Basically, the announcement is that I've renewed our self-signed
certificate and enabled SSL on this site, meaning that you can now use https for security while browsing and logging into the enigma website, forums, etc.
However, that's hardly in english, so I'm going to dumb it down into something you guys can actually understand and read, and in the process I'm going to show my ignorance of the technologies and probably explain something slightly incorrectly. Feel free to correct me, but I think I will get the gist of it, so...
Http is a great way to send and receive plain text, and maybe even some binary data like images and files. But it's not exactly secure. If you log in over http, the following happens:
You generate some packets with your username and password, and send them in the general direction of the server. This information is pretty much plain text. Along the route, it will go through your network, to your router. Then, your router sends it off to your ISP, and it bounces around the internet before it gets to the server ISP, the server's router, and then the server. At any point along that line, a number of computers can easily "sniff" those packets and see what's in them. Anybody on your network can (connected to your router). Your router can, but they're never set up to, because it's useless information for them to keep storing packets. Your ISP can. After that, it bounces around the internet, where not many people really care about it. Then it gets to our server's ISP, router, and server, where nobody's going to sniff it because we pay good money for that server, so it's going to be secure.
There is encryption, and there's a fairly standard way of doing that, and that's called HTTPS, courtesy of SSL. When you use https, your packets are encrypted at your computer. People can still sniff it, but they can't see what's inside. Eventually it gets to the server, and the server knows how to decrypt the packet because it more or less told your computer how to encrypt it (also, the server sends you back encrypted data, which only you can decrypt, so that's nice. Makes loading a page use a tiny bit more cpu, but hey, encryption ftw).
This is done through the magic of certificates and signing and keys and other stuff I won't bore you with. But the certificate is important to explain because it is "self signed". When the server is telling you how to encrypt it, you want to make sure you have the right server, and that our server isn't just someone pretending to be our server.
We provide a certificate, and your browser needs to trust it, because nobody else can provide our exact certificate, but they can provide their own certificate and pretend like its ours. To prevent this from happening, we can ask some other company will sign our certificate - preferably a company that is known to do good signing. Your browser has a list of a bunch of well-known ones already written in. Which means that if our certificate is signed by a company that your browser knows, it will automatically trust our certificate - there's virtually no chance that you're being phished.
However, we haven't asked some other company to sign our certificate (yet), because it costs money, and some of them (like digicert, probably the best-known one) cost hundreds of dollars. We're not paying that. So we've self-signed our certificate until we can find a cheap signer (we're looking into it and we'll make a decision very soon).
So, if you want to use our website/forums securely, you need to navigate your browser to https://enigma-dev.org
at which point your browser should hopefully yell at you and say "This certificate is self-signed! Are you sure you trust this website?!" and you need to decide if you trust it's us, or if you think it's a phisher. Since we just set this up, it's unlikely that anybody phished it that quickly, so I'd say it's fairly safe to trust it. In firefox, this is done by "I understand the risks - Add an exception".
The alternative is to continue sending your password to the server as plaintext. If someone's going to phish, it'll be even easier to steal your password that way, rather than all the hastle of setting up a certificate and stuff like that. So frankly, there's no reason not to trust our certificate - even if it is phishing, because what's the difference?
At any rate, NOTE, if we get our certificate signed by someone else, we'll probably need to replace our certificate. Your browser will automatically recognize that one, so you won't need to take any steps, but the old certificate won't be valid. So you could just wait until then, rather than taking the extra steps to trust our self-signed (possibly temporary) certificate - and we'd understand. It's your choice. Our self-signed certificate is provided for those who want that extra layer of security, especially in their own network (even in the meantime).
I've mainly done this for myself, since I'm on a network with a bunch of people who are network programmers and use packet sniffers on a daily basis.
Anyways, there you go. Now you can use our website through https.
Please make sure you see the Lock icon next to the URL (in firefox at least. Or whatever it is on other browsers) before submitting your password.