As many of you have noticed, UER is served over plain-old, unencrypted HTTP. Over the past few years there has been a trend to push SSL to many popular sites (and most can admit this is a popular site).

Unfortunately, UER still seems behind the times, especially considering that Let's Encrypt provides free certificates to enable this capability not to mention plethora of community scripts for most major web servers (e.g. IIS on which this site is hosted).

Furthermore, many browsers now display a warning for non-SSL logins (as in the case of UER).

And to end on a hilarious note, just this week: https://arstechnic...gin-page-insecure/

"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."

But until then, hopefully nobody here is stupid enough to use a password for this site that is shared with anything of importance. Is it possible that a bunch of several year old accounts with no posts that are suddenly applying for FM are farmed accounts?

UER has been running SSL for a while and is accessible at https://www.uer.ca

But I do agree that all HTTP trafic should be redirected to HTTPS by default.

Meanwhile, you can use HTTPS Everywhere and create a rule for UER, so you never have to browse the unsecured site by accident.

Posted by Mickael UER has been running SSL for a while and is accessible at https://www.uer.ca But I do agree that all HTTP trafic should be redirected to HTTPS by default. Meanwhile, you can use HTTPS Everywhere and create a rule for UER, so you never have to browse the unsecured site by accident.

Worth it. I do have HTTPS Everywhere setup. Microsoft also provides an offical plugin for IIS to automatically redirect all requests to https.

UER has had SSL available with a self-signed cert for years, and with a proper cert for a year and a half now.

People can use SSL if they choose to.

I don't use Let's Encrypt because it requires the certificate to be renewed every 3 months and I just don't have that kind of time. It also doesn't work with my firewall.

-av