Apologies if this is already on someone's to-do list somewhere.
Just noticed today when signing-in and liking some proposals, that opensourcebridge.org (and all the JS served from it) is HTTP-only (no HTTPS).
Besides all the usual reasons (see https://indieweb.org/HTTPS#Why) since the site has logins (even if OpenID / IndieAuth), it needs to support HTTPS to mitigate the Firesheep vuln.
Apologies if this is already on someone's to-do list somewhere.
Just noticed today when signing-in and liking some proposals, that opensourcebridge.org (and all the JS served from it) is HTTP-only (no HTTPS).
Besides all the usual reasons (see https://indieweb.org/HTTPS#Why) since the site has logins (even if OpenID / IndieAuth), it needs to support HTTPS to mitigate the Firesheep vuln.
Hopefully https://indieweb.org/HTTPS#How_to (in particular the LetsEncrypt pointers) can be helpful here.
Thanks for your consideration!
(full disclosure I too need to add proper HTTPS support to my own site, beyond the self-signed cert I'm using)