crobertsbmw / deckofcards

An API to simulate a deck of cards
MIT License

Enable HTTPS #7

Closed mathiasbynens closed 7 years ago

crobertsbmw commented 8 years ago

Seeing as this is not intended to be used for actual casino games, and we don't collect any user data at all, I've decided to save my time and mark this as a wontfix.

mathiasbynens commented 8 years ago

Seeing as this is not intended to be used for actual casino games, and we don't collect any user data at all.

That doesn’t matter. https://https.cio.gov/everything/ does a great job of explaining why.

If saving time is the goal, then note that with CloudFlare you could easily enable HTTPS in a matter of minutes without having to do any server configuration.

crobertsbmw commented 8 years ago

I added it to cloudflare. I don't know how they are magically going to change everything to be over https, but it's supposedly in the works ;)

On Wed, Jul 13, 2016 at 12:51 PM, Mathias Bynens notifications@github.com wrote:

Seeing as this is not intended to be used for actual casino games, and we don't collect any user data at all.

That doesn’t matter. https://https.cio.gov/everything/ does a great job of explaining why.

If saving time is the goal, then note that with CloudFlare you could easily enable HTTPS in a matter of minutes without having to do any server configuration.


crobertsbmw commented 8 years ago

Thanks for pushing me to do this. It's all available on https now, and I will update the documentation to say https://... instead of http://... But the question I have now is how does this cloudflare thing work? My nginx configuration is all set up to work over port 80 and not 443 (which I understand is the port for SSL), and I didn't install any ssl certificates on the server. I figure if I am going to support https, then all regular http traffic should be redirected to https. But if nginx is serving it all over port 80 with no ssl certs, how is it going to know the difference?

mathiasbynens commented 8 years ago

Thanks for doing this!

how does this cloudflare thing work?

You changed your DNS to point to CloudFlare’s servers, so they can do whatever they want to your site. They act as a man in the middle between your server and your site visitors, which enables them to perform all the crazy optimizations + to generate an HTTPS certificate. https://blog.cloudflare.com/introducing-universal-ssl/#how-does-it-work has more info.

mathiasbynens commented 8 years ago

On https://deckofcardsapi.com/ you may want to replace http://fonts.googleapis.com/ with https://fonts.googleapis.com/ to avoid mixed content issues.

notpushkin commented 7 years ago

@mathiasbynens CloudFlare's Flexible SSL (which is the mode you've suggested) is actually a bad idea as it just disguises HTTP as HTTPS (so it isn't really more secure).

The user is presented with a false sense of security, suggesting security that simply isn't there. This breaks the TLS model, and is extremely dangerous; users will behave more carelessly because they believe they are being protected, resulting in a greater compromise.

mathiasbynens commented 7 years ago

so it isn't really more secure

@iamale Providing HTTPS to end users at the cost of trusting the connection between the server and CloudFlare is a heck of a lot more secure than not providing HTTPS at all. In the latter case, you’d have to trust each and every end user’s network connection for it to be about as secure as the CloudFlare solution.

notpushkin commented 7 years ago

You're right. Still, there are better options for this, like Let's Encrypt, which is free and not much harder to set up (like, 2–3 shell commands on the server).
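The thread above raises three practical points: how nginx, listening only on port 80, can tell an https visitor from an http one once Cloudflare sits in front of it; why Flexible SSL leaves the Cloudflare-to-origin hop in the clear; and that a Let's Encrypt certificate on the origin closes that gap. The configuration below is an added example and is not the deckofcards project's own nginx config. It assumes the site is deckofcardsapi.com, that the certificate was issued by Let's Encrypt's certbot client into its default directory, and that the application listens upstream on 127.0.0.1:8000 (all three are assumptions for the sake of the example). With the origin serving TLS itself, Cloudflare can be switched from "Flexible" to "Full (strict)", which encrypts and verifies the hop to the origin as well as the hop to the browser.

```nginx
# Added example, not the project's own configuration.
# Assumptions: domain deckofcardsapi.com, certbot-issued certificate,
# application upstream at 127.0.0.1:8000.

# HTTPS origin. In Cloudflare "Full (strict)" mode the edge connects here over
# 443 and checks this certificate, so the edge-to-origin hop is protected too
# (the hop that "Flexible" mode leaves as plain HTTP).
server {
    listen 443 ssl;
    server_name deckofcardsapi.com;

    ssl_certificate     /etc/letsencrypt/live/deckofcardsapi.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/deckofcardsapi.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Keep browsers on HTTPS once it is known to work everywhere.
    add_header Strict-Transport-Security "max-age=31536000" always;
    # Backstop for stray http:// subresources such as the Google Fonts link:
    # the browser fetches them over https instead of reporting mixed content.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Port 80. Cloudflare reports the scheme the *visitor* used in the
# X-Forwarded-Proto header. While Cloudflare is still in Flexible mode it
# reaches this block over port 80 even for https visitors, so redirecting on
# the port alone would loop; the decision is made on the header instead.
server {
    listen 80;
    server_name deckofcardsapi.com;

    # certbot's HTTP-01 challenge must stay reachable over plain HTTP so the
    # certificate can be issued and renewed.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        if ($http_x_forwarded_proto != "https") {
            return 301 https://$host$request_uri;
        }
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Once the 443 block answers with a valid certificate, the Cloudflare SSL mode can be moved from Flexible to Full (strict); at that point the port 80 block only ever sees direct http requests and acme-challenge traffic, and the header check simply redirects the former. certbot's nginx plugin (`certbot --nginx -d deckofcardsapi.com`) can generate the certificate and the 443 block in one step, which is the "2–3 shell commands" mentioned above.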

zygimantus commented 7 years ago

You should close this issue.