In hindsight, I think this whole idea is a bit pointless, since after login I get a session cookie to authorize future requests, and if someone can get that cookie through eavesdropping he can actually access the site in full as if it was me (my IP is not part of a session cookie hash, and that’s not really secure anyway).
But… Instead I think I have a much better idea. I see you host this site on lunanode.com and they provide a Load Balancer service that will do the SSL termination for you, and for your usage metrics it will even be free of charge. So the server will still serve plain HTTP traffic while the Load Balancer will do the certificate provisioning (for free through LetsEncrypt) and SSL termination, forwarding the plain HTTP traffic back to the server. Here are the docs: Load Balancers
I personally would always appreciate better security, though the content of this site is generally impersonal. Perhaps if people are sending shipping addresses etc via private message, that would be a risk.
Have you looked at things like Cloudflare that provide SSL by proxying your HTTP site? Cloudflare’s pricing starts at free. There are a few similar providers around too.
@dave1010 True, but traffic between CloudFlare and the backend still goes over the Internet in plain text. BLF's hosting provider has an SSL termination feature for no charge, so imho it’s a no-brainer and secure too.
This was the reason for the instability of the site during the past ~12 hours, but I think I managed to work out most of the kinks. Please let me know if you run into anything odd relating to this change.
Holy SSL! Thank you SB! It’s so awesome to not have to worry about my PMs being intercepted in every hotel and foreign country the receiver opens/accesses them from. SWEET.