HTTPS Always
-
A Former User last edited by
Hi,
I would suggest making a secure connection (HTTPS) available also when not signed in. As it currently is, it feels a bit obsolete in these times of surveillance and all kinds of spying and tracking of users’ activities.
Also, after signing in at https://auth.opera.com/account/login?service=forums&return_url=http://forums.opera.com/, as can be seen, the return-URL is http://forums.opera.com/, which means the http://forums.opera.com/ is opened and then redirected to https://forums.opera.com/. That does not look like a very secure solution.
If signing in without specifying a service (i.e. at https://auth.opera.com/account/login), https://auth.opera.com/account/login/success?service=auth is opened, and there the forum-link is http://forums.opera.com/.
Best would be to implement HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security , see also https://www.eff.org/deeplinks/2014/02/websites-hsts). Second best would be to at least make HTTPS available and usable also when not signed in (and changing the return-URL and forum-link mentioned above). Then people could add forums.opera.com at opera://net-internals/#hsts or enable the ruleset for Opera in HTTPS Everywhere (https://www.eff.org/https-everywhere). Now it is impossible to sign in with that ruleset enabled.
Thanks.
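The sign-in flow described in the post above, checked hop by hop, as an added example that is not part of the original post or of Opera's code. The URLs are the ones quoted in the post; the response headers and the helper names (`cleartext_params`, `parse_hsts`, `audit_chain`) are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def cleartext_params(url):
    """Query parameters of `url` whose value is itself an http:// URL."""
    query = parse_qs(urlsplit(url).query)
    return {k: v for k, vals in query.items() for v in vals
            if urlsplit(v).scheme == "http"}

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit_chain(hops):
    """hops: (url, response_headers) pairs in the order the browser requests them."""
    findings = []
    for url, headers in hops:
        parts = urlsplit(url)
        if parts.scheme == "http":
            # Sent in the clear; an HSTS header on this response would be ignored.
            findings.append(f"cleartext request: {url}")
            continue
        for name, target in cleartext_params(url).items():
            findings.append(f"{name} points to cleartext URL: {target}")
        hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        # max-age=0 tells the browser to drop the policy, so it does not count.
        if hsts is None or not parse_hsts(hsts)["max_age"]:
            findings.append(f"no effective HSTS policy from {parts.hostname}")
    return findings

# URLs are the ones quoted in the post; all response headers are constructed.
SAMPLE_CHAIN = [
    ("https://auth.opera.com/account/login?service=forums&return_url=http://forums.opera.com/",
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("http://forums.opera.com/", {"Location": "https://forums.opera.com/"}),
    ("https://forums.opera.com/", {}),
]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(finding)
```

With a valid `Strict-Transport-Security` header on the final hop and an `https://` return URL, the same chain produces no findings.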
-
A Former User last edited by
Directly.
If a hoover has an Opera installed, the forums should be readable - easily - from a hoover.
Hoovers don't do hetepepese.
-
A Former User last edited by
- Making the secure connection available when not signed in does not make the insecure connection unavailable.
- Clients that don’t support HTTPS also don’t support HSTS, so using that would not cause problems for those clients.
- Tell those hoovers to get ready for HTTP/2 (https://http2.github.io/).
-
A Former User last edited by
What's your problem?
Really?
Myself personally ain't got no prom with all that stuff you seem to be talking about.
I blop a letter, the autofill autofills it to forums.opera.com, the [Overview] page loads, autoreloads to the signed-in state, https, I'm on "Overview", signed in, no prom, blah-blah, now you come, tell me as if "we all gonna die" - or what?
What's the problem, dudes?
-
digmed last edited by
Making HTTPS available also when not signed in is a perfectly valid request. Unfortunately I can't promise this will be prioritized, but we will be looking into making all Opera sites HTTPS by default.
-
A Former User last edited by
Thanks digmed.
Making all Opera-sites HTTPS by default is an ambitious plan, and it will take some time, I guess.
Why not, as a small first step, remove the redirect to HTTP for forums.opera.com?