Switched to SSL encryption for all pages
Hi all,
Technologies are constantly evolving. As our lives become intertwined with the internet, security becomes ever more important. I received several emails recently from privacy-focused users expressing their dismay that the pages displaying their private messages were not encrypted.
With the latest changes that I deployed tonight, all traffic between your computer and RA is encrypted by default. The switch is more demanding on the servers but we can never be too safe in this day and age. The change is non-trivial despite the simple concept. If you see odd behaviors, please let me know. Thanks!
eric
Thanks Eric.
Rebuilding my aerobic base....racing next year.....nothing to see here....move along now.
Thanks. Does this affect the API?
No. The API has always been using https. There will be some upcoming breaking API changes though.
Maybe you could make it plain HTTP by default, but have an option in one's personal settings to encrypt all traffic. Probably a lot of people, myself included, wouldn't mind not having everything encrypted as I don't put anything on here I wouldn't want others to see.
Wouldn't that be a good tradeoff between offering full SSL encryption for anyone who wants it, without all the extra server load of having everyone's traffic encrypted?
Just a thought.
Interval Junkie --Nobby
A welcomed change. Thanks, Eric
2021 Goals: 50mpw 'cause there's nothing else to do
I think not doing SSL by default to preserve CPU was a solid reason 10 years ago, but on modern equipment you are talking probably a maximum of 5% impact and I would be willing to bet it is less.
Thanks, Eric, now our secret behind-the-scenes message clubs can go on with our mocking, feeling more secure that there is a slim probability that those we speak of will not find out. And for this fatherly act of SSL-ing us, you have been removed from the list of those who have been, are being, or shall be mocked, forever.
Hopefully, everyone will throw in an extra buck for you come subscription re-up time, as I know the cost of SSL sure ain't pocket-change.
Thanks, Founding Father and greaser of this little universe.
not bad for mile 25
Thank you Eric!
Thank you Eric. Cyber-privacy is a huge concern these days and ages. I take it quite seriously and appreciate your efforts in this regard.
Not dead. Yet.
It seems like overkill to me. I guess it doesn't hurt, but those certificates can't be cheap.
Do these users understand that it doesn't make their data any safer once it's uploaded? That it only keeps the data safe while it is in transit? For a criminal to get the data, they would need to be listening in on the line of traffic between the user and RA and extract the un-encrypted data from the stream. Why would anybody go to the effort of doing that for workout data? What would they get out of it? The worst I can think is that they might be able to figure out where the user lives based on the map data. And if a criminal wanted to find out where a user lived, there are probably easier ways than this.
Maybe I'm missing something. Either way, I just wanted to give my 2 cents. I appreciate this and all of the other work you do for us, eric
How can we know our limits if we don't test them?
delicate flower
Just curious, is this why while surfing at work this morning, no images display (lots of red x's) and I am getting interweb diagnostic errors? That never happened before. Not complaining...just asking. I'm on IE 8 and web security runs pretty tight 'round here.
<3
I'm on IE 8 and web security runs pretty tight 'round here.
Isn't there something of a contradiction here?
My only guess is that your company's policy allows only secured elements on a secured page to be displayed. All images hosted on RA should be pointed to https. Images posted by users tend to be http only. You can verify this by clicking on a red x and checking its URL. If you copy and paste the URL into your browser and the image comes up, then it would back up my hypothesis. If not, post the URL here and I'll take a look.
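The check described in the last reply (finding http-only elements on a secured page) can be automated. The following is an added example, not part of the original thread and not RA's code; the hostnames, the sample page and the names `find_mixed_content` and `MixedContentFinder` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch a subresource, keyed by tag.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}
# <link> triggers a fetch only for these rel values (not rel="canonical").
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}

# Constructed sample page; all hostnames are placeholders.
SAMPLE_PAGE = """
<link rel="stylesheet" href="/css/site.css">
<img src="https://forum.example.com/avatars/1.png">
<img src="http://images.example.org/user-upload.jpg">
<img src="//cdn.example.com/logo.png">
<a href="http://example.org/blog">plain link, not a subresource</a>
<script src="http://widgets.example.org/w.js"></script>
"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_LINK_RELS:
            return
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            # Resolve relative and //host/path references like a browser.
            absolute = urljoin(self.page_url, (attrs.get(name) or "").strip())
            if attrs.get(name) and urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return subresources an HTTPS page would request over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure
```

Calling `find_mixed_content("https://forum.example.com/t/1", SAMPLE_PAGE)` reports the user-posted image and the script, while the protocol-relative image and the ordinary hyperlink are left alone.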