metahacker (metahacker) wrote in suggestions,

Support secure connections by default

Short, concise description of the idea
All connections to LiveJournal should be over HTTPS, not HTTP; all email from LiveJournal should be via secure connection, not insecure.

Full description of the idea
Insecure web connections are becoming very dangerous.

They do not only secure browsing; they largely eliminate the risk of code injection and drive-by exploits.

Please secure all web connections to LiveJournal, not just the login part. Require https. It's faster, too!

This includes outbound email; LJ comment notifications often contain sensitive information and links, but are one of the few emails I receive that are still transmitted in the clear.

Here is additional background:

An ordered list of benefits
  • Contents of communication are private between LJ and the viewer.
  • Much lower risk of malicious content injection. I hate the thought of having my readers getting their computer hacked just for viewing my blog.
  • HTTPS is now faster than HTTP, in some cases almost twice as fast.
  • Browsers show warnings to users for insecure connections, scaring away potential readers.
  • Google has already started ranking insecure websites lower than secure ones; this harms the LJ brand.
  • Some major browsers (e.g., Chrome) are disabling some features for insecure connections.
  • Let's Encrypt offers free, public, and automated SSL/TLS certificates.
An ordered list of problems/issues involved
  • Changing over will require development effort, and require LiveJournal to acquire and maintain a signing certificate.
  • Introduces overhead on the server-side (of less than 1% CPU load).