Jump to content

SSL Certificates

Recommended Posts

Why isn't the site secured with SSL certificates? I'm not sure what your hosting situation is, but they're really easy to setup with LetsEncrypt.

Share this post


Link to post

I have already brought this issue up with the admins, and I don't think the guy who built the site actually knows how to use SSL. (he seemed to think it was already secured, and I knew nothing)

Share this post


Link to post

That is more than a bit worrisome, especially because Google (understandably so) is trying to get every website to switch over to HTTPS by prioritizing them in search results and Mozilla is doing the same with having warnings in Firefox for HTTP sites as well

Share this post


Link to post

I followed this guide a while back when I was running apache on my server. I looked up accursedfarms.com server information and it looks like they are running apache. And if the server admin gets that setup they should redirect all http requests to https

Share this post


Link to post

The site is already using CloudFlare to secure the server, they offer free HTTPS with not setup required.

 

What needs to be done is to enforce it using CloudFlare's site rules like so (the first rule is redundant):

2.jpg

 

Otherwise, you can already use a SSL enabled version of the site, just add the 's': https://www.accursedfarms.com/ :P

 

PD: The blog doesn't work well because all the assets are loaded from http:// using an absolute path instead of https or just relative (most likely a WordPress setting), so modern browsers blocks it from loading it but the forum seems to work just fine.

Share this post


Link to post
Otherwise, you can already use a SSL enabled version of the site, just add the 's': https://www.accursedfarms.com/ :P

That does not result in an actually secure connection, only a superficially secure one. (it appears to be secure, but is only as secure as regular HTTP)

Share this post


Link to post
Otherwise, you can already use a SSL enabled version of the site, just add the 's': https://www.accursedfarms.com/ :P

That does not result in an actually secure connection, only a superficially secure one. (it appears to be secure, but is only as secure as regular HTTP)

Hm? CloudFlare HTTPS connection is actually using modern encryption (TLS 1.2 and soon 1.3).

CF also allows to enforce a HTTPS connection between them and the server, now is set to flexible (Origin <----HTTP----> CloudFlare <---- HTTPS ----> User).

So, there are still uncrypted connections between the proxy and the server but for someone to monitor that traffic... we must be targeted by NSA :mrgreen: (are we?)

 

What makes it a bit "insecure" is not enforcing it, redirecting to a http version of the site may lead to cookie hijacking, however, just enabling it on the forums is good enough to prevent credentials being sent in plain text.

Share this post


Link to post

Just an FYI...

 

Because this site does not outwardly appear to use a proper secure connection, regardless of what it apparently says it uses on the backend, the Accursed Farms site is going to be flagged as "not secure" in July of this year. This will not only drive casual visitors away from the site, but also drop the Google Search ranking of the site, potentially allowing sites not affiliated with Ross Scott to come in at the top of the results instead.

 

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in the community.

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.