As of today, the Wintreath website and forums exclusively use HTTPS to connect with you. This means that when you're on the website and forums, your connection is encrypted so that others can't listen in or tamper with the data that's flowing between you and the website (commonly called a man-in-the-middle attack). You can identify pages that have been secured with HTTPS by the green padlock that appears in the URL bar in your browser.
Please feel free to post here if you have any questions or run into any problems.
Why are we doing this now?
Traditionally, only websites that handled sensitive data such as e-commerce sites used HTTPS, but over the last few years there has been a major push for all websites to adopt HTTPS in order to make the web more secure. As part of this push, Google announced earlier this year that the Chrome browser would identify any webpage not using HTTPS as not secure beginning in July, giving the impression that those websites are not trustworthy. Obviously we want to avoid this.
Additionally, it only became possible for us to adopt HTTPS in the last month, due to our webhost not offering an affordable way to do so until then.
What did this involve?
Before I could even do anything, two things had to happen. First, our forum software had to support HTTPS, especially to ensure that graphics that came from other image hosts were also secured by HTTPS when they were sent to you. This happened with the release of SMF 2.0.14 last year. Then our webhost had to offer an affordable way to adopt it, which happened just last month when they implemented free SSL certificates (required to encrypt connections) for their websites.
Most of my work involved areas outside of the forums where the SMF update didn't automatically apply. Part of the SMF update was an 'image proxy' that would load external graphics on the server before sending them to you through the secure connection, but I had to write new code so that pages outside the forums could use the proxy (this was a major issue on user profile pages). I then had to track down minor issues that had been overlooked over the years but caused mixed-content errors once we switched to HTTPS (again, ALL content has to be served through HTTPS or the page will be marked as not secure), which mostly involved finding graphics that had http in the link and switching them over, or fixing issues where graphics were non-existent. Did you know that polls are supposed to have a small image on the top-right, or that there should be a YouTube button in the post editor? It wasn't difficult making these fixes; it was just tedious and time-consuming tracking them down.
Finally, I updated the site to use HTTPS exclusively, meaning that even if you were to type in http://wintreath.com, it would be updated to https://wintreath.com.
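
The mixed-content hunt described above (finding graphics and other resources whose links still use http) can be automated with a scan like the one below. This is an added example, not code from the Wintreath site or from SMF; the tag and attribute list, the function names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed list of attributes that make the browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"),
    "object": ("data",), "input": ("src",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        wanted = SUBRESOURCE_ATTRS.get(tag, ())
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel:
            wanted = ("href",)
        for name in wanted:
            value = attrs.get(name) or ""
            # srcset is a comma-separated list of "url descriptor" pairs
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                url = (cand.split() or [""])[0]
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from the real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://forum.example/theme.css">
</head><body>
<a href="http://other.example/page">external link</a>
<img src="http://images.example/poll.gif" alt="poll">
<img src="https://forum.example/img/ok.png" srcset="http://images.example/a.png 2x">
<script src="HTTP://cdn.example/editor.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Run against saved copies of rendered pages, it lists each resource that would need to be switched to https or routed through the image proxy; resources loaded from CSS or injected by scripts are outside what this scan sees.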