By Ryan McGreal
Published March 17, 2011
Update: as of February 6, 2012, RTH now uses its own dedicated SSL certificate.
Effective immediately, you can now access Raise the Hammer using the HTTP Secure protocol:
Note that the start of the URL is "https" instead of "http". HTTPS is a protocol that encrypts requests sent from the browser to the web server and web pages sent from the server back to the browser.
Because the communications are encrypted in an HTTPS connection, it is much more difficult for third parties to intercept and eavesdrop on your browsing activity, for example if you are using a shared public wifi network to access the internet. Tools like Firesheep demonstrate just how easy it is to 'hijack' an unencrypted browser session on a public wifi network.
A few caveats:
RTH uses the security certificate of WebFaction, our hosting provider. That means you may get a scary warning when you try to connect to RTH via HTTPS saying that there is a mismatch between the website domain and the certificate. Depending on your browser, you will be prompted to accept the connection anyway and/or add an exception for this domain.
If you access RTH using HTTPS, all the content - web pages, style sheets, javascript files, images, etc. - on the RTH web server will be served in HTTPS. However, some pages also include content from third party sites - like embedded images and media files - that are served in plain HTTP. On those pages, your browser will probably warn you that you have requested an encrypted page that contains both encrypted and unencrypted files.
Because all communications between your browser and the web server are encrypted on an HTTPS connection, page loading will be a bit slower than it is on an unencrypted HTTP connection.
This change is part of our ongoing efforts to make your use of RTH more secure.
By MattM (registered)
Posted March 17, 2011 at 11:21:22
By MattM (registered)
Posted March 17, 2011 at 11:25:56
By Ryan (registered) - website
Posted March 17, 2011 at 11:31:04
in reply to Comment 61055
Testing reply.
Edit - it's happening for me as well. I'll investigate.
Edit 2 - I think I know what's causing this: I bet the 303 redirect after posting a comment is hard-coded with http.
Edit 3 - I confirmed that this is due to a bug in the framework I'm using - web.py - in which 303 redirects automatically forward to plain http. I've filed a bug.
In the meantime, I've added a workaround to the code that posts comments to force the 303 seeother redirect to go to the right protocol. I'll have to do the same thing to the code that edits and deletes comments.
Edit 4 - I've updated the code that edits and deletes comments as well. This issue should be fixed now.
Comment edited by administrator Ryan on 2011-03-17 13:44:33
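The protocol-preserving 303 redirect described in the comment above, as an added Python example that is neither RTH's nor web.py's own code. It assumes a plain WSGI environ and that, when a TLS-terminating proxy sits in front of the application (as a shared hosting setup typically does), the proxy sets the X-Forwarded-Proto header; the naive variant shows how a redirect ends up on plain http when that header is ignored.

```python
"""Build a 303 See Other redirect that keeps the visitor's scheme.

Constructed example (not RTH's or web.py's code). Behind a proxy that
terminates TLS, wsgi.url_scheme is 'http' even for HTTPS visitors, so a
redirect built from it silently drops the user back to plain http.
"""
from urllib.parse import urljoin


def naive_location(environ, path):
    """Redirect target built only from wsgi.url_scheme (the buggy behaviour)."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    base = f"{environ.get('wsgi.url_scheme', 'http')}://{host}/"
    return urljoin(base, path)


def request_scheme(environ):
    """Return 'https' or 'http' as seen by the visitor's browser.

    Assumption: the proxy sets X-Forwarded-Proto with the original scheme
    (first value wins if several proxies appended to it). If no proxy is
    involved, wsgi.url_scheme is already correct.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded:
        return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http")


def same_scheme_location(environ, path):
    """Absolute Location URL for `path` on the same host and scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    base = f"{request_scheme(environ)}://{host}/"
    return urljoin(base, path)


def seeother(environ, path):
    """(status, headers) for a 303 whose Location preserves the scheme."""
    return ("303 See Other", [("Location", same_scheme_location(environ, path))])


if __name__ == "__main__":
    # Constructed environ: HTTPS visitor behind a TLS-terminating proxy.
    env = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.org",
           "HTTP_X_FORWARDED_PROTO": "https"}
    print(naive_location(env, "/comments/123"))        # drops to http
    print(seeother(env, "/comments/123"))              # stays on https
```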
By Undustrial (registered) - website
Posted March 17, 2011 at 17:29:11
By TnT (registered)
Posted March 19, 2011 at 18:43:28
By Ryan (registered) - website
Posted March 20, 2011 at 12:35:02
in reply to Comment 61203
Ars Technica has an interesting write-up that considers the relatively slow uptake of https relative to http. In brief, https is slower because 1) it needs to be encrypted, and 2) intermediate servers can no longer cache results.
I'd add that the current high cost of an https certificate is another significant barrier to entry. RTH is able to use our hosting provider's certificate - which causes browsers to warn users that the certificate is unverified and might be fraudulent! - but if we were to get our own, it would cost around $200 a year, on top of the domain registration and hosting costs we already pay.