Forums only available over HTTPS

I hope you are aware that modern malware is very capable of spying on the OS level, not only network traffic, where it makes no difference whatsoever what protocol you are using between your server and the client's browser. In other words, securing over HTTPS for what must be 99.99% public information vs 0.01% private messages makes it a big waste of resources to the point I'd call it overkill. The chance that someone is interested in what people post here is close to zero in reality - if anything, the likelihood of your server / forum software being hacked (and private content being read) is proportionally a lot higher - either by brute-force-based attacks directed at individual member or admin accounts - or by exploit-based attacks directed directly at your software. In these cases, HTTPS matters absolutely zero. The likelihood of HTTPS being a factor in securing login details and the little amount of private messages (relative to the rest of the content that is being created) is a very small fraction.

But sure, in the paranoid world we live in with the NSA & KGB with their supercomputers and teenage l33t hackers and their cousins breathing down our necks and interested in every single individual's public tweets or their view on gaming; let's crank up TLS/SSL with at least 65536-bit encryption (so that no one in at least a billion years will ever be able to decipher it, notwithstanding that everyone's browser will take 30 minutes to load each click) so that everyone can feel safe & secure...
 
Given that it's a low-friction change to make that does improve security and privacy for those without malware, I'm not sure why you're so against it. I have a responsibility to protect the forum users' private information, and making it only available over a secure channel is a cheap, easy and painless thing for me to do.
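
The "only available over a secure channel" part of the post above, shown as an nginx configuration. This is an added example, not the forum's own configuration; the host name forum.example, the document root and the certificate paths are placeholders. The first server block is the weak setup (the same content reachable over plain HTTP), the remaining two are the corrected setup (port 80 only redirects, everything is served over TLS, and the browser is told to stay on HTTPS).

```nginx
# Added example, not the forum's own configuration; forum.example and the
# certificate paths are placeholders.

# Weak: content served over plain HTTP as well as HTTPS, so the session
# cookie and any private messages travel in the clear whenever a user
# follows an http:// link.
server {
    listen 80;
    server_name forum.example;
    root /var/www/forum;   # same content as the HTTPS vhost
}

# Corrected: port 80 does nothing but redirect to HTTPS.
server {
    listen 80;
    server_name forum.example;
    return 301 https://$host$request_uri;
}

# All forum content lives behind TLS.
server {
    listen 443 ssl http2;   # http2 replaced the older spdy directive in nginx
    server_name forum.example;

    ssl_certificate     /etc/ssl/forum.example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/forum.example/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;   # session resumption keeps handshake cost low

    # Browsers that have seen this header use HTTPS for the next year even
    # when a link or bookmark says http://.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/forum;
}
```

The redirect alone still leaves the first plain-HTTP request exposed, which is what the Strict-Transport-Security header is for; the forum software should also mark its session cookie with the Secure attribute so it is never sent over the port-80 listener at all.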
 

Or you're browsing from the office and your employer scans internet transactions for one reason or another, and you don't think it deserves access to your private forum account...
Just a thought.
 
https://www.eff.org/https-everywhere/faq

Q. Isn't it more expensive or slower for a site to support HTTPS compared to regular HTTP?
A. It can be, but some sites have been pleasantly surprised to see how practical it can be. Also, experts at Google are currently implementing several enhancements to the TLS protocol that make HTTPS dramatically faster; if these enhancements are added to the standard soon, the speed gap between the two should almost disappear. See Adam Langley's description of the HTTPS deployment situation for more details on these issues. Notably, Langley states: "In order to [enable HTTPS by default for Gmail] we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead."

Although we're quite concerned about the certificate authority system, certificates in the current system are now quite cheap — paid certificates can cost just ten to twenty dollars a year.
 
Yes the overhead is inconsequential and with SPDY support now, it's just as fast.
 
I was gonna say, pretty much everyone on B3D will have a SPDY enabled browser. Performance is definitely fine for me in Chrome. If Rys hadn't posted this I probably wouldn't have noticed.
 