Mandatory HTTPS!

MoparScape.org has supported TLS/HTTPS for years now, but I’ve finally flipped the switch and now it is mandatory. I’ve also added it to the chrome preload list and enabled the Public-Key-Pins HPKP header so if you’ve visited the site before, your browser will not allow you to be man-in-the-middled.

If you have any questions, go ahead and ask them, but you really shouldn’t notice a difference except maybe a slight increase in speed. :slight_smile:
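The first post relies on two header-based mechanisms, an HSTS policy strong enough for the Chrome preload list and an HPKP (Public-Key-Pins) header, and both have syntactic requirements that are easy to get wrong. The checker below is an added example, not code from this thread or from MoparScape.org: it parses constructed sample header values and reports what a defender would want to confirm before deploying them. The one-year minimum `max-age` and the `includeSubDomains`/`preload` tokens are assumptions taken from the preload list's published submission criteria, the two-distinct-pins rule comes from RFC 7469's backup-pin requirement, and the pin values are constructed placeholders, not real key hashes.

```python
import base64

# Minimum HSTS max-age assumed for preload-list eligibility (one year, in seconds).
ONE_YEAR = 31536000

# Constructed placeholder pins: base64 of 32 filler bytes, NOT real SPKI hashes.
PIN_A = base64.b64encode(b"A" * 32).decode()
PIN_B = base64.b64encode(b"B" * 32).decode()

# Constructed sample response headers, shaped like those a site that has
# just made HTTPS mandatory and enabled pinning might send.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Public-Key-Pins": (
        f'pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; '
        "max-age=2592000; includeSubDomains"
    ),
}


def parse_directives(value):
    """Split 'a=1; b; c="x"' into [('a','1'), ('b',None), ('c','x')].

    Returned as a list rather than a dict so that repeated directives
    such as several pin-sha256 entries are all preserved.
    """
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        pairs.append((name.strip().lower(), val.strip().strip('"') if sep else None))
    return pairs


def check_hsts(value):
    """Return a list of problems with an HSTS header (empty list means it passes)."""
    d = dict(parse_directives(value))
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the one-year minimum")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


def check_hpkp(value):
    """Return a list of problems with a Public-Key-Pins header (empty list means it passes)."""
    pairs = parse_directives(value)
    d = dict(pairs)
    problems = []
    valid_pins = []
    for pin in (v for k, v in pairs if k == "pin-sha256"):
        try:
            raw = base64.b64decode(pin or "", validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        if len(raw) != 32:
            problems.append(f"pin {pin!r} is not a base64-encoded SHA-256 digest")
        else:
            valid_pins.append(pin)
    # RFC 7469 requires at least one backup pin, so fewer than two distinct
    # valid pins is a deployment that can lock returning visitors out.
    if len(set(valid_pins)) < 2:
        problems.append("fewer than two distinct pins (a backup pin is required)")
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not numeric")
    return problems


def audit(headers):
    """Audit a dict of response headers; returns {'hsts': [...], 'hpkp': [...]}."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "hsts": check_hsts(h["strict-transport-security"])
        if "strict-transport-security" in h else ["header missing"],
        "hpkp": check_hpkp(h["public-key-pins"])
        if "public-key-pins" in h else ["header missing"],
    }


if __name__ == "__main__":
    print("sample headers:", audit(SAMPLE_HEADERS))
    weak = {"Strict-Transport-Security": "max-age=300",
            "Public-Key-Pins": f'pin-sha256="{PIN_A}"; max-age=10'}
    print("weak headers:  ", audit(weak))
```

Two caveats for anyone reproducing the setup: a pin that does not match the served chain, or a lost backup key, blocks returning visitors for the full `max-age`, which is the same class of lockout the later posts worry about with an expired certificate, so keep the backup key offline and start with a short `max-age`. Browsers have since dropped HPKP support entirely, while HSTS and the preload list remain in use.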

Great! Now both IRC and the site force it. NSA won’t be able to read our chats about taking over the government and creating a new one based around the #mopar channel.

I don’t understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn’t inconvenience, or hardly inconveniences, the end-user.

[quote=“t4, post:3, topic:553635”]i don’t understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn’t/hardly inconveniences the end-user.[/quote]yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:

[quote=“Davidi2, post:4, topic:553635”][quote author=t4 link=topic=672553.msg4497711#msg4497711 date=1445647133]
i don’t understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn’t/hardly inconveniences the end-user.
[/quote]yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:[/quote]
So you’re suggesting that it should be up to the user to enable secure transmissions? What if the user makes a mistake or is unaware (not technically versed)? Why even run the plaintext service if the secure service doesn’t generate that much overhead?

[quote=“t4, post:5, topic:553635”][quote author=Davidi2 link=topic=672553.msg4497713#msg4497713 date=1445647962]

So you’re suggesting that it should be up to the user to enable secure transmissions?[/quote]Yes, that is exactly what I’m saying. Or rather, users should be able to disable it if they wish. If the option is there, I’m pretty sure any modern browser will default to https.

I thought HTTP 2.0 mandated that SSL be enforced.

Awesome

The spec doesn’t, however, all major browsers only implement HTTP/2 over TLS.

You guys who want it to be optional need to appreciate the benefits of HTTPS-everywhere internet. Namely the gross amount of noise created to assist in obscuring the transmissions of people living under less fortunate regimes.

For anyone wanting it to be optional I’d ask this honest question, and I really do want an answer:

Why?

I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren’t any downsides, and there are a bunch of upsides. For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.

Soon Moparscape will be illegal under the current Cameron regime.

[quote=“Moparisthebest, post:11, topic:553635”]For anyone wanting it to be optional I’d ask this honest question, and I really do want an answer:

Why?

I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren’t any downsides, and there are a bunch of upsides. For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.[/quote]No one has an answer to that question because there is no valid answer. These people start with a shitty argument, maybe re-state the shitty argument a bit, make some jokes and/or personal attacks, and then just stop posting. I really don’t understand their thought process… maybe it’s government brainwashing??

[quote=“Justin Bieber, post:13, topic:553635”]No one has an answer to that question because there is no valid answer. These people start with a shitty argument, maybe re-state the shitty argument a bit, make some jokes and/or personal attacks, and then just stop posting. I really don’t understand their thought process… maybe it’s government brainwashing??[/quote]Maybe it’s Maybelline.

[quote=“Moparisthebest, post:11, topic:553635”]For anyone wanting it to be optional I’d ask this honest question, and I really do want an answer:

Why?

I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren’t any downsides, and there are a bunch of upsides. For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.[/quote]Ok, you can ask “Why?”, but the exact same can be asked about not supporting HTTP as a fallback. Why? Nobody is denying the upsides of HTTPS here. You can keep it enabled and it’ll stay default. But still, I see absolutely no reason for this website (and I do use ‘this’ on purpose, because some websites should force https) to not offer http as an option if https is already enabled and default. As far as I can tell, there aren’t any downsides, and it’s a good fallback if for some reason we have a cert problem and everyone won’t be able to view the site because “THIS CONNECTION IS UNTRUSTED”.

The expired cert problem is a webmaster problem, not a TLS problem. Also, I don’t think the content of the data has any bearing of whether or not to implement and enforce security. I don’t see any negatives of TLS.

[quote=“t4, post:15, topic:553635”]Also, I don’t think the content of the data has any bearing of whether or not to implement and enforce security.[/quote]Really? I personally believe you need to factor in everything when you weigh the pros/cons of implementing any type of security. Not every worksite needs ID badges and fingerprint scanners if the benefit doesn’t outweigh the hassle. Obviously when you deal with more sensitive information, you implement more security, no? We’ll just assume you were speaking strictly about TLS though, because like it’s been said the hassle is pretty low and probably won’t be noticeable if everything goes as it should. So yes, I think it’s fair to say there is no reason to not implement SSL.

When you go from ‘implement’ to ‘require’ though, you have to reevaluate everything. You say “no negatives”, but you listed one right there? If a cert expires, I don’t really care whose problem it is, do I? Now it’s my problem, because I can’t access the website. Sure, it’s not “directly” a negative of SSL, it’s a negative of inattentiveness. Whatever. If only I had a HTTP version of the site to access in the meantime. So now we have one negative. We won’t talk about any others because personally I don’t know if the caching or ad-related mixed mode issues are still there. So now we weigh the benefits of enforcing TLS over allowing TLS, taking into account that it is used by default if available. What are those benefits? That’s what I haven’t heard yet, which is why I am not yet convinced that the benefits of enforcing it outweigh even the slightest chance of something like an expired cert.

As a side note, I was getting NGINX errors when trying to access the site early today. What was that?

Dude, if that’s your one worry then don’t sweat it - the current certificate won’t expire until 2017.

Stop prattling, it’s unbecoming.

Hey, I said it was a slight chance. But even 0.00001 is greater than 0 if there’s no benefit to enforcing over implementing it as a default. Which is what I’m asking about.

Complaining about https because the cert might expire is like demanding a host support telnet because their ssh support is unreliable and sometimes doesn’t let you log in (man, the 70s were great, telnet always worked, none of this encryption shit). It might well be a real problem and you’re within your rights to take it up with the host, but it would be foolish to downgrade to telnet.

You’re taking a very narrow-minded view of this - as people have already stated in multiple topics, the reason for enforcement is that there’s no reason for any website to support unencrypted comms in 2015. This isn’t just about moparscape.

[quote=“Justin Bieber, post:19, topic:553635”]the reason for enforcement is that there’s no reason for any website to support unencrypted comms in 2015.[/quote]I guess I just disagree then. I see nothing wrong with supporting unencrypted comms in -insert year-, if that’s what the client has explicitly requested. Whatever, it’s done. I’m sure it won’t actually cause problems, it’s just a principle thing that I disagree with I guess.