1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Do you use SSL for XF ?

Discussion in 'Forum Management' started by DRaver, Apr 22, 2014.

  1. DRaver

    DRaver Active Member

    Is someone here using Xenforo with SSL and why?

    Do you have more activity in the forum?
    Do you have more registrations in the forum?
    Is your ranking in Google better?

    What exactly is the advantage to use SSL with Xenforo for you?
     
  2. Andy.N

    Andy.N Well-Known Member

    lot of people use it.
    It's about security.
     
  3. MattW

    MattW Well-Known Member

    Null and RoldanLT like this.
  4. RoldanLT

    RoldanLT Well-Known Member

    I'm using it for the sake of SPDY only :D
     
    Jeremy P likes this.
  5. digitalpoint

    digitalpoint Well-Known Member

    Same... SPDY is what finally pulled me off Apache to Nginx. SPDY requires SSL.
     
    Jeremy P likes this.
  6. Tracy Perry

    Tracy Perry Well-Known Member

    Or with OpenLiteSpeed also. :p
    I've converted my 3 XenForo forums over to it as well as my computer support site I have.
    I'm debating spending the money on the 4 myBB forums to do it, but they don't get any real traffic (they were more to play with than anything) so probably won't do them.
     
  7. Moshe1010

    Moshe1010 Well-Known Member

    Not really see any sense in SSL if you're not selling stuff through your board, and even than, payment getaways are usually secured regardless of your website. I don't know abouy SPDY+Nginx, but with Litespeed it made my website less responsive when SSL was activated (increase in about 300ms for every page).
    I've never seen any "hacked" XenForo board in terms of core security. If you know what add-ons you install and your server is usually secured, then SSL is pretty much useless (in my opinion of course).
     
  8. BamaStangGuy

    BamaStangGuy Well-Known Member

    Effy likes this.
  9. Tracy Perry

    Tracy Perry Well-Known Member

    It's just not about for you. A lot of users are getting to where they prefer to use a secured connection. I haven't noticed any real slowdown when I converted over to SSL on OLS. In fact, it appeared (once I enabled SPDY) to have sped up somewhat.
     
  10. Rigel Kentaurus

    Rigel Kentaurus Well-Known Member

    There is no good reason to keep using old plain HTTP

    The CPUs are fast enough now, the overhead is almost negligible, it provides better security, works well out of the box, does not impact SEO, and there are literally dozens of sites about how to configure it (almost sure CPanel even has something for people that use a GUI).

    Setting up a login that can be intercepted over the air is frankly irresponsible provided how easy it is to put things behind HTTPS
     
  11. digitalpoint

    digitalpoint Well-Known Member

    It's not about CPUs being fast enough for SSL now, it's more that the CPUs have a built-in encryption/decryption instruction set which more or less offloads the resources required to do SSL. Most Intel and AMD processors manufactured in the last 6 years have it.

    http://en.wikipedia.org/wiki/AES_instruction_set

    Additional interesting read here: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

     
    MattW likes this.
  12. Moshe1010

    Moshe1010 Well-Known Member

    A lot of users don't even know what secured connection mean. I can even be more presise, most users don't have any idea what SSL means, unless you're holding a tech board with tech people on it (or something at that sort).
    Try to open 2 different browser users at chrome. Open inspect elements, go to the network tab and refresh the page several time with https and without it (don't force SSL) with the same user as a guest and as a connected user, you would see the different in terms of page load.
    I even tested it right now again, and I get a difference of 600-800ms for the same exact page with the same exact page (homepage).
     
  13. BamaStangGuy

    BamaStangGuy Well-Known Member

    Most people don't care what forum software you are using, what your site looks like or a lot of other things.

    It costs less than a domain to put SSL on your site. What are the down sides that make you refuse to move to it?
     
  14. digitalpoint

    digitalpoint Well-Known Member

    Sounds like something funky is going on with the web server... because truthfully, I don't see anything like that.

    If you take a simple document where you aren't being limited at the application-level, and are able to strictly test it for the SSL connection, I can't tell a difference when the web server is properly configured. In fact, if the web server is SPDY enabled, it's *much* faster over HTTPS than HTTP.

    As an example, here's the same static document over HTTP and HTTPS if you want to see what sort of lag you get when you refresh/reload:

    HTTP:
    http://dpstatic.com/ad.js

    HTTPS:
    https://dpstatic.com/ad.js
     
  15. Moshe1010

    Moshe1010 Well-Known Member

    the 600ms was a glitch probably, I see the regular 200ms difference. Again, not sure who does it work with SPDY, I don't have it on my server. I'm with Litespeed and don't really want to to lose my htaccess (the only reason why I don't go the nginx route, which sounds better and defentily "cheaper" since Litespeed has funny licenses).

    Basically the speed difference, and the fact that if I force SSL, all users would be disconnected due to a new cookie.
     
  16. digitalpoint

    digitalpoint Well-Known Member

    Here's a real easy test to see which is faster (HTTP or HTTPS) in a real-world scenario (for whoever runs it, in THEIR browser).

    The physical distance to the server is the same (same server, same network, etc). The ONLY difference is one is going over HTTP and the other over HTTPS.

    http://whichloadsfaster.com/?l=http://dpstatic.com/ad.js&r=https://dpstatic.com/ad.js

    Better yet, use the "Repeat" option up top to repeat the test 100 times to see what the results are.
     
    RoldanLT likes this.
  17. Moshe1010

    Moshe1010 Well-Known Member

    Average over 100 runs: 24% faster → 36 ms / 29 ms
     
  18. digitalpoint

    digitalpoint Well-Known Member

    There you go... actually 24% FASTER over HTTPS (HTTPS is the right side).
     
    Steve F likes this.
  19. Tracy Perry

    Tracy Perry Well-Known Member

    Average on mine with https .244ms.
    Average on mine without https .162ms.

    For the difference... I think I'll keep it in place.
     
  20. Moshe1010

    Moshe1010 Well-Known Member

    How a single js file can be a test for this?

    The difference isn't that big for sure. 200ms or so isn't really noticible for users. But when there are heavy threads, the difference gets much bigger and it's annoying. I will play with that even more and see what happens.
     

Share This Page