TalonMan said:
HylianSwordsman said:
Came back to this thread to say this.
|
I've discussed this before, but I'll certainly answer again: It's definitely NOT a technical issue for us, it's a resource issue.
There are hundreds and hundreds of scripts running this website (hell, I'm sure there are easily over a thousand - because there are 12 years of code sitting on our server, and nobody has ever taken the time to figure out which scripts are even NEEDED at this point and which ones are obsolete!) that somebody will need to go through to clean up any "http" URL references that have been hard-coded. It's not an impossible task, just a sh*t ton of tedious grunt work - and I don't have the desire or patience to even attempt it right now.
More to the point, what is the actual value (vs. perceived value) in doing all of this work (beyond the Google threat of lowering our search rank)? HTTPS has nothing to do with cookies or passwords, beyond the ones used on the specific website in question - and we are not an eCommerce site (beyond our Supporter program, which is handled entirely by PayPal), so there is nothing of "real" consequential value that is stored in our database or passed around on these pages. Let's imagine the absolute WORST of ALL WORST CASE scenarios - somebody found a way to steal (and also managed to somehow decrypt, because passwords here are definitely NOT stored in plaintext) your VGChartz userpwd... ...oh no!! They have access to your VGChartz profile and can post as you! But what else? We don't store SSNs or credit cards or any financial information - in fact, beyond an email address (for bot prevention), we require the barest of bare minimum information in order to create an account.
VGChartz is FAR MORE vulnerable to SQL injection and XSS attacks (something HTTPS has zero impact on) than any certificate could protect from - and if there was going to be any investment of time and effort into security, it would be in THOSE areas that we ought to be focused. Not a cosmetic "feel good" change that has far less consequential impact...
|
For a potentially easier implementation of HTTPS without editing your scripts, you can set up an NGINX (or similar) server in front of your web application that handles HTTPS from clients. HTTPS terminates at that NGINX server, which forwards the unencrypted HTTP request to the backend serving the site (and vice versa: the backend replies through the NGINX server, which encrypts its HTTP replies into HTTPS). Your scripts/backend would never even know about HTTPS.
It's more for our protection than for VGChartz. When I send my password/cookie to VGChartz over http, any computer between us can read that request and nab my password/token. Sure, all I lose is my VGChartz identity, but identity is valuable and people could reuse passwords across sites. Is the password at least salted on the client side?
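The TLS-terminating reverse proxy described in the post above, written out as an added example configuration (editor's example, not code from the thread or from VGChartz). The backend address 127.0.0.1:8080, the hostname example.com and the certificate paths are placeholders; the two response headers and the cookie directive are additions that deal with the hard-coded "http" references the earlier post mentions, without touching the backend scripts.

```nginx
# Added example: nginx terminating TLS in front of an HTTP-only backend.
# Assumptions (placeholders): backend on 127.0.0.1:8080, host example.com,
# certificate and key under /etc/nginx/certs/.

# Plain-HTTP listener: only job is to send browsers to the HTTPS listener.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Browsers that have seen this header refuse to go back to http://
    # for this host for a year, even if a page still links to http://.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Hard-coded http:// script/style/image URLs in old pages would
    # otherwise be blocked as mixed content; this directive makes the
    # browser rewrite them to https:// before requesting them.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;

    location / {
        # Backend sees plain HTTP; nothing in the scripts changes.
        proxy_pass http://127.0.0.1:8080;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets a backend that checks the scheme know the client used HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;

        # Session cookies set by the backend lack the Secure flag, so a
        # later http:// request would still leak them; nginx (1.19.3+)
        # can add the flag on the way out.
        proxy_cookie_flags ~ secure;
    }
}
```

Two things the proxy cannot fix by itself: a backend that builds absolute http:// links into page HTML will still emit them (the CSP directive above only upgrades the browser's sub-resource and same-site navigation requests, it does not edit the HTML), and anything that reads a cookie from JavaScript keeps working only because the example sets `secure` and not `httponly`.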