Forum adverts like this one are shown to any user who is not logged in. Join us by filling out a tiny 3 field form and you will get your own, free, dakka user account which gives a good range of benefits to you: No adverts like this in the forums anymore. Times and dates in your local timezone. Full tracking of what you have read so you can skip to your first unread post, easily see what has changed since you last logged in, and easily see what is new at a glance. Email notifications for threads you want to watch closely. Being a part of the oldest wargaming community on the net. If you are already a member then feel free to login now.

I've somewhat embarrassed that I've only just noticed that DakkaDakka is missing an SSL certificate, which means that passwords and any other sensitive information being sent during login or at other times are entirely in the clear. SSL certs are really cheap and often free, especially now with https://letsencrypt.org/. There is a long list of reasons why this kind of thing is important that I'm sure the admins must be aware of. So please, would the admins install an SSL certificate?

Sounds serious!

I'd suggest PM'ing Legoburner directly.

Most forums don't use SSL, as there's really no need for it. A forum isn't like a webstore, where you're transitting a bunch of personal information.

Also, (as I understand it) because it slows everything down, and flags security errors for anything linked from off-site.

There used to be a lot of arguments against using SSL (with Insaniak pointing out two of the big ones), as well as the endless server vulnerabilities popping up in openSSL for a while. There are still a few headaches that stop us implementing it (with mixed content warnings being a major one), but we'll probably turn it on at some point.

 insaniak wrote:
Most forums don't use SSL, as there's really no need for it. A forum isn't like a webstore, where you're transitting a bunch of personal information.

Also, (as I understand it) because it slows everything down, and flags security errors for anything linked from off-site.

It's true that on a forum you're not usually transmitting a lot of personal information, but forums do transmit one very important thing: a username and password combination. Because people have a big tendency to reuse credentials, this means any one forum leaking a password could be endangering a person's credentials for a huge number of sites. It's an unfortunate consequence of human behavior. Speed has not been a realistic obstacle to SSL/TLS adoption in a very long time, but mixed-content warnings in the case of a forum that allows image embedding without rehosting the images can be a real headache.

legoburner wrote:There used to be a lot of arguments against using SSL (with Insaniak pointing out two of the big ones), as well as the endless server vulnerabilities popping up in openSSL for a while. There are still a few headaches that stop us implementing it (with mixed content warnings being a major one), but we'll probably turn it on at some point.

I've no doubt that mixed-content warnings are your biggest problem, since the boards allow inline display of external images. Firefox and Chrome both allow insecure images and will only log a warning in the dev console, but I suppose you still have plenty of users on IE that will get big obnoxious warning interstitials. I'm happy you're at least considering it, and I hope you choose to do so relatively soon. I'm sure you keep your own council on how to go about these things but if you want I'm happy to discuss it with you further.