But why is SSL not used by default? When loading the forum, it just loads it in plain text (without automatically redirecting to https).
Because to do this means a server-side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.
Would that really be so bad? Pretty much all modern browsers support SSL nowadays. And I've never heard of any business/company blocking port 443 (as it's pretty much essential). Now, apart from all that, SEO-wise, EEVBlog would actually be ranked better on Google if https were on by default, which is another thing to take into account.
This thread is not for this discussion; the decision has been made, and it is final. Don't turn this thread into another argument on the merits of SSL. You didn't even have the option prior, don't complain about a free thing.
I might be taking a risk here (as you're in a power position) but I'm gonna stick to my principles and say what I have to say anyway.
I was just asking a simple question (and was making some observations), and you're making it sound like I'm the bad guy for doing so, and quite frankly, I don't like it! I think you could've definitely been nicer in your response. It's not like I was hardcore complaining about it not being on by default. Also, if you're gonna make it an optional thing, at least put it in the spotlight!
How about some kind of big, clickable link at the top of the forums saying something like "Click here to load the forum in SSL mode"?
Not everyone follows the news section FYI.
Dude, it was not a personal attack on you, it was a clear statement for the general public because this has been discussed to death; there have been two other threads discussing this, one of which devolved into a bitter complaint about how we should enforce and implement HSTS and various other things. The other thread was about how people don't want it, and then here people are saying they want the option... If Dave wants to put it in the spotlight, start a thread and ask him; it is not my place to rule on this.
As far as I am concerned, supporting both groups as best as possible while retaining full backwards compatibility is the best option here.
Reasons for SSL:
- Security, obviously, but this is not a huge worry with the content of this website
- Prevent content alteration by third parties such as governments
- Prevent your ISP from being able to track your browser habits so easily (they can still do it anyway)
Reasons for not using SSL:
- Old browsers that do not support SNI or modern encryption schemes that people insist on using
- Hardware devices, scripts, etc. that people have built that tie into the website may not support SSL
- Performance, SSL slows things down considerably
- There is no sensitive information here to protect, if there is you shouldn't be posting it on a public forum in the first place
Everyone assumes that SSL is the way to defeat tracking, alteration, etc... It is not, it just helps a bit. If a third party is determined enough to track you or alter the content there are numerous avenues of attack they can take, one of which is completely undetectable for thousands upon thousands of websites. It's called CloudFlare.
I have seen people reset their passwords on this website since SSL was enabled, and fair enough... but how does that person know the server that is decrypting the SSL session has not been compromised? How do they know the admin of the server is competent enough to even notice if the server has had its SSL private key stolen? And how do they know the owner/admin of that site is not just using it as a front to mine account details? And how do you know that the website that uses your password handles it correctly and stores it in a one-way salted hash? Ultimately it comes down to blind trust in a random you don't even know from a bar of soap.
If you think it's not that common, look at Sony... SSL was in use there but it was pointless as they stored all their data in plain text and allowed the theft of an enormous amount of data that they had been entrusted with. How did SSL help here? Would HSTS have prevented this? In short, no. I bet the attacker felt good knowing that the information they were stealing was being stolen in a secure way, don't want to risk a theft of a theft.
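The post above makes the point that transport encryption says nothing about how a site stores your password once it arrives, and that the right thing for the site to do is keep a one-way salted hash rather than plain text. The following is an added example, not code from the forum or its software, showing what that storage looks like with only the Python standard library: PBKDF2-HMAC-SHA256 with a fresh random salt per password, a self-describing stored record, constant-time verification, and a check that lets a site raise its iteration count over time. The record format and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: one-way salted password storage with the standard library.
# The iteration count below is an assumption; tune it for your deployment.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a stored record 'algorithm$iterations$salt_hex$digest_hex'.

    The password itself never appears in the record; only the salt and the
    PBKDF2 digest derived from it are kept, so a stolen table does not hand
    over the plain-text passwords the way a plain-text store would.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse_record(record: str):
    """Split a stored record; return None if it is not in the expected shape."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iterations and compare.

    hmac.compare_digest is used so the comparison time does not depend on
    how many leading bytes of the candidate digest happen to match.
    """
    parsed = _parse_record(record)
    if parsed is None:
        return False
    iterations, salt, stored_digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if a record should be re-hashed after a successful login.

    A site raises its iteration count over time; old records are upgraded
    transparently the next time the user presents the correct password.
    """
    parsed = _parse_record(record)
    if parsed is None:
        return True
    return parsed[0] < min_iterations


if __name__ == "__main__":
    # Constructed demonstration: a tiny "user table" with hashed records.
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])                                   # no password visible
    print(verify_password("correct horse battery staple", users["alice"]))  # True
    print(verify_password("wrong", users["alice"]))         # False
    if needs_rehash(users["alice"], min_iterations=DEFAULT_ITERATIONS):
        users["alice"] = hash_password("correct horse battery staple")
```

Two properties are worth noticing when running it: hashing the same password twice gives two different records because each gets its own salt, and a malformed or unknown record is rejected rather than causing an exception on the login path.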