ooshwa, HTTPS bug, and also, the lack of HTTPS

2,638 Views | 12 Replies | Last: 9 yr ago by reb,
reb,
AG
It seems that just typing HTTPS makes texags think it is a link.

see here

Also, Texags doesn't support HTTPS to protect the privacy of its thousands of paying users except for on the account page. I get that it costs (and that it's not your decision). But I would really like it implemented across the entire site, and it'd be a good gesture towards us if y'all did it. Pass it up the chain?
ooshwa
Staff
AG
Thanks for the bug alert.

I have been considering the HTTPS move. I like the idea. I'll see if we can get it done this summer.
reb,
AG
quote:
Thanks for the bug alert.

I have been considering the HTTPS move. I like the idea. I'll see if we can get it done this summer.
Awesome. I hope Brandon/etc see it as a good idea as we do.
dmart90
AG
HTTPS
GIGEMeh
test
bmc13
AG
HTTPS used to be there, at least in some capacity, but then it disappeared.
GIGEMeh
Fail
GIGEMeh
It's not just a good idea. This site is currently vulnerable to session hijacking. If staff wants to see a demo, they can contact me at my username at micah dot ws.
reb,
AG
quote:
It's not just a good idea. This site is currently vulnerable to session hijacking. If staff wants to see a demo, they can contact me at my username at micah dot ws.
I would like a demo.
ooshwa
Staff
AG
Just an update... making progress on HTTPS. We're not forcing its use yet, but it is available...

https://texags.com


GIGEMeh
After logging in (over https) the site then defaults to https. This should almost entirely mitigate the vulnerability. The only exception would be if a user had multiple tabs opened, logged in on one tab, and went back to the already opened, non-https tabs.
GIGEMeh
On second thought, anyone who opens up a new window and goes to texags but is already authenticated would still be vulnerable to session hijacking. The best solution is to redirect from http to https for every request.
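
The redirect-every-request fix suggested in the post above, sketched as WSGI middleware; this is an added example, not code from the thread or from TexAgs. It goes one step further than the post by also setting the Secure cookie flag and an HSTS header, and `demo_app`, `request`, the host `forum.example` and the cookie value are constructed for illustration (the app is assumed to be mounted at the site root).

```python
from urllib.parse import quote

HSTS = ("Strict-Transport-Security", "max-age=31536000")

def add_cookie_flags(cookie):
    """Append Secure/HttpOnly to a Set-Cookie value unless already present."""
    present = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            cookie += "; " + flag
    return cookie

def force_https(app, canonical_host):
    """WSGI middleware: redirect all plain-HTTP requests, harden HTTPS responses."""
    def middleware(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Redirect before the app runs, so no page or new cookie goes out in
            # clear text. The target host is configured, not read from Host.
            url = "https://" + canonical_host + quote(environ.get("PATH_INFO") or "/")
            if environ.get("QUERY_STRING"):
                url += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", url), ("Content-Length", "0")])
            return [b""]

        def hardened(status, headers, exc_info=None):
            # Secure keeps the browser from attaching the session cookie to a
            # later http:// request, which is sent before any redirect arrives.
            headers = [(n, add_cookie_flags(v) if n.lower() == "set-cookie" else v)
                       for n, v in headers]
            return start_response(status, headers + [HSTS], exc_info)
        return app(environ, hardened)
    return middleware

def demo_app(environ, start_response):
    # Constructed stand-in for the forum application.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=constructed-value; Path=/")])
    return [b"ok"]

def request(app, scheme, path="/", query=""):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

The redirect alone does not cover a user who is already logged in and opens an `http://` tab, because the browser sends the cookie with that first request; the Secure flag is what closes that case.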
Pro Sandy
AG
I run the EFF add-on for Chrome, HTTPS Everywhere. Added a rule to always HTTPS texags.com
reb,
AG
quote:
I run the EFF add-on for Chrome, HTTPS Everywhere. Added a rule to always HTTPS texags.com