(RESOLVED) Will it ever be implemented? HTTPS
Discussion
Funnily enough, during my network security lab, we were learning about stealing cookies using Wireshark and the website on the lab sheet was PistonHeads! This got me thinking as to why a relatively simple yet essential feature hasn't been implemented to date. Is it something that perhaps the IT team would deem useful, as it certainly is in my eyes?
anonymous said:
[redacted]
Totally agree with you. In fact I was able to retrieve the failed login attempts of others in the lab and could clearly see the username and password they entered! If they're unwilling to do anything about it they should at least make users aware of the dangers.
We are currently, and have been, working on a project to move the whole site to HTTPS - so to answer the OP's question - yes, we are moving it, and it is important to us.
We have done most of the work, but the last part we are working on at the moment is the images in the classifieds that are a little more complicated due to the way it was initially designed back in 2011. So we hope to have this finished in April.
One line in an Apache config file would seamlessly rewrite all HTTP requests to HTTPS. Zero programming changes required.
I guess this will get more attention from Haymarket early next year when Google start punishing sites for lack of SSL, i.e. when it impacts advertisers rather than users.
Daft though really, the ads are all iframed in so I get that they have to have these HTTPS first before the main site else they'll hit the insecure content warning (iframes, yuk!)
But surely any ad company worth its salt can serve both secure and insecure channels? As a test, I just took 5 of the ads from the main site and requested the same ad under HTTPS specifically - each ad is served absolutely fine.
Surely this is trivial to switch over if you're using a centralised ad system? Then you just change IIS or your load balancer to use a HTTPS cert and force all bookmarked insecure requests to bounce to HTTPS, job done.
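The insecure-content problem raised in the thread (classified images and iframed ads still referenced over plain HTTP once the page itself is served over HTTPS) can be checked before a switchover. The following is an added example, not part of the original posts or the site's own code; the hostnames and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Insecure loads of these are "active" mixed content, which browsers block.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
# Insecure loads of these are "passive": warned about or upgraded by the browser.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page; all hostnames are placeholders.
SAMPLE = """<head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.test/classifieds/1">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/classifieds/1.jpg">
<iframe src="http://ads.example.test/slot?id=5"></iframe>
<iframe src="https://ads.example.test/slot?id=6"></iframe>
<a href="http://www.example.test/old">old link</a>
</body>"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            kind, ref = "active", a.get("href")
        elif tag in ACTIVE:
            kind, ref = "active", a.get(ACTIVE[tag])
        elif tag in PASSIVE:
            kind, ref = "passive", a.get(PASSIVE[tag])
        else:
            return  # plain links (<a href>) are navigations, not subresources
        # Resolve relative and protocol-relative references against the page URL.
        url = urljoin(self.page_url, (ref or "").strip())
        if ref and urlparse(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://www.example.test/classifieds/1", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Scanning the same markup with an `http://` page URL also reports the relative stylesheet and the protocol-relative script, which is why hard-coded `http://` references are the ones that need changing before the redirect is switched on.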