I mentioned this in an API suggestion the other day, but it seems to have been missed.
You are letting users log in to this site over an insecure channel. Please consider urgently adding this, so our passwords do not get stolen.
You can get a free certificate from letsencrypt.org using one of the many automated clients, or if you have the DNS at cloudflare it's one click to set it up and about 1-2 mins to force https for the whole site.
Yawn.
Log in using a social account (Twitter, Facebook, or Google+), and then you won't need to enter a password on this site.
tvholic wrote:
Yawn.
Log in using a social account (Twitter, Facebook, or Google+), and then you won't need to enter a password on this site.
Why would you do that ? You might be giving personal info. Yeah, i don't like having a site pulling my personal info from FB for example. and FB cracking down on people using pseudonyms instead of real names make it even less tempting.
It's not as trivial as you might think, but it's definitely on our radar. SSL will be added in the future. :)
I understand David, but as a developer myself, letsencrypt should make this process trivial. Even more trivial is using Cloudflare's flexible SSL.
deanclatworthy wrote:
I understand David, but as a developer myself, letsencrypt should make this process trivial. Even more trivial is using Cloudflare's flexible SSL.
The implementation itself isn't a problem anymore since letsencrypt is live. :) But for example, ad revenue on HTTPS websites has been notoriously bad since not all advertisers support HTTPS. Fortunately the landscape has been improving, so we'll keep revisiting this subject in the future.
You have ads here ;-)?
At the very least you should add this to the login form. You could use nginx or apache rewrites to make sure it is only served there.
I sure don't want to diminish the importance of SSL and all... but you are aware that you are not on your Banking site, right ? He he.
Messing with you. ;)
Quinlan, sure. But the majority of people here probably re-use passwords. It's your responsibility as a site owner to secure the information for your users, and in this day and age not having SSL is a big oversight. In some countries, it's even a legal requirement.
dc1 wrote:
Quinlan, sure. But the majority of people here probably re-use passwords. It's your responsibility as a site owner to secure the information for your users, and in this day and age not having SSL is a big oversight. In some countries, it's even a legal requirement.
This is true for e-commerce sites, certainly. However, at the moment at least, TV Maze isn't selling anything or offering premium memberships where credit card information is collected.
:picard:
dc1 wrote:
At the very least you should add this to the login form. You could use nginx or apache rewrites to make sure it is only served there.
Hi dc1,
Late update: that's already the case and you can browse through TVmaze using https.
Thanks for voicing your concerns. Should you have any other concerns let us know.
best,
Jan
