HTTP for passing user name and password


Mar 10, 2015 5:10 am
I'm not 100% sure of this, hopefully I'm wrong.

Is gamersplane using an HTTP POST for user name and password? That is to say, not using HTTPS.

If so, that's a big risk: it's very easy to intercept HTTP traffic, and people's user names and passwords will be in plain text. Being able to steal a password for this site may seem not so important, but I'd be willing to bet there are users who have the same password here as for other sites, so it really opens up a can of worms.

If you're going to take a user's password, you really have to use HTTPS with a valid certificate.

I say this out of love for GP.
Last edited March 10, 2015 5:12 am
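The question in this post, whether a login form submits credentials over plain HTTP, can be checked from the page markup without touching the network. The following script is an added example, not code from the thread or from Gamers' Plane: it takes the URL a page was fetched from plus its HTML, finds every form that carries a password field, resolves the form's action (empty, relative and scheme-relative actions all inherit the page's scheme) and reports whether the credentials would leave the browser over http://. The `example.test` pages are constructed sample input.

```python
"""Check whether a login form would submit credentials over plain HTTP.

Added example (not from the thread): given the URL a page was fetched from
and its HTML, find every <form> containing a password field and resolve its
action URL. The sample pages below are constructed, not real markup.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect method, action and has-password-field for each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "",
                             "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding dict per password-carrying form on the page.

    'plaintext' is True when the credentials would travel over http://.
    A form with no action submits back to the page URL, and a relative or
    scheme-relative action inherits the page's scheme, so urljoin() resolves
    all of those cases before the scheme is inspected.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])
        target_scheme = urlsplit(target).scheme.lower()
        findings.append({
            "method": form["method"],
            "target": target,
            "plaintext": target_scheme != "https",
            # An http:// page that posts to https:// still lets anyone on the
            # path rewrite the form before the user types anything.
            "page_plaintext": page_scheme != "https",
        })
    return findings


# Constructed sample pages (not real markup from any site).
SAMPLES = {
    "http://example.test/login": """
        <form method="post" action="/login">
          <input name="user"><input type="password" name="pass">
        </form>""",
    "https://example.test/login": """
        <form method="post">
          <input name="user"><input type="password" name="pass">
        </form>""",
    "http://example.test/": """
        <form method="post" action="https://example.test/login">
          <input name="user"><input type="password" name="pass">
        </form>
        <form action="/search"><input name="q"></form>""",
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        for f in audit_login_forms(url, html):
            state = "PLAINTEXT" if f["plaintext"] else "encrypted"
            flag = " (page itself over http)" if f["page_plaintext"] else ""
            print(f"{url}: {f['method'].upper()} {f['target']} -> {state}{flag}")
```

The third sample is the "just the login" case asked about later in the thread: the POST itself goes to https://, but because the page holding the form arrived over http://, nothing stops an intermediary from swapping the action before the user fills it in, which is why the finding still carries `page_plaintext`.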
Mar 10, 2015 12:04 pm
You are very correct. It's something I keep meaning to do, but never quite got to. I've never set up an HTTPS system myself, but I gotta learn it ASAP. I'll figure out the costs.

Not sure if any webdevs here are aware of this, but should I set up the entire site to work with HTTPS? Just the login? Like I said, I don't know much here...
Mar 10, 2015 9:07 pm
So I'm looking at what I need to do to set up SSL with Gamers' Plane, and it is more confusing than I'd hoped. Not sure what the downside of a self-signed cert through OpenSSL would be vs buying a cert from someone like RapidSSL (which isn't cheap by any means).
Mar 10, 2015 10:11 pm
I'd strongly advise against a self-signed certificate. Because they are self-signed, it's very easy to set up a 'fake' site with a different self-signed certificate and imitate the original site.

Although I'm not familiar with either of these options I wonder if signing on using Google+ or Facebook or another consolidated entity is an option?

Maybe there is a hosting option which can have SSL built in?

At the end of the day, if you take usernames and passwords via HTTP you're putting all your users at risk of more than just having their identity compromised on your site.

Self-signed HTTPS is better than HTTP.
A proper certificate is better than self-signed.
Last edited March 10, 2015 10:14 pm
Mar 10, 2015 10:21 pm
A little googling seems to suggest that there are some options for getting "free" certificates like https://www.startssl.com/

I don't know the model under which these certificates are offered, and I don't know the trust model here. It might be worth researching this "free" option, but approach it with a skeptical eye.
Mar 10, 2015 10:53 pm
I've been looking at StartSSL through the day; I'm trying to figure out why someone would give out a free SSL cert and what drawbacks it would have.
Mar 10, 2015 11:50 pm
Certificates cost nothing to manufacture if you're a legitimate signing authority, and I notice that the certificates are valid for one year, so they might be doing it in the hope of drawing future business.

It's worth googling to see what information you can find out regarding people's experiences using StartSSL (and I assume there must be others doing the same thing).
Last edited March 10, 2015 11:51 pm
Mar 10, 2015 11:53 pm
It's worth checking with whoever you got the "gamersplane.com" domain name from. If they can issue domain names, they should be able to issue certificates, and might do so cheaply.
Mar 11, 2015 12:10 am
Suggestions: don't use a self-signed certificate because your SEO ranks will plummet because Google checks that now. And, where Google leads the other search engines are sure to follow.

Also, I don't recommend using StartSSL because you have to pay to revoke the certificate if it's stolen. Back when servers were vulnerable to POODLE many certificates were stolen, and StartSSL users suffered quite the setback when they had to pay to revoke their certificates. At least with a paid certificate you can ask for the issuer to revoke and reissue a new one when there's a vulnerability (typically gratis).

Namecheap (not an affiliate link) is where I do my domain registrations, and they offer affordable SSL certificates (starting at $9/yr). If you need an installation guide, check out Linode's community guides. I've found them very helpful in the past.
Mar 11, 2015 3:31 am
I'm with Digital Ocean, and they have pretty good guides themselves, but yeah, I use Linode's as well. I use 1&1 for hosting; let's see what they have for certs, though from Stack Overflow and other sources, it seems that StartSSL's free stuff is OK to use to start, though everyone recommends I move to a paid SSL once I'm comfortable with it. Given it's between my server and the cert company, even if I use a free StartSSL cert to start and then move to a paid cert, it shouldn't go wrong, right?
Mar 11, 2015 3:52 am
Sounds like a pretty good starting option. Use them for a year and then see how you go.
Mar 11, 2015 4:03 am
I'll get started on the SSL cert tomorrow, and once I feel comfortable with it, I'll move to RapidSSL through Namecheap (which is kinda crazy... $10 through them for RapidSSL, $30 through 1&1, and $50 through RapidSSL itself).
