It’s sad you do not support HTTPS on getkirby.com, especially at forum.getkirby.com as passwords are sent in plain-text in this forum.
There are some CAs which provide free certificates (e.g. StartSSL), so you can just get a cert from there. Or wait until [Let’s Encrypt](http://letsencrypt.org/) launches in November 2015.
The Kirby Forum is hosted at Discourse. As far as I can tell, they charge 20 USD extra for SSL (sic!, I hope they support TLS ;)).
I also think that HTTPS is vital for any kind of website (TLS all the things), especially for the forum or generally sites with user data. I don’t know how easy it is to implement TLS on the forum though (whether the cert is already included or not), so I invited Bastian to this topic.
PS: StartSSL is not actually free for this purpose, as the free certs may not be used on commercial sites.
In the Class 1 settings (free), the only possible relationship between
StartCom and the subscriber is with individuals, i.e. natural persons.
StartCom has no relationship with the organization a subscriber may
represent and acknowledges only the subscriber. All responsibilities
according to the StartCom CA Policy are that of the subscriber
personally, even in case he/she decides to obtain certification as an
employee or representative of an organization.
So as I read this, it just means that - even if you are part of an organisation - the cert is still only given to you personally. I think this part is more a contract thing.
Of course they recommend their nice certificates so you can see (if you look veery closely ;)) the organisation name:
Organizations should perform Class 2 validation and an organization name
may only appear in a digital certificate at Class 2 level and higher.
Class 1 certificates are limited to client and server certificates, whereas the latter is restricted in its usage for non-commercial purpose only. Subscribers MUST upgrade to Class 2 or higher level for any domain and site of commercial nature, when using high-profile brands and names or if involved in obtaining or relaying sensitive information such as health records, financial details, personal information etc.
You could argue that it only matters if you actually use the site to sell stuff (that’s why I know this policy exists, because I was in this exact situation and they didn’t give me a certificate), but “of commercial nature” is quite broad.
Okay, this sounds different. Whether this forum is commercial - well… as it’s a legal term you can never be sure. However, as I see it, in this forum there is nothing sold and there is also no advertisement - so probably it’s non-commercial.
I don’t know what “RESTed” is, but actually HTTPS is enforced by the HSTS header so http://forum.getkirby.com will only be accessed once over HTTP. Later all major browsers respect the HSTS header and only allow HTTPS connections. @bastianallgeier BTW if all subdomains of getkirby.com (can) use HTTPS you can also add the “includeSubdomains” directive.
The Strict-Transport-Security header is only set for HTTPS requests, so it won’t work if the user accesses the site via HTTP in the first place. Only a redirection to HTTPS will fix this.
This setting only means that it doesn’t automatically redirect. But as I said, the response for the Forum homepage without TLS is HTTP 200 and an HTML page, so no redirect, even if I enabled it.
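To make the point of the last few posts concrete (HSTS on the HTTPS response protects repeat visits only, and a plain-HTTP 200 leaves the first visit unprotected), here is a small checker I wrote for this thread; it is not code from the forum or from Kirby/Discourse. It works on constructed sample responses rather than live requests, and the hostname `forum.example.test` is a placeholder.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal model of one HTTP response (constructed sample data, not real captures)."""
    status: int
    headers: dict = field(default_factory=dict)   # lower-cased header names

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def assess(plain, secure):
    """plain: response to http://host/, secure: response to https://host/.
    Returns what a browser will actually do on a first and on a repeat visit."""
    loc = plain.headers.get("location", "")
    redirects = plain.status in (301, 302, 307, 308) and loc.startswith("https://")
    hsts = parse_hsts(secure.headers.get("strict-transport-security", ""))
    max_age = int(hsts.get("max-age", "0") or 0)
    return {
        # Without a redirect, the very first http:// visit is served in clear.
        "first_visit_protected": redirects,
        # Browsers ignore HSTS on plain-HTTP responses (RFC 6797, section 8.1),
        # so sending the header from the HTTP listener buys nothing.
        "hsts_on_http_ignored": "strict-transport-security" in plain.headers,
        # HSTS only helps after a successful HTTPS visit with max-age > 0.
        "repeat_visit_protected": max_age > 0,
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in hsts,
    }

# Constructed sample mirroring the situation described in the thread:
# plain HTTP answers 200 with HTML, HTTPS answers with an HSTS header.
FORUM_HTTP = Response(200, {"content-type": "text/html"})
FORUM_HTTPS = Response(200, {"content-type": "text/html",
                             "strict-transport-security": "max-age=31536000"})
# The fixed configuration: redirect plus HSTS covering subdomains.
FIXED_HTTP = Response(301, {"location": "https://forum.example.test/"})
FIXED_HTTPS = Response(200, {"strict-transport-security":
                             "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for label, pair in (("as reported", (FORUM_HTTP, FORUM_HTTPS)),
                        ("with redirect", (FIXED_HTTP, FIXED_HTTPS))):
        print(label, assess(*pair))
```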