Any plans to serve pages over HTTPS?

10 posts, 4 contributors

alistairmcmi... DAFNE Graduate
NHS Greater Glasgow and Clyde
5 posts

Given that Chrome and Firefox both now flag any site that takes usernames and passwords over HTTP as insecure (in the address bar and in a popover respectively), are there plans to move the site to HTTPS?

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861

I'm assuming you are well aware of this. I'm just wondering if there are plans in place.

marke Site Administrator
South East Kent PCT
675 posts

Hi,
A fair point but... To switch to a HTTPS login we would need to buy a public security certificate which costs in the region of £150. We run the site in our spare time on a voluntary basis so don't really have the funds to spend that much on a certificate. If we could find some sponsorship to pay for it, it would be easier to do. We both work in IT and I am also partly involved in security so it's not due to a lack of understanding, more a cash versus risk scenario. There should be almost zero personal information on the site so a password being hacked will expose very little information apart from email addresses. Whilst not saying this is not a risk, it's not really sufficient to justify the costs...

alistairmcmi... DAFNE Graduate
NHS Greater Glasgow and Clyde
5 posts

Why not a free certificate from https://letsencrypt.org/? Linode do support them.

My thoughts were just that as companies are moving more to flag up sites without HTTPS it might cause concern to users. Also, even though it's bad practice and everyone should know by now not to reuse passwords, the reality is that people do. So sending them over plain text...

marke Site Administrator
South East Kent PCT
675 posts

Hi, sorry, I have already explained why we cannot get a certificate. A free certificate is not an option because free certificate providers are not in the trusted root certificates store in Windows and have to be manually added. Sorry if this seems to be a bit blunt but I do work in IT and have involvement in security. I know how certificates and security work and get audited on these things every 6 months. If someone produces the cash I will be more than happy to do it. We did try to get financial help from Diabetes UK but they were not interested and the NHS don't have the ability to give us money unless we are a limited company which also means a load of financial costs. We run the site in our spare time with no money. This is not a sob story, we are happy to do it, we just have no financial resources.

alistairmcmi... DAFNE Graduate
NHS Greater Glasgow and Clyde
5 posts

That's the good thing about Let's Encrypt certificates. They are signed by a root certificate that is already installed on everyone's devices. So no manual work necessary on anyone's devices. :-)

You can see one in place here ... https://www.mcmillan.cx

marke Site Administrator
South East Kent PCT
675 posts

Hi, thanks, it does look as though this would work. I will try to set something up to test it on our site; I just need to ensure that all devices can connect without an issue or we might have to change the site to use https on supported devices. This looks to be a new operation and is unlike the free one we currently use (for email) that is not in the trusted root authority store. It too needs to be updated regularly but we can live with that since it's worth it if it's free. I will update this thread once I have tested it and ensured it works as expected on most devices.

michaelj DAFNE Graduate
South East Kent PCT
45 posts

I too have had problems with the new version of Firefox telling me the DAFNE site is unsecured. Have now stopped using this to log in, but find the Google Chrome still functions with no problems and lets me in without fuss.

marke Site Administrator
South East Kent PCT
675 posts

So, after a few headaches and some downtime we now support https. Thanks go to Alistair for pointing me in the direction of Let's Encrypt. We are still supporting both http and https so you can use either at the moment. Eventually I will try to re-direct http requests to the http site but I need a rest now ;-) Upgrading websites is really not as easy as it should be when you do it in your own time (that's both Simon and me, not just me!). I will add a news item to the site to let everyone know they can now use https and get rid of the browser warnings about security.

alistairmcmi... DAFNE Graduate
NHS Greater Glasgow and Clyde
5 posts

That's great news. Thanks Mark and Simon for taking the time to do this. Sorry for giving you guys a headache. I feel bad for not offering to help out now.

On that subject, I've seen a few comments on here saying that the person that maintained the Android app no longer has the time to do that. I'd like to volunteer to help out there. In my day job I'm a developer for Glasgow City Council, and in my spare time I've contributed to various projects (you can see some here https://github.com/alistairmcmillan). How can I get involved?

Simon Site Administrator
Sheffield Teaching Hospitals
578 posts

Hi Alistair,

We are always looking for help, especially when it comes to the Android app. Do you want to drop us an email to [email protected] and we can kick off a conversation about it?

Cheers,

Simon