[2020-10-30] [IMPLEMENTED] SSL / HTTPS for BudgetLightForum.com (Request)

@aeroden: Thanks, but wouldn’t that make most browsers throw warnings about mixed HTTP and HTTPS content on the same page?

@sb56637 It works the other way around - when you have a page loaded over HTTP*S* and some content on that page is loaded through HTTP, then you get a warning. In our case we do the opposite and there is no problem with that. For example in my above post the image was loaded from Imgur through HTTPS. Actually we don’t even load any content through HTTPS - we only POST login form data through HTTPS and then it would need to redirect us back to HTTP.

In hindsight, I think this whole idea is a bit pointless, since after login I get a session cookie to authorize future requests and if someone can get that cookie through eavesdropping he can actually access the site in full as if it was me (My IP is not of a session cookie hash, and that’s not really secure anyway).

But… Instead I think I have a much better idea. I see you host this site on lunanode.com and they provide a Load Balancer service that will do the SSL termination for you, and for your usage metrics it will even be free of charge. So the server will still serve plain HTTP traffic while the Load Balancer will do the certificate provisioning (for free through Let’s Encrypt) and SSL termination, forwarding the plain HTTP traffic back to the server. Here are the docs: Load Balancers

Sounds compelling?
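The session-cookie exposure described in the post above, as an added example that is not part of the original thread: it classifies each request of a browsing flow by whether the session cookie travels encrypted, in clear text, or not at all. The host `forum.example`, the cookie values and the function name are constructed for illustration, and domain/path matching is assumed to succeed for every URL.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def classify_requests(set_cookie, request_urls):
    """Map each URL to how the session cookie from `set_cookie` is handled."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))      # the single session cookie
    secure = bool(morsel["secure"])        # True only if the Secure flag is set
    result = {}
    for url in request_urls:
        if urlsplit(url).scheme == "https":
            result[url] = "protected"      # cookie sent inside TLS
        elif secure:
            result[url] = "not sent"       # browser withholds it: session is lost
        else:
            result[url] = "exposed"        # cookie readable by an eavesdropper
    return result

# Constructed flows. HYBRID: only the login POST uses HTTPS, then back to HTTP.
HYBRID = ["https://forum.example/login",
          "http://forum.example/",
          "http://forum.example/messages"]
# TERMINATED: the load balancer terminates TLS, so every browser request is HTTPS.
TERMINATED = [u.replace("http://", "https://") for u in HYBRID]

PLAIN_COOKIE = "session=constructed-value; Path=/; HttpOnly"
SECURE_COOKIE = "session=constructed-value; Path=/; HttpOnly; Secure"

def exposed(set_cookie, urls):
    """URLs on which the session cookie crosses the network unencrypted."""
    return [u for u, v in classify_requests(set_cookie, urls).items() if v == "exposed"]

if __name__ == "__main__":
    for name, cookie, flow in [("hybrid, no Secure", PLAIN_COOKIE, HYBRID),
                               ("hybrid, Secure", SECURE_COOKIE, HYBRID),
                               ("TLS at load balancer", SECURE_COOKIE, TERMINATED)]:
        print(name)
        for url, verdict in classify_requests(cookie, flow).items():
            print(f"  {verdict:10} {url}")
```

Setting `Secure` in the hybrid flow does not rescue it: the cookie is simply withheld from the HTTP pages, so the login does not carry over, which is why serving every request over HTTPS is the workable arrangement.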

Aeroden seems to be onto something there.

I personally would always appreciate better security, though the content of this site is generally impersonal. Perhaps if people are sending shipping addresses etc via private message, that would be a risk.

@sb56637 so what do you think about the load balancer approach?

Fuzun, would a groupbuy for a VPN be a simple solution?

How does a VPN help here?

@aeroden Thanks for the interesting idea, I’ll definitely look into it.

Have you looked at things like Cloudflare that provide SSL by proxying your HTTP site? Cloudflare’s pricing starts at free. There’s a few similar providers around too.

@dave1010 True, but traffic between Cloudflare and the backend still goes over the Internet in plain text. BLF’s hosting provider has an SSL termination feature for no charge, so imho it’s a no-brainer and secure too.

OK, SSL (https://budgetlightforum.com) is now implemented as @aeroden suggested. Thanks a lot for the tip!

This was the reason for the instability of the site during the past ~12 hours, but I think I managed to work out most of the kinks. Please let me know if you run into anything odd relating to this change.

Great teamwork guys!

Hurrah! Hurrah! Hurrah! Many thanks for making this effort!

Holy SSL! Thank you SB! It’s so awesome to not have to worry about my PMs being intercepted in every hotel and foreign country the receiver opens/accesses them from. SWEET.

Hooray! This will help your search rank too 🙂

That was definitely worth the downtime.

We did it reddit BLF!

Thank you for making the site more secure.

Looks like we’re running into a few quirks with the new setup, I’m not yet sure of the root cause. I’ll give updates here later on.

I will report anything I see unusual. I generally browse via FF on Win10 and Brave on Android or LineageOS.

Thank you SB for the effort here and all who helped as well! Long live BLF