Factorio Forums

Just made an account and noticed the site doesn't use HTTPS, so all your account details including the password are sent unencrypted, seriously, WTF?

While I agree using ssl encryption is preferable I don't think "seriously, WTF" is a justified response,
considering that the vast majority of the web doesn't use it (https://www.trustworthyinternet.org/ssl-pulse/).
After all, SSL certificates are expensive.
I think it's rather safe to assume that factorioforums.com isn't where you're gonna be sending your most critical data.

Sending passwords in plain text is bad. "Other sites are doing it wrong, too" is not a valid excuse.
The login on factorio.com is using SSL so doing it right seems to be possible.

prg wrote:Sending passwords in plain text is bad. "Other sites are doing it wrong, too" is not a valid excuse.
The login on factorio.com is using SSL so doing it right seems to be possible.

yes, i'm putting it to our internal issues list, but it's sitll fairly low priority.

Gandalf wrote:While I agree using ssl encryption is preferable I don't think "seriously, WTF" is a justified response,
considering that the vast majority of the web doesn't use it (https://www.trustworthyinternet.org/ssl-pulse/).
After all, SSL certificates are expensive.
I think it's rather safe to assume that factorioforums.com isn't where you're gonna be sending your most critical data.

you have for 35euro a simple https certificate for one year.
higher certificates are more expencive

here is where i buy my certificates in the netherlands.

https://www.sslcertificaten.nl/SSLCerti ... ndaard_1_1

You can get a free cert for this basic "passwords not sent in cleartext" purpose.
Ever heard of StartSSL or what was its name?

Bump.

The "Let's Encrypt" certification authority is now available for everyone.
The goal of that project is free certificates + automatic expiration-handling tools

*bump*

FFS guys, get this fixed!

Here's the link to Let's Encryt. You can get a free certificate in minutes.


You're going Steam - what do you think will happen if the new users come over here.
We backers are probably inherently more forgiving but that's a new wave of new users, some not so forgiving and quite more than a few with proper skills.

You're not in a garage anymore - you're appearing on Steam


Sending passwords unprotected, unencrypted and sniffable is not funny.
Heck - it's just a checkbox I have to check here to see it when it goes over the wire; and I'm not even trying.

Shame!

+1

Certificates are free these days, and with a real Steam release coming, there is zero excuse to remain on unsecure http. It's a disservice to loyal fans at this point.

Factorio should be using HTTPS.

I admit that as time has passed, I think the priority should have raised to "fairly low" to "freaking high".
I know Steam release has needed a lot of work from the dev team, but this should have been included in Steam release.

Success!
Kind of a brave move implementing it just before the steam realease as it could screw up a few things if done inproperly.

This is very well played. Once again, Wube software has proved they know how to act responsibly, and do so.
Congrats

Awesome guys, Thanks!

now using the subdomain instead of new domain.

Now it's clear this is the official forum.

No HTTP2 support?

mophydeen wrote:now using the subdomain instead of new domain.

Now it's clear this is the official forum.

There is absolutely no reason for this.

Kane wrote:

mophydeen wrote:now using the subdomain instead of new domain.

Now it's clear this is the official forum.

There is absolutely no reason for this.

Yes there is, as the certificate now used on the forums only applies to *.factorio.com and the easiest way to switch the forum to HTTPS was to use the certificate they already had for the website used as certificate for the forums. Why have two certificates when one does the job?

My crusade has come to an end. Now I can lay down and rest in peace.

Thx!


PS: about that HTTP/2 thing...