HTTPS support for the forum and main SFML website

[Jesper Juhl]

Could we, please, get HTTPS support for the SFML websites?

First of all I like knowing that the site I'm communicating with is the one I intended.
Secondly I like to know that my communication cannot be snooped upon by third parties while in transit.
Thirdly I'd like that third parties cannot inject content into the pages I'm viewing.

While it's been bugging me for a while that the SFML website(s) don't use TLS it became really annoying a few days ago when I was pair-programming with a friend at a pub and using their public wifi to look up details in the SFML docs. It was annoying since their access point injected ads and tracking cookies into the pages retrieved - which would not have been possible over a HTTPS connection.

If cost of a certificate is an issue, then contact me via PM and I'd be happy to cover that cost.

[binary1248]

The certificate is/was the only issue. I just hope you aren't underestimating the cost of a reliable and usable certificate.

[Jesper Juhl]

Well, certificates can be obtained at huge costs and fairly cheap.
As long as the cost is around 100euros or so I can cover it (no need to go for the most expensive option)
Sounds fair?

[zsbzsb]

One thing to remember is that the site is provided under multiple domains. So we would need a wildcard certificate or multiple single certificates.

[Jesper Juhl]

Well, if you can find somewhere to get what you need at under 100euros, then just send the bill to me. If more than that, then I can chip in and maybe together we can get it done...

[Tank]

The cheapest one I can find costs 93.99 $/yr for 1 yr period, at ssls.com.

However I'd suggest to wait until this settles: https://letsencrypt.org/

[Jesper Juhl]

Tank: that sounds like an even better idea. If letsencrypt will issue certs for free really soon, then that's probably preferable.

[Tank]

It will.

[zsbzsb]

Another place that offers free certificates is https://www.startssl.com/?app=1

Not sure if that would be usable or if they restrict you to a single certificate, but it is another option to look into.

[Tank]

AFAIR StartSSL asks for the pure domain name and allows one more sub-domain to be given. So you would choose "sfml-dev.org" and "www.sfml-dev.org" there -- the forum and the download mirrors would not be covered.

[tms]

Let's Encrypt is active now!

Check it here.

It's still in public beta but its certificates are already trusted by browsers. So now you can get an SSL certificate for free, with an automated system. Does this mean we can see HTTPS for the site soon? I too feel kind of insecure posting on a forum where any MitM could take over my account.

[eXpl0it3r]

It's not exactly news to us (all my sites already run with Let's Encrypt certificates). I'm not sure what exactly Tank's plan is, since he's the only one who can apply the certificates.

While the website is relatively easy to update, the forum will require extra work since we'll have to ensure that all the content on a site is loaded through HTTPS as well, which currently for example embedded YouTube videos or many images are not. And the forum software is really bad to work with...

Guess "soon" applies, whatever that means.

[Hapax]

Firefox version 52 brings with it in-your-face security notifications.

That is, entering stuff like usernames and passwords on unsecured sites (http) results in a security notification that links to a page that recommends not entering credentials on such a site without security. It's possible that this may scare away from the forum SFML users with genuine problems.

This is how it looks:

"Learn More" links to the page mentioned above.

Just thought you'd want to know...

[binary1248]

The only concern there was back then about converting to HTTPS was the issue with embedded content. Today, I can't think of any content one can embed (from reputable sites) that doesn't offer HTTPS support. Other sites on the internet embed stuff (including videos) all the time without too many problems. The cost of the certificate also isn't an issue any longer with letsencrypt fully functional.

I'm guessing the only thing preventing progress at the moment is the effort/time required. CI has been running with a letsencrypt certificate for over a year. Tank would have to take care of the forum and main site since they run on his server.

[eXpl0it3r]

Main site already has a certificate, but it's not enforced. There we need to exclude the ip address PHP file, which SFML uses via HTTP for remote IP resolving.

The forum might need some testing to make sure static files aren't included via HTTP, i.e. when using absolute URLs.
Plus the YT embedding might need rechecking.

In the end, Tank just needs to find the time to test and apply it.