[2018-07-30] "Not secure" browser warnings, all is normal

How much money would you need to raise to add more processing resources to your system SB? I would chip in yearly. Many would. I would like to see BLF grow.

If I recall correctly, BLF runs on a SuSE-based platform. But I might use your cert tips for a project I’m doing… thanks! :slight_smile:

(mostly, I just need ssl for a bit of a toy project, to enable secure cross-site data transfer)

I would also find it useful if BLF acted as an oauth2 (or similar) identity provider, which requires ssl, so I could slave other sites/services off it using a single sign-on. I’ve been tempted to add some kickstarter-like features to make community projects easier for everyone. But even if BLF had identity provider features, I’m not sure I’d actually have enough time and motivation to do the rest. Too many projects.

This would create a whole lot of warnings and/or break a lot of image links. Like, I’d probably have to add https to my site (finally) and edit every post I’ve ever made with images. Which isn’t really all that much of a problem for me personally, but in a site-wide sense it would be pretty disruptive.

The server-passthrough workaround could reduce disruption, but it’s even more complication and more server load for sb to deal with. And some of the sites I’ve seen with that method end up breaking half the time anyway.

It’s certainly an open attack vector, but it hasn’t been a problem here that I’m aware of. There are probably people in the NSA and KGB quietly collecting our login data and stuff. Large-scale route hijacking attacks have been found in the wild for at least the past five years, ever since people noticed BGP attacks routing traffic through Iceland in 2013.

But if they were to ever actually use that data, we’d have much bigger things to worry about. And in the meantime, ssl is a significant cost and complication for BLF.

TL;DR: What sb56637 said. Https should probably happen eventually, but it’s a major PITA.

You don’t have to force https. Just answer “no” to the force https option at install and nothing changes as far as the public sees. Leaving SB and some users free to doddle around with the https.

As the very title of this thread makes clear, browsers are on the verge of outright blocking users with a red screen and scaring them away if the site is not https. Requiring SSL really is something that is going to happen soon. There have been years of marching, and some companies are now pushing hard.

Oh, cool. That certainly helps. :slight_smile:

(in case it wasn’t obvious, I’ve been dragging my feet about https for a long time and haven’t really dived in yet… last time I really looked at it was before it was compatible with name-based vhosts, so I didn’t implement it then and haven’t gotten back to it since)

I’ll be honest, I expect SSL on any site I visit and it puts me off when I don’t see it. I’ve dipped into these forums over the last few months but would only log in if I really needed something. Frankly there’s too much bad stuff happening on the web to be worrying about how secure my credentials are - I’d rather avoid a site entirely and avoid the issue.

Right now I am not seeing such “explicit” warnings. Why? Namely because I “downgraded” my browser version a little bit. I do not update my software if the developer is screwing up. I am the one deciding how and when to update my software. Those of you who regularly go to whatever software “stores” to “upgrade” your software blindly are allowing yourselves to be manipulated, sorry to say. Nowadays software development is quite focused on milking the cows and this means speaking half truths to people (how not?). SSL is not really necessary for a lot of stuff no matter what bullying G00gl€ says.

There's too much bad stuff happening? Sorry? Bad stuff happens to those of you who allow it via your subconscious beliefs. My advice is for you to believe right, as the reality you experience is created via your chosen beliefs (as above, so below), not the other way around.

Cheers ^:)

I understand your viewpoint, and it’s definitely commendable to be conscientious about security. But please remember to always use a different password on all different websites, which will avoid most risks.

As mentioned above, Let’s Encrypt would be a great idea… at least the login page. Also, Google will be prioritizing ranking based on certain security variables including SSL.

You really won’t have much choice about implementing SSL going forward; it’s not going to be long until this is required by most consumer browsers and search engines.