SSL/TLS?
Posted: Thu Apr 27, 2017 11:53 am
So, just saw a post on OGS about this site coming back to life after some issues, but was immediately concerned by the lack of security on the website as a whole. I don't quite understand how any site would even consider accepting passwords without SSL/TLS enabled and forced. This is putting users at a rather serious risk on the modern internet.
I know cost can be a concern, but now that free certificates from Let's Encrypt have full validity and default trust thanks to IdenTrust, that shouldn't be an issue. I saw that you're running Apache on an EC2 instance now, which means you can set up certbot to auto-renew these for Apache very, very easily.
Let me know if I can be of any help with getting this set up. Internet security is a very near and dear topic to me both professionally and personally, and I hate seeing users being put at risk. I know it's only a Go forum, but so many people have similar or identical passwords for critical and non-critical sites that it's worth the half an hour of time investment to do what's right for your users.