Enabling HTTPS for the Stan forums?


#1

Hi all,

New user here! Thank you, Stan team, for such a tremendous tool!

I noticed something when signing up: The Stan forum site isn’t configured to use HTTPS. That means that every time users log in, passwords are sent to the Stan servers in plaintext.

Admins, would you be willing to make the switch to HTTPS soon? The Electronic Frontier Foundation explains what protocols to use here, and makes the case for why the switch does not impact performance. Please do post back once you make the change, so that users could change their passwords if they so desire.

Users: this is a good time to remind everyone not to use the same password for multiple accounts. Also, the HTTPS Everywhere plugin for Firefox, Chrome and Opera can help you to increase the security of your interaction with some domains that are configured to be able to use HTTPS but which do not have it enabled by default for some URLs. In the case of this site, the plug-in doesn’t seem to help because HTTPS connections do not appear to be enabled on the back end at all. So, we really need help from the admins.

(Admins, if I’m wrong about the site not running with HTTPS, I’m running Firefox 60 on Ubuntu 16.04.)

Thanks very much!

Richard


#2

Has someone looked at this issue since April 2018? I think the Discourse software has made switching to HTTPS easier:


#3

We should definitely change to https—I’m starting to get warnings from browsers. I’m pinging @syclik and @seantalts, in the hope that one of them can set this up (see link above).

Ideally we’d redirect http URL to the https version before passwords get implicated.

I’m happy to update the web and doc links.
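As an added example (not part of the original thread): a Python check for the redirect asked for in the post above, run over recorded redirect chains. The host forum.example, the sample chains and the function names are constructed for illustration; the HSTS check is included because a redirect alone still leaves the first request in plaintext.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or 0 if absent."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return 0

def audit_chain(hops):
    """hops: (url, status, headers) tuples in fetch order, header names lower-case."""
    findings, seen_https = [], False
    for url, status, headers in hops:
        src = urlsplit(url)
        if src.scheme == "https":
            seen_https = True
            continue
        # Plaintext hop: anything sent or set here is readable on the wire.
        if seen_https:
            findings.append(f"downgrade to plaintext at {url}")
        if "set-cookie" in headers:
            findings.append(f"cookie set over plaintext at {url}")
        dst = urlsplit(headers.get("location", ""))
        if status not in REDIRECTS or dst.scheme != "https":
            findings.append(f"no HTTPS redirect from {url} (status {status})")
        elif dst.hostname != src.hostname:
            findings.append(f"redirect from {url} leaves host {src.hostname}")
    last_url, _, last_headers = hops[-1]
    if urlsplit(last_url).scheme == "https":
        # Without HSTS the browser may still make the first request in plaintext.
        if hsts_max_age(last_headers.get("strict-transport-security", "")) <= 0:
            findings.append(f"no usable HSTS policy on {last_url}")
    return findings

# Constructed sample chains (not captured from any real site).
REDIRECTED = [
    ("http://forum.example/login", 301, {"location": "https://forum.example/login"}),
    ("https://forum.example/login", 200, {"strict-transport-security": "max-age=31536000"}),
]
PLAINTEXT_ONLY = [("http://forum.example/login", 200, {"set-cookie": "_t=constructed"})]
NO_HSTS = [REDIRECTED[0], ("https://forum.example/login", 200, {})]

if __name__ == "__main__":
    for name, chain in [("redirected", REDIRECTED), ("plaintext", PLAINTEXT_ONLY), ("no-hsts", NO_HSTS)]:
        print(name, audit_chain(chain) or "ok")
```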


#4

Who has shell access to whatever machines are hosting it? I don’t know how it’s hosted.


#5

It’s hosted by Discourse.


#6

+1. We have 0 access to the machines themselves.


#7

Who is actually hosting our Discourse instance and is there doc for that? Do we have a contact there we can ask? Does anyone remember who on our team was initially in contact with them so we can follow up? I’m happy to do the email legwork here, but I don’t know where to start. And whoever it is, are we paying them for hosting through some kind of plan or is it still donated?

The hosting services seem to charge by storage space and page views, and their prices quickly ramp up to $100+/month.


#8

Discourse is hosting us. There isn’t doc – I’ve looked.

I have the contact for Discourse somewhere, but I think the right thing to do is to send a message to support on Discourse’s discourse forums. That’s how I’ve gotten responses (a lot better than emails). I’ll forward what info I have over to you.

They haven’t charged us (yet). My personal credit card is still on hold. They haven’t mentioned anything about the hosting cost / limits since we started.


#9

Thank you all for addressing this! Here’s just a friendly bump to keep the issue on the radar, as I realize you’re busy.


#10

@syclik, @Bob_Carpenter we (https://discourse.pymc.io/) are also hosted by Discourse and they enable the SSL for us.
You might need to send an email to them to ask them to switch it on.


#11

Thanks. We’ll do that!


#12

@junpenglao: Who are you in contact with at Discourse? We don’t have contact emails and their own forums seem to be not that responsive.

@breckbaldwin — could you take over figuring this out for us and managing our discourse connections? We’d really like to get both this and our web pages on SSL for https.


#13

Hey all, I reached out to the folks at Discourse and it looks like it switched over to https. Thanks for letting us know!


#14

Thanks! I saw that went through on email and should have reported back here.


#15

Thank you all for setting up HTTPS! It’s the little things in life. Much appreciated.


#16

Thank @junpenglao for letting us know that Discourse would do it for us.

We also converted Andrew’s blog to https—that was our sysadmin at Columbia.

We need to get Stan’s mc-stan.org pages switched still. Anyone know how to do that for GitHub hosted pages? We don’t want to break things out of not knowing what we’re doing.


#17

If you are using GitHub Pages, there’s a button in the repository settings to switch on https.


#18

Also, thanks @rjc10 for bringing it up, we actually switch on the https also for https://docs.pymc.io/


#19

" If you created your GitHub Pages site before June 15, 2016, you can manually enable HTTPS enforcement."
https://help.github.com/articles/securing-your-github-pages-site-with-https/


#20

Won’t work for us. Here’s what I see: