Use TLS / HSTS for the site, discourse, etc.

[annevk]

That way active attackers cannot spoof download links for software from insecure pages and credentials cannot be leaked passively from the forums.

https://wiki.whatwg.org/wiki/TLS has more reasons if those are not sufficient.

Endgame: http://hstspreload.appspot.com/

[frewsxcv]

Related issue: #13180

[steveklabnik]

Discourse is now on https, and the earlier issue covers the site, so I'm giving this a close.

[annevk]

http://users.rust-lang.org/ does not use HSTS for me (or even redirects to HTTPS).

[annevk]

Does site include the blog and the docs?

[steveklabnik]

@annevk it does for me...

And yes, the site does include the blog and docs. The docs have HTTPs access, and the site and blog have the same root cause: github pages hosting.

[annevk]

I think it does not do a 301 or some such. When I open a fresh browser the initial load does not redirect to HTTPS.

[steveklabnik]

Which browser are you using? I'm on Firefox on linux. It still redirects for me.

(and really, this would be an upstream issue, as this change was made by requesting it from discourse /cc @brson @coding-horror)

[annevk]

Nightly on OS X. Then Safari (stable) on OS X. Now Chrome dev on OS X.

"Still redirects" is not the problem by the way, that bit works (and it's not a redirect, but a browser rewrite), it's the initial connection which you can only get if you clear your HSTS cache or use a different browser.