Update: as of February 6, 2012, RTH now uses its own dedicated SSL certificate.
Effective immediately, you can now access Raise the Hammer using the HTTP Secure protocol:
Note that the start of the URL is "https" instead of "http". HTTPS is a protocol that encrypts requests sent from the browser to the web server and web pages sent from the server back to the browser.
Because the communications are encrypted in an HTTPS connection, it is much more difficult for third parties to intercept and eavesdrop on your browsing activity, for example if you are using a shared public wifi network to access the internet. Tools like Firesheep demonstrate just how easy it is to 'hijack' an unencrypted browser session on a public wifi network.
A few caveats:
RTH uses the security certificate of WebFaction, our hosting provider. That means you may get a scary warning when you try to connect to RTH via HTTPS saying that there is a mismatch between the website domain and the certificate. Depending on your browser, you will be prompted to accept the connection anyway and/or add an exception for this domain.
If you access RTH using HTTPS, all the content on the RTH web server - web pages, style sheets, JavaScript files, images, etc. - will be served over HTTPS. However, some pages also include content from third-party sites - like embedded images and media files - that is served over plain HTTP. On those pages, your browser will probably warn you that you have requested an encrypted page that contains both encrypted and unencrypted files.
Because all communications between your browser and the web server are encrypted on an HTTPS connection, page loading will be a bit slower than it is on an unencrypted HTTP connection.
This change is part of our ongoing efforts to make your use of RTH more secure.
By MattM (registered) | Posted March 17, 2011 at 11:21:22
Looks good, thanks Ryan.
By MattM (registered) | Posted March 17, 2011 at 11:25:56
Little note, for some reason the site keeps switching back to http. I think it happens after I submit a post. Happened twice now. Using IE 7/Windows Vista.
Edit: Confirmed, it happens as soon as I submit a post.
Comment edited by MattM on 2011-03-17 11:29:02
By Ryan (registered) - website | Posted March 17, 2011 at 11:31:04 in reply to Comment 61055
Testing reply.
Edit - it's happening for me as well. I'll investigate.
Edit 2 - I think I know what's causing this: I bet the 303 redirect after posting a comment is hard-coded with http.
Edit 3 - I confirmed that this is due to a bug in the framework I'm using - web.py - in which 303 redirects automatically forward to plain http. I've filed a bug.
In the meantime, I've added a workaround to the code that posts comments to force the 303 seeother redirect to go to the right protocol. I'll have to do the same thing to the code that edits and deletes comments.
Edit 4 - I've updated the code that edits and deletes comments as well. This issue should be fixed now.
Comment edited by administrator Ryan on 2011-03-17 13:44:33
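The downgrade discussed in the comment above, as an added example that is not part of the original thread and is not web.py's code or RTH's workaround: a plain WSGI illustration of a 303 redirect with a hard-coded scheme beside one that keeps the scheme of the incoming request. The function names, the example.test host, the /comments/1 path and the trust_proxy parameter are assumptions made for the illustration.

```python
from wsgiref.util import setup_testing_defaults

def request_scheme(environ, trust_proxy=False):
    """Return the scheme the browser used for this request."""
    if trust_proxy:
        # Assumption: a front-end proxy you control terminates TLS and sets
        # X-Forwarded-Proto. Never honour it from untrusted clients.
        fwd = environ.get("HTTP_X_FORWARDED_PROTO", "")
        fwd = fwd.split(",")[0].strip().lower()
        if fwd in ("http", "https"):
            return fwd
    return environ.get("wsgi.url_scheme", "http")

def hardcoded_see_other(environ, path):
    """Failure mode from the thread: the scheme is fixed to http."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return "303 See Other", [("Location", "http://%s%s" % (host, path))]

def see_other(environ, path, trust_proxy=False):
    """Build a 303 whose Location keeps the scheme of the request."""
    # Accept only local absolute paths: no scheme-relative URLs, no CR/LF.
    if (not path.startswith("/") or path.startswith("//")
            or "\r" in path or "\n" in path):
        raise ValueError("redirect target must be a local absolute path")
    scheme = request_scheme(environ, trust_proxy)
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return "303 See Other", [("Location", "%s://%s%s" % (scheme, host, path))]

def make_environ(scheme, host="example.test", **extra):
    """Constructed WSGI environ for a comment POST (sample input)."""
    env = {}
    setup_testing_defaults(env)
    env.update({"REQUEST_METHOD": "POST", "HTTP_HOST": host,
                "wsgi.url_scheme": scheme})
    env.update(extra)
    return env

def location(response):
    """Pull the Location header out of a (status, headers) pair."""
    return dict(response[1])["Location"]

if __name__ == "__main__":
    env = make_environ("https")
    print("hard-coded:", location(hardcoded_see_other(env, "/comments/1")))
    print("preserving:", location(see_other(env, "/comments/1")))
```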
By Undustrial (registered) - website | Posted March 17, 2011 at 17:29:11
Woot! I've been looking into HTTPS a bunch lately. Really rad stuff.
By TnT (registered) | Posted March 19, 2011 at 18:43:28
Perhaps unrelated, but I've been having trouble posting of late getting "Internal Server Error."
By Ryan (registered) - website | Posted March 20, 2011 at 12:35:02 in reply to Comment 61203
Hi TnT, can you email me with the details if that happens again? What URL you're trying to load, what you're trying to do (e.g. post a comment), etc. Thanks!
Ars Technica has an interesting write-up that considers the relatively slow uptake of https relative to http. In brief, https is slower because 1) it needs to be encrypted, and 2) intermediate servers can no longer cache results.
I'd add that the current high cost of an https certificate is another significant barrier to entry. RTH is able to use our hosting provider's certificate - which causes browsers to warn users that the certificate is unverified and might be fraudulent! - but if we were to get our own, it would cost around $200 a year, on top of the domain registration and hosting costs we already pay.