Discussion in 'Declined Suggestions' started by Proximity, May 19, 2016.
I can give this site a wildcard ssl if they want?
They could use one IMO.
EDIT: they use cloudflare which gives them ssl, they just need to force it.
Banned Forever For: Selling users IP addresses & threatening to release users private information.
They have a redirect so it doesn't work.. Also cloudflare just passes it though I was told it isn't as secure as a real one.
They should've had SSL from the start. You could've gotten a free one using Let'sEncrypt or something.
Also, apperently bebos refuses to add SSL because search engines such as Google would have to rebuild all their search indexes or something... but then again, this logic is so flawed: the longer you wait, the deeper the hole is going to be...
I get it from AlphaSSL
I'll just drop that there as I really don't feel like basically explaining all the downsides of SSL as Overlord has done that already.
The biggest problem we're facing is blockscript. It's a script we use for blocking VPNs and Proxies. The script is really resource intensive. Even though we have quite a powerful and reliable InterNAP dedicated server, the performance issue the script causes are crazy. Having SSL on our end would only make the problem worse and probably force us to make a cluster of the website which is basically only asking for trouble.
I'd rather use a paid and reliable one than Let'sEncrypt.
We're not digging ourselves into a deeper hole as we don't actually need SSL that bad. It's not like we transfer bank information or w/e.
Another big known issues that I've seen getting discussed on other forums is that Google Adsense income tends to drop by more than 50%.
Talking about costs, that reminds me, we'd have to upgrade our CDN package too to support dedicated SSL.
So to recap:
Fancy green HTTPS URL bar(??), "Privacy"(??), So called "better SEO".
Here's why I added the question marks.
SSL and privacy, sure, it enhances privacy a bit but as a forum, do we really need it? I don't think you should share your bank and credit card information on here in the first place. Instead of being scared of MIM attacks, most of you guys should consider not using the same password for every website you've ever been on.
Less adsense income, upgrade to a new server, upgrade the CDN and all browsers will have to deal with 301 redirects, non https images won't load.
For those who don't know, if there's any resource non-https on the website, your browser will deem it as unsafe. This includes images. So everyone that has his own personal imagesite without HTTPS will suffer. Sure, there's a thing called proxying it but that again, adds server load, bandwidth more costs, etc.
Right now, we're with InterNAP. I spend a few hundreds a month for a powerful server with limited bandwidth, I really don't feel like spending more hundreds to have SSL and still have questionable privacy and questionable performance as I'm not sure how intensive it would be for a forum our size.
I don't think it's really all that bad as you make it out to be. There are some more advantages to having SSL and I believe you're undermining them here.
The website has a login form and you know as well as I do that not everyone follows that "don't use the same passwords on all sites" rule. Encrypting that information being sent would prevent those that are spying on the transmission from getting user's passwords. Right now, user passwords are sent in plain text to the server, which is then encrypted and checked against the database.
I honestly doubt the performance of this site would decrease much, if at all, because you install an SSL certificate. If anything, it might improve. If something doesn't perform well for the site, why do we have it? Are there alternative solutions you can use? Have you tried implementing them?
You mentioned ad revenue may decrease? Personally, I would find you to be a fool if you were relying on AdSense for your revenue. Obviously, I know you're not. But honestly, I wouldn't be that concerned about ad revenue unless you really are relying on it that much, in which case, perhaps you need to rethink your business model?
You don't feel like spending hundreds to have SSL? SSL certificates don't cost that much. You can get them as low at $10/yr these days, even free. Even if you get a higher end one, that's generally not hundreds of dollars and you certainly don't *need* a higher end one. This community pays you more than enough to cover the costs of adding an SSL certificate to the site. It shouldn't break your bank.
There is also the SEO boost. Though, there are millions of things wrong with this site in terms of SEO, that I'm not sure how much of a boost you'll get, to be fairly honest.
While I think there are some negatives, don't think lightly of the positives. I think you're more concerned with the hassle of setting it up and don't want to deal with it, which is clouding the positive side of things.
Does MCM need SSL? No, it will survive without it. Would it be nice to have? Yes, I think it would. It would provide useful benefits, such as a sense of security, to MCM's members, which I think is important. Should this be considered? Yes, it should be, and it shouldn't be taken lightly. Those that suggested in the past have just been shut down while everyone let the negative side take over.
Granted, this is probably being suggested for the sake of being suggested, but doesn't mean we should treat it like any less of a suggestion and just as much positive thought should be put into it as negative. BeBos, I don't think you've weighed the two fairly.
Now, Agent Smith, I don't know who you are and based on the 28 posts you have as I'm writing this, I doubt much of anyone else here does either. I'm not sure why we'd take a random SSL certificate from you as we could just as easily get our own. That being said, I like the idea behind the suggestion.
I've look into alternatives and no, there isn't anything that could replace blockscript at this moment. Feel free to correct me if you find software which does this. I actually really wanted to move away from blockscript as it's only usable with PHP5.6 at the moment due to ioncube loader being outdated.
You can call me a fool but adsense gives us a much higher budget to spend on development, servers and staff wages.
Some people live off adsense if you didn't know. Not sure why that makes me a fool for relying on it.
For all you know, adsense generates more money than user upgrades.
I personally don't think there's much to rethink.
I was referring spending hundreds of dollars to upgrade to a more powerful server if we want to make this possible.
Or I could switch to budget hosting but I prefer something reliable and enterprise level with consistent uptime.
That's why I'm giving this thread a chance.
The ssl is signed by AlphaSSL which the wildcard ssl from them is atleast 120
bebos, just make it so people can go to ssl, dont force it.
right now the https:// redirects to the www
I never called you a fool. You aren't using AdSense as your sole source of income. Some people do live off AdSense, yes. But they also have other means of income, if they are smart. Google can shut down your AdSense revenue at any moment if you even come close to violating their policies (or maybe just because they feel like it) and you'd be screwed. Of course people do it, but you'd still be a fool to rely solely on it, in my opinion. That was my point there. I never said you were a fool, because obviously, I know it's not your only source of income.
I also didn't say you needed to rethink anything. I was saying that if you were relying solely on AdSense and a drop in AdSense revenue was a big concern, some rethinking may need to be done.
Back on the topic of SSL though, I think this site should have it and should consider using an SSL certificate. Is it absolutely necessary? No, it's not, but I do think it would be nice to have. Clearly, I'm not the only that thinks that an SSL certificate would be a good thing. I may have different reasons, but I really think this should be implemented at some point. If not now, we could at least work toward it.
I will also point out that if you are making more in AdSense revenue then you are with user upgrades, then I believe you should be able to well afford any upgrade that you would want with MCM's income alone. If you opted for enterprise hardware, why not opt for an SSL certificate?
Problem with BS and other scripts of the same type is that every request is processed through either a cached, downloaded list (most commonly) or (much, much worse) an external API request to lookup the API to see if it fits the block descriptions.
Every request? It will definitely increase load times and it's going to be quite a load on the server to be querying an internal database for every request. To load this page I probably made around 25 requests. That adds up... a lot.
I don't think blocking VPNs and proxies are the way to go here. I've already expressed my view on preventing scams, just as my view on healthcare and education (as examples) is to privatise them as much as possible. Anyway, I'm really busy so this reply will be incomplete. Perhaps there's something constructive in this half post.
--- Double Post Merged, May 23, 2016 ---
OK I got time now.
Yes, Google encourages SSL. No, it doesn't encourage SSL. The logic with Google is so flawed. They give a minor SEO boost in return for reduced Adsense income and they hurt your rankings too with all them damn 301 redirects. So basically, they want a "securer" web, while not offering less bullshit in the process doing so.
There's no "longer you wait" - you just don't do it. Forums don't need SSL. Maybe have an auth.mc-market.org domain that handles authentication that has SSL if you *really* want, but again, it's unnecessary. This site isn't handling credit card data or something. Until Google stops beating around the bush with it and actually offers incentives and not punishments, don't even consider doing it for an existing site.
Not exactly how it works (BeBosny can confirm my knowledge in this subject). Yes, it is 'insecure'. You forget point 1: 2FA exists. Point 2: if I was at Heathrow Airport or something and trying to spy on data and try to get some sensitive data... saving something to/from "mc-market.org" would be the last thing I'd be saving on my hard drive.
SSL always decreases performance. Yes, there are things like SPDY for SSL (oh, btw, heard of HTTP2?) but due to the data having to be sent to OpenSSL as well and the handshakes and all that crap, it will always cause higher loads and longer response times than a non-SSL site with optimal configuration also. Not like it's a noticeable difference for the end user in terms of load times, but server load is noticeably increased. It shouldn't result in upgrading your server necessarily.
That would mean a career in YouTube also sucks. A HR guy can also fire someone's ass for no reason too. There is risk everywhere. Certain areas more than others. With Adsense, you can sue Google for BS if you're big enough and obviously move platforms pretty easily. Google aren't interested in BSing people, if you make enough money they will give two shits about blocking you off. I don't know how big MCM weighs on that scale, but I doubt MCM is a problematic site.
--- Double Post Merged, May 23, 2016 ---
It kind of is, With stripe..
After switching more than 3 hosts over the past couple of months due to "performance issues", I honestly don't think that you're in the position to say that adding SSL will hurt the site's "performance". That's just insanity, this site's hardware should've been well prepared for additional software, not hanging on by a thing thread. I don't find that to be a valid excuse.
Google Adsense... frankly, I've no idea how that all works, as I've never touched on that before. As far as I'm concerned, a huge portion of the community uses AdBlock to prevent those ads from appearing. I'm actually pretty interested in seeing some stats on the site, if you're willing to disclose them. Not going to really go into something I don't understand here anyways...
BlockScript is a poor excuse for lowering the performance too. Instead of blocking the entire site, why do you not just limit the script onto the User Registration page? Simple and easy. You'll be able to track registration IPs and block them manually thereafter.
Forums don't need SSL? Man what the heck? There's a saying that it's better to have and not need than to need and not have. You're already implementing things on the payment page in which transition details are sent to the page through an insecure port (Stride or whatever). There's a login page on the forum. User credentials are sent there. There's a chat box on the forums. Chat requests are sent there. I'd like to be assured that whatever I say isn't being read by someone else monitoring the network. Nor will by credentials be disclosed.
I believed I explained to you about a month ago where a guy in my class stole my MCM credentials by MITM the school's network. Sure, this was a "small" case, but IT SHOULD NOT HAVE HAPPENED REGARDLESS. There are ACTUALLY people that are affected by this lack of security. Just because the majority aren't doesn't suggest that you should overlook the rest. It's just pure absurdity.
I don't think Stripe is used here, but even if it is Stripe's overlay (Checkout) is an overlay. It's a direct iframe to Stripe and credit card data shouldn't touch MCM's servers at all. (Although, I believe Stripe want you to use SSL on these pages anyway, even though it makes no security difference). If they are making a direct implementation not using Checkout or Stripe.js, SSL is the least of your problems. PCI compliance will be a huge problem.
It's actually an iframe that's loaded over HTTPS.
Mana & Overlord please stay on topic and take it to a PM.
Site performance isn't calculated as you believe it is. There is a peak load, server resources are built to be marginally above this peak load. SSL will increase load, peak load will increase and server resources may need an upgrade to ensure smooth, reliable performance. I can't tell you that this will necessarily be a huge difference, likely it won't be too big of a difference, but it is a (non-primary) reason.
I use AdBlock on YouTube too. Doesn't mean YouTube stop serving ads. It's revenue and it's appreciated to serve ads. I block them usually because it's a waste of page load time, I'll gladly donate towards a site I use to keep it running, however. I'm not going to waste bandwidth and my time loading ads which, quite frankly, load slowly. Some users don't mind though, and overall this accounts to a reasonable amount of forum revenue.
Yes, forums don't need SSL. I'm going to buy an i7-6700K clocked at 7GHz, GTX 1080 and a 1000W power supply for a computer to run a PS2 simulator. It's better to have and not need than to need and not have. Doesn't matter if I just spent 100x the amount + 100x the electricity bill. What if I want to render 25 videos at once whilst playing The Witcher 3?
I already explained Stripe is an iframe. I believe Stripe want the page to have SSL, regardless, but it's not a security hazard. I believe they only want users to have that because some person might put their card info elsewhere on the page. Regardless, it's a secure iframe and the data does not touch MCM servers at all. If it did, I definitely wouldn't be putting my card info in there.
Forums don't tend to discuss sensitive information. If you're passing sensitive data online, you should need more than just SSL. Should be using a secure, encrypted method of passing data that is not subject to interception by others (i.e. staff). An encrypted email is one example of that. Yes, I take into account this is a marketplace. Just use a home connection? Don't tell me you don't want your mother to know what you're doing online as an excuse.
He should've been expelled I assume, assuming you reported it. Use 2FA, job done. XenForo thinks of the minority, such as yourself.
Mind telling me where you're getting these stats from? Sure, SSL will increase the load. Oh wait. No. Then you said that it will likely not be a huge difference (hence, a contradicting statement... lol). How would we know if we don't test it out based on fear? You say that resources will need to be upgraded to maintain performance. Got any evidence to support that?
So, what exactly are you trying to say? YouTube is encrypted. It uses Google AdSense. MCM is not encrypted. It uses Google AdSense. By your order of comparison, you're saying that we should mimic YouTube? Didn't you just contradict yourself once again?
What? You see, what I meant by that quote is, if you need something and can get it easily, then why not get it? Did I say blow your budget entirely on upgrades? LOL You seriously have some wild imagination, using hyperbole to exaggerate your opinion.
Yep. I just checked. The iFrame is secure, no worries there. But for inexperienced individuals who are weary about where their information goes, I doubt that they'll have the time to read an explanation about the protection of their information.
Well. I don't even know why you bothered typing this up. Below, you clearly acknowledge that I use the forums on public hotspots. Yet you want to focus on a home connection for the sake of your argument. Not even going to bother responding to this part.
Ahh. Yes. Because using 2FA prevents you from getting your password stolen / looked at. Great reasoning (as expected of somebody of your intellect).
And before you comment something saying "use passwords for different sites" (which I do), I still don't want people looking at my mcm password and judging me for it, like he did. And no, I'm not a snitch. He was only able to take my MCM password as it's one of the only forums that I use which DOESN'T have an SSL Cert.
It's not a contrasting statement. Load will increase, not significantly. Is that better for you? I swear you argue with me for the sake of it.
I only commented on it serving ads, I didn't comment on its use of SSL. I can give you an endless list of non-SSL AdSense users, and it's agreed that revenues are higher. If you stayed up to date with webmasters and forum administration, you'd know ad revenues take quite the hit. You're taking one statement, picking out a word, finding some relevance to your point and classing it as a contradicting statement, which is quite funny. I like your style of arguing, I guess?
At least I made a good English technique. I have no comment on this as you didn't make a point other than "yeah, I was wrong" - SSL isn't easy and if you were paying attention for the last bit of time, you'd realise why. Read BeBosny's link to my post earlier on for why SSL is problematic, more-so than my example.
They'll likely contact the forum and ask about it, if they're serious about buying a membership. A FAQ also helps.
Again "yeah, I was wrong" - I advised you to use 2FA (what's wrong with 2FA, btw?) and furthermore use home connections where possible. I also said why SSL on "chat requests" isn't required.
No, it doesn't, but your problem was losing your MCM account. A user cannot login without the 2FA data, therefore the account isn't compromised. Learn to use random passwords.
"snitch" so you're an advocate of MITM attacks. Well done. You just supported the loss of credentials.
Anyway, I've already suggested auth.mc-market.org if really necessary for authentication requests.
I present to you the #1 XenForo forum (by posts): http://www.ign.com/boards/
Let's click the magical sign in button.
HTTPS??? OMG??? MY INFO IS SECURE. I'M SO HAPPY. NOW I CAN BE HAPPY MY FRIEND WON'T STEAL MY ACCOUNT INFORMATION. THANK YOU BEBOSNY FOR THE GLOBALISED AUTHENTICATION SYSTEM!!!!
Anyway, you've taken enough time to reason. I refuse to argue with you further. It's been great talking to you. Do your research and come back to me once done, give me a pros and cons list and stop being ignorant and biased.