SPDY / SSL / HTTP/2 Questions

Discussion in 'Server Configuration and Hosting' started by SatGuyScott, Dec 2, 2015.

  1. SatGuyScott

    SatGuyScott Active Member

    Today I installed a Wildcard SSL Certificate on my server which is running NGINX 1.8.0. I mainly needed it for mail security. But figured what else can I do with it.

    So now looking into SPDY or HTTP/2 support.

    My question is if I use SPDY or HTTP/2 do I have to move my website to https://???

    This is something I do not want to do, as I have so much on the site that is coming from other sites (such as ads, image attachments, etc.) and do not want my users getting a message that the page they are viewing has both secure and unsecure elements on it. But I still would like to take advantage of the speed that SPDY / HTTP/2 offers.

    So can this be done?
  2. Tracy Perry

    Tracy Perry Well-Known Member

    Yes, you do - that's the nature of SPDY and HTTP/2. You connect via secure protocol (HTTPS). And yes, it will affect it so don't use it - because you will get content warnings if you do (that's why I took my Recumbent Bike forum back to HTTP - needed some BBcodes that pull from non-SSL sites).
    SatGuyScott and Marcus like this.
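
An added example, not part of the thread: before moving a forum like this to HTTPS, the rendered HTML can be audited for the `http://` ads, attachments and BBcode embeds that would cause the warnings discussed above. The sample page and all host names are constructed placeholders, and `audit` and `blocked_hosts` are names chosen for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "Active" subresources are blocked on an HTTPS page when loaded over http://;
# "passive" ones (images, media) are what produce the mixed-content warning.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """<link rel="stylesheet" href="/css/forum.css">
<script src="http://ads.example.net/show.js"></script>
<img src="http://images.example.org/attach/1.png">
<img src="https://forum.example.com/avatar.png">
<iframe src="http://maps.example.org/embed/42"></iframe>
<script src="//cdn.example.com/lib.js"></script>"""


class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, tag, host, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("active", tag, a.get("href"))
        elif tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag]))

    def _check(self, kind, tag, url):
        # Relative, protocol-relative (//host/...) and https:// URLs are fine;
        # only an explicit http:// scheme becomes mixed content.
        parts = urlsplit((url or "").strip())
        if parts.scheme == "http":
            self.findings.append((kind, tag, parts.hostname, parts.geturl()))


def audit(html):
    """Return every http:// subresource found in an HTML string."""
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def blocked_hosts(findings):
    """Hosts serving active content, i.e. embeds that would stop working."""
    return sorted({host for kind, _, host, _ in findings if kind == "active"})


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Hosts returned by `blocked_hosts` are the ones to check for an HTTPS endpoint first, since their embeds would stop loading rather than just trigger a warning.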
  3. Fayettemat

    Fayettemat Member

    If you have a valid SSL cert why not at least make some parts of the site use TLS/SSL. You will be providing passwords clear text otherwise!
  4. Tracy Perry

    Tracy Perry Well-Known Member

    Because it really serves no purpose since I don't sell anything, the speed difference was nice, but the additional hassle is not worth it in the long run. If I was really worried about security, I'd also force 2FA on all the users.
  5. Fayettemat

    Fayettemat Member

    I totally disagree with this. You are sending passwords that your members are likely to be using elsewhere in clear text.
  6. Tracy Perry

    Tracy Perry Well-Known Member

    Again, as I said, it serves no useful purpose. Just because they use the same password on my site as others your assumption presumes that all other sites are SSL protected. They aren't (classic case of the BBcodes not working when under SSL as proof of that). You have to weigh the cost to benefit analysis. And for that site, it's not there.
  7. Fayettemat

    Fayettemat Member

    I can understand your point, however, I think we should agree to disagree on this as we've both laid out the case and reason for both sides. If you would like to talk more about this type of thing in private I'd welcome a PM on it but don't want to derail this thread.

    Back on topic though: what sites are not SSL that you are using bbcode for?
  8. Tracy Perry

    Tracy Perry Well-Known Member

    Bikely and Map My Fitness (also known as Map My Ride) were two that I found that do not have SSL for their "maps". The latter one in fact remaps any SSL connection to port 80 for non-SSL.
  9. MattW

    MattW Well-Known Member

    Should switch to Strava for mapping your activities, that uses SSL now :)
    eva2000 and SneakyDave like this.
  10. Tracy Perry

    Tracy Perry Well-Known Member

    You mean like this? :p


    There are several that the recumbent riders use... some of them like Strava, others of them curse it to no end.
    Fayettemat likes this.
  11. MattW

    MattW Well-Known Member

    I've switched to Strava 100% (I used to use Runkeeper, but that really started to annoy me).