Look, you entered a conversation where the context was that there is "no excuse" not to be using TLS today. To agree means to place demands on the people operating the endpoints where HTTPS is not yet rolled out. Your response was that these operators can "just run" their websites with TLS by swapping out their backend. You either agree that's a reasonable demand, or you don't.
Now, it is possible that you don't agree with that specific demand, and that something that involves switching the backend is merely one viable option—it's sufficient and not necessary to achieve that goal. And that's fine. But as someone who showed up to throw in their support for the claim that it's inexcusable not to be using TLS today, then the burden reverts back to you to justify the claim.
So, I ask you, as someone on record as disagreeing that it's still forgivable to be running an HTTP-only site in 2017: what are, as you see it, the minimum reasonable demands to be placed on someone operating a website?
I'm not sure why you even want to discuss the details of my simple suggestion or "demand" at length like that...
But to answer your question: I think if you are running a message board / forum for people to discuss various topics in general, you should try to keep your users as safe as possible within your means. That means HTTPS, no plain text passwords in the database - basic stuff really.
PS: The DNS on your website as linked in the profile isn't set. Only the www. subdomain works.
Are we talking about the suitability of operating any unencrypted endpoint without TLS, or are we limiting ourselves to message boards? If the latter, does that mean there are forgivable reasons to run HTTP-only applications that aren't message boards?
> The DNS on your website as linked in the profile isn't set
DNS is set up, it just doesn't have an A record or CNAME for the bare (second level) domain. That's intentional.
> Only the www. subdomain works
The other subdomains are certainly working.
> I'm not sure why you even want to discuss the details of my simple suggestion or "demand" at length like that
Because in response to this:
> failure to use HTTPS[...] is still a totally forgivable sin today