So, just saw a post on OGS about this site coming back to life after some issues, but was immediately concerned by the lack of security on the website as a whole. I don't quite understand how any site would even consider accepting passwords without SSL/TLS enabled and forced. This is putting users at a rather serious risk on the modern internet.
I know cost can be a concern, but now that free certificates from LetsEncrypt have full validity and default trust thanks to IdenTrust, that shouldn't be an issue. I saw that you're running Apache on an EC2 instance now, which means you can set up certbot to auto-renew these for Apache very, very easily.
Let me know if I can be of any help with getting this set up. Internet security is a very near and dear topic to me both professionally and personally, and I hate seeing users being put at risk. I know it's only a Go forum, but so many people have similar or identical passwords for critical and non-critical sites that it's worth the half an hour of time investment to do what's right for your users.
SSL/TLS?
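The "enabled and forced" part of the suggestion above, as an added Apache configuration example that is not from this thread or from the forum's admins. It assumes the placeholder hostname forum.example.org, certbot's default /etc/letsencrypt/live/<hostname>/ layout, and that mod_ssl and mod_headers are loaded.

```apache
# Added example (not from this thread): force HTTPS on Apache after
# obtaining a Let's Encrypt certificate with certbot. Hostname
# forum.example.org is a placeholder; certificate paths follow
# certbot's default layout.
#
# One-time issuance (the Apache plugin also edits the vhost for you):
#   sudo certbot --apache -d forum.example.org
# Confirm that unattended renewal works before relying on it:
#   sudo certbot renew --dry-run

# Port 80 serves nothing itself. Every request is redirected, so the
# login form is never delivered or submitted over plaintext HTTP.
<VirtualHost *:80>
    ServerName forum.example.org
    Redirect permanent "/" "https://forum.example.org/"
</VirtualHost>

<VirtualHost *:443>
    ServerName forum.example.org
    DocumentRoot /var/www/forum

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/forum.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.org/privkey.pem

    # Refuse protocol versions with known weaknesses.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # HSTS: returning browsers use HTTPS even for typed http:// URLs or
    # old links. max-age is one year in seconds.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

After reloading Apache, a request to http://forum.example.org/ should answer with a 301 to the https:// URL, and the certificate's renewal will be handled by the cron job or systemd timer that the certbot package installs.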
Kirby
- Honinbo
- Posts: 9553
- Joined: Wed Feb 24, 2010 6:04 pm
- GD Posts: 0
- KGS: Kirby
- Tygem: 커비라고해
- Has thanked: 1583 times
- Been thanked: 1707 times
Re: SSL/TLS?
Thanks for bringing this up, polar_bear. Admins are discussing some options.
be immersed
dfan
- Gosei
- Posts: 1598
- Joined: Wed Apr 21, 2010 8:49 am
- Rank: AGA 2k Fox 3d
- GD Posts: 61
- KGS: dfan
- Has thanked: 891 times
- Been thanked: 534 times
Re: SSL/TLS?
In the meantime, this is a good reminder that not only should you avoid duplicating passwords between sites in general (any site can get hacked), you should doubly avoid using a password on a site like this that doesn't support https (yet) anywhere else.