Why aren't we using SSL?

[Legacy Dash 439]

Hi.

I noticed that if I navigate to https://mlpforums.com/ it works, and it has a working SSL connection according to Google Chrome.

 

 

But because IP.Board doesn't use relative links, it takes me straight back to http when I use a link.

 

I don't really know too much about SSL - and I'm not sure if there is a reason we aren't using it - but I thought I'd bring it up. 

 

~ Mitchfizz05.

[nickdh 49]

Well, IMO, because I mainly don't know much about SSL certs, what is it specifically? How would it benefit the community?
Just a few questions :3

[Legacy Dash 439]

Well, IMO, because I mainly don't know much about SSL certs, what is it specifically? How would it benefit the community?

Just a few questions :3

Increased security.

It encrypts the connection between you and the MLP Forums server.

[nickdh 49]

Oh! Okay.
Well, it may be a good idea.

[Twilight Sparkle ✨ 8,529]

The reason we don't employ site-wide SSL is mainly because it doesn't play nice with third-party ad networks, which are an important source of income for MLP Forums. If we're serving a secure page (ie. one where the URL starts with https://), we need to ensure all of the page's additional resources arrive through a secured connection as well, or browsers will complain with a "mixed content" warning. Exactly how this warning looks differs from browser to browser - in some browsers, it's much more obtrusive than others - but it intends to make the end-user feel less secure, and rightly so, as most Internet users equate the "green lock" in their browser to a "trustworthy page". You can read more about mixed content here if you're interested.

 

Point is, if we're going to serve any pages via SSL, we need to go all the way and have every piece of the pages served securely, too - even third-party pieces we don't control! If our ad providers do not allow their ads to be loaded securely, any of our pages that display them will trigger a mixed content warning. We do make use of SSL on several key pages that carry sensitive data, such as our login and registration forms, the checkout screen, and the client area, but these pages do not display ads. In contrast, you'll notice that Pony.fm and Poniverse.net, both ad-free, function exclusively over HTTPS/SSL.

 

If you are aware of and fully understand the implications of "mixed content" and opt in to ads, you're more than welcome to allow the ads through your browser, and use an extension like HTTPS Everywhere to "force" all parts of MLP Forums to load over SSL - it'll work.

 

---

 

By the way, regarding ads, AdSense recently launched HTTPS support, but we serve ads from PulsePoint as well, which did not support it last time I checked. I'll look into this again in the coming days to see if the situation has changed, because if we're able to run everything via secure connections without killing our ads, I'm all down for it.

[Legacy Dash 439]

~ snip ~

Ok, fair enough.

Thanks for the clarification. 

Edited February 9, 2014 by Feld0
Please don't mega-quote.