Deskthority over HTTPS?

Posted: 19 Sep 2012, 17:08
by RC-1140
Hi,
as I am regularly forced to use an untrusted, unencrypted network, I don't feel fine using unencrypted HTTP to connect to Deskthority. Using an SSH-Tunnel or VPN isn't always an option, so it would be very nice if it was possible to reach Deskthority over HTTPS. I would think that a certificate signed by CACert should be sufficient, to avoid the cost of a signed certificate.

I'd be very happy if you implemented this!

Posted: 19 Sep 2012, 17:43
by bhtooefr
StartSSL also does free certificates that would be sufficient.

Posted: 19 Sep 2012, 18:38
by dirge
Couldn't you just use any old generated cert? You'd just need to manually trust it. No need to buy one. Not sure on the *nix side, but on IIS, selfssl in the resource kit would be enough to get things working.

Posted: 19 Sep 2012, 18:45
by bhtooefr
Manual trust isn't a good policy except for a private site.

Posted: 19 Sep 2012, 18:49
by dirge
bhtooefr wrote: Manual trust isn't a good policy except for a private site.
Not something I'd suggest people do, but if it's only for one or two people on here and they are aware...

Posted: 19 Sep 2012, 19:50
by bhtooefr
But others may stumble on an https link and NOT be aware.

Posted: 19 Sep 2012, 20:32
by trax
bhtooefr wrote: But others may stumble on an https link and NOT be aware.
You can host both ssl and non-ssl. Non secured would be the default.

Posted: 19 Sep 2012, 21:13
by bhtooefr
Yes, you can host both (my server has a valid certificate and hosts both), but let's say that one of the users is used to using the SSL site. They copy a link to a post, and paste it somewhere.

Now, a user is getting directed to the SSL site, and gets the certificate error from their browser.

See the problem?

And, it's free and easy to do it right, so why not do it right?

Posted: 19 Sep 2012, 22:04
by webwit
It would be an interesting experiment to do it all over https. CPU capacity is not a problem any more with https, but there's still the extra negotiating. This means that in order for the site to remain fast, it must be optimized to make as few https requests as possible. So, for example, you don't load 1 page + 1 css + 10 images, but 1 page + 1 css with base64 encoded images or one css sprite, reducing the number of requests. Also, there's the problem with mixed content. All in all, it's an effort for which we simply don't have the required amount of manpower on a hobby forum at this point in time.

Posted: 19 Sep 2012, 22:16
by woody
HTTPS is best left for a login page only. Serving all content encrypted will make it crawl.

Posted: 19 Sep 2012, 22:46
by webwit
Not if done well. But that takes effort. The only really secure way to do https is to do it all the way.

Posted: 20 Sep 2012, 14:35
by Icarium
Wow, people really optimize the number of requests? Can't you just set it up in a straightforward way and if somebody thinks it is too slow they can just use the regular kind?

Posted: 20 Sep 2012, 16:58
by dirge
Does open you up for an SSL handshake DoS, but would normally come from the same IP and be blocked quickly.

Posted: 27 Sep 2012, 22:39
by sirtetris
Just want to add that I'd appreciate being able to connect with ssl, too.