Deskthority over HTTPS?

RC-1140

19 Sep 2012, 17:08

Hi,
as I am regularly forced to use an untrusted, unencrypted network, I don't feel fine using unencrypted HTTP to connect to Deskthority. Using an SSH-Tunnel or VPN isn't always an option, so it would be very nice if it was possible to reach Deskthority over HTTPS. I would think that a certificate signed by CACert should be sufficient, to avoid the cost of a signed certificate.

I'd be very happy if you implemented this!

bhtooefr

19 Sep 2012, 17:43

StartSSL also does free certificates that would be sufficient.

dirge

19 Sep 2012, 18:38

Couldn't you just use any old generated cert? You'd just need to manually trust it. No need to buy one. Not sure on the *nix side but IIS, selfssl in the resource kit would be enough to get things working.

bhtooefr

19 Sep 2012, 18:45

Manual trust isn't a good policy except for a private site.

dirge

19 Sep 2012, 18:49

bhtooefr wrote: Manual trust isn't a good policy except for a private site.
Not something I'd suggest people do, but if it's only for one or two people on here and they are aware...

bhtooefr

19 Sep 2012, 19:50

But others may stumble on an https link and NOT be aware.

trax

19 Sep 2012, 20:32

bhtooefr wrote: But others may stumble on an https link and NOT be aware.
You can host both ssl and non-ssl. Non secured would be the default.

bhtooefr

19 Sep 2012, 21:13

Yes, you can host both (my server has a valid certificate and hosts both), but let's say that one of the users is used to using the SSL site. They copy a link to a post, and paste it somewhere.

Now, a user is getting directed to the SSL site, and gets the certificate error from their browser.

See the problem?

And, it's free and easy to do it right, so why not do it right?

webwit
Wild Duck

19 Sep 2012, 22:04

It would be an interesting experiment to do it all over https. CPU capacity is not a problem any more with https, but there's still the extra negotiating. This means that in order for the site to remain fast, it must be optimized to make as few https requests as possible. So, for example, you don't load 1 page + 1 css + 10 images, but 1 page + 1 css with base64 encoded images or one css sprite, reducing the number of requests. Also, there's the problem with mixed content. All in all, it's an effort for which we simply don't have the required amount of manpower on a hobby forum at this point in time.

woody
Count Troller

19 Sep 2012, 22:16

HTTPS is best left for a login page only. Serving all content encrypted will make it crawl.

webwit
Wild Duck

19 Sep 2012, 22:46

Not if done well. But that takes effort. The only really secure way to do https is to do it all the way.

Icarium

20 Sep 2012, 14:35

Wow, people really optimize the number of requests? Can't you just set it up in a straightforward way and if somebody thinks it is too slow they can just use the regular kind?

dirge

20 Sep 2012, 16:58

Does open you up for an SSL handshake DoS, but would normally come from the same IP and be blocked quickly.

sirtetris

27 Sep 2012, 22:39

Just want to add that I'd appreciate being able to connect with ssl, too.
