HTTPS and account creation

This topic contains 2 replies, has 2 voices, and was last updated by Profile photo of Paal Braathen Paal Braathen 1 year, 2 months ago.

  • Author
  • #27846
    Profile photo of Paal Braathen
    Paal Braathen


    I have some comments on some issues on this website which if resolved would make it a better website, IMO.

    I've actually tweeted about the HTTPS issue before, but I thought I could mention it here too.

    Since this is a website where users log on with their usernames and password the page should make sure this information is sent encrypted. What I find strange is that the page actually have an valid certificate, but still doesn't redirect users to HTTPS ( ). It looks like there is just some minor theme issues that prevents that link from working beautifully. Since this is a WordPress site the issue might even be resolved by just altering the site URL in the settings.

    The other thing is account creation. Why would anyone running a site prevent users from creating their own account for just the web site? I.e. demanding that you link your account with another social network. What about the users that don't have any other account or maybe don't want to link their account? Should they not be able to use this site? The whole linking should be optional and there for the people who want it.

    I think both of these is a must if you want to run a good site 🙂

  • #27923
    Profile photo of Don Jones
    Don Jones

    We don't have an SSL certificate; the SSL is provided by CloudFlare, which is our front-end proxy. Anything between them and us would be unencrypted anyway.

    As I mentioned in response to your tweet, we don't accept usernames or passwords for most users. We ask you to log in with a social networking account, and the social networking provider actually logs you in and hands us a token. That token is only valid with our site, and there are processes in place to validate it. So we never have your credentials.

    We prevent account creation because we don't want the responsibility of storing usernames or passwords. That way, we don't have any risk of someone's password being compromised. Please keep in mind that this is a volunteer site, and we have a limited amount of time and effort to put into overhead tasks – we'd rather focus on helping answer people's questions. So we've elected to go with as simple a system as possible, where we store as little sensitive information as possible. That way if this site was compromised, there'd really be nothing personally identifiable or usable in our database.

    I'm sorry you don't think it's a good site as is, and appreciate your feedback. If you don't want to use the site, I understand, and would be happy to recommend other sites that might better fit your requirements.

  • #29084
    Profile photo of Paal Braathen
    Paal Braathen

    I didn't mean or intend to say that it's a bad site. I just think it could be better 🙂

    And I've done a lot of volunteer work myself and understand that you only have a limited amount of time available to spend on the site.

You must be logged in to reply to this topic.