• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

SPDY / SSL / HTTP/2 Questions

SatGuyScott

Active member
#1
Today I installed a Wildcard SSL Certificate on my server which is running NGINX 1.8.0. I mainly needed it for mail security. But figured what else can I do with it.

So now looking into SPDY or HTTP/2 support.

My question is if I use SPDY or HTTP/2 do I have move my website to https;//???

This is something I do not want to do, as I have so much on the site that is coming from other sites (such as ads, image attachments, etc.) and do not want my users getting a message that the page they are viewing has both secure and unsecure elements on it. But I still would like to take advantage of the speed that SPDY / HTTP/2 offers.

So can this be done?
 

Tracy Perry

Well-known member
#2
Yes, you do - that's the nature of SPDY and HTTP/2. You connect via secure protocol (HTTPS). And yes, it will effect it so don't use it - because you will get content warnings if you do (that's why I took my Recumbent Bike forum back to HTTP - needed some BBcodes that pull from non-SSL sites).
 
#3
Yes, you do - that's the nature of SPDY and HTTP/2. You connect via secure protocol (HTTPS). And yes, it will effect it so don't use it - because you will get content warnings if you do (that's why I took my Recumbent Bike forum back to HTTP - needed some BBcodes that pull from non-SSL sites).
If you have a valid SSL cert why not at least make some parts of the site use TLS/SSL. You will be providing passwords clear text othrwise!
 

Tracy Perry

Well-known member
#4
If you have a valid SSL cert why not at least make some parts of the site use TLS/SSL. You will be providing passwords clear text othrwise!
Because it really serves no purpose since I don't sell anything, the speed difference was nice, but the additional hassle is not worth in in the long run. If I was really worried about security, I'd also force 2FA on all the users.
 

Tracy Perry

Well-known member
#6
I totally disagree with this. You are sending passwords that your members are likely to be using else where in clear text..
Again, as I said, it serves no useful purpose. Just because they use the same password on my site as others your assumption presumes that all other sites are SSL protected. They aren't (classic case of the BBcodes not working when under SSL as proof of that). You have to weigh the cost to benefit analysis. And for that site, it's not there.
 
#7
Again, as I said, it serves no useful purpose. Just because they use the same password on my site as others your assumption presumes that all other sites are SSL protected. They aren't (classic case of the BBcodes not working when under SSL as proof of that). You have to weigh the cost to benefit analysis. And for that site, it's not there.
I can understand your point, however, I think we should agree to disagree on this as we've both laid out the case and reason for both sides. If you would like to talk more about this type of thing in private I'd welcome a PM on it but don't want to derail this thread.

Back on topic though: what sites are not SSL that you are using bbcode for?