EEVblog Electronics Community Forum

General => General Technical Chat => Topic started by: lmester on March 25, 2018, 01:16:02 am

Title: SSL/TLS Time to update your HTTP server.
Post by: lmester on March 25, 2018, 01:16:02 am

Every web site will eventually need to switch to HTTPS.

Chrome is going to start flagging HTTP sites as "not secure" in July. Firefox currently gives a "This connection is not secure" warning for logins on HTTP sites.

I recently switched my home server over to HTTPS. For my home server I couldn't justify paying for an SSL/TLS certificate. Luckily you can now get a certificate for free! Check out https://letsencrypt.org/

If you're running a home web server there's now no reason not to upgrade to HTTPS. The certificate is free.

I wonder when EEVBlog will switch?
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: Monkeh on March 25, 2018, 01:16:56 am
Welcome to ancient history, EEVBlog already supports HTTPS.
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: lmester on March 25, 2018, 01:44:20 am
Welcome to ancient history, EEVBlog already supports HTTPS.

Thanks. Looks like EEVBlog chose not to use a 301 redirect to their HTTPS. They may want to add a 301 to fix it for people like me that bookmarked the site years ago. I just updated my EEVBlog bookmark.
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: amyk on March 25, 2018, 03:21:29 am
It's only "free" in the sense that you've now given a third-party more control over whether your site is accessible. If they revoke your certificate for whatever reason, your visitors will suddenly start getting warnings.

There's nothing secret here. Stay insecure, stay free.
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: Ian.M on March 25, 2018, 04:06:07 am
Welcome to ancient history, EEVBlog already supports HTTPS.

Thanks. Looks like EEVBlog chose not to use a 301 redirect to their HTTPS. They may want to add a 301 to fix it for people like me that bookmarked the site years ago. I just updated my EEVBlog bookmark.

That would remove user choice. Not everyone has the latest/greatest browsers running on current ix86 or ARM hardware, and forcing HTTPS *WILL* lock out users on legacy hardware that are incapable of upgrading the OS to permit upgrading to a modern browser.

This has been extensively :horse: discussed last year:
https://www.eevblog.com/forum/news/server-ssl-upgrade/
https://www.eevblog.com/forum/chat/when-will-eevblog-use-https-by-default/
https://www.eevblog.com/forum/chat/the-site-is-still-not-completely-tls-exclusive/
and Gnif put a lot of work into making it work as seamlessly as possible for *ALL* users.  Don't expect changes just because you are too lazy to update your stale bookmarks.   

Title: Re: SSL/TLS Time to update your HTTP server.
Post by: Mr. Scram on March 25, 2018, 06:57:47 am
It's only "free" in the sense that you've now given a third-party more control over whether your site is accessible. If they revoke your certificate for whatever reason, your visitors will suddenly start getting warnings.

There's nothing secret here. Stay insecure, stay free.
You could argue that's offset by people being unable to inject, monitor or tamper with your site's data along the way.
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: T3sl4co1l on March 25, 2018, 09:53:14 pm
I've been running LE for something over a year now, I think.  They recently rolled out wildcard domain certs!  If you run a lot of domains, give it a look. :)

Tim
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: gnif on March 25, 2018, 10:24:24 pm
Yeah, the server already uses LetsEncrypt certs, and the forum has a special module I wrote that corrects all links and forms based on if you view via HTTP or HTTPS to retain backwards compatibility. Just update your bookmarks if you want to use SSL.
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: bson on March 25, 2018, 10:35:21 pm
Yeah, the server already uses LetsEncrypt certs, and the forum has a special module I wrote that corrects all links and forms based on if you view via HTTP or HTTPS to retain backwards compatibility. Just update your bookmarks if you want to use SSL.
I know someone who shut down their site because it wasn't realistic to do exactly this - and the dumbtarded software it ran inserted absolute links to itself all over the place.  Not upgradable, not fixable.  It had some 7000 articles and stories, being dependent on search results to drive traffic, and without that it was demonetized and shutting it down was the only realistic option.  (Actually, the assets were sold to a competitor, who bought it to shut it down, but decided to leave the material around as a reference, as its own property. :))  The people who built that system weren't technical, and the site designer they hired had no idea about such technicalities.  (It also had a million other stupid software issues, like occasionally running extremely complex cross-table queries against mysql, that couldn't be optimized; when this happened the whole site would stop and hang for a few seconds.)  They couldn't really blame anyone for this, just all unfortunate, and not something the ideologues at google would think twice about killing off.
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: sokoloff on March 25, 2018, 11:41:46 pm
Yeah, the server already uses LetsEncrypt certs, and the forum has a special module I wrote that corrects all links and forms based on if you view via HTTP or HTTPS to retain backwards compatibility. Just update your bookmarks if you want to use SSL.
I know someone who shut down their site because it wasn't realistic to do exactly this - and the dumbtarded software it ran inserted absolute links to itself all over the place.  Not upgradable, not fixable.  It had some 7000 articles and stories, being dependent on search results to drive traffic, and without that it was demonetized and shutting it down was the only realistic option.  (Actually, the assets were sold to a competitor, who bought it to shut it down, but decided to leave the material around as a reference, as its own property. :))  The people who built that system weren't technical, and the site designer they hired had no idea about such technicalities.  (It also had a million other stupid software issues, like occasionally running extremely complex cross-table queries against mysql, that couldn't be optimized; when this happened the whole site would stop and hang for a few seconds.)  They couldn't really blame anyone for this, just all unfortunate, and not something the ideologues at google would think twice about killing off.
There's very little that isn't fixable in software/ops.

In this case, running a reverse proxy that rewrote the outgoing html as needed would be a reasonable solution to the part of the problem where google has any influence. It may not have been worth the time and effort to the original site owner, but that's a half to two day task for someone experienced in ops.

Alternately, use a CDN that allows insecure connections to the origin and have the CDN serve traffic to googlebot over SSL. Less time, more money.
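
Added example, not code from the forum's module or from any poster in this thread: a sketch of the link correction gnif describes and the outgoing-HTML rewrite sokoloff suggests for a proxy, pointing absolute self-links at the scheme the visitor used. The hostnames, function names and sample HTML are assumptions made up for illustration.

```python
import re

# Assumption: the site's own hostnames (example.com is a placeholder).
OWN_HOSTS = {"example.com", "www.example.com"}

# href/src/action attributes whose value is an absolute http(s) URL.
# A regex is an approximation of HTML parsing, adequate for templated output.
_ATTR_URL = re.compile(
    r'''(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])'''
    r'''(?P<scheme>https?)://(?P<host>[^/"'\s?#]+)(?P<rest>[^"']*)(?P=q)''',
    re.IGNORECASE,
)
# Subresources and form targets that a page served over HTTPS still sends to http://.
_MIXED = re.compile(r'''\b(?:src|action)\s*=\s*(["'])(http://[^"']*)\1''',
                    re.IGNORECASE)

def rewrite_self_links(html: str, request_scheme: str) -> str:
    """Make absolute links to our own hosts use the scheme of the request.

    Other hosts (and own hosts with an explicit port) are left untouched,
    because we cannot know whether they answer on the other scheme.
    """
    if request_scheme not in ("http", "https"):
        raise ValueError("request_scheme must be 'http' or 'https'")

    def _fix(m):
        if m.group("host").lower() not in OWN_HOSTS:
            return m.group(0)
        return (f'{m.group("attr")}{m.group("q")}{request_scheme}://'
                f'{m.group("host")}{m.group("rest")}{m.group("q")}')

    return _ATTR_URL.sub(_fix, html)

def find_mixed_content(html: str) -> list[str]:
    """List http:// src/action URLs left in a page meant to be served over HTTPS."""
    return [m.group(2) for m in _MIXED.finditer(html)]

# Constructed sample page body, not taken from any real site.
SAMPLE = (
    '<a href="http://example.com/forum/index.php?topic=1">topic</a>\n'
    '<form action="http://www.example.com/login" method="post"></form>\n'
    "<img src='http://cdn.example.net/logo.png'>\n"
    '<a href="/relative/page">rel</a>\n'
)

if __name__ == "__main__":
    secured = rewrite_self_links(SAMPLE, "https")
    print(secured)
    print("still mixed:", find_mixed_content(secured))
```

The third-party image stays on `http://` after the rewrite and is reported by `find_mixed_content`, which is the leftover a browser would flag on the HTTPS view.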
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: bitman on March 26, 2018, 02:49:37 am
It's only "free" in the sense that you've now given a third-party more control over whether your site is accessible. If they revoke your certificate for whatever reason, your visitors will suddenly start getting warnings.
No more than the hosting provider has. So that's a non-issue. Unless you generate your own electricity, own the backbone lines of "the net", your access, your data, can be restricted.

Quote
There's nothing secret here. Stay insecure, stay free.

SSL was not created to make things secret. It was made to ensure identity verification. So no man in the middle to harvest everyone's usernames/passwords etc. by simply impersonating a site whose DNS, for instance, expires (another dependency on "others").

Bottom line - if you want to be found on google, avoid nasty alerts in browsers etc. you switch to proper TLS/SSL.
Title: Re: SSL/TLS Time to update your HTTP server.
Post by: xrunner on March 26, 2018, 02:57:51 am
Welcome to ancient history, EEVBlog already supports HTTPS.

Well ... I wasn't showing the lock but I changed the bookmark to https and there it was. Thanks!