On 4/12/2014 8:05 PM, Dicebot wrote:
On Saturday, 12 April 2014 at 21:27:10 UTC, Nick Sabalausky wrote:
On 4/12/2014 11:21 AM, Dicebot wrote:

You do realize that, for example, forum.dlang.org does not use https and
thus passwords are sent in plain text over the internet upon every login
attempt anyway?

I didn't know that (I normally use the NNTP interface and have only
ever used forum.dlang.org sans-login). But, yea, that should be fixed.

How would you expect it to work? No secure connection of some sort pretty
much equals plain text passwords, one way or another. I am pretty
sure forum.dlang.org account is not expected to be any secure, we don't
even reserve those nicknames from being used by non-registered posters.
It is just a small convenience thing to help track posts read.

Well, *technically* there's https now, but I agree self-signed is likely to just scare people away. So I'll grant it's not a trivial problem (unless StartSSL really does allow multiple free subdomain certs to the same base domain, which IIRC didn't seem to work for me when I had tried it, but maybe I'm wrong. Granted, I did have trouble recently with StartSSL, but as long as multiple subdomains turns out to be ok, then it's still better than self-signed. I'd just recommend using a CSR instead of having them generate the key, to minimize chances of anything going wrong. If anything were to go wrong, worst case scenario is nothing more than dlang.org being forced back to self-signed, which is exactly where we already are right now anyway. So I think it's worth trying unless someone wanted to donate a "dlang SSL cert fund").
