I got a real salty feeling after this. When i asked a question, i just get told "Yeah we don't care if someone leaks your passwords, we are more advanced than HTTPS" There's no way you have something more advanced than TLS/SSL. And then after that, no actual answer or anything and it gets closed. It was just a friendly suggestion/question..

22 hours ago, Cyan said:

We just don't have interest in supporting it, sorry. It's not a significant challenge, I mean we have SSL certificates deployed for our management systems, it's just not something I'm interested in offering at this time.

This site isn't a confidential resource like your bank account. Simply do not reuse passwords and don't exchange information that you're not comfortable being public. If you think you're important enough that you're being monitored, or you're using a public access point, you may opt to not use the site or use anonymous data.

Did you see this answer? I think it answered your question, if not, let me know.

"We won't use HTTPS even if it's easy to configure, just don't use the same passwords elsewhere" Just seems a bit weird to me. Why not do it if it's easy and would let me re-use my password and not have it different for just one site? 

4 minutes ago, MSG2735 said:

"We won't use HTTPS even if it's easy to configure, just don't use the same passwords elsewhere" Just seems a bit weird to me. Why not do it if it's easy and would let me re-use my password and not have it different for just one site? 

You should never reuse your password, even if there is HTTPS. We use HTTPS for a lot of things on the site, not just for "what you see" if I remember correctly. 

Furthermore, it's a site run by us in our spare time. We can only do so much with the time we have. Security is something we take very seriously, of course. I have the highest confidence in Cyan however!

The reason i got even more salty was because of the response i got before. You answered this well :) Tack

3 hours ago, MSG2735 said:

I got a real salty feeling after this. When i asked a question, i just get told "Yeah we don't care if someone leaks your passwords, we are more advanced than HTTPS" There's no way you have something more advanced than TLS/SSL. And then after that, no actual answer or anything and it gets closed. It was just a friendly suggestion/question..

Nobody on the staff team told you we had anything 'better' than TLS/SSL. I think the unofficial answer you were given was stressing the fact that we have a very custom setup and that SSL is not outside the scope of what we can do. I then gave you an official answer - by telling you that we're not interested in supporting it.

I would read a bit into how routing works to understand why I've come to the conclusion that SSL is not for us. Nobody can see your password or other details as they travel between us bar upstream partners and ISPs. These partners and ISPs deal with terabytes of traffic daily, they aren't interested in your password. They are also bound by law as to how they handle data. I guess baring using an unprotected Wifi network like a coffee shop, a big three letter agency and perhaps having some malicious monitoring device on your own network, nobody is going to see your password as it travels to us. We hash passwords on our database so they aren't stored in plain text on our side.

I am keeping a keen eye on the HTTP 2.0 implementation, and looking at performance benefits. HTTP 2.0 practically requires SSL, so it might be the case we end up supporting SSL due to the performance benefits we see in HTTP 2.0. That is work that is not for the near future though.

Your topic was closed as the discussion was closed - we gave our answer to you that this won't be supported in the near future.

I'm using the term SSL interchangeably with TLS here. SSL 3.0 etc is mostly deemed as insecure now.

SSL? Useless. I really meant TLS and the encryption. And you are not resistant to a mass hack like other forums get when not paying attention to security. Forums are the best place to steal passwords