot to auto-renew these for Apache very, very easily.

Let me know if I can be of any help with getting this set up. Internet security is a very near and dear topic to me both professionally and personally, and I hate seeing users being put at risk. I know it's only a Go forum, but so many people have similar or identical passwords for critical and non-critical sites that it's worth the half an hour of time investment to do what's right for your users.

Author:  Kirby [ Thu Apr 27, 2017 1:38 pm ]
Post subject:  Re: SSL/TLS?

Thanks for bringing this up, polar_bear. Admins are discussing some options.

Author:  dfan [ Thu Apr 27, 2017 2:31 pm ]
Post subject:  Re: SSL/TLS?

In the meantime, this is a good reminder that not only should you avoid duplicating passwords between sites in general (any site can get hacked), you should doubly avoid using a password on a site like this that doesn't support https (yet) anywhere else.

All times are UTC - 8 hours [ DST ]