HTTPS for EsotericSoftware.com?

Cranktrain · 9 мая 2022

Hi Spine team! Why do you only have your SSL certificate active on the Spine payment page, and on the Login/Register pages here on the forums? Just have it apply to every page! Then the browser won't do that red lock icon with the "this connection is insecure" message all the time.

My logged-in-as-user token gets sent in plain-text whenever I load a page here on the forum, which may as well be my password as far as phpbb3 is concerned. All the esotericsoftware.com https urls already get rewritten to http, so just reverse that and all is well. Probably worth doing!

Cranktrain · 9 мая 2022

Nate · 9 мая 2022

Aye, we've been meaning to do this for a while. Long ago it was better to avoid the overhead of HTTPS for pages that don't need it, which can make a difference for some users, such as those in China. Nowadays it's standard to use HTTPS for everything, we just haven't made the change yet. We do use HTTPS for the most important pages (payments, Spine license, etc).

Fabiano · 22 авг 2022

So it doesn't really make any difference here on these forum pages?
Worst case is somebody can intercept these replies we're writing in?

Nate · 22 авг 2022

Pretty much. Even then it's not easy to execute such an attack.