Forum/Support Market
When clicking login, you get linked back to http://ssl.dispenser.tf/openid/blah (with the default nginx page). Changing it to https does indeed authenticate you, but redirects you back to the http homepage (default nginx page). Changing back to https once again does end up with you on SSL and authenticated, but by that time your privacy and security have already been leaked by the plaintext attempts from your browser.

Also, none of the cookies are actually SSL-bound, so any sort of http content that can invoke a redirect would also destroy the end user's privacy and security. This includes the user just typing 'dispenser.tf' into their browser, which would default to http.

I do understand the https version of the site is yet to be fully supported, but it'd be nice to have it functional, as a small HTTPS Everywhere config could make this site very usable under https. The only downside is the client would need to have, and be bothered to configure, HTTPS Everywhere, when I feel it's a webmaster's responsibility.

This is far from a critical bug, but the https implementation is relatively flawed, even for its original use (protecting the user from people eavesdropping on the Google Authenticator master secret), as your site willingly accepts http requests and the entire rest of your site uses http. Any attacker could easily script the page of the https link to the /btc* part of the site, and the browser and your web server would know zero difference.

Just my two cents: broken security is basically equal to no security at all.

EDIT: For reference, it claims it's 'secure' even after being stripped of all SSL; this is a pure plain-text connection to your server. There's no node between me and you (I hope!) proxying http to https to communicate with you:
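The two problems the post describes (a login on https that bounces the browser back to an http:// page, and session cookies set without the Secure attribute, so the browser will happily send them over plaintext) can be checked mechanically from response headers. The following is an added example written for this page, not code from dispenser.tf or from anyone in the thread. It runs offline on constructed responses; the hostname, cookie names, cookie values and status codes in the samples are assumptions chosen to mirror what the post reports, not a real capture.

```python
"""Audit HTTP response headers for downgrade redirects and non-Secure cookies.

Added example for this page; not code from dispenser.tf or anyone in the
thread. Works on constructed responses so it runs offline. The host, cookie
names/values and status codes below are assumptions mirroring the post.
"""
from urllib.parse import urlparse


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url, status, headers):
    """Return a list of findings for a single response.

    url: the request URL; status: integer status code;
    headers: list of (name, value) pairs in wire order (Set-Cookie may repeat).
    """
    findings = []
    seen_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cname!r} lacks Secure; browser will send it over http://")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname!r} lacks HttpOnly; readable by page script")
        elif lname == "location" and 300 <= status < 400:
            # A redirect whose target is http:// downgrades the session.
            if urlparse(value).scheme == "http":
                findings.append(f"{status} redirect to plaintext URL {value}")
        elif lname == "strict-transport-security":
            seen_hsts = True
    if urlparse(url).scheme == "https" and not seen_hsts:
        findings.append("https response without Strict-Transport-Security; "
                        "a bare hostname typed into the address bar still goes to http:// first")
    return findings


def cookies_sent_over(set_cookie_values, request_url):
    """Names of cookies a browser would attach to request_url.

    Only the Secure attribute is modelled; domain/path matching is assumed to
    succeed, which holds for the same-host, Path=/ cookies in the samples.
    """
    scheme = urlparse(request_url).scheme
    sent = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if scheme == "https" or "secure" not in attrs:
            sent.append(name)
    return sent


# Constructed sample of the behaviour the post describes (not a real capture).
WEAK_LOGIN_RESPONSE = (
    "https://dispenser.tf/openid/login", 302,
    [("Location", "http://dispenser.tf/"),
     ("Set-Cookie", "session=deadbeef; Path=/; HttpOnly"),
     ("Set-Cookie", "steamid=76561190000000000; Path=/")],
)

# Constructed sample of the same response hardened: https redirect, HSTS,
# and every cookie marked Secure and HttpOnly.
FIXED_LOGIN_RESPONSE = (
    "https://dispenser.tf/openid/login", 302,
    [("Location", "https://dispenser.tf/"),
     ("Strict-Transport-Security", "max-age=31536000"),
     ("Set-Cookie", "session=deadbeef; Path=/; Secure; HttpOnly"),
     ("Set-Cookie", "steamid=76561190000000000; Path=/; Secure; HttpOnly")],
)


def cookie_values(response):
    """Pull the Set-Cookie values out of a (url, status, headers) tuple."""
    return [v for n, v in response[2] if n.lower() == "set-cookie"]


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_LOGIN_RESPONSE), ("fixed", FIXED_LOGIN_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_response(*resp):
            print(" -", finding)
        print(" sent to http://dispenser.tf/:",
              cookies_sent_over(cookie_values(resp), "http://dispenser.tf/"))
```

Running it against the weak sample reports the plaintext redirect, both cookies missing Secure, and the missing HSTS header, and shows that both cookies would be attached to a plain http://dispenser.tf/ request, which is exactly the leak the post describes when a user types the bare hostname. The hardened sample produces no findings and sends no cookies over http. To use it against a live site, feed it the URL, status and raw header pairs from a real response (for example from http.client or a proxy capture).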

Replies

Thanks for the test; the detailed info is much appreciated. We have no time to finish this because there is the new friend limit plus the rampant Steam trade error (which creates ghost items), which forces us to change the bot to use trade offers instead of Steam trades.