
GPF News Archive

June 15, 2015


Hey there, folks. I hope you're still enjoying Scylla and Charybdis. It's been exhausting to write and draw, especially at this currently reduced update schedule, but we're finally at the climax, where everything is coming to a crescendo. That doesn't mean the story is over, of course... we still have quite a ways to go to wrap things up. That said, it just gets crazier from here on out.

I'm breaking my usual maddening silence to announce a new GPF Premium feature, which is actually something I've wanted to do for quite a while but have had trouble implementing in a reliable fashion. I finally made a compromise between what I wanted to do and what I could do, and I think it works well enough for now. That statement will probably make more sense once I explain how I arrived at it.

Those of you who follow me on social media may have noticed that I've become more and more of a stickler about Internet security. I've posted things here and there about encryption, passwords, SSL/TLS, etc. Heck, I even maintain a rarely-updated Open Source password manager app for .NET and Android, mostly because I didn't like many of the similar offerings out there. A fair amount of this interest in Internet security comes with my day jobs; let's say I've worked in a few places over the years that would be high-value targets for hackers, identity thieves, and other malicious attackers, where security was (or at least was supposed to be) a high priority. Some of that interest has been personal; I find Internet security to be fascinating, and I just enjoy reading about it often. I try to transfer this fascination to the GPF site, making it as secure as humanly possible. I dare say that GPF is one of—if not the—most secure webcomic sites online. I take great pride in that fact, and I hope it translates into a level of confidence and trust that you, my fair readers, can depend on.

Certain developments over the past couple years have made me uneasy about the state of the Web in general, and I've seriously considered increasing GPF's security by forcing SSL/TLS encryption on all traffic to the site. (For those unfamiliar with SSL/TLS, that's the same encryption used by your browser when you do online banking or visit an e-commerce site.) GPF already uses TLS in a number of security-sensitive locations, such as the Premium Account Creator and Account Manager, or on login forms for the Forum and Wiki: places where I don't want sensitive data sent in the clear. That said, it's becoming rapidly apparent that standard, unencrypted HTTP traffic is becoming less safe, and at the time of this writing forcing TLS for all traffic is the only way to alleviate most of those concerns.

Sadly, GPF is still largely advertising funded: 50-66% of our income comes from ads, which varies for any given month. That means we're forced to adhere to the ad networks' requirements... or more properly, the lowest common denominator among them. Some of our ad suppliers offer TLS-encrypted traffic, but most of them don't. This means we at GPF have to make a choice between making money from ad-supported, unencrypted traffic, or encrypting our traffic and foregoing the bulk of our income. As much as I'd love for GPF Premium to pay all the bills, it still hasn't hit that mark yet, so it doesn't look like we'll be ditching the ads anytime soon. I'm still looking at our options when it comes to ad networks that offer TLS support, but it's a slow process of research that isn't ready just yet.

That all said, there's nothing that says I can't offer whole-site encryption to Premium subscribers who are actually paying us already.

Starting today, there is a new option available under the Site-Wide Options portion of the Premium Account Manager. Premium subscribers can now click the Force HTTPS for the entire GPF site option, which will instruct your browser to use Strict Transport Security for the duration of your subscription. What this means is that your browser will only access the GPF site over an encrypted TLS tunnel; it will silently rewrite all links to GPF from HTTP to HTTPS, even if you follow such a link from a third-party site. Once your subscription expires (or if you disable the option or disable Premium in your browser), your browser will revert to its old behavior and regular insecure links will remain insecure. Like most of our other site-wide options, unfortunately, you'll need to enable this option in each browser you normally use to access GPF, and you must have a relatively "modern" browser that supports STS. (See the linked-to Wikipedia article for a list of browsers that support STS.) Also, as a caveat to the ad discussion mentioned above, this STS option is mutually exclusive with the existing Keep showing ads even when Premium is enabled option; if you enable one, the other option will be disabled.
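
One way a server could tie a Strict Transport Security policy to a subscription as described above, together with a simplified model of what the browser does with it. This is an added example, not GPF's own code; the function and class names, the `comic.example` host, and the choice to set `max-age` to the subscription's remaining seconds are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit


def hsts_value(premium_active, force_https, keep_ads, expires, now):
    """Server side: Strict-Transport-Security value for an HTTPS response."""
    if force_https and keep_ads:
        raise ValueError("the two options are mutually exclusive")
    remaining = int((expires - now).total_seconds())
    if premium_active and force_https and remaining > 0:
        return f"max-age={remaining}"  # policy never outlives the subscription
    return "max-age=0"                 # tells the browser to drop its cached policy


class HstsCache:
    """Browser side: simplified model of the per-browser known-HSTS-host list."""

    def __init__(self):
        self._expiry = {}              # host -> datetime at which the policy lapses

    def note_header(self, url, value, now):
        parts = urlsplit(url)
        if parts.scheme != "https":    # a header received over plain HTTP is ignored
            return
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.lower() == "max-age":
                seconds = int(arg.strip('"'))
                if seconds == 0:
                    self._expiry.pop(parts.hostname, None)
                else:
                    self._expiry[parts.hostname] = now + timedelta(seconds=seconds)

    def rewrite(self, url, now):
        """Upgrade http:// to https:// while a policy for the host is live."""
        parts = urlsplit(url)
        live = self._expiry.get(parts.hostname)
        if parts.scheme == "http" and live is not None and now < live:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    now = datetime(2015, 6, 15, tzinfo=timezone.utc)   # constructed sample values
    cache = HstsCache()
    value = hsts_value(True, True, False, now + timedelta(days=30), now)
    cache.note_header("https://comic.example/account", value, now)
    print(cache.rewrite("http://comic.example/archive", now))
```

Because the policy lives in each browser's own cache and is only accepted over HTTPS, the option has to be switched on (and off) from a TLS-protected page in every browser separately.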

While this doesn't achieve my desired goal of making the entire site encrypted for everyone, it at least helps out the dedicated few who support the comic the most. I don't know if this is a new feature that will entice some folks who have considered subscribing but haven't to finally take the plunge (an alarming number of people simply don't care about online security at all), but I figure it might strike a chord with at least a few. After all, GPF was the first (and may still be the only) webcomic site to offer OpenPGP-encrypted e-mail notifications, years before Facebook made their recent pledge to do the same.
