Author Topic: SERVER SSL Upgrade  (Read 30262 times)


Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
SERVER SSL Upgrade
« on: March 31, 2017, 05:12:33 am »
gnif will be installing SSL support on the server shortly.
This is a thread to discuss issues and rejoice for those who have been asking for it.
 
The following users thanked this post: madires, apelly, voltsandjolts, Kean, MatthewEveritt, bitseeker, RGB255_0_0, Jacon

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #1 on: March 31, 2017, 05:32:36 am »
Note: This does not mean the website will enforce SSL usage, there will still be things to verify/check update, etc. before we can do this.
 
The following users thanked this post: EEVblog

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: SERVER SSL Upgrade
« Reply #2 on: March 31, 2017, 05:45:33 am »
Enabling SSL will result in many threads being marked on the browsers as insecure. To get the proper green SSL icon in your address bar, everything on the page has to be SSL. If there are links to non-ssl images, the page does not get the green SSL icon, and if you left click on the greyed icon, it will say "This connection is not protected".

If you look into the details, it will say something like "This site has unprotected content".

If there is a link to an image on a remote site, the address bar SSL icon will be green as long as the remote image address is also SSL.

Probably impossible to get around this with old threads, and for new threads, to get the green SSL icon, you would have to insist on https:// links only.

Edit: many users have uploaded images, and then posted the image address into their post to get the full sized image. All of these addresses start with "http://www.eevblog.com/....", so they will force the SSL icon to grey. It may be possible to write a script to find these links, along with links to other posts, and turn them into relative addresses to make them SSL compatible.
« Last Edit: March 31, 2017, 06:04:41 am by amspire »
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: SERVER SSL Upgrade
« Reply #3 on: March 31, 2017, 06:07:16 am »
Quote from: amspire on March 31, 2017, 05:45:33 am
Probably impossible to get around this with old threads, and for new threads, to get the green SSL icon, you would have to insist on https:// links only.

In that case it's impossible to police, nor should we even try.
It's a public forum, the content doesn't have to be protected, just that some people are paranoid about their login details etc.

 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #4 on: March 31, 2017, 06:37:01 am »
Quote from: amspire on March 31, 2017, 05:45:33 am
Enabling SSL will result in many threads being marked on the browsers as insecure. To get the proper green SSL icon in your address bar, everything on the page has to be SSL. If there are links to non-ssl images, the page does not get the green SSL icon, and if you left click on the greyed icon, it will say "This connection is not protected".

If you look into the details, it will say something like "This site has unprotected content".

If there is a link to an image on a remote site, the address bar SSL icon will be green as long as the remote image address is also SSL.

Probably impossible to get around this with old threads, and for new threads, to get the green SSL icon, you would have to insist on https:// links only.

Edit: many users have uploaded images, and then posted the image address into their post to get the full sized image. All of these addresses start with "http://www.eevblog.com/....", so they will force the SSL icon to grey. It may be possible to write a script to find these links, along with links to other posts, and turn them into relative addresses to make them SSL compatible.

This is not entirely correct: links to other sites do not have to be https, only embedded content, such as links to youtube, which is handled by the forum dynamically so this is no issue. As for manual entries in the database we have four options:

1) Search and replace across the database to replace the links we can.
2) Use mod_pagespeed to rewrite the links
3) Tell cloudflare to rewrite the links.
4) Serve the header 'Upgrade-Insecure-Requests' which makes the client browser rewrite them to https.

Normally a combination of 1 & 4 are the best.

We have had many ways to deal with this over the years, it is not a big issue. Also not many people know this, but a valid url can be "://somesite.com" (note the lack of http/https) and the browser will auto-select the correct protocol based on how the page was loaded.
« Last Edit: March 31, 2017, 06:38:54 am by gnif »
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: SERVER SSL Upgrade
« Reply #5 on: March 31, 2017, 06:47:57 am »
Quote from: gnif on March 31, 2017, 06:37:01 am
Quote from: amspire on March 31, 2017, 05:45:33 am
Enabling SSL will result in many threads being marked on the browsers as insecure. To get the proper green SSL icon in your address bar, everything on the page has to be SSL. If there are links to non-ssl images, the page does not get the green SSL icon, and if you left click on the greyed icon, it will say "This connection is not protected".

If you look into the details, it will say something like "This site has unprotected content".

If there is a link to an image on a remote site, the address bar SSL icon will be green as long as the remote image address is also SSL.

Probably impossible to get around this with old threads, and for new threads, to get the green SSL icon, you would have to insist on https:// links only.

Edit: many users have uploaded images, and then posted the image address into their post to get the full sized image. All of these addresses start with "http://www.eevblog.com/....", so they will force the SSL icon to grey. It may be possible to write a script to find these links, along with links to other posts, and turn them into relative addresses to make them SSL compatible.

This is not entirely correct, links to other sites do not have to be https, only embedded content, such as links to youtube, which is handled by the forum dynamically so this is no issue. ...
I was referring in particular to embedded images. Many images in the threads are hosted externally and many of these links will be http.

Links to other sites can be http, but the problem there is as long as you do not enforce SSL for the site, then even if you deliberately go to the forum using https, click on one old link to another thread and you are back to http.

Making the forum https-only as soon as possible will cure all the internal link problems. It will probably even cure the problem of the embedded http image links to images uploaded to the forum.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #6 on: March 31, 2017, 06:49:58 am »
Again, serving the header 'Upgrade-Insecure-Requests' will make your browser redirect an insecure URL to https. We can also server side redirect traffic to https for when this occurs and the client's browser doesn't support the upgrade header (which all do these days)
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #7 on: March 31, 2017, 08:04:29 am »
We are aware of a broken URL issue (emoticons in posts), this is due to caching at CloudFlare, this will be resolved soon.
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2905
  • Country: gb
Re: SERVER SSL Upgrade
« Reply #8 on: March 31, 2017, 08:14:21 am »
Quote from: gnif on March 31, 2017, 06:49:58 am
Again, serving the header 'Upgrade-Insecure-Requests' will make your browser redirect an insecure URL to https. We can also server side redirect traffic to https for when this occurs and the client's browser doesn't support the upgrade header (which all do these days)
That assumes that you can replace "http://" with "https://" in a URL and get the same content.

On the server where I have installed SSL (with a letsencrypt certificate) http and https yield completely different sites (in fact http:// is internal only and blocked at the firewall so it won't get you anything).

On the server I use to host my embedded images for forum posts that I have made I only have http configured so https will not get you anything.

I am sure that there will be a lot of other embedded image links where just switching to https will not work - I know that it will mean browser warnings but I would leave embedded URLs as they are.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #9 on: March 31, 2017, 08:17:52 am »
Quote from: grumpydoc on March 31, 2017, 08:14:21 am
Quote from: gnif on March 31, 2017, 06:49:58 am
Again, serving the header 'Upgrade-Insecure-Requests' will make your browser redirect an insecure URL to https. We can also server side redirect traffic to https for when this occurs and the client's browser doesn't support the upgrade header (which all do these days)
That assumes that you can replace "http://" with "https://" in a URL and get the same content.

On the server where I have installed SSL (with a letsencrypt certificate) http and https yield completely different sites (in fact http:// is internal only and blocked at the firewall so it won't get you anything).

On the server I use to host my embedded images for forum posts that I have made I only have http configured so https will not get you anything.

I am sure that there will be a lot of other embedded image links where just switching to https will not work - I know that it will mean browser warnings but I would leave embedded URLs as they are.

URLs only get upgraded if the host the url is served from specifies the "Content-Security-Policy: upgrade-insecure-requests" header, which I assume you are not.

Blocking http at the firewall is a bad idea unless you have submitted your site to the HSTS lists for Chrome/Edge/FF, etc., and even then you should not rely on it, a simple 301 redirect to https is the way to go if you want to ensure that people can get to your website.

Edit: And yes, there will be use cases where there is no option but to serve the embedded content via HTTP instead of HTTPS, so yeah, we can't mess with this. It also prevents us from using HSTS, but because of the nature of this website, we don't care for it anyway.
« Last Edit: March 31, 2017, 08:22:45 am by gnif »
 

Online Ian.M

  • Super Contributor
  • ***
  • Posts: 12807
Re: SERVER SSL Upgrade
« Reply #10 on: March 31, 2017, 08:25:21 am »
Please note Google Translate does *NOT* work on https pages. Forcing https, other than as a per-user preference, will seriously disadvantage any users who use it due to poor comprehension of English.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #11 on: March 31, 2017, 08:27:26 am »
Quote from: Ian.M on March 31, 2017, 08:25:21 am
Please note Google Translate does *NOT* work on https pages. Forcing https, other than as a per-user preference, will seriously disadvantage any users who use it due to poor comprehension of English.
Works just fine for me:

https://translate.google.com.au/translate?sl=auto&tl=es&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fhostfission.com&edit-text=
 

Online Ian.M

  • Super Contributor
  • ***
  • Posts: 12807
Re: SERVER SSL Upgrade
« Reply #12 on: March 31, 2017, 08:34:03 am »
Well that seems to be new.  I've frequently run into problems trying to translate secure pages on German or Russian technical forums when trying to find data for old obscure parts.
 

Offline Muttley Snickers

  • Supporter
  • ****
  • Posts: 2333
  • Country: au
  • Cursed: 679 times
Re: SERVER SSL Upgrade
« Reply #13 on: March 31, 2017, 08:50:30 am »
Could somebody take a look at the "jump to" or hyper jump links in all of the boards, just to verify whether the problem is my end, as they do not display a drop-down list anymore. I do remember the Metrology one being busted previously anyway, but now it's all the rest as well. Also, I just noticed that I cannot scroll with my mouse wheel on this reply page; that's a new issue, and the problem could be my end as I haven't been using this PC much of late.

Many Thanks.   :)   
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: SERVER SSL Upgrade
« Reply #14 on: March 31, 2017, 08:51:44 am »
http is now redirecting me to https and the Chrome info box shows

 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #15 on: March 31, 2017, 08:52:07 am »
There are a few issues caused by the SSL setup, please be patient, I will update when things are done and working.
 
The following users thanked this post: SeanB

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #16 on: March 31, 2017, 08:52:42 am »
Quote from: EEVblog on March 31, 2017, 08:51:44 am
http is now redirecting me to https and the Chrome info box shows



This is due to mixed content on the page, it is expected.
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2905
  • Country: gb
Re: SERVER SSL Upgrade
« Reply #17 on: March 31, 2017, 08:54:06 am »
Quote from: gnif on March 31, 2017, 08:17:52 am
URLs only get upgraded if the host the url is served from specifies the "Content-Security-Policy: upgrade-insecure-requests" header, which I assume you are not.
Surely putting upgrade-insecure-requests on eevblog pages would make the browser try to fetch any embedded link over https, not http - nothing to do with my server.

I need to read the documentation; I only had a glance but it seems to contradict itself on whether 3rd party links are affected.

PS: posting is getting a warning about an insecure channel.
« Last Edit: March 31, 2017, 08:55:38 am by grumpydoc »
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #18 on: March 31, 2017, 08:56:01 am »
Quote from: grumpydoc on March 31, 2017, 08:54:06 am
Quote from: gnif on March 31, 2017, 08:17:52 am
URLs only get upgraded if the host the url is served from specifies the "Content-Security-Policy: upgrade-insecure-requests" header, which I assume you are not.
Surely putting upgrade-insecure-requests on eevblog pages would make the browser try to fetch any embedded link over https, not http - nothing to do with my server.

I need to read the documentation; I only had a glance but it seems to contradict itself on whether 3rd party links are affected.

Please see: https://www.w3.org/TR/upgrade-insecure-requests/#example-navigation
Quote
Megacorp, Inc. isn’t quite ready to deliver Strict Transport Security headers [RFC6797], but does want to keep users on secure pages when possible. Happily, this comes for free with upgrade-insecure-requests. That is, they’re already delivering pages with the following header:
Content-Security-Policy: upgrade-insecure-requests
This allows user agents to treat the following HTML code:

<a href="http://example.com/">Home</a>
as though it had been delivered as:

<a href="https://example.com/">Home</a>
Links to third-party sites will not be upgraded. That is, the following HTML code:

<a href="http://not-example.com/">Home</a>
won’t be upgraded.
« Last Edit: March 31, 2017, 08:57:47 am by gnif »
 

Offline Muttley Snickers

  • Supporter
  • ****
  • Posts: 2333
  • Country: au
  • Cursed: 679 times
Re: SERVER SSL Upgrade
« Reply #19 on: March 31, 2017, 08:58:47 am »
 :palm:

Thanking is also up the creek.   :o ::)

 
The following users thanked this post: cowana, gnif, MatthewEveritt

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #20 on: March 31, 2017, 09:01:02 am »
There will be many issues, most known, I am working through them, but constantly having to reply here to state it is a WIP is slowing things down, not to say I do not appreciate the help :).
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2905
  • Country: gb
Re: SERVER SSL Upgrade
« Reply #21 on: March 31, 2017, 09:01:23 am »
Quote from: gnif on March 31, 2017, 08:56:01 am
Please see: https://www.w3.org/TR/upgrade-insecure-requests/#example-navigation

Yes, but I'm struggling to see any difference between example 2 (which you quote) and example 1 which says

Quote
This automatically upgrades all insecure resource requests from their pages to secure variants, allowing a user agent to treat the following HTML code:

<img src="http://example.com/image.png">
<img src="http://not-example.com/image.png">

as though it had been delivered as:

<img src="https://example.com/image.png">
<img src="https://not-example.com/image.png">

PS: "Insert quote" is broken.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #22 on: March 31, 2017, 09:04:00 am »
Quote from: grumpydoc on March 31, 2017, 09:01:23 am
Please see: https://www.w3.org/TR/upgrade-insecure-requests/#example-navigation

Yes, but I'm struggling to see any difference between example 2 (which you quote) and example 1 which says

Quote
This automatically upgrades all insecure resource requests from their pages to secure variants, allowing a user agent to treat the following HTML code:

<img src="http://example.com/image.png">
<img src="http://not-example.com/image.png">

as though it had been delivered as:

<img src="https://example.com/image.png">
<img src="https://not-example.com/image.png">

The difference is links vs embedded resources, I had missed this and will need to be addressed.

Quote
PS: "Insert quote" is broken.
Yeah, tons is broken, please wait.
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2905
  • Country: gb
Re: SERVER SSL Upgrade
« Reply #23 on: March 31, 2017, 09:10:38 am »
Quote from: gnif on March 31, 2017, 09:04:00 am
The difference is links vs embedded resources, I had missed this and will need to be addressed.
:palm: Duh, I really should not have needed that pointing out but obvious now so thanks.

So a bit further down it confirms that this would be a problem for embedded images
Quote
User agents will upgrade requests, as described in §1.2.1 Non-navigational Upgrades, rewriting the URL as https://cdn.example.com/image.png. As the server doesn’t respond to secure requests, this results in a network error.

There is no fallback in this scenario: the user agent acts just as though the request had been intentionally made, and the request fails.
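Added example, not code from the forum or from the W3C spec: a small model of what a browser does with `Content-Security-Policy: upgrade-insecure-requests` on an https page, covering the link-vs-embedded-resource difference worked out in the last few replies and the no-fallback failure quoted just above. The table of which hosts answer on port 443 and the sample requests are constructed for the example; the host names other than the forum's own are made up.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed table of which hosts answer on 443. Mirrors the cases in the
# thread: the forum does; a third-party image host with only port 80
# configured does not. Names other than the forum's are made up.
HTTPS_CAPABLE: Dict[str, bool] = {
    "www.eevblog.com": True,
    "img.example.org": True,
    "http-only.example.net": False,
}


@dataclass(frozen=True)
class Request:
    url: str
    navigational: bool  # True for <a href> / form submit, False for <img>, <script>, <iframe> ...


def upgrade(req: Request, page_host: str) -> str:
    """URL the browser fetches once upgrade-insecure-requests applies to the page.

    Rules as the W3C draft states them: an http URL is rewritten to https with
    port 80 mapped to 443 (other explicit ports are kept); a navigation is only
    upgraded when it stays on the page's own host, an embedded resource is
    upgraded whatever host it points at.
    """
    parts = urlsplit(req.url)
    if parts.scheme != "http":
        return req.url  # already https, or something like data: that cannot be upgraded
    if req.navigational and parts.hostname != page_host:
        return req.url  # third-party link: left alone
    port = 443 if parts.port in (None, 80) else parts.port
    netloc = parts.hostname if port == 443 else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def fetch(req: Request, page_host: str, uir_enabled: bool) -> Tuple[str, str]:
    """(final_url, outcome); outcome is 'ok', 'mixed-content' or 'network-error'."""
    final = upgrade(req, page_host) if uir_enabled else req.url
    host = urlsplit(final).hostname
    if final.startswith("https://"):
        if HTTPS_CAPABLE.get(host, False):
            return final, "ok"
        return final, "network-error"  # no fallback to http: the request just fails
    # Still http. A link the user may follow is fine; an http resource embedded
    # in an https page is what greys out the padlock.
    return final, "ok" if req.navigational else "mixed-content"


def simulate(page_url: str, requests: List[Request], uir_enabled: bool) -> List[Tuple[str, str]]:
    """Outcome of every request an https page makes, with or without the header."""
    page_host = urlsplit(page_url).hostname
    return [fetch(r, page_host, uir_enabled) for r in requests]


# Constructed sample: what an old post on an https forum page might pull in.
PAGE = "https://www.eevblog.com/forum/"
SAMPLE_REQUESTS = [
    Request("http://www.eevblog.com/forum/uploads/a.jpg", navigational=False),
    Request("http://img.example.org/b.jpg", navigational=False),
    Request("http://http-only.example.net/c.jpg", navigational=False),
    Request("http://www.eevblog.com/forum/index.php?topic=1.0", navigational=True),
    Request("http://http-only.example.net/", navigational=True),
]

if __name__ == "__main__":
    for enabled in (False, True):
        print(f"upgrade-insecure-requests {'on' if enabled else 'off'}:")
        for req, (final, outcome) in zip(SAMPLE_REQUESTS, simulate(PAGE, SAMPLE_REQUESTS, enabled)):
            print(f"  {req.url} -> {final} [{outcome}]")
```

Without the header every http image on the page is mixed content; with it, the same images are fetched over https and the one hosted on an http-only server fails outright, while the third-party link is left as http and keeps working. That is the trade the thread is weighing.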
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2365
  • Country: de
    • Frank Buss
Re: SERVER SSL Upgrade
« Reply #24 on: March 31, 2017, 09:16:59 am »
https://www.eevblog.com/forum/ doesn't redirect to an SSL connection, as e.g. http://www.google.com does.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

