Per #435 spectacleapp.com is now served over HTTPS using CloudFlare's _Flexible SSL_ feature. Though this adds a level of protection that didn't exist before it's only a temporary solution.
Unfortunately I don't think GitHub Pages will place nicely with CloudFlare's _Full SSL_ feature so odds are the best way to go about setting up end-to-end encryption will be to use Amazon's CloudFront with S3 serving all static assets.
Relevant discussion: https://github.com/isaacs/github/issues/156 (tldr: not yet possible)
GitHub Page actually works well with CloudFlare's _Full SSL_ feature (but not on the apex domain), just not _Strict SSL_. So if you move https://spectacleapp.com to https://www.spectacleapp.com. you can then enable _Full SSL_ without trouble. See https://github.com/isaacs/github/issues/156#issuecomment-110490178.
_Full SSL_ should provide more protection than _Flexible SSL_, and completely mitigates passive eavesdropping.
:+1:
Definitely something to consider as a temporary alternative until I get a proper SSL certificate and migrate away from GitHub Pages.
I enabled Full SSL.
@eczarny Awesome! Thanks for helping to encrypt the web.
Correct me if I got this wrong, but from what I understand, spectacleapp.com only serves to download the app and inform the user on what the app is. There does not seem to be any logged in section of the site, or anywhere you would enter sensitive information. So my question would be why does it need SSL?
So my question would be why does it need SSL?
@redfox05 mostly to help reduce the likelihood of a man-in-the-middle attack. Without SSL it's much easier for a third party to intercept requests to spectacleapp.com and replace the links you find there with links to their own, potentially compromised, binaries.
While the scenario above may not seem likely I like knowing that I'm doing what I can to help prevent it from happening.
@eczarny Sounds good. Thanks for the clarification! :-D
Most helpful comment
@redfox05 mostly to help reduce the likelihood of a man-in-the-middle attack. Without SSL it's much easier for a third party to intercept requests to spectacleapp.com and replace the links you find there with links to their own, potentially compromised, binaries.
While the scenario above may not seem likely I like knowing that I'm doing what I can to help prevent it from happening.