I was just thinking, after recently reading a post from Jeff Atwood (a founder of Discourse, and author of the Coding Horror blog) titled Let’s Encrypt Everything, that we should check if our Discourse host can enable HTTPS for our Discourse site. With free CA providers like letsencrypt.org, and no caching of Discourse traffic like I think we do for our wiki.ros.org HTML, I think there's not much of an excuse not to see if we can move to HTTPS. Thoughts?
Yeah, I saw that article too. I think it would be good to add support. I’ll check into what it would take to add it to our hosting.
From the standard option feature set from discourse.org:
(The host I assume we are using?)
https://payments.discourse.org/buy/
#### SSL Option*
For an additional $20/month, your site can be served over a secure HTTPS connection, and increase your plan limits:
- Staff users 5 → 10
- Page views 100k → 150k
- Storage 10gb → 15gb
We’ve switched over and it should be enforced as https. Please reply here if anyone is seeing problems.
It is beautiful!
I now have an encrypted connection:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- 128 bit keys
- TLS 1.2
And it looks like the http -> https redirect is working too.
The SSL Labs report looks great.
https://www.ssllabs.com/ssltest/analyze.html?d=discourse.ros.org&s=64.71.168.201
Looks like there are some older Android and Java versions that will break, as well as people still using XP, but supporting those clients means allowing protocol downgrade attacks.
Hopefully nobody is still using XP for Internet connected things…
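As an added illustration (not code from this thread or from the Discourse hosting, whose actual TLS configuration is not shown here), the following Python uses the standard `ssl` module to do two things a defender would want when reading the report above: decode an IANA cipher-suite name such as the reported `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` into key exchange, authentication, bulk cipher, key size, mode and hash, flagging the properties that matter (forward secrecy, AEAD, broken ciphers), and build a server-side context that cannot be negotiated below TLS 1.2, which is the trade-off the thread accepts when it gives up the old Android, Java and XP clients. The parser is generalized to the TLS 1.2-and-earlier naming scheme and to TLS 1.3 names; the cipher string passed to `set_ciphers` is an assumption chosen for the example, not the host's setting.

```python
"""Added example: decode a TLS cipher-suite name and build a server context
that refuses protocol downgrade below TLS 1.2. Illustrative only; the Discourse
host's real configuration is not on the page."""
import ssl

# Key-exchange tokens that use ephemeral keys and therefore give forward secrecy.
EPHEMERAL_KX = {"ECDHE", "DHE"}
# Bulk ciphers with practical breaks or key sizes far too small for today.
BROKEN_CIPHERS = {"NULL", "RC4", "DES", "3DES_EDE", "RC2", "IDEA"}
AEAD_MODES = {"GCM", "CCM", "CCM_8"}


def parse_suite(name: str) -> dict:
    """Split an IANA suite name of the form
    TLS_<kx>[_<auth>]_WITH_<cipher>[_<bits>][_<mode>]_<hash>
    into its parts and list the reasons a defender would reject it."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher-suite name: {name!r}")

    if "_WITH_" not in name:
        # TLS 1.3 suites (e.g. TLS_AES_128_GCM_SHA256) carry no key-exchange
        # part: the key exchange is always ephemeral and the cipher always AEAD.
        parts = name[4:].split("_")
        return {"key_exchange": "TLS1.3", "auth": "certificate", "cipher": parts[0],
                "bits": int(parts[1]) if parts[1].isdigit() else None,
                "mode": parts[-2] if len(parts) > 3 else None, "hash": parts[-1],
                "forward_secrecy": True, "aead": True, "issues": []}

    left, right = name.split("_WITH_", 1)
    kx_tokens = left[4:].split("_")          # "ECDHE_RSA" -> ["ECDHE", "RSA"]
    export = "EXPORT" in kx_tokens           # e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5
    kx_tokens = [t for t in kx_tokens if t != "EXPORT"]
    key_exchange = kx_tokens[0]
    auth = kx_tokens[-1]                     # "TLS_RSA_WITH_..." : RSA does both

    tokens = right.split("_")
    hash_alg = tokens.pop()                  # the hash/MAC is always last
    bits, mode = None, None
    for i, tok in enumerate(tokens):
        if tok.isdigit():                    # first numeric token is the key size
            bits = int(tok)
            cipher = "_".join(tokens[:i])
            mode = "_".join(tokens[i + 1:]) or None
            break
    else:
        # No explicit key size, e.g. 3DES_EDE_CBC, CHACHA20_POLY1305 or NULL.
        if tokens[-1] in AEAD_MODES | {"CBC"}:
            mode = tokens.pop()
        cipher = "_".join(tokens)

    forward_secrecy = key_exchange in EPHEMERAL_KX
    aead = mode in AEAD_MODES or cipher.startswith("CHACHA20")
    issues = []
    if export:
        issues.append("export-grade suite")
    if cipher in BROKEN_CIPHERS:
        issues.append(f"{cipher} bulk cipher is broken or obsolete")
    if auth == "anon":
        issues.append("anonymous key exchange: no server authentication")
    if not forward_secrecy:
        issues.append(f"{key_exchange} key exchange has no forward secrecy")
    if hash_alg == "MD5":
        issues.append("MD5-based MAC")
    if bits is not None and bits < 128:
        issues.append(f"{bits}-bit key is too short")
    if not aead:
        issues.append("not an AEAD construction")

    return {"key_exchange": key_exchange, "auth": auth, "cipher": cipher,
            "bits": bits, "mode": mode, "hash": hash_alg,
            "forward_secrecy": forward_secrecy, "aead": aead, "issues": issues}


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses anything below TLS 1.2 and offers only
    forward-secret AEAD suites. The cipher string is this example's choice."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no downgrade to TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Report the floor protocol version and any legacy suites still enabled."""
    names = [c["name"] for c in ctx.get_ciphers()]   # OpenSSL-style names
    legacy = [n for n in names
              if any(w in n for w in ("RC4", "3DES", "DES-CBC", "MD5", "NULL"))]
    return {"min_version": ctx.minimum_version.name,
            "cipher_names": names, "legacy_suites": legacy}


if __name__ == "__main__":
    # The suite reported in the thread, and a legacy one for contrast.
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_SHA"):
        print(suite, parse_suite(suite))
    print(describe_context(hardened_server_context()))
```

Running the script prints the decoded fields for the reported suite (ECDHE key exchange, RSA authentication, AES-128 in GCM mode, SHA-256, forward secrecy, no issues) beside a legacy suite that trips several flags, then shows that the hardened context has a TLS 1.2 floor and no legacy suites enabled.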