New user here! Thank you, Stan team, for such a tremendous tool!
I noticed something when signing up: The Stan forum site isn’t configured to use HTTPS. That means that every time users log in, passwords are sent to the Stan servers in plaintext.
Admins, would you be willing to make the switch to HTTPS soon? The Electronic Frontier Foundation explains what protocols to use here, and makes the case for why the switch does not impact performance. Please do post back once you make the change, so that users could change their passwords if they so desire.
Users: this is a good time to remind everyone not to use the same password for multiple accounts. Also, the HTTPS Everywhere plugin for Firefox, Chrome and Opera can help you to increase the security of your interaction with some domains that are configured to be able to use HTTPS but which do not have it enabled by default for some URLs. In the case of this site, the plugin doesn’t seem to help because HTTPS connections do not appear to be enabled on the back end at all. So, we really need help from the admins.
(Admins, if I’m wrong about the site not running with HTTPS, I’m running Firefox 60 on Ubuntu 16.04.)
We should definitely change to https—I’m starting to get warnings from browsers. I’m pinging @syclik and @seantalts, in the hope that one of them can set this up (see link above).
Ideally we’d redirect the http URL to the https version before passwords get implicated.
Who is actually hosting our Discourse instance and is there doc for that? Do we have a contact there we can ask? Does anyone remember who on our team was initially in contact with them so we can follow up? I’m happy to do the email legwork here, but I don’t know where to start. And whoever it is, are we paying them for hosting through some kind of plan or is it still donated?
The hosting services seem to charge by storage space and page views, and their prices quickly ramp up to $100+/month.
Discourse is hosting us. There isn’t doc – I’ve looked.
I have the contact for Discourse somewhere, but I think the right thing to do is to send a message to support on Discourse’s discourse forums. That’s how I’ve gotten responses (a lot better than emails). I’ll forward what info I have over to you.
They haven’t charged us (yet). My personal credit card is still on hold. They haven’t mentioned anything about the hosting cost / limits since we started.
@junpenglao: Who are you in contact with at Discourse? We don’t have contact emails and their own forums seem to be not that responsive.
@breckbaldwin — could you take over figuring this out for us and managing our Discourse connections? We’d really like to get both this and our web pages on SSL for https.
Thanks to @junpenglao for letting us know that Discourse would do it for us.
We also converted Andrew’s blog to https—that was our sysadmin at Columbia.
We need to get Stan’s mc-stan.org pages switched still. Anyone know how to do that for GitHub-hosted pages? We don’t want to break things out of not knowing what we’re doing.