Enabling HTTPS for the Stan forums?


#1

Hi all,

New user here! Thank you, Stan team, for such a tremendous tool!

I noticed something when signing up: The Stan forum site isn’t configured to use HTTPS. That means that every time users log in, passwords are sent to the Stan servers in plaintext.

Admins, would you be willing to make the switch to HTTPS soon? The Electronic Frontier Foundation explains what protocols to use here, and makes the case for why the switch does not impact performance. Please do post back once you make the change, so that users could change their passwords if they so desire.

Users: this is a good time to remind everyone not to use the same password for multiple accounts. Also, the HTTPS Everywhere plugin for Firefox, Chrome and Opera can help you to increase the security of your interaction with some domains that are configured to be able to use HTTPS but which do not have it enabled by default for some URLs. In the case of this site, the plug-in doesn’t seem to help because HTTPS connections do not appear to be enabled on the back end at all. So, we really need help from the admins.

(Admins, if I’m wrong about the site not running with HTTPS, I’m running Firefox 60 on Ubuntu 16.04.)

Thanks very much!

Richard


#2

Has someone looked at this issue since April 2018? I think the Discourse software has made switching to HTTPS easier:


#3

We should definitely change to https—I’m starting to get warnings from browsers. I’m pinging @syclik and @seantalts, in the hope that one of them can set this up (see link above).

Ideally we’d redirect http URLs to the https version before passwords get implicated.

I’m happy to update the web and doc links.


#4

Who has shell access to whatever machines are hosting it? I don’t know how it’s hosted.


#5

It’s hosted by Discourse.


#6

+1. We have 0 access to the machines themselves.


#7

Who is actually hosting our Discourse instance and is there doc for that? Do we have a contact there we can ask? Does anyone remember who on our team was initially in contact with them so we can follow up? I’m happy to do the email legwork here, but I don’t know where to start. And whoever it is, are we paying them for hosting through some kind of plan or is it still donated?

The hosting services seem to charge by storage space and page views, and their prices quickly ramp up to $100+/month.


#8

Discourse is hosting us. There isn’t doc – I’ve looked.

I have the contact for Discourse somewhere, but I think the right thing to do is to send a message to support on Discourse’s discourse forums. That’s how I’ve gotten responses (a lot better than emails). I’ll forward what info I have over to you.

They haven’t charged us (yet). My personal credit card is still on hold. They haven’t mentioned anything about the hosting cost / limits since we started.


#9

Thank you all for addressing this! Here’s just a friendly bump to keep the issue on the radar, as I realize you’re busy.