TalonMan said:
I've discussed this before, but I'll certainly answer again: It's definitely NOT a technical issue for us, it's a resource issue. There are hundreds and hundreds of scripts, running this website (hell, I'm sure there are easily over a thousand - because there is 12yrs of code sitting on our server, and nobody has ever taken the time to figure out which scripts are even NEEDED at this point and which ones are obsolete!), that somebody will need to go through to clean any "http" URL references that have been hard-coded. It's not an impossible task, just a sh*t ton of tedious grunt work - and I don't have the desire or patience to even attempt it, right now. More to the point, what is the actual value (vs. perceived value) in doing all of this work (beyond the Google threat of lowering our search rank)? HTTPS has nothing to do with cookies or passwords, beyond the ones used on the specific website in question - and we are not an eCommerce site (beyond our Supporter program, which is handled entirely by PayPal), so there is nothing of "real" consequential value that is stored in our database or passed around on these pages. Let's imagine the absolute WORST of ALL WORST CASE scenarios - somebody found a way to steal (and also managed to somehow decrypt, because passwords here are definitely NOT stored plaintext) your VGChartz userpwd... ...oh no!! They have access to your VGChartz profile and can post as you! But what else? We don't store SSNs or credit cards or any financial information - in fact, beyond an email address (for bot prevention), we require the barest of bare minimum information in order to create an account. VGChartz is FAR MORE vulnerable to SQL injection and XSS attacks (something HTTPS has zero impact on), than any certificate could protect from - and if there was going to be any investment of time and effort into security, it would be in THOSE areas that we ought to be focused. Not a cosmetic "feel good" change, that has far less consequential impact... |
Thanks for answering! I'll admit, this came from a position of ignorance on my part on this matter. I thought HTTPS did more than that. Thanks for putting it into perspective. Sorry to trouble you to answer something you've answered before.
