Implementing HTTPS/SSL certification on your server #8

Closed
alexweissman opened this issue Apr 15, 2014 · 5 comments
Labels
confirmed bug Something isn't working question Further information is requested

Comments

@alexweissman
Member

From what I've been reading, "free" certificates are trouble. I ended up buying a cheap $9/yr cert from Namecheap (who resells for Comodo) for my website, and installation went pretty smoothly.

As far as compatibility, there are a few places in the code base where "http" is hard-coded, notably logout.php. This can cause browsers to (rightfully) complain about "mixed content", so we should fix that to use the appropriate protocol for https versions of websites that implement UserFrosting.
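One way to remove the hard-coded "http" described above, as an added example that is not UserFrosting's own code: derive the scheme from the request and build absolute URLs from it, so a logout redirect on an HTTPS deployment stays on HTTPS. It assumes PHP 7+, that `$_SERVER` is passed in explicitly, and hypothetical helper names (`request_is_https`, `site_url`). Honouring `X-Forwarded-Proto` is off by default because that header is client-settable unless a reverse proxy you control overwrites it.

```php
<?php
// Added example (not UserFrosting code): detect the request scheme at runtime
// instead of hard-coding "http", so redirects and links do not trigger
// mixed-content warnings on HTTPS deployments.

/**
 * Decide whether the current request arrived over TLS.
 *
 * $server is the $_SERVER array (passed in so the function is testable).
 * $trustProxyHeader must only be true behind a reverse proxy you control,
 * because X-Forwarded-Proto can otherwise be set by the client.
 */
function request_is_https(array $server, bool $trustProxyHeader = false): bool
{
    // PHP sets HTTPS to a non-empty value (usually "on") for TLS requests;
    // IIS historically sets it to "off", which must count as plain HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustProxyHeader && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * Build an absolute URL for a path on this site using the detected scheme.
 * Example: site_url($_SERVER, '/login.php') -> "https://example.com/login.php"
 */
function site_url(array $server, string $path, bool $trustProxyHeader = false): string
{
    $scheme = request_is_https($server, $trustProxyHeader) ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? 'localhost';
    // Accept only a plain hostname[:port]; the Host header is attacker-influenced,
    // so anything else would let a request inject arbitrary text into the URL.
    if (!preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $host)) {
        $host = 'localhost';
    }
    return $scheme . '://' . $host . '/' . ltrim($path, '/');
}

// logout.php would then redirect with the matching scheme, e.g.:
// header('Location: ' . site_url($_SERVER, 'login.php'));
// exit;
```

Where the framework allows it, a root-relative redirect (`Location: /login.php`) sidesteps scheme detection entirely, since the browser keeps whatever scheme it arrived on; the helper above is for the places that genuinely need an absolute URL.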

@alexweissman alexweissman changed the title Implementing HTTPS/SSL certification on your server for free Implementing HTTPS/SSL certification on your server Apr 16, 2014
@alexweissman
Member Author

Importance of hosting your entire site over HTTPS: https://www.eff.org/https-everywhere/deploying-https

@alexweissman
Member Author

We should implement "bulletproof sessions" as per http://blog.teamtreehouse.com/how-to-create-bulletproof-sessions.

@alexweissman
Member Author

Project is now SSL/HTTPS compatible, but we still need to implement "bulletproof sessions". This has been added to the TODO list.
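An added example of the session hardening the comments above file under "bulletproof sessions" (this is not UserFrosting code and not a transcription of the linked post): hardened cookie attributes, session-id rotation on login and periodically afterwards, and a per-request validity check. It assumes PHP 7.3+ (for the array form of `session_set_cookie_params`), that the site is served over HTTPS so the cookie can be marked Secure, and hypothetical helper names.

```php
<?php
// Added example (not UserFrosting code): session hardening commonly grouped
// under "bulletproof sessions". Assumes PHP 7.3+ and an HTTPS deployment.

/** Start a session with hardened settings. Call before any output is sent. */
function start_hardened_session(bool $https): void
{
    // Accept only cookie-borne ids and never put the id in URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not generate itself (blocks fixation via a
    // chosen id; available since PHP 5.5.2).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // cookie lives until the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => $https,   // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // limits cross-site sends (PHP 7.3+)
    ]);
    session_start();
}

/**
 * After a successful login: rotate the id so any pre-login id is useless,
 * and record the context the session was created in.
 */
function bind_session_after_login(int $userId, string $userAgent): void
{
    session_regenerate_id(true);   // true: discard the old session data
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
    $_SESSION['rotated_at'] = time();
    $_SESSION['ua_hash']    = hash('sha256', $userAgent);
}

/**
 * On every request: verify the recorded context and age, and rotate the id
 * periodically so a leaked id has a short useful life. Returns false (and
 * destroys the session) when the session is not acceptable.
 */
function validate_session(string $userAgent, int $maxAgeSeconds = 1800, int $rotateEvery = 300): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    // hash_equals avoids leaking the comparison result through timing.
    if (!hash_equals($_SESSION['ua_hash'] ?? '', hash('sha256', $userAgent))) {
        destroy_session();
        return false;
    }
    if (time() - ($_SESSION['created_at'] ?? 0) > $maxAgeSeconds) {
        destroy_session();
        return false;
    }
    if (time() - ($_SESSION['rotated_at'] ?? 0) > $rotateEvery) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
    return true;
}

/** Fully tear down the session: server-side data and the client cookie. */
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Binding the session to the User-Agent string is a weak, low-cost check: it catches a stolen id replayed from a different client, but a browser update will also invalidate the session, so treat a mismatch as a forced re-login rather than an alarm. The same pattern applies to logout.php, which should call `destroy_session()` rather than only unsetting `$_SESSION` keys.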

@r3wt

r3wt commented Apr 19, 2014

alex, right now SSL is very likely insecure, a false security blanket. Some of the web's greatest minds are digging through the source code, and it doesn't look very good. Luckily, OpenBSD has taken over the project and they are in the process of rewriting it. It's hard, but it's possible to hack SSL communications at the moment. This being said, it's unlikely that any of our sites would be the target for such hacks. There would have to be significant financial gain to lure the eye of a capable hacker. For more information, here: http://opensslrampage.org/

@alexweissman
Member Author

Wow, that's crazy. Don't really understand much of what I see on that site...have they found anything else interesting since Heartbleed?
For the purposes of this project, I think advising users to implement HTTPS is better than nothing. As Firesheep made abundantly clear, it's so easy for casual attackers to grab sensitive data from unsecured connections.
