It has been pointed out that we don’t use HTTPS for the forum, which is certainly true, because it’s not easy to use it. HTTPS requires using an SSL certificate, for which there are two choices:
One could use a self-signed certificate, as CureTogether does, but users will be presented with a scary-looking “certificate is invalid” page (it’s not invalid, it’s just not signed by a big-name authority like Verisign).
One could buy a certificate from a big-name authority like Verisign, but they cost from $400/year for the least “secure” version. Thawte sells them at $250/year.
I’ve only started to look into this, and I was wondering if there’s already been some investigation by Alexandra, Daniel or Gary into getting an SSL certificate for QuantifiedSelf.com, or for CureTogether. Some certificates cover sub-domains, so we could have one that would work for the blog, forum and wiki.
I wasn’t the one who did the research for it, but for our site we used StartSSL, which was much cheaper. Perhaps that would work here, too?
I tried getting a certificate from StartSSL, but they require a validation step that involves sending e-mail to email@example.com. I tried requesting a certificate specifically for forum.quantifiedself.com, but that didn’t work.
So Alex/Gary/Daniel, looks like I need your help in getting the certificate, and then I can install it on the web server.
So firstname.lastname@example.org needs to be a working e-mail address, and someone with access to it should sign up for a certificate at https://www.startssl.com/?app=12 (click Express Lane).
This is now solved - the forum is accessible at https://forum.quantifiedself.com.