Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
I have no experience as a sysadmin, but I have the recollection that SSL support on the server is relatively heavy (compared to normal operation). Of course if only the login page is SSL-encrypted and nothing else, that's a lot easier on the server. However, it still requires for it to be set up properly. And note that the NSA can possibly decrypt your information anyway, depending on what kind of encryption keys the server uses (via some mathematical trickery explained here.)
Joined: 4/13/2009
Posts: 431
Warp wrote:
I have no experience as a sysadmin, but I have the recollection that SSL support on the server is relatively heavy (compared to normal operation).
Kind of depends on what it's doing. If the board script dominates the runtime, it probably won't matter anyway. The only way to find out is to test it.
Of course if only the login page is SSL-encrypted and nothing else, that's a lot easier on the server. However, it still requires for it to be set up properly.
That's not rocket science. It's pretty easy to do that. Well, at least on a Windows server. Don't know about a Linux server. Besides, the site is already accepting SSL connections; it's just that the forum does not appear to exist when using SSL.
Emulator Coder, Skilled player (1141)
Joined: 5/1/2010
Posts: 1217
Warp wrote:
I have no experience as a sysadmin, but I have the recollection that SSL support on the server is relatively heavy (compared to normal operation).
As for key exchange, TLS doesn't currently support the really fast stuff. As for bulk ciphering, if you have hardware support, AES-GCM really frickin' flies (but requires TLS 1.2). Then there's talk about adding some new ciphersuites that are pretty fast even without hardware support. Well, it used to be the case that TLS was pretty heavy, but since the CPU speeds have increased, it has become pretty cheap CPU-wise (but that has done nothing to other problems). The reasons why this site doesn't do HTTPS have absolutely nothing to do with CPU nor memory usage.
Warp wrote:
Of course if only the login page is SSL-encrypted and nothing else, that's a lot easier on the server. However, it still requires for it to be set up properly.
This kind of set-up should really be avoided.
Joined: 1/25/2014
Posts: 6
Nicos wrote:
Why didn't you simply message an admin to change the username for you? I think it's possible (as double accounts are forbidden, it should be? riiighht?). As for the site security, until it gets fixed, try to think of it as riding a bike... it's fun, but it's safer to walk... especially when ducks are involved
Just didn't cross my mind to bug an admin about it. Now that the two accounts already exist, merging them is a pain in the ass. Oh well, it doesn't really matter anyway. As for using them both, I won't. Should someone really care, they can audit my last login times or just ban the old account.
Joined: 4/13/2009
Posts: 431
Warp wrote:
Of course if only the login page is SSL-encrypted and nothing else, that's a lot easier on the server. However, it still requires for it to be set up properly.
That's not safe, though. The session cookie can still be stolen, making it still just as unsecure.
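The cookie exposure raised in the reply above, as an added example that is not part of the thread: it checks which later requests would carry the session cookie in cleartext when only the login page uses HTTPS. The host `forum.example`, the cookie name `sid` and the URLs are constructed, and the browser model is simplified to the `Secure` attribute only.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into {name: flags}."""
    jar = SimpleCookie()
    jar.load(header_value)
    return {
        name: {"secure": bool(m["secure"]), "httponly": bool(m["httponly"])}
        for name, m in jar.items()
    }


def cleartext_exposure(set_cookie, later_urls):
    """Return [(url, [cookie names])] for requests that carry cookies unencrypted.

    Simplified browser model (assumption): every URL is same-host and matches
    the cookie's Path, so only the Secure attribute decides what goes over http.
    """
    cookies = parse_set_cookie(set_cookie)
    sent_in_clear = sorted(n for n, f in cookies.items() if not f["secure"])
    return [
        (url, sent_in_clear)
        for url in later_urls
        if urlsplit(url).scheme == "http" and sent_in_clear
    ]


# Constructed sample: login happens over HTTPS, the rest of the forum over HTTP.
LATER_REQUESTS = [
    "https://forum.example/login",
    "http://forum.example/viewtopic?t=1",
    "http://forum.example/profile",
]
WEAK = "sid=abc123; Path=/; HttpOnly"            # HttpOnly does not stop sniffing
HARDENED = "sid=abc123; Path=/; HttpOnly; Secure"  # never sent over http

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, cleartext_exposure(header, LATER_REQUESTS))
```

With `Secure` set, the browser withholds the cookie from the HTTP pages, so those pages would treat the user as logged out; keeping the session both usable and protected means serving the whole site over HTTPS.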
Patashu
He/Him
Joined: 10/2/2005
Posts: 4017
All the people saying 'well, the internet is fundamentally unsecure' are missing the point. The point is as follows: A database leak is the thing identity thieves want the most, because it means thousands to millions of accounts and passwords are leaked all in one go, and you can mine them in bulk. Sure, there are exploits and attacks for any feasible authentication system between two people or a person and a server, but they only give you one password at a time, so they're not nearly as likely to be bothered with. (Just be careful when using airport wifi, where this is no longer true!)
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Joined: 4/13/2009
Posts: 431
Well, if they steal an admin's password, they can probably dump the database or do a lot of damage.
Emulator Coder, Skilled player (1141)
Joined: 5/1/2010
Posts: 1217
EEssentia wrote:
Well, if they steal an admin's password, they can probably dump the database or do a lot of damage.
The DB passwords are sent over TLS or SSH.