Closed FranklinYu closed 6 years ago
JSonDiff is hosted on a different service. Do you think it needs HTTPS support? The only data it normally sends is what is available as open source in GitHub. It never sends the JSON data anywhere when comparing it.
Yes, I know that this is a static site. I just thought that we can make full use of GitHub Pages service since Chrome starts to mark HTTP sites as “insecure”.
If it is not GitHub Pages then it may not be worth the bother so forget it.
Sorry to bump such an old issue, but one thing HTTPS also ensures is that the content received by the browser has not been modified. For example, without HTTPS, an attacker who was able to intercept and modify traffic could alter the page so it sent all submitted data to them.
Hello @Artemis21,
You're making a valid point here. Having the SSL certificate would ensure the provenance of the site, which would avoid man-in-the-middle-style attacks like the one you're talking about.
I need to think about that. The only thing giving me pause is the expense of the SSL certificate.
You can try hosting it on GitHub Pages, which gives you an SSL (actually TLS) certificate for free.
You could also get a free certificate by using Cloudflare as a reverse proxy, or from Let's Encrypt.
https://letsencrypt.org/ provides free certificates that are really easy to use. There really is little excuse to not use HTTPS nowadays as a result. So many web hosts now also provide free use of HTTPS certificates. It would be a minor but nice improvement to the site at stopping the easier MITM attacks.
@Artemis21 and @Pluckerpluck, you make a lot of sense. Thank you. I've added SSL support to jsondiff.com.
I assume that http://www.jsondiff.com/ is hosted on GitHub Pages? Starting from May 1st, custom domains also work with HTTPS.