Why the forum doesn't use https?

[rainland]

Or more like: Error code: SEC_ERROR_UNKNOWN_ISSUER

I thought its very easy nowadays with lets encrypt etc.

[shubla]

It does, but you have to manually install the certificate. Most browsers wont allow you to install it, at least very easily.
Tbh most people probably dont use it because they dont even know that they should manually install it from some completely random domain.
Devs should just buy one or use the free alternatives and force everyone to use https on the site.

http://dolda2000.com/
Even that site basically asks you to call loftar in order to verify authenticity of the certificate

[rainland]

Devs should just buy one or use the free alternatives and force everyone to use https on the site.

Yeah, precisely. Current setup is just irresponsible and bad practice imo.

[Granger]

Current setup is just irresponsible and bad practice imo.

That is what the ones that want to sell certificates say, hoping for you to fall for it and pressure you site operator to pay up - basically it's a scheme to turn you into an unpaid mob enforcer for them. Given your post it seems to work

More details about this particular scam here.

[rainland]

Current setup is just irresponsible and bad practice imo.

That is what the ones that want to sell certificates say, hoping for you to fall for it and pressure you site operator to pay up - basically it's a scheme to turn you into an unpaid mob enforcer for them. Given your post it seems to work

More details about this particular scam here.

What do you mean? Let's encrypt doesn't cost anything

EDIT: Sorry I think you misunderstood me. The bad practice I was referring to is the fact to not enable https by default. This leaves majority of the userbase logging in with plain http!
IMHO using the self-signed certificate is a bit meh because you can get them from trusted CA:s for free now.

[Granger]

Current setup is just irresponsible and bad practice imo.

That is what the ones that want to sell certificates say, hoping for you to fall for it and pressure you site operator to pay up - basically it's a scheme to turn you into an unpaid mob enforcer for them. Given your post it seems to work

More details about this particular scam here.

What do you mean? Let's encrypt doesn't cost anything

Let's encrypt isn't the reason for the browser warning, but a recent reaction from a community that was fed up by such shit.
Some argue that using it is effectively just supporting the certificate scam, having the browsers featuring sites with higher paid certificates in more elaborate ways in their UI might be an indication toward this theory.

I'm quite confident that Loftar is aware of it, so my guess is that there are $reasons why it hasn't happened (yet).

A reasonable way to deal with the inherent flaws of the current certificate system would be DANE to have the cert delivered by the DNS which in itself is cryptologically secured against any tempering, afaik there is a smallish movement toward this but as the big browsers don't support it out of the box...

[rainland]

Thanks for the reply.

I'm quite confident that Loftar is aware of it

Yeah, he must be. I made this thread hoping to catch his attention and get him to answer to me.
I hope I haven't appeared to be too hostile