Quote (ium @ Aug 18 2017 04:01am)
Force SSL would also slow down the loading speed drastically, unfortunately!
You couldn't be more wrong. HTTP/2 requires SSL and it loads pages faster.
Quote
I don't think SSL would be possible here since people upload their signatures and avatars to external servers, which would make modern web browsers alert a warning (correct me if I am wrong!)
You are wrong. Browsers would "warn" (but not by popup or anything - just color of the icon) if you tried to load an external http: page when you're on https:. Imgur and most other sites on the internet support https just fine and default to it.
I voted yes of course, there is ZERO reason not to, especially when it's offloaded to Cloudflare. But they should also configure proper HSTS headers.
I still have a working exploit on d2jsp which I alerted about like 2 years ago, but no one gave a shit, moderators just closed the topic. It is entirely prevented when you use the currently optional SSL. If I know it, other guys know it too.
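
An added example, not part of the original post: a small audit for the mixed-content concern discussed above. It scans rendered post HTML for subresources still loaded over http: and separates passive mixed content (images such as avatars and signatures) from active mixed content (scripts, frames). The sample HTML and its hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Passive ("optionally-blockable") mixed content: the https: page still
# renders, but the browser degrades its security indicator.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}
# Active ("blockable") mixed content: can rewrite the page, so browsers
# refuse to load it on an https: page.
ACTIVE = {("script", "src"), ("iframe", "src")}


class MixedContentAudit(HTMLParser):
    """Collects (kind, tag, url) for every subresource fetched over http:."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            url = value.strip()
            # https:, relative and protocol-relative URLs inherit a secure
            # context; only an explicit http: scheme is mixed content.
            if urlsplit(url).scheme.lower() != "http":
                continue
            if (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, url))
            elif (tag, name) in ACTIVE:
                self.findings.append(("active", tag, url))
            # <a href="http://..."> is navigation, not a subresource: ignored.


def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of a forum post with a user avatar and signature.
SAMPLE_POST = """
<div class="post">
  <img class="avatar" src="http://img.example.test/avatar.png">
  <img class="sig" src="https://img.example.test/sig.png">
  <a href="http://forum.example.test/topic">old link</a>
  <script src="http://cdn.example.test/widget.js"></script>
  <img src="/static/smiley.gif">
</div>
"""
```

Running `audit(SAMPLE_POST)` flags only the http: avatar as passive and the http: script as active; the https: signature, the relative smiley and the plain link are not reported.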