Site is now running on HTTPS

Announcements about changes to the forums will be posted here. Also for suggestions and requests for technical assistance, etc.
Forum rules
Please read the Forum rules and policies before posting.
Post Reply
User avatar
Gambit37
Should eat more pies
Posts: 13155
Joined: 31-May-00 11:57
Location: Location, Location
Contact:

Site is now running on HTTPS

Post by Gambit37 » 13-Dec-16 15:23

The site is now running on a secure certificate, which means any information transmitted between yourself and the site is now fully encrypted and secure.

It's something I should have sorted out years ago and kept forgetting. Luckily our web host has recently upgraded the server control panel software to cPanel 60, which includes AutoSSL and free SSL certificates. This measn SSL was enabled automatically and I didn't even have to do anything, other than make sure all insecure URLs get redirected correctly.

This won't mean much to most of you: everything should work as normal. But if you do notice anything weird, please do let me know.

Phoenix
Artisan
Posts: 207
Joined: 11-Oct-11 05:32

Re: Site is now running on HTTPS

Post by Phoenix » 5-Jan-17 02:34

As someone who was unable to connect to the site until now, I have to question the need for HTTPS on a non-commerce web site. There was also no warning given prior to the change. Of course you just had to do this just when my SSL proxy died. :(

Also note that your SSL certificate has both domain and date issues (certificate expired 2015!)

User avatar
Gambit37
Should eat more pies
Posts: 13155
Joined: 31-May-00 11:57
Location: Location, Location
Contact:

Re: Site is now running on HTTPS

Post by Gambit37 » 5-Jan-17 08:44

Sorry, but it was implemented by my host automatically as I noted in my post. I didn't know anything about it myself until it happened. (FYI here's what they implemented: https://blog.cpanel.com/autossl/)

As for why: The web is moving towards all sites being secure by default and that is a good idea. No-one can predict what data people will share with any site (commerce or otherwise), so encrypting the data over a secure connection is now considered best practice. Google indexing now also now consider unsecure sites as an indicator of 'less worthy', and in their Chrome browser will soon start explicity showing unsecure sites as 'Not Secure' (https://security.googleblog.com/2016/09 ... e-web.html)

I'll check the date issue you reported, thanks. What are the domain issues you refer to? I can see that avatars are served unsecure and I'll fix that, but is there anything else you've spotted? Thanks :)

UPDATE: The expiration date for the certificate is 15/Feb/2017, it's valid, and will be automatically renewed. Not sure where you got 2015 from, maybe confused the '15' part?

Phoenix
Artisan
Posts: 207
Joined: 11-Oct-11 05:32

Re: Site is now running on HTTPS

Post by Phoenix » 5-Jan-17 12:08

When I go to this site I get a server certificate expired warning from alphatec47.fr which expired on 01/22/215 6:59 PM. If I accept that certificate, I get a domain mismatch error because the certificate belongs to alphatec47.fr and is not registered directly to http://www.dungeon-master.com.

I understand the rational, but I don't agree with it. HTTPS can be MITM and it doesn't solve the true problems with web traffic(super cookies, beacons, XSS, superfish, etc...). Too many people have been indoctrinated into believing https equals security.

User avatar
Gambit37
Should eat more pies
Posts: 13155
Joined: 31-May-00 11:57
Location: Location, Location
Contact:

Re: Site is now running on HTTPS

Post by Gambit37 » 5-Jan-17 13:41

Huh. alphatec47.fr seems to be selling shoes. No idea what that is or why you're seeing that.

I'm no expert on this stuff and I'm interested in your experience and would like to fix it. Can you provide more info on your setup and how you access the web? You said you use a proxy?

User avatar
Sophia
Concise and Honest
Posts: 3951
Joined: 12-Sep-02 19:50
Location: Nowhere in particular
Contact:

Re: Site is now running on HTTPS

Post by Sophia » 5-Jan-17 19:58

Gambit37 wrote:No idea what that is or why you're seeing that.
For what it's worth, I'm not having this problem. The certificate that I see is issued by the "cPanel, Inc. Certification Authority" and has expiration date in February 2017. The only problem I'm perceiving is the page is currently "not fully secure" due to avatars still being sent over http, which you've already noted.

Post Reply