Authentication on this Website

[ArnavS]

These forums still use unsecured, vanilla HTTP as opposed to encrypted HTTPS. This is bad for security reasons, but also because browsers are making it increasingly difficult to authenticate without encryption. See, e.g., the attached screenshot from Firefox.

I think all that needs to be done is for the site to acquire an SSL certificate (from a certificate authority like Google), and use it. I understand the forums use a point-and-click template called phpBB, and it looks like there instructions on moving phpBB sites to HTTPS.

[Wartortullian]

I agree with Arnav's post, but Let's Encrypt is probably sufficient. I doubt there's any need to use a paid CA.

[jonah]

I've been asking for this since August 2017 and have been told (several times, last in September 2018) that it's on the radar. All the relevant people are volunteers, so I don't feel comfortable pinging too often.

[ArnavS]

Is there a way that we could volunteer to make it happen? All that the admins would need to do is delegate access to somebody for (say) a day or two. Or, we could write a small step-by-step instruction set that we could execute.

Alternately, we could chip in to fund time for one of the maintainers to make this happen. But I think it would be really useful, since people are probably reusing passwords here that they use for other (more important) services.

[Mike Bentley]

Is there a way that we could volunteer to make it happen? All that the admins would need to do is delegate access to somebody for (say) a day or two. Or, we could write a small step-by-step instruction set that we could execute.

Alternately, we could chip in to fund time for one of the maintainers to make this happen. But I think it would be really useful, since people are probably reusing passwords here that they use for other (more important) services.

Probably. Send an e-mail to Dan Goff ([email protected]) and see if you can work out the details.

[ArnavS]

He's done some work on this the LetsEncrypt front (good call @Matt, I didn't know there were free CAs like this) and will be taking another look this weekend. They will also be reviewing the archives to make sure nothing is impacted.

[Stained Diviner]

Any update on this?

How often should we ask why nothing is being done about this? Should we ask again in three months, or would it be more appropriate to wait a year?

[The Goffman Prophecies]

Surprise!

HTTPS is enabled on the entire site. For the moment, forced redirection is only happening when you access the forums. There's some issues with the CSS on the other pages (the tournament database and packet repository) that need to be resolved before this redirection happens sitewide.

[Stained Diviner]

Thank you!

[ScoBo]

There's some issues with the CSS on the other pages (the tournament database and packet repository) that need to be resolved before this redirection happens sitewide.

I think I have these fixed now, but let us know if you run into any problems while accessing the database or quizbowlpackets.com over https. One thing I'm aware of is I'm seeing https://hsquizbowl.org still redirecting to unsecure hsquizbowl.org/db, and it seems that is on Dan's side and not something I can fix myself.

[The Goffman Prophecies]

There's some issues with the CSS on the other pages (the tournament database and packet repository) that need to be resolved before this redirection happens sitewide.

I think I have these fixed now, but let us know if you run into any problems while accessing the database or quizbowlpackets.com over https. One thing I'm aware of is I'm seeing https://hsquizbowl.org still redirecting to unsecure hsquizbowl.org/db, and it seems that is on Dan's side and not something I can fix myself.

Yup, it was a quick configuration change I had to make. It's fixed now.