AT needs https

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar
Markbnj

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
drebo said:
It takes about 10 minutes from the time you decide you want to offer HTTPS to the time it's installed and working to implement an SSL certificate. And it costs about $6.
Click to expand...

Sort of, yeah, in terms of just the basic steps you need to complete. But tell me that you would make that change on a big public site in ten minutes and just flip the switch to go live. Right :).

If the site isn't well written there could be hard coded links that need to be hunted down and changed, and just in general you are not going to switch to https without testing the entire board to make sure everything works. That's the bulk of the actual workload.
 
Red Squirrel

Red Squirrel

No Lifer
May 24, 2003
70,623
13,818
126
www.anyf.ca
drebo said:
It takes about 10 minutes from the time you decide you want to offer HTTPS to the time it's installed and working to implement an SSL certificate. And it costs about $6.
Click to expand...

More like a couple hundred bucks to a grand per year if you go with a real certificate, as opposed to self signed which is free but will cause a warning.

Markbnj said:
Sort of, yeah, in terms of just the basic steps you need to complete. But tell me that you would make that change on a big public site in ten minutes and just flip the switch to go live. Right :).

If the site isn't well written there could be hard coded links that need to be hunted down and changed, and just in general you are not going to switch to https without testing the entire board to make sure everything works. That's the bulk of the actual workload.
Click to expand...

The sad part is, something as simple as implementing HTTPS here would probably involve about 3 days of downtime. :biggrin: You'd think they would have a local test/dev environment or something.
 
G

ghost_of_bman

i think https came too late... i was logged in this morning but now am logged out and when i tried to put my password in it says that the password is incorrect and so i think someboddy hacked my account and its probably gone forever :(
 
lxskllr

lxskllr

No Lifer
Nov 30, 2004
60,130
10,601
126
ghost_of_bman said:
i think https came too late... i was logged in this morning but now am logged out and when i tried to put my password in it says that the password is incorrect and so i think someboddy hacked my account and its probably gone forever :(
Click to expand...

Could be. I worry more about the bug of non-logged in posters being able to post :^P

I'd guess you're using the wrong password.
 
mikeymikec

mikeymikec

Lifer
May 19, 2011
21,063
16,298
136
Vic Vega said:
Exactly. ;)
Click to expand...

Funny how you haven't come up with a single technical reason why it would be a good idea, yet you're trying to tell me that I'm out of my depth.

drebo said:
It takes about 10 minutes from the time you decide you want to offer HTTPS to the time it's installed and working to implement an SSL certificate. And it costs about $6.
Click to expand...

That depends on the platform of the server, and the competence/experience of those administrating the server (it's also something else to go wrong), as well as testing (as someone pointed out already). Also, these forums get a fair bit of traffic, they're not exactly a money-making machine (AFAIK the advertising revenue and the possible extra visitors to the main part of the site are the commercial benefits of these forums), and the added daily server workload due to adding SSL support. The SSL workload of the forums is probably going to be far higher than most sites deal with; Amazon for example doesn't direct users into SSL until either they're logging in or during the purchase process. I haven't admin'd a service using SSL that had a particularly high workload, but right now there are 9225 users on the forums, which may or may not be the peak workload. That's a lot of encryption work to do.

As someone already pointed out, the forums are down a surprising amount of time as it is, as well as the apparent search/indexing issues that spring up from time to time. Does this sound like a service that has a huge amount of revenue/resources at its disposal?
 
Last edited:
V

Vic Vega

Diamond Member
Sep 24, 2010
4,535
4
0
mikeymikec said:
Funny how you haven't come up with a single technical reason why it would be a good idea, yet you're trying to tell me that I'm out of my depth.
Click to expand...

I don't have to come up with any reasons - the industry already did it and there's lots of them. You're trying too hard. You're not good at this. It's painfully obvious you're far too stupid to converse with, therefore you've made the list.
 
Imp

Imp

Lifer
Feb 8, 2000
18,828
184
106
I use an ancient password that's never been changed here. Last year, I got paranoid and started using different passwords for my bank accounts and main email. Email's actually THE most important considering that it's the main link and method to unlock/change passwords for everything else.
 
olds

olds

Elite Member
Mar 3, 2000
50,124
779
126
ghost_of_bman said:
i think https came too late... i was logged in this morning but now am logged out and when i tried to put my password in it says that the password is incorrect and so i think someboddy hacked my account and its probably gone forever :(
Click to expand...
If you are a RBM, it may have been a Mod.
 
C

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Red Squirrel said:
More like a couple hundred bucks to a grand per year if you go with a real certificate, as opposed to self signed which is free but will cause a warning.



The sad part is, something as simple as implementing HTTPS here would probably involve about 3 days of downtime. :biggrin: You'd think they would have a local test/dev environment or something.
Click to expand...

Just want to add a little more technical information as well. I do not know the architecture of how anandtech runs the forum. But I would bet that they would need to dedicate a machine to doing the SSL. SSL has considerable overhead that will eat some CPU cycles. Depending on traffic, it might crush their servers.

With that said, I could have a small barebones nginx server stood up within about 2 hours that would function as the SSL accelerator.
 
waggy

waggy

No Lifer
Dec 14, 2000
68,143
10
81
lol

you would think they would do something. after loke, and all the other shit because of how "secure" it is.
 
Leros

Leros

Lifer
Jul 11, 2004
21,867
7
81
Markbnj said:
Sort of, yeah, in terms of just the basic steps you need to complete. But tell me that you would make that change on a big public site in ten minutes and just flip the switch to go live. Right :).

If the site isn't well written there could be hard coded links that need to be hunted down and changed, and just in general you are not going to switch to https without testing the entire board to make sure everything works. That's the bulk of the actual workload.
Click to expand...

Can't you just have HTTP requests get redirected to HTTPS? I think that's fairly simple to do in Apache.

I'm assuming you're using something like Apache or have an Apache in front of the forum server.
 
lxskllr

lxskllr

No Lifer
Nov 30, 2004
60,130
10,601
126
Leros said:
I'm assuming you're using something like Apache or have an Apache in front of the forum server.
Click to expand...

Code: 
Status: HTTP/1.1 200 OK
Date:	Sun, 14 Jul 2013 18:35:16 GMT	
Server:	Apache/2.2.3 (CentOS)	
X-Powered-By:	PHP/5.3.9	
Set-Cookie:	atvbsessionhash=795aa4daf5822d681cbb538a1450fa5d; path=/; domain=.anandtech.com; HttpOnly	
Set-Cookie:	atvblastvisit=1373826916; expires=Mon, 14-Jul-2014 18:35:16 GMT; path=/; domain=.anandtech.com	
Set-Cookie:	atvblastactivity=0; expires=Mon, 14-Jul-2014 18:35:16 GMT; path=/; domain=.anandtech.com	
Cache-Control:	private	
Pragma:	private	
X-UA-Compatible:	IE=7	
Content-Encoding:	gzip	
Content-Length:	23200	
Connection:	close	
Content-Type:	text/html; charset=ISO-8859-1

http://web-sniffer.net/
 
RossMAN

RossMAN

Grand Nagus
Feb 24, 2000
79,020
435
136
ghost_of_bman said:
i think https came too late... i was logged in this morning but now am logged out and when i tried to put my password in it says that the password is incorrect and so i think someboddy hacked my account and its probably gone forever :(
Click to expand...

WTF?

Banned & deleted member?
 
Red Squirrel

Red Squirrel

No Lifer
May 24, 2003
70,623
13,818
126
www.anyf.ca
boomerang said:
http://forums.anandtech.com/announcement.php?f=14&a=67
Click to expand...

LOL wow, what are the odds. I'm guessing one would have needed to open that post for that exploit to work though? Also because it was most likely javascript or some other client side code I don't think encryption would have done anything anyway.

Actually, I'd be curious to know how often this forum actually gets updated. Bet there are lot of 0 day exploits that arn't exactly, 0 day. :biggrin:
 
waggy

waggy

No Lifer
Dec 14, 2000
68,143
10
81
Red Squirrel said:
LOL wow, what are the odds. I'm guessing one would have needed to open that post for that exploit to work though? Also because it was most likely javascript or some other client side code I don't think encryption would have done anything anyway.

Actually, I'd be curious to know how often this forum actually gets updated. Bet there are lot of 0 day exploits that arn't exactly, 0 day. :biggrin:
Click to expand...

you know whats better? that was not the only time something like that happened.


for a tech site its really amazing how poor it is. with all the down time and "hacks" lol
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom