leezer3 / OpenBVE

OpenBVE - A free train simulator
http://www.openbve-project.net

Use HTTPS for openbve-project.net #228

Closed WPFilmmaker closed 6 years ago

WPFilmmaker commented 6 years ago

At the moment the website does not use HTTPS (not even for the download page). Switching to HTTPS would provide security for the user and would make the site future-proof (both Firefox and Chrome are enabling tactics to warn users against non-secure websites).

cwfitzgerald commented 6 years ago

Unfortunately that isn't possible. We use github-pages for hosting and HTTPS isn't available for custom domains. If @leezer3 wants to, I would be willing to sponsor hosting for the website on an actual VPS.

Connor Fitzgerald Sent from my Phone. Please excuse my brevity.


WPFilmmaker commented 6 years ago

@Sirflankalot Thanks for the reply, browsers are pushing hard to move to secure connections so in the future you will probably have to add it anyway, but for now what about redirecting to GitHub for the download? It would be safer and at no cost since GitHub already uses HTTPS.

cwfitzgerald commented 6 years ago

That would be possible and is probably the best solution until leezer3 and I can work something out.


leezer3 commented 6 years ago

I think we can actually use Cloudflare to proxy the current hosting setup with SSL, although I'm by no means convinced it needs it. It's only simple Jekyll-generated static HTML, with no data input or anything like that, which is where the browsers are pushing.

FWIW, the downloads are served via my VPS with SSL at the minute (256mb, 2 core + nginx) :) Load averages are currently low, but I dunno what adding the main site to the mix would do; it's surprisingly high traffic, as we pick up a lot from searches such as 'Free train simulator'

cwfitzgerald commented 6 years ago

So I think that at least solves the problem of the downloads :)

I think he does have a point regarding Chrome and Firefox's warning about http. It will detract possible users from playing the game if they set big scary warnings.


leezer3 commented 6 years ago

OK, download links changed to https

Cloudflare also ought to be proxying the main site whenever the DNS config updates, let's see how that works before we try anything else...

FWIW: Big scary warnings are never going to happen with static sites IMHO, too much of the internet uses them. Worst we're going to see is the little unsecure icon there.

WPFilmmaker commented 6 years ago

@leezer3 Thanks! Hope to see #229 implemented as well when you've got time and resources.

cwfitzgerald commented 6 years ago

@leezer3 That's a very fair point, if we see problems we can fix it.

leezer3 commented 6 years ago

Right, complete site is now https served and working, so closing this one :)

cwfitzgerald commented 6 years ago

Awesome! Thanks!