lichess.org

Let's Encrypt Lichess??

Why bother encrypting chess games? I don't understand the trade-off here...
Maybe a donation of hardware could be made for an HTTPS load balancer front end. This is the piece of equipment that contains the actual server certificate.

Another idea is to have additional JavaScript that will use, for example, SHA-512 to hash together a list of FEN positions, starting with the game id as the first line. Basically at the end of your game (or for any particular move) there will be a unique hash, but the one at the very end for completed games will probably be the most useful.

This isn't quite encryption yet but perhaps a useful first step? I'm not suggesting inventing an encryption/encoding algorithm, but rather using one of the message based ones such as in libsodium, however ported for a web solution.

I think having an HTTPS front end is still useful in this regard. As mentioned the major downside is that _all_ traffic must be encoded. Hence having some dedicated hardware (that can handle the load) so there is one less thing to worry about.
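
The hashing idea from the post above (game id as the first line, then one FEN per line, SHA-512 over the result), as an added example that is not part of the original thread or of lichess's code. It assumes Node.js and its built-in `crypto` module; the function names are hypothetical and the game id and FENs are constructed sample values. An unkeyed hash like this only reveals alteration when the reference hash is obtained over a trusted channel, and it hides nothing.

```javascript
// Added example: Node.js, built-in crypto only. Function names are hypothetical.
const { createHash } = require('node:crypto');

// Constructed sample data: a made-up game id and the positions after 1. e4 e5.
const SAMPLE_GAME_ID = 'abcd1234';
const SAMPLE_FENS = [
  'rnbqkbnr/pppppppp/8/8/8/8/PPPPPPPP/RNBQKBNR w KQkq - 0 1',
  'rnbqkbnr/pppppppp/8/8/4P3/8/PPPP1PPP/RNBQKBNR b KQkq e3 0 1',
  'rnbqkbnr/pppp1ppp/8/4p3/4P3/8/PPPP1PPP/RNBQKBNR w KQkq e6 0 2',
];
// Same game with the last position altered (1... d5 instead of 1... e5).
const TAMPERED_FENS = [...SAMPLE_FENS.slice(0, 2),
  'rnbqkbnr/ppp1pppp/8/3p4/4P3/8/PPPP1PPP/RNBQKBNR w KQkq d6 0 2'];

// One SHA-512 hex digest per position. Digest i covers "gameId\nfen0\n...feni\n",
// so the last digest fingerprints the whole game.
function fenHashChain(gameId, fens) {
  const lines = [gameId, ...fens];
  // Reject embedded line breaks so two different games cannot hash the same text.
  if (lines.some((l) => typeof l !== 'string' || /[\r\n]/.test(l))) {
    throw new TypeError('game id and FENs must be single-line strings');
  }
  const running = createHash('sha512').update(gameId + '\n', 'utf8');
  return fens.map((fen) => {
    running.update(fen + '\n', 'utf8');
    return running.copy().digest('hex'); // copy() keeps the running state usable
  });
}

// Index of the first position whose digest differs, or -1 if the chains match.
function firstDivergence(chainA, chainB) {
  const n = Math.min(chainA.length, chainB.length);
  for (let i = 0; i < n; i++) {
    if (chainA[i] !== chainB[i]) return i;
  }
  return chainA.length === chainB.length ? -1 : n;
}

const good = fenHashChain(SAMPLE_GAME_ID, SAMPLE_FENS);
const bad = fenHashChain(SAMPLE_GAME_ID, TAMPERED_FENS);
console.log('final hash:', good[good.length - 1]);
console.log('first differing position:', firstDivergence(good, bad));
```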

#3 Anything is possible given unlimited time and budget, but why bother in the first place? There really isn't much personal data on lichess, and it would be a shame to slow down bullet games due to encryption/decryption.

Whenever a password is required (login and some actions in the profile), it is my firm belief that HTTPS has to be implemented.

For the rest of the traffic, the benefit is to ensure no-one is sniffing. It might make sense for the private messages but it doesn't make much sense to encrypt every move.

On the other hand is performance. It may bring problems for bullet games.

If the performance issue is resolved, I would be in favor of encrypting everything, to enhance privacy.

Anyway, it should be mandatory to encrypt the login.

@nonobvious #1

SSL would be nice, to prevent any sniffing/hijacking of usernames and passwords.

However, it does add some resources overhead, so just for the login part would be a nice idea.

For example, the free blog option at Jimdo has an SSL login option, but the rest is plain HTTP:
http://support.jimdo.com/blog/

#5 IMO lichess requires passwords mainly for authorization purposes, not so much for authentication purposes:
http://stackoverflow.com/a/6556548

That is, as long as you do not violate terms of service lichess allows you to participate, regardless of your identity. IMO the only case you could make for data encryption would be that lichess also contains private content (messages and email addresses) which ought to be protected. But this doesn't affect 99% of the site and regardless of how fast the server is, encrypting game play would to some degree slow client-server communications. And for what benefit -- so some man in the middle cannot see the chess move played by the client?
Let's Encrypt isn't even out of beta. Why would we use it?
