demozoo / demozoo

the best demoscene website in the world.

Enforce HTTPS #93

Closed glennlunder closed 8 years ago

glennlunder commented 10 years ago

Excerpt from @gasman's post on the mailing list:

Which leaves me in a bit of a quandary: maybe we should be considering HTTPS? I don't know of any other demoscene site that bothers with it - but at the same time, things like Firesheep http://codebutler.com/firesheep/ have made me aware that the typical demoparty WLAN provides plenty of opportunity for people to fuck around with network security if they so choose, so perhaps we should be leading the way. (And then that thought is immediately followed by "yeah, but if people wanted to be assholes at a demo party, they can just as easily find an unattended PC and post abuse to Pouet under the owner's account. Or just walk out with a rucksack full of laptops.") Also, I don't know exactly what's involved in setting up HTTPS (other than 'giving a certain amount of money to a certificate authority, and doing a certain amount of fiddling with server config').

Defacto2 commented 10 years ago

HTTPS can be done on the cheap these days. I use RapidSSL on https://www.defacto2.net/ but there are cheaper certificates: https://www.ssls.com/ https://www.namecheap.com. All you want is end-to-end encryption that is acknowledged by the browser, rather than public identity validation etc. If you have any administration features or logins that are exposed to the Internet, it really should be locked behind SSL.

scene.org uses https https://www.scene.org/

DannyCork commented 8 years ago

Considering the security disclosures since this issue was created (2014) I would agree that any site not implementing https is lax and not following best practice.

https://letsencrypt.org is very popular nowadays and free of course.

glennlunder commented 8 years ago

I agree with this and strongly encourage us to adopt https. It's just good internet citizenship at this point.

sagamusix commented 8 years ago

I don't think that enforcing HTTPS would necessarily be a good idea (who knows what kind of retro devices our dear demoscene friends try to visit the site with), but having HTTPS available would be a good first step. Things like the login form target URL may still point to the HTTPS version explicitly of course, so that login credentials are transmitted safely by default.

glennlunder commented 8 years ago

We are the "Next-Generation Website for the Demoscene" (https://www.youtube.com/watch?v=eehtu27IceU), so it's sort-of in our mission statement to apply modern principles to what we do. I do think that if you're trying to browse this site with a device that's so old it doesn't support HTTPS, then a lot of other functionality on there won't be available to your particular browser either.

gasman commented 8 years ago

From what I've heard, it's a lot more faff to make a site partially HTTPS (e.g. just login forms) than it is to go HTTPS all the way - you need to make cookies for logged-in users HTTPS-only (because transmitting those over clear-text is just as bad as transmitting passwords) which in turn means you have to prevent those users from accidentally switching back to HTTP (because then they'll show as logged-out)...

If we want to cater for weird oldskool hardware, it'd probably be better to do that through a dedicated alternate domain (lite.demozoo.org?). Actually, we should probably keep the API available over plain HTTP too.
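The three mechanics gasman's comment describes (bounce plain-HTTP page requests to HTTPS, keep the API reachable over HTTP, and mark the session cookie so a browser never sends it in clear text) as an added example in plain Python; this is not Demozoo's code, and the `/api/` prefix, the `sessionid` cookie name, the one-year HSTS lifetime and the sample requests are all constructed for illustration. In Django the same knobs are `SECURE_SSL_REDIRECT`, `SECURE_REDIRECT_EXEMPT`, `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE` and `SECURE_HSTS_SECONDS`.

```python
# Added example, not Demozoo's code: a minimal model of what "HTTPS all the
# way" means in application logic.  Assumptions: API lives under /api/, the
# session cookie is called "sessionid", HSTS lifetime is one year.
import re
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

# Paths allowed to stay on plain HTTP (assumed prefix, cf. "keep the API
# available over plain HTTP too").
REDIRECT_EXEMPT = [re.compile(r"^/api/")]
# HSTS is per host, so browsers will upgrade /api/ on the same host anyway;
# only non-browser API clients benefit from the exemption.
HSTS_MAX_AGE = 31536000


def is_exempt(path):
    """True if the path may be served over plain HTTP."""
    return any(pattern.search(path) for pattern in REDIRECT_EXEMPT)


def request_scheme(request):
    """Scheme as the app should see it.  Behind a TLS-terminating proxy the
    socket is plain HTTP, so X-Forwarded-Proto is trusted only when the
    request is known to come from that proxy."""
    if request.get("behind_trusted_proxy"):
        forwarded = request["headers"].get("X-Forwarded-Proto", request["scheme"])
        return forwarded.lower()
    return request["scheme"].lower()


def enforce_https(request):
    """Return (status, headers) for a redirect, or None to let the request pass.

    request is a dict with keys scheme, host, path, query, headers and
    behind_trusted_proxy.  A logged-in user who lands on http:// is sent
    straight back to https://, so the Secure cookie is never "missing".
    """
    if request_scheme(request) == "https" or is_exempt(request["path"]):
        return None
    location = urlunsplit(("https", request["host"], request["path"],
                           request["query"], ""))
    # 301 is fine for GET/HEAD; a POSTed login form would lose its body across
    # the redirect, which is why the form action should already be https://.
    return 301, {"Location": location}


def session_cookie_header(session_id):
    """Set-Cookie value for a session cookie that is never sent over HTTP."""
    jar = SimpleCookie()
    jar["sessionid"] = session_id
    morsel = jar["sessionid"]
    morsel["secure"] = True     # browser only attaches it to https:// requests
    morsel["httponly"] = True   # not readable from page JavaScript
    morsel["path"] = "/"
    return morsel.OutputString()


def https_response_headers():
    """Extra header for every HTTPS response once HTTPS is enforced."""
    return {"Strict-Transport-Security": "max-age=%d" % HSTS_MAX_AGE}


if __name__ == "__main__":
    # Constructed sample requests.
    page = {"scheme": "http", "host": "demozoo.org", "path": "/productions/1/",
            "query": "", "headers": {}, "behind_trusted_proxy": False}
    api = dict(page, path="/api/v1/productions/")
    print(enforce_https(page))  # (301, {'Location': 'https://demozoo.org/productions/1/'})
    print(enforce_https(api))   # None
    print(session_cookie_header("abc123"))
```

The exemption list is the one trap to watch: because HSTS applies to the whole hostname, serving the API over plain HTTP on the same host only works for clients that ignore HSTS; a browser will still upgrade those requests, and the redirect itself is a second point where an unsecured cookie could leak if it were not marked Secure.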

gasman commented 8 years ago

HTTPS is now enforced as of 32d03bb10d8fd0d279543e981c198f54c3c41ddd. Yay!