HTTPS inconsistencies

If you have found a bug, or have a suggestion/comment then leave it here

Post » Mon Apr 15, 2013 3:27 pm

It's nice that being logged in makes the site default to HTTPS for most things, but there's an unfortunately large number of pages that still get served over HTTP, like any section using the old site layout, and curiously the "Create New Topic" page is also served over HTTP.

If you want to keep your users' cookies secure, it's really a binary thing - either everything is served over HTTPS when you're logged in, or the cookies aren't really secure. It would be nice to see this addressed.

As a side note, the website field in the profile editor is prefixed to always use http:// - it'd be nice if this could be made part of the field itself. To avoid any linking issues, you could simply stick http:// in front if someone were to forget to include the protocol.
Posts: 136
Reputation: 3,144

Post » Wed Apr 17, 2013 2:01 pm

Hi!

Thank you for the post. You are correct that it's important to secure users' cookies with a 100% https website.

As you observed, older pages are not https secured. This is because as we're rolling out the new design/new sections of the site we are ensuring they are all forced to https one at a time. Unfortunately we can't just switch the site to https entirely as it would throw a lot of security warnings, which is highly detrimental to visitor retention. It's going to be a gradual process and takes time.

I know this is not ideal; however, we don't consider our website to be a high value target (if someone did hijack your cookie there's not much damage to be done). So for this reason we think the gradual change to https is satisfactory.

Tom
Scirra Founder
Posts: 3,945
Reputation: 44,897
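
The cookie behaviour this thread turns on, as an added example that is not part of either post and is not the site's own code: a simplified model of RFC 6265 cookie selection showing which requests on a partly-HTTPS site carry the session cookie, with and without the `Secure` attribute. The host name, page paths and cookie value are constructed, and a single host is assumed so domain matching is left out.

```javascript
// Added example: simplified RFC 6265 cookie selection (one host, no expiry handling).
// Host, paths and cookie values below are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, path, secure, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: "/", secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "path" && v.trim().startsWith("/")) cookie.path = v.trim();
  }
  return cookie;
}

// RFC 6265 path-match: exact match, or prefix match on a "/" boundary.
function pathMatches(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const u = new URL(url);
  return jar
    .filter((c) => pathMatches(c.path, u.pathname))
    .filter((c) => !c.secure || u.protocol === "https:") // Secure: HTTPS requests only
    .map((c) => c.name);
}

// Pages on which the named cookie would cross the network in cleartext.
function cleartextExposure(pages, jar, cookieName) {
  return pages.filter((p) => p.startsWith("http://") && cookiesSentTo(p, jar).includes(cookieName));
}

const PAGES = [
  "https://forum.example.test/forum/",          // new-layout section, HTTPS
  "http://forum.example.test/old-section/",     // old-layout section, HTTP
  "http://forum.example.test/forum/new-topic",  // a single page left on HTTP
];
const withoutSecure = [parseSetCookie("session=constructed123; Path=/; HttpOnly")];
const withSecure = [parseSetCookie("session=constructed123; Path=/; HttpOnly; Secure")];

console.log(cleartextExposure(PAGES, withoutSecure, "session")); // both http:// pages
console.log(cleartextExposure(PAGES, withSecure, "session"));    // []
console.log(cookiesSentTo(PAGES[1], withSecure)); // [] : the HTTP page sees a logged-out visitor
```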

