[SSL added Sep 29 2014] Spongepowered.org; why no SSL? (now discussing its implementation and other security related things)

SSL also encrypts the downloading website, this allows people to access sites from behind a censor wall, like at school, some of us here are using a crappy free internet http proxy during the weak days.

1 Like

I wish I had that, Thanks Lightspeed Systems!

Just though this would be handy for anyone who didn’t know what SSL was…
I know it is a bit biased to the GlobalSign but hey, its a great explanation.

1 Like

Nope, with Cloudflare will be totally free.

1 Like

By September the 28th all Cloudflare websites will have free SSL enabled.

Enjoy!

Disclaimer: 99% sure only

1 Like

Has been delayed until September the 30, and it will be progressive (not all websites at once).

Done, https://spongepowered.org (available the 30th)

2 Likes

although I get a browser warning when visiting the https version of the site. site.

I still feel safer with it than without it, even if the identity cannot be verified.

Cloudflare introduced free SSL today

It was their 4th birthday on saturday (1st Character of each paragraph = SSL TLS FREE)

Are we using Full SSL (Strict) yet?

All the other options are somewhat insecure between cloud flair and the origin server

well it says cssl2000.cloudflare.com so I am using it, even though it is insecure.

I think our connection is using “Flexible SSL”; ie. ssl to cloud flair, http from there to the web server, this is OK as it circumvents censorship at the local level as stated above but is not secure. We should also be forcing HTTPS with a 301 “moved permanently”. So we are half way there, and I for one, am not into HALF MEASURES!

1 Like

I agree, though at least no one can see stuff from us to cloudflare.

AFAIK, you can secure the connection from User <-> Cloudflare and Cloudflare <-> Server. The latter works with a self signed cert, I think.
Clouflare could still MITM everything, but it’s still better than no SSL.

they have a real cert, but this portion seems to not be turned on ATM, and they are also not redirecting to the HTTPS version of the site with a “301 moved permanently”, witch defiantly needs to be done.

Oh, and more infos here: End-to-end HTTPS with Cloudflare - Part 3: SSL options – Cloudflare Help Center

here: https://support.cloudflare.com/hc/en-us/articles/200170536-How-do-I-redirect-HTTPS-traffic-with-Flexible-SSL-and-Apache-

and here: Troubleshooting mixed content errors – Cloudflare Help Center

I hope that by tomorrow ssl will be served without the warning.

1 Like

Only between the client and cloud flair, not between you and cloud flair, they also will not verify you, so users cannot acces https at all using chrome or firefox, and explorer has a big warning screen telling people that you are a hackzer. So, no, not really. (safari will just pop up a lil bubble telling ppl you are a hackzer, 'cause safari don’t care if ppl get hacked)

I just changed my post after I did some reading.