It’s mostly relevant for when you’re logging in. Yeah, a message board login isn’t as critical as online banking, but you still want some security in place there.
well, as of now, the security is not working for me.
(if it’s relevant: I use a 4 year old PC with Windows 7)
Only issue I have now is that the link on straightdope.com is http
Yeah, I’m still on HTTP, too. I can get to the HTTPS version, but I’m not being automatically redirected. And, when I post, I’m taken back to the HTTP version.
Even once you add the redirects, it’s not good to send people to the HTTP version. That basically negates the security. Anyone can still fake the HTTP URL. So a web app always needs to always take you to directly to the HTTPS URL.
Well, login is most important to the users here. It’s unlikely that anyone sniffing traffic at the coffee shop wants to login here and post spam, but there’s often a decent chance that the same username/password combo is valid at one of several common email domains, since folks tend to repeat those things. Heck, I did that myself here after I had long known better from personally seeing passwords in a packet capture.
From the perspective of the people running the board, it’s important to implement https because of its effect on search results and therefore traffic. Google is public about preferring sites that offer https over those that don’t. Unless you’re one of the only places that match a particular search string, you’re likely to be ranked lower than several other sites that macth, but offer https.
Heh. I remember mentioning in an ABTMB thread that setting this site up for https was going to be more difficult than just editing an apache config. I’m sorry to see you guys having trouble implementing this. However, it’s nice to be proven right, and I appreciate the hard work. Give us an update when you’ve got it worked out. As of now, you’re not offering a cipher or certificate to an openssl s_client connection on 443.
ETA: You are however offering a TLSv1.2 protocol, somehow.
Missed the ETA2, but: You’re also closing the connection immediately. I don’t have any time to make a request. It’s rude, but that may just be part of Cloudfront’s DDoS protection.
There a more-than-middling chance that when this change happens, I will have to go to the public library to access SDMB, or else buy a new computer.
I’ve no idea if I’m connecting via http or https, because the URL on display is simply “boards.straightdope.com”. It’s never had the prefix.
Well, only if they force a redirect to https. That’s common, but not absolutely necessary for them to do.
[EVANGELISM]
If this turns out to be true, you could always venture in to a new frontier of computing between trips to the library! Your old computer could run just fine with Linux and a lightweight desktop environment!
The sad part is, I’m pretty much serious. Installing something like LUbuntu is pretty easy once you understand the PC. You can even resize your Windows partition and dual boot while only partially understanding what’s going on.
But, it’s still different from Windows in many fundamental ways. It’s a different world. Don’t go into it too lightly, and back up your stuff before you do anything to your disks.
[/EVANGELISM]
Woah, I’m a terrible evangelist. Either way, I love the damn operating system, and if you’re going to trash the compy anyway, might as well learn something, huh? My first install was 50 floppy disks of Slackware. The lesson in that install was: test your floppy disks. I think I went through 60 floppies before I got a good install. Mmmmmmm, Wlnut Creek CD-ROM.
OK, I’ll shut up. Let us know what’s fit for us to know!
On preview: Morgyn, most browsers these days don’t display the prefix. If you type https://boards.straightdope.com into the URL field of the browser (or click on that link), it will attempt an https connection. At the time of this post, Firefox is falling back to a normal http connection. If it doesn’t have to fall back, it will normally display a lock icon at the beginning of the URL. I’m not sure what browser you’re using, so I can’t offer more specific info.
Why am I offering so much free tech support? BECAUSE I CAN’T HELP MYSELF. Sorry, I sometimes really can’t. It’s non-committal support anyway, I’ll just leave in the morning, baby. Then you’ll be stuck trying to understand the solution I put in place.
Really, I’ll shut up now.
The “http[s]” part is hidden but will be included in a copy and paste, but in any case you should be able to tell because you will typically have an icon to the left of it in the address bar. Firefox for instance will display either a green padlock for https, a gray one with a red line through it for http, or a circled “i” that you can click on for information. Currently I’m getting http connections.
I’m fine on my actual computers but I fear for my old tablet that I use quite a lot to surf the net. The https link in #15 works in Firefox + Windows 7, but on the tablet I get “network not available” – and it does support https. I don’t expect SDMB to accommodate obsolete browsers, but if I can no longer use the tablet for access it would put a major crimp in my surfing habits! 
Well, to be honest, the response I’m getting with a lower-level encryption tool above aren’t normal responses to refusing/redirecting an https connection to http, in my experience. I wouldn’t start to worry about how your tablet tries to behave when forcing an https connection until the SDMB starts to fore a secure connection through an http redirect.
Thanks, **wolfpup **and scabpicker. For some reason, I hadn’t noticed that a lot of sites no longer show the http/https as part of the URL.
I’ve got the circled i on Firefox, and it tells me my connection is not secure. Clicking the link **scabpicker **provided just bounced me back to the insecure address. Everything works, so I’m not going to worry about it.
I’ve just tried the https set-up. No oddities on nav that I’ve found. Though I didn’t venture far. Because …
I’ve set IE 11 to warn about any non-secure content on an https page. And I get that warning on every page view. https is a screen-doored submarine unless 100% of a page’s content is served that way. So I’m not going to switch that warning off.
Which means I’ll be using http for the foreseeable future.
The board *can *get configured into a legitimately secured config. But it’ll be a bit of a PITA for the IT folks. Good luck and best wishes.
Preaching to the converted, are we? 
As a matter of fact, this machine is running Linux. (ETA: Fuck Windows!) The box itself is about 10+ years old, has all of ONE Gig of memory (almost), Ubuntu Ver. 9.10, Firefox is about equally as old. Last time I tried upgrading (several years ago), it crashed incessantly (some hardware incompatibility apparently), so I re-installed everything that I had just wiped out and haven’t upgraded anything for years.
Little by little as various web sites get updated, more and more of them don’t work for me. This pisses me off because most of the stuff that doesn’t work consists of HTML/CSS/JavaScript stuff that worked perfectly well in older versions, and they don’t need to be using all the newest versions of HTML/CSS/JS just because they can! Hey, c’mon, simple buttons have worked since Day One, and still do, and they don’t need to write fancy-schmancy custom button code just to do what a simple button has always done. So my attitude is screw those sites.
In fact, this has forced me to discover that paying my credit cards by phone instead of on-line not only works, but is actually faster and easier!
I do have one device that can’t handle modern HTTPS. But it’s an old Kindle, and posting on it would be a pain anyways.
What bugs me more is that there isn’t an HTTP version of Wikipedia. I see no reason there shouldn’t be an HTTP version that doesn’t allow logging in or editing. As xkcd put it, it made your Kindle into basically the Hitchchiker’s Guide.
It was one of the things I was looking forward to when I found a Kindle 2 in eBay.
I’ve always said that your site’s browser requirements should be dictated by the content of the site. If your content consists of in-browser games, for instance, then it’s fine to require Javascript, Flash, and the like. But if it consists of a photo gallery, then it should run in Mosaic, and if it’s textual information, then it should run in Lynx. It’s fine if you use those other technologies to make it prettier on browsers that can handle them, but they should always, always be implemented in such a way as to be backwards compatible, and if you can’t do that, then your site shouldn’t use them.
Nice sentiment. But …
Other than complying with ADA requirements, that quickly turns into a decision to quadruple the design and maintenance costs to increase your usership by 1 or 2%.
The fancier the marketing and style zeitgeist gets, the farther the plain-Jane 1995 html-only site deviates from the 2018 buzziest & coolest.
Even Microsoft (they of “Quirks forever!”) eventually drop backwards compatibility.
ISTM the major user problem with advanced website tech (which I share) is that most of it is used to deliver the ads we hate, not the functionality we want. If there was a way to say “disable all ad-related css, script, etc., but none of the functional stuff” we’d *all *have that checkbox checked.
Said another way: “The commercial instinct ruins everything. Even commerce.” 
In addition to securing your login/password (which for most normal people is something they unfortunately re-use on more sensitive websites), HTTPS provides significant privacy protection. Various public and private entities watching your data are unable to see (or at least have to use much more sophisticated tools to see) which particular pages you navigate to when accessing an HTTPS site. So the fact that you read nothing but threads about the grooming of goats will remain unknown to the corporations trying to sell you goat shampoo and the countries trying to blackmail you over your goat habits.
Could this be affecting tapatalk? I can go as far as selecting which forum I want, then it just loads and loads and loads without being able to see even any thread titles.
Missed edit window:
Uninstalling and reinstalling the tapatalk app seems to have solved the issue.
Sent from my SAMSUNG-SM-G900A using Tapatalk