Page 1 of 1

Mandatory TLS on the 'goon forums.

PostPosted: Tue Dec 08, 2015 3:22 pm
by Zancarius
Hey guys,

So, we decided to just go ahead and setup TLS today. I asked Josh earlier what his preference was, because I was inclined to do a more gentle transition to TLS by allowing older browsers to access the site unaffected without it. He suggested that there's no point supporting older browsers and that we ought to migrate over without them. He's right, and considering that the majority of browsers we'll encounter trouble with are on Windows XP (which is around 15 years old) or Android 2.x (do those devices still work?), it's time to upgrade. Seriously: Software isn't a car or appliance. It changes too quickly.

As such, we've put a permanent redirect on all HTTP traffic. If you click any old links, they'll automatically redirect to the HTTPS site. Ideally, this should be entirely transparent. It'll also be about a million times more secure.

Also, I was wrong: It turns out that older browsers should still work, they'll just generate a certificate error when loading sites like ours that use the subjectAltName for domain matching in the certificate. But again, see above: We're completely dumping support for older browsers, and I don't think any of our regulars (or future members) will be affected.