Good evening everyone!
Back in September, we flipped the switch and started serving the Stonehearth Discourse over HTTPS. “But I didn’t notice anything”, you say? Good - you shouldn’t have. So what is HTTPS, and why should you care?
Already know about HTTPS? Great! Click here to skip the details.
## What is it?
HTTPS stands for HTTP over SSL, or HTTP Secure, or HTTP over TLS (OK, there are a couple of possible names…). HTTP, or Hypertext Transfer Protocol, is a formal protocol for transmitting information over the internet. I’ll spare you the technical details, but if you’re interested you can read up about it on Wikipedia.
HTTP by itself is not secure. Someone with technical know-how can intercept the traffic and steal information like credit cards, personal information, and more. HTTPS, as the names imply, is a secure version of HTTP: traffic is encrypted in transit, which prevents information from being stolen along the way.
## Why is HTTPS important?
You may be wondering why we’d use HTTPS when we don’t really do anything private here on the Discourse. There are a couple of reasons:
- Logging In - When you logged in, you used a password, right? Of course, I know no one here would possibly use the same password on multiple sites - but why risk that password being intercepted?
- It’s faster - Recent improvements to HTTPS have resulted in dramatic speed improvements. More secure and faster? Sounds good to me!
- No interference - Loading a website is complicated:
  First, you make the request by typing a URL into your browser. Next, the traffic is transmitted via your internet provider (ISP) - think Comcast, Charter, Time Warner, etc. here in the USA. Your ISP then likely sends the data over a transit company’s network. Eventually, it arrives at Discourse’s ISP, and finally to the Discourse server itself.
  Without HTTPS, data being sent to, or received from the Discourse server could be changed, stored, or deleted. A rogue server could steal data. Your ISP could stick ads on top of the site. With HTTPS, you can trust that you are receiving data directly from the server (and only from the server).
## What do you need from me?
When we flipped the switch, all topics, posts, uploads, and other content _stored on the Discourse servers_ started being transmitted securely. However, not everything on the Discourse is located on the Discourse servers. Some images are actually links to other websites, like Imgur, Photobucket, or Flickr. These images are still being transmitted over HTTP, as we don't have any control over external sites.
## Help us find mixed-content
**Secure:**
- Chrome: ![|166x33](upload://ch8Wk08NJhEyFBkGVmc5u4g3N1i.png)
- Firefox: ![|125x31](upload://9cBAQYus5KGinuoJJVIRpvsqCE3.png)

**Mixed-content:**
- Chrome: ![|108x33](upload://qk08jDYK6lJvPEHYDD6CeRhLJvG.png)
- Firefox: ![|118x32](upload://lqjBntv0Ohi300n3SLgqE4GbEun.png)
When you see a page that has mixed-content, please flag the topic so we (the moderators) can find the insecure content and either get a secure link, or upload the content directly.
Thanks for your help!
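
One way to locate the insecure content in a flagged topic, as an added example that is not part of the original post or of Discourse itself. It scans a post's rendered HTML for sub-resources fetched over plain HTTP; the function names, the sample post and its hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a sub-resource for the page.
# Plain <a href> links are navigation, not page content, so following an
# http:// link does not turn the current page into mixed content.
FETCHING = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}


class MixedContentFinder(HTMLParser):
    """Collects (tag, url) pairs for sub-resources requested over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # Only stylesheet <link>s are loaded as page content.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = (attrs.get(attr) or "").strip()
        # Relative and protocol-relative (//host/...) URLs inherit the
        # page's https scheme, so only an explicit http scheme is reported.
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample post (hypothetical hosts), not taken from the forum.
SAMPLE_POST = """
<p>My base: <img src="http://i.example.com/base.png"></p>
<p>Same image, secure: <img src="https://i.example.com/base.png"></p>
<p>Uploaded here: <img src="/uploads/default/42/town.png"></p>
<p>Source: <a href="http://example.com/guide">guide</a></p>
<iframe src="http://video.example.com/embed/1"></iframe>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_POST):
        print(f"insecure <{tag}>: {url}")
```

Each reported URL is a candidate for either an `https://` replacement or a direct upload, the two fixes described above.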