Do you use SSL for XF ?

DRaver

Active member
Is someone here using Xenforo with SSL and why?

Do you have more activity in the forum?
Do you have more registrations in the forum?
Is your ranking in Google better?

What exactly is the advantage to use SSL with Xenforo for you?
 
Yes, on all my sites. Using it because it means you can use SPDY with NGINX.
Or with OpenLiteSpeed also. :p
I've converted my 3 XenForo forums over to it as well as my computer support site I have.
I'm debating spending the money on the 4 myBB forums to do it, but they don't get any real traffic (they were more to play with than anything) so probably won't do them.
 
Not really see any sense in SSL if you're not selling stuff through your board, and even than, payment getaways are usually secured regardless of your website. I don't know abouy SPDY+Nginx, but with Litespeed it made my website less responsive when SSL was activated (increase in about 300ms for every page).
I've never seen any "hacked" XenForo board in terms of core security. If you know what add-ons you install and your server is usually secured, then SSL is pretty much useless (in my opinion of course).
 
Not really see any sense in SSL if you're not selling stuff through your board, and even than, payment getaways are usually secured regardless of your website. I don't know abouy SPDY+Nginx, but with Litespeed it made my website less responsive when SSL was activated (increase in about 300ms for every page).
I've never seen any "hacked" XenForo board in terms of core security. If you know what add-ons you install and your server is usually secured, then SSL is pretty much useless (in my opinion of course).
It's just not about for you. A lot of users are getting to where they prefer to use a secured connection. I haven't noticed any real slowdown when I converted over to SSL on OLS. In fact, it appeared (once I enabled SPDY) to have sped up somewhat.
 
There is no good reason to keep using old plain HTTP

The CPUs are fast enough now, the overhead is almost negligible, it provides better security, works well out of the box, does not impact SEO, and there are literally dozens of sites about how to configure it (almost sure CPanel even has something for people that use a GUI).

Setting up a login that can be intercepted over the air is frankly irresponsible provided how easy it is to put things behind HTTPS
 
It's not about CPUs being fast enough for SSL now, it's more that the CPUs have a built-in encryption/decryption instruction set which more or less offloads the resources required to do SSL. Most Intel and AMD processors manufactured in the last 6 years have it.

http://en.wikipedia.org/wiki/AES_instruction_set

Additional interesting read here: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.
 
It's just not about for you. A lot of users are getting to where they prefer to use a secured connection. I haven't noticed any real slowdown when I converted over to SSL on OLS. In fact, it appeared (once I enabled SPDY) to have sped up somewhat.
A lot of users don't even know what secured connection mean. I can even be more presise, most users don't have any idea what SSL means, unless you're holding a tech board with tech people on it (or something at that sort).
Try to open 2 different browser users at chrome. Open inspect elements, go to the network tab and refresh the page several time with https and without it (don't force SSL) with the same user as a guest and as a connected user, you would see the different in terms of page load.
I even tested it right now again, and I get a difference of 600-800ms for the same exact page with the same exact page (homepage).
 
A lot of users don't even know what secured connection mean. I can even be more presise, most users don't have any idea what SSL means, unless you're holding a tech board with tech people on it (or something at that sort).
Try to open 2 different browser users at chrome. Open inspect elements, go to the network tab and refresh the page several time with https and without it (don't force SSL) with the same user as a guest and as a connected user, you would see the different in terms of page load.
I even tested it right now again, and I get a difference of 600-800ms for the same exact page with the same exact page (homepage).

Most people don't care what forum software you are using, what your site looks like or a lot of other things.

It costs less than a domain to put SSL on your site. What are the down sides that make you refuse to move to it?
 
A lot of users don't even know what secured connection mean. I can even be more presise, most users don't have any idea what SSL means, unless you're holding a tech board with tech people on it (or something at that sort).
Try to open 2 different browser users at chrome. Open inspect elements, go to the network tab and refresh the page several time with https and without it (don't force SSL) with the same user as a guest and as a connected user, you would see the different in terms of page load.
I even tested it right now again, and I get a difference of 600-800ms for the same exact page with the same exact page (homepage).
Sounds like something funky is going on with the web server... because truthfully, I don't see anything like that.

If you take a simple document where you aren't being limited at the application-level, and are able to strictly test it for the SSL connection, I can't tell a difference when the web server is properly configured. In fact, if the web server is SPDY enabled, it's *much* faster over HTTPS than HTTP.

As an example, here's the same static document over HTTP and HTTPS if you want to see what sort of lag you get when you refresh/reload:

HTTP:
http://dpstatic.com/ad.js

HTTPS:
https://dpstatic.com/ad.js
 
the 600ms was a glitch probably, I see the regular 200ms difference. Again, not sure who does it work with SPDY, I don't have it on my server. I'm with Litespeed and don't really want to to lose my htaccess (the only reason why I don't go the nginx route, which sounds better and defentily "cheaper" since Litespeed has funny licenses).

Most people don't care what forum software you are using, what your site looks like or a lot of other things.

It costs less than a domain to put SSL on your site. What are the down sides that make you refuse to move to it?
Basically the speed difference, and the fact that if I force SSL, all users would be disconnected due to a new cookie.
 
Here's a real easy test to see which is faster (HTTP or HTTPS) in a real-world scenario (for whoever runs it, in THEIR browser).

The physical distance to the server is the same (same server, same network, etc). The ONLY difference is one is going over HTTP and the other over HTTPS.

http://whichloadsfaster.com/?l=http://dpstatic.com/ad.js&r=https://dpstatic.com/ad.js

Better yet, use the "Repeat" option up top to repeat the test 100 times to see what the results are.
 
  • Like
Reactions: rdn
Here's a real easy test to see which is faster (HTTP or HTTPS) in a real-world scenario (for whoever runs it, in THEIR browser).

The physical distance to the server is the same (same server, same network, etc). The ONLY difference is one is going over HTTP and the other over HTTPS.

http://whichloadsfaster.com/?l=http://dpstatic.com/ad.js&r=https://dpstatic.com/ad.js

Better yet, use the "Repeat" option up top to repeat the test 100 times to see what the results are.
Average over 100 runs: 24% faster → 36 ms / 29 ms
 
A lot of users don't even know what secured connection mean. I can even be more presise, most users don't have any idea what SSL means, unless you're holding a tech board with tech people on it (or something at that sort).
Try to open 2 different browser users at chrome. Open inspect elements, go to the network tab and refresh the page several time with https and without it (don't force SSL) with the same user as a guest and as a connected user, you would see the different in terms of page load.
I even tested it right now again, and I get a difference of 600-800ms for the same exact page with the same exact page (homepage).
Average on mine with https .244ms.
Average on mine without https .162ms.

For the difference... I think I'll keep it in place.
 
There you go... actually 24% FASTER over HTTPS (HTTPS is the right side).
How a single js file can be a test for this?

Average on mine with https .244ms.
Average on mine without https .162ms.

For the difference... I think I'll keep it in place.
The difference isn't that big for sure. 200ms or so isn't really noticible for users. But when there are heavy threads, the difference gets much bigger and it's annoying. I will play with that even more and see what happens.
 
Top Bottom