SSL Certificate

doveroftke · June 4, 2019, 7:22pm

Currently this site does not offer secure connections. Most hosts now offer free basic SSL certificates. I would suggest adding this certificate and at least making the secure connection an option if not mandatory.

responseBot · June 4, 2019, 7:22pm

This is an automatically-generated Wiki post for this new topic. Any member can edit this post and use it as a summary of the topic’s highlights.

StatGren · June 4, 2019, 7:53pm

It doesn’t?

cert

doveroftke · June 4, 2019, 7:59pm

My bad, looks like it works when I put in www, it doesn’t work without the www.

StatGren · June 4, 2019, 8:17pm

You did find an issue. It’s just not due to the lack of a cert. There needs to be a redirect from htttp://www.fragiledeal.com to https://www.fragiledeal.com.

Bookmark https://www.fragiledeal.com

ZenNuts · June 4, 2019, 8:21pm

Interesting, in Chrome, it says “your connection is not fully secure” even though it says https://

StatGren · June 4, 2019, 8:36pm

You are correct. Looks like the offender is this content on the main page (d-logo-sketch-small.png). If that http: could be changed to https:, it might fix the main page. Then again, I stopped looking once I found the first incorrect reference. But I looked through quite a bit before finding that one.

gremln007 · June 4, 2019, 10:58pm

Despite the push by Google and others, I would argue that SSL is not needed on a web site like this. (Others will disagree, of course).

scripta · June 5, 2019, 12:02am

The SSL is not to protect the website, it’s to protect the users from having their opinions (posts) collected by their ISP or some other man-in-the-middle or TLA. When it comes to most of what’s here (financial advice, rates discussion, etc) I agree, but we do have a few threads with more controversial subjects. User privacy is important.

StatGren · June 5, 2019, 1:28am

Me! Me! Whether or not it is needed is almost beside the point. The technology is there and universally supported in browsers. The cost to implement and the cost in terms of performance are both absolutely negligible. So the question becomes, why not? Not only is there the aforementioned encryption in transit, but you are sure that you are actually talking to the web site that you think you are.*

* Or are you? He who controls the certificate store on your machine rules your world. It is quite common (I’m looking at you, Zscaler) to have an intermediate site decrypting and re-encrypting the traffic and getting away with it by having their own certs on your machine. That way your employer has access to your “encrypted” traffic, and you’d never know.

gremln007 · June 5, 2019, 3:11am

Good point! Thanks @scripta. I can get behind that reasoning.

One of the reasons I love this site and FW before it. Great group of smart folks on a variety of topics.

MeatCat · June 23, 2019, 4:10pm

I can manually adjust my address to add the “s” in there, but each time I click an email notification, I’m back to http.

Is there any way to get the links in emails to contain the “s” or to get the entire site to forward all links to https?

StatGren · June 23, 2019, 5:01pm

For the person that controls the web server for the site, this is trivial. A redirect of http: to https:. But I assume this site is hosted and that level of access may not exist.

That also doesn’t solve the problem initially reported, which I think, is due to an http: reference to the logo on the main page.