EEVblog Electronics Community Forum

EEVblog => News/Suggestions/Help => Topic started by: EEVblog on March 31, 2017, 05:12:33 am

Title: SERVER SSL Upgrade
Post by: EEVblog on March 31, 2017, 05:12:33 am
gnif will be installing SSL support on the server shortly.
This is a thread to discuss issues and rejoice for those who have been asking for it.
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 05:32:36 am
Note: This does not mean the website will enforce SSL usage, there will still be things to verify/check update, etc. before we can do this.
Title: Re: SERVER SSL Upgrade
Post by: amspire on March 31, 2017, 05:45:33 am
Enabling SSL will result in many threads being marked on the browsers as insecure. To get the proper green SSL icon in your address bar, everything on the page has to be SSL. If there are links to non-ssl images, the page does not get the  green SSL icon, and if you left click on the greyed icon, it will say "This connection is not protected".

If you look into the details, it will say something like "This site has unprotected content".

If there is a link to an image on a remote site, the address bar SSL icon will be green as long as the remote image address is also SSL.

Probably impossible to get around this with old threads, and for new threads, to get the green SSL icon, you would have to insist on https:// links only.

Edit: many users have uploaded images, and then posted the image address into their post to get the full sized image. All of these addresses start with "http://www.eevblog.com/....", so they will force the SSL icon to grey. It may be possible to write a script to find these links, along with links to other posts, and turn them into relative addresses to make them SSL compatible.
Title: Re: SERVER SSL Upgrade
Post by: EEVblog on March 31, 2017, 06:07:16 am
Probably impossible to get around this with old threads, and for new threads, to get the green SSL icon, you would have to insist on https:// links only.

In that case it's impossible to police, nor should we even try.
It's a public forum, the content doesn't have to be protected, just that some people are paranoid about their login details etc.

Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 06:37:01 am
Enabling SSL will result in many threads being marked on the browsers as insecure. To get the proper green SSL icon in your address bar, everything on the page has to be SSL. If there are links to non-ssl images, the page does not get the  green SSL icon, and if you left click on the greyed icon, it will say "This connection is not protected".

If you look into the details, it will say something like "This site has unprotected content".

If there is a link to an image on a remote site, the address bar SSL icon will be green as long as the remote image address is also SSL.

Probably impossible to get around this with old threads, and for new threads, to get the green SSL icon, you would have to insist on https:// links only.

Edit: many users have uploaded images, and then posted the image address into their post to get the full sized image. All of these addresses start with "http://www.eevblog.com/....", so they will force the SSL icon to grey. It may be possible to write a script to find these links, along with links to other posts, and turn them into relative addresses to make them SSL compatible.

This is not entirely correct, links to other sites do not have to be https, only embedded content, such as links to youtube, which is handled by the forum dynamically so this is no issue. As for manual entries in the database we have four options:

1) Search and replace across the database to replace the links we can.
2) Use mod_pagespeed to rewrite the links
3) Tell cloudflare to rewrite the links.
4) Serve the header 'Upgrade-Insecure-Requests' which makes the client browser rewrite them to https.

Normally a combination of 1 & 4 is the best.

We have had many ways to deal with this over the years, it is not a big issue. Also not many people know this, but a valid url can be "://somesite.com" (note the lack of http/https) and the browser will auto-select the correct protocol based on how the page was loaded.
Title: Re: SERVER SSL Upgrade
Post by: amspire on March 31, 2017, 06:47:57 am
Enabling SSL will result in many threads being marked on the browsers as insecure. To get the proper green SSL icon in your address bar, everything on the page has to be SSL. If there are links to non-ssl images, the page does not get the  green SSL icon, and if you left click on the greyed icon, it will say "This connection is not protected".

If you look into the details, it will say something like "This site has unprotected content".

If there is a link to an image on a remote site, the address bar SSL icon will be green as long as the remote image address is also SSL.

Probably impossible to get around this with old threads, and for new threads, to get the green SSL icon, you would have to insist on https:// links only.

Edit: many users have uploaded images, and then posted the image address into their post to get the full sized image. All of these addresses start with "http://www.eevblog.com/....", so they will force the SSL icon to grey. It may be possible to write a script to find these links, along with links to other posts, and turn them into relative addresses to make them SSL compatible.

This is not entirely correct, links to other sites do not have to be https, only embedded content, such as links to youtube, which is handled by the forum dynamically so this is no issue. ...
I was referring in particular to embedded images. Many images in the threads are hosted externally and many of these links will be http.

Links to other sites can be http, but the problem there is as long as you do not enforce SSL for the site, then even if you deliberately go to the forum using https, click on one old link to another thread and you are back to http.

Making the forum https-only as soon as possible will cure all the internal link problems. It will probably even cure the problem of the embedded http image links to images uploaded to the forum.
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 06:49:58 am
Again, serving the header 'Upgrade-Insecure-Requests' will make your browser redirect an insecure URL to https. We can also server side redirect traffic to https for when this occurs and the client's browser doesn't support the upgrade header (which all do these days)
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 08:04:29 am
We are aware of a broken URL issue (emoticons in posts), this is due to caching at CloudFlare, this will be resolved soon.
Title: Re: SERVER SSL Upgrade
Post by: grumpydoc on March 31, 2017, 08:14:21 am
Again, serving the header 'Upgrade-Insecure-Requests' will make your browser redirect an insecure URL to https. We can also server side redirect traffic to https for when this occurs and the client's browser doesn't support the upgrade header (which all do these days)
That assumes that you can replace "http://" with "https://" in a URL and get the same content.

On the server where I have installed SSL (with a letsencrypt certificate) http and https yield completely different sites (in fact http:// is internal only and blocked at the firewall so it won't get you anything).

On the server I use to host my embedded images for forum posts that I have made I only have http configured so https will not get you anything.

I am sure that there will be a lot of other embedded image links where just switching to https will not work - I know that it will mean browser warnings but I would leave embedded URLs as they are.
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 08:17:52 am
Again, serving the header 'Upgrade-Insecure-Requests' will make your browser redirect an insecure URL to https. We can also server side redirect traffic to https for when this occurs and the client's browser doesn't support the upgrade header (which all do these days)
That assumes that you can replace "http://" with "https://" in a URL and get the same content.

On the server where I have installed SSL (with a letsencrypt certificate) http and https yield completely different sites (in fact http:// is internal only and blocked at the firewall so it won't get you anything).

On the server I use to host my embedded images for forum posts that I have made I only have http configured so https will not get you anything.

I am sure that there will be a lot of other embedded image links where just switching to https will not work - I know that it will mean browser warnings but I would leave embedded URLs as they are.

URLs only get upgraded if the host the url is served from specifies the "Content-Security-Policy: upgrade-insecure-requests" header, which I assume you are not.

Blocking http at the firewall is a bad idea unless you have submitted your site to the HSTS lists for chrome/edge/ff, etc., and even then you should not rely on it, a simple 301 redirect to https is the way to go if you want to ensure that people can get to your website.

Edit: And yes, there will be use cases where there is no option but to serve the embedded content via HTTP instead of HTTPS, so yeah, we can't mess with this. It also prevents us from using HSTS, but because of the nature of this website, we don't care for it anyway.
Title: Re: SERVER SSL Upgrade
Post by: Ian.M on March 31, 2017, 08:25:21 am
Please note Google Translate does *NOT* work on https pages.   Forcing https, other than as a per-user preference will seriously disadvantage any users who use it due to poor comprehension of English.   
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 08:27:26 am
Please note Google Translate does *NOT* work on https pages.   Forcing https, other than as a per-user preference will seriously disadvantage any users who use it due to poor comprehension of English.
Works just fine for me:

https://translate.google.com.au/translate?sl=auto&tl=es&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fhostfission.com&edit-text=
Title: Re: SERVER SSL Upgrade
Post by: Ian.M on March 31, 2017, 08:34:03 am
Well that seems to be new.  I've frequently run into problems trying to translate secure pages on German or Russian technical forums when trying to find data for old obscure parts.
Title: Re: SERVER SSL Upgrade
Post by: Muttley Snickers on March 31, 2017, 08:50:30 am
Could somebody take a look at the jump to or hyper jump links in all of the boards just to verify whether the problem is my end as they do not display a drop down list anymore, I do remember the Metrology one being busted previously anyway but now it's all the rest as well, also just noticed that I cannot scroll with my mouse wheel on this reply page, that's a new issue and the problem could be my end as I haven't been using this PC much of late.

Many Thanks.   :)   
Title: Re: SERVER SSL Upgrade
Post by: EEVblog on March 31, 2017, 08:51:44 am
http is now redirecting me to https and the Chrome info box shows

(http://i.imgur.com/RfitxtD.png)
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 08:52:07 am
There are a few issues caused by the SSL setup, please be patient, I will update when things are done and working.
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 08:52:42 am
http is now redirecting me to https and the Chrome info box shows

(http://i.imgur.com/RfitxtD.png)

This is due to mixed content on the page, it is expected.
Title: Re: SERVER SSL Upgrade
Post by: grumpydoc on March 31, 2017, 08:54:06 am
URLs only get upgraded if the host the url is served from specifies the "Content-Security-Policy: upgrade-insecure-requests" header, which I assume you are not.
Surely putting upgrade-insecure-requests on eevblog pages would make the browser try to fetch any embedded link over https, not http - nothing to do with my server.

I need to read the documentation; I only had a glance but it seems to contradict itself on whether 3rd party links are affected.

PS: posting is getting a warning about an insecure channel.
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 08:56:01 am
URLs only get upgraded if the host the url is served from specifies the "Content-Security-Policy: upgrade-insecure-requests" header, which I assume you are not.
Surely putting upgrade-insecure-requests on eevblog pages would make the browser try to fetch any embedded link over https, not http - nothing to do with my server.

I need to read the documentation; I only had a glance but it seems to contradict itself on whether 3rd party links are affected.

Please see: https://www.w3.org/TR/upgrade-insecure-requests/#example-navigation
Quote
Megacorp, Inc. isn’t quite ready to deliver Strict Transport Security headers [RFC6797], but does want to keep users on secure pages when possible. Happily, this comes for free with upgrade-insecure-requests. That is, they’re already delivering pages with the following header:

Content-Security-Policy: upgrade-insecure-requests

This allows user agents to treat the following HTML code:

<a href="http://example.com/">Home</a>

as though it had been delivered as:

<a href="https://example.com/">Home</a>

Links to third-party sites will not be upgraded. That is, the following HTML code:

<a href="http://not-example.com/">Home</a>

won’t be upgraded.
Title: Re: SERVER SSL Upgrade
Post by: Muttley Snickers on March 31, 2017, 08:58:47 am
 :palm:

Thanking is also up the creek.   :o ::)

(https://www.eevblog.com/forum/news/server-ssl-upgrade/?action=dlattach;attach=304080;image)
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 09:01:02 am
There will be many issues, most known, I am working through them, but constantly having to reply here to state it is a WIP is slowing things down, not to say I do not appreciate the help :).
Title: Re: SERVER SSL Upgrade
Post by: grumpydoc on March 31, 2017, 09:01:23 am
Please see: https://www.w3.org/TR/upgrade-insecure-requests/#example-navigation

Yes, but I'm struggling to see any difference between example 2 (which you quote) and example 1 which says

Quote
This automatically upgrades all insecure resource requests from their pages to secure variants, allowing a user agent to treat the following HTML code:

<img src="http://example.com/image.png">
<img src="http://not-example.com/image.png">

as though it had been delivered as:

<img src="https://example.com/image.png">
<img src="https://not-example.com/image.png">

PS: "Insert quote" is broken.
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 09:04:00 am
Please see: https://www.w3.org/TR/upgrade-insecure-requests/#example-navigation

Yes, but I'm struggling to see any difference between example 2 (which you quote) and example 1 which says

Quote
This automatically upgrades all insecure resource requests from their pages to secure variants, allowing a user agent to treat the following HTML code:

<img src="http://example.com/image.png">
<img src="http://not-example.com/image.png">

as though it had been delivered as:

<img src="https://example.com/image.png">
<img src="https://not-example.com/image.png">

The difference is links vs embedded resources, I had missed this and will need to be addressed.

Quote
PS: "Insert quote" is broken.
Yeah, tons is broken, please wait.
Title: Re: SERVER SSL Upgrade
Post by: grumpydoc on March 31, 2017, 09:10:38 am
The difference is links vs embedded resources, I had missed this and will need to be addressed.
:palm: Duh, I really should not have needed that pointing out but obvious now so thanks.

So a bit further down it confirms that this would be a problem for embedded images
Quote
User agents will upgrade requests, as described in §1.2.1 Non-navigational Upgrades, rewriting the URL as https://cdn.example.com/image.png. As the server doesn’t respond to secure requests, this results in a network error.

There is no fallback in this scenario: the user agent acts just as though the request had been intentionally made, and the request fails.
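
Added example (not part of any post above and not from the W3C text): a Python audit that predicts, for each http:// reference in a post's HTML, what a page served with Content-Security-Policy: upgrade-insecure-requests would do with it, following the link versus embedded-resource distinction worked out in the posts above. The sample post, its paths and the example.net / example.org hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource (embedded content).
EMBEDDED = {"img": "src", "script": "src", "iframe": "src",
            "audio": "src", "video": "src", "source": "src", "embed": "src"}
# Attributes that only matter when the user follows the link.
NAVIGATION = {"a": "href", "area": "href"}


class InsecureRefAudit(HTMLParser):
    """Collect http:// references and predict what the policy does to each."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (kind, url, verdict)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("embedded", EMBEDDED), ("link", NAVIGATION)):
            url = attrs.get(table.get(tag, ""))
            if url and urlsplit(url).scheme.lower() == "http":
                self.findings.append((kind, url, self._verdict(kind, url)))

    def _verdict(self, kind, url):
        same_host = (urlsplit(url).hostname or "").lower() == self.page_host
        if kind == "embedded":
            # Embedded requests are upgraded for every host, with no fallback
            # to http, so a third-party host without HTTPS stops loading.
            return "upgraded" if same_host else "upgraded-may-break"
        # Links are upgraded only when they point back at the page's own host.
        return "upgraded" if same_host else "left-as-http"


def audit(html, page_host):
    """Return the findings for one chunk of post HTML."""
    parser = InsecureRefAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def at_risk(findings):
    """URLs that would fail outright if their host does not answer on HTTPS."""
    return [url for _, url, verdict in findings
            if verdict == "upgraded-may-break"]


# Constructed sample post: one forum-hosted image, one externally hosted
# image, one internal link, one external link, one already-secure image.
SAMPLE_POST = """
<p>Full size: <img src="http://www.eevblog.com/forum/attach/scope.png"></p>
<p>Hosted elsewhere: <img src="http://images.example.net/bench.jpg"></p>
<p><a href="http://www.eevblog.com/forum/news/">another thread</a>
   <a href="http://datasheets.example.org/part.pdf">datasheet</a>
   <img src="https://cdn.example.com/ok.png"></p>
"""

if __name__ == "__main__":
    for kind, url, verdict in audit(SAMPLE_POST, "www.eevblog.com"):
        print(f"{kind:9} {verdict:19} {url}")
```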
Title: Re: SERVER SSL Upgrade
Post by: FrankBuss on March 31, 2017, 09:16:59 am
https://www.eevblog.com/forum/ doesn't redirect to an SSL connection, as e.g. http://www.google.com does.
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 09:34:47 am
https://www.eevblog.com/forum/ doesn't redirect to an SSL connection, as e.g. http://www.google.com does.

Correct, please hold off on testing/reports until I state things are ready.
Title: Re: SERVER SSL Upgrade
Post by: hammy on March 31, 2017, 09:40:37 am
@gnif & Dave: Thank you!  :-+
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 10:07:30 am
For those wondering what the issue is, SMF is correctly generating the URLs for things with http or https as required, but there is some post filtering going on somewhere that is rewriting the https links to http, I am tracing the cause now.

Edit: It appears the cause is 'Pretty URLs'
Edit 2: Confirmed, Pretty URLs is caching the URL rewrites, but is not caching the scheme, so it's randomizing the URL schemes based on who loaded it first, either via HTTP or HTTPS
Title: Re: SERVER SSL Upgrade
Post by: EEVblog on March 31, 2017, 10:52:54 am
Edit 2: Confirmed, Pretty URLs is caching the URL rewrites, but is not caching the scheme, so it's randomizing the URL schemes based on who loaded it first, either via HTTP or HTTPS

Is that fixable?
Pretty URL's is an important plugin.
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 10:53:58 am
Yes, I am digging through it now, I have already patched several locations that were a problem, should get to the bottom of it soon.
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 11:02:57 am
I had to:

1) apply a patch to make it cache the replaced URLs based on the presence of SSL
2) Discover it doesn't use the forums base url, but its own separate setting which it stupidly doesn't expose in the admin area.

Code:
update smf_settings set value = '//www.eevblog.com/forum' where variable = 'pretty_root_url';

Still yet to go through and check everything over before I give the 'It's working, look for bugs' update :)
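
Added example (not Pretty URLs or SMF code, and not part of the post above): a Python model of the caching flaw described in this post and the two ways of removing it, keying the cache on the scheme or caching a scheme-less root like the '//www.eevblog.com/forum' value set above. The class names, the slug rule and the board/title arguments are assumptions made for illustration.

```python
import re

FORUM_HOST = "www.eevblog.com"  # host as it appears in the thread


def slugify(title):
    """Turn a topic title into a URL slug (assumed slug rule)."""
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")


class UrlRewriter:
    """Flawed model: the cached value carries a scheme, the key does not."""

    def __init__(self):
        self.cache = {}

    def key(self, board, title, is_https):
        return (board, title)  # scheme missing from the cache key

    def build(self, board, title, is_https):
        scheme = "https" if is_https else "http"
        return f"{scheme}://{FORUM_HOST}/forum/{board}/{slugify(title)}/"

    def rewrite(self, board, title, is_https):
        k = self.key(board, title, is_https)
        if k not in self.cache:
            # Whoever asks first decides the scheme everyone else receives.
            self.cache[k] = self.build(board, title, is_https)
        return self.cache[k]


class SchemeKeyedRewriter(UrlRewriter):
    """Fix 1: cache separately for HTTP and HTTPS requests."""

    def key(self, board, title, is_https):
        return (board, title, is_https)


class SchemeRelativeRewriter(UrlRewriter):
    """Fix 2: cache a scheme-less URL, so one entry suits both schemes."""

    def build(self, board, title, is_https):
        return f"//{FORUM_HOST}/forum/{board}/{slugify(title)}/"


def second_visitor_sees(rewriter):
    """An HTTP visitor warms the cache, then an HTTPS visitor asks."""
    rewriter.rewrite("news", "SERVER SSL Upgrade", is_https=False)
    return rewriter.rewrite("news", "SERVER SSL Upgrade", is_https=True)


if __name__ == "__main__":
    for cls in (UrlRewriter, SchemeKeyedRewriter, SchemeRelativeRewriter):
        print(f"{cls.__name__:24} {second_visitor_sees(cls())}")
```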
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 11:11:51 am
Ok, seems good across the board to me, both SSL and non SSL.

Sorry if I come across a bit rash with my replies to reports, I just stress out a bit when things don't go as planned, I certainly do appreciate the testing and feedback provided by the community.

Edit: Also, if Dave ever decides to turn off CloudFlare the website will continue to just work, we have valid end to end encryption now.
Edit2: We are not serving the upgrade-insecure header to keep embedded off site images working, but we are complying with clients asking to upgrade from insecure, this will keep us completely backwards compatible.
Edit3: Seems the smiley faces are always being served from http regardless, I will look into this tomorrow, I have had enough for tonight :)
Title: Re: SERVER SSL Upgrade
Post by: PA0PBZ on March 31, 2017, 11:32:31 am
I spotted what I think is a side effect of the changes: When reading the unread or unreadreplies link when you click on a post and then use the back button it reloads the list and the post you just read is gone. This is a bit confusing because it makes tracking where you are more difficult.

(I don't read all posts on the unread page, just the ones that interest me, and then simply use the back button on the mouse to go back to the list. When everything was still http: it showed me the same list every time.)

Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 11:35:28 am
I spotted what I think is a side effect of the changes: When reading the unread or unreadreplies link when you click on a post and then use the back button it reloads the list and the post you just read is gone. This is a bit confusing because it makes tracking where you are more difficult.

(I don't read all posts on the unread page, just the ones that interest me, and then simply use the back button on the mouse to go back to the list. When everything was still http: it showed me the same list every time.)

My bet is you loaded that page via HTTP and when you hit back, it is going back to the HTTP page, which is then being upgraded to HTTPS. Did you perhaps go to the unread page via a bookmark? Btw I can not replicate the behavior you mention.
Title: Re: SERVER SSL Upgrade
Post by: PA0PBZ on March 31, 2017, 12:04:51 pm
Nope, HTTPS all the way. It's only IE, Chrome and Firefox are fine.
(Yes I have to use IE for some undisclosed reason, but I can use chrome for the forum)
Title: Re: SERVER SSL Upgrade
Post by: rrinker on March 31, 2017, 01:55:05 pm
 Maybe I'm not interpreting what you posted correctly, but it sounds like what you are doing is similar to how I read the forum. Click on a section, read the messages that interest you, then back out and go on to the next section. However, I never use back to get all the way out, I click in the nav tree just above the messages, because as long as I've been here, no matter what browser I use, if I just use the back button, it still flags the section as having new posts. If I actually use the tree to select the top level, or even the high level category, then the section I just was in will show as having no new messages (unless someone actually snuck in and posted). That happens for me with Chrome, IE, Edge, or Safari. Sometimes I forget and use the back button (easy when there's a back button right on the mouse) but in that case I can either revisit the section and go back via the tree or refresh the page. This does not appear to have changed with HTTPS.

Title: Re: SERVER SSL Upgrade
Post by: PA0PBZ on March 31, 2017, 02:12:21 pm
I use the 'show unread posts since last visit' on the top of the page, that way I don't have to navigate the sections. If I click a post in that list and then go back with the (mouse) back button the post I just clicked is gone from the list, as if the list was generated again. This only in IE as I mentioned.
Title: Re: SERVER SSL Upgrade
Post by: rrinker on March 31, 2017, 02:37:57 pm
 That sort of sounds like it works as intended, but ONLY in IE - after all, if you've read the post, it no longer is unread and shouldn't appear on the list.  :-DD

Title: Re: SERVER SSL Upgrade
Post by: Monkeh on March 31, 2017, 08:07:40 pm
Paging Dr. gnif, notification links are missing their protocol: https://www.eevblog.com/forum/blog/notification-precated/
Title: Re: SERVER SSL Upgrade
Post by: gnif on March 31, 2017, 08:45:09 pm
Paging Dr. gnif, notification links are missing their protocol: https://www.eevblog.com/forum/blog/notification-precated/

This is a known issue, I do not have time at current to look for a solution, it is a minor breakage and not a high priority at the moment.
Title: Re: SERVER SSL Upgrade
Post by: texaspyro on March 31, 2017, 11:27:01 pm
Paging Dr. gnif, notification links are missing their protocol: https://www.eevblog.com/forum/blog/notification-precated/

This is a known issue, I do not have time at current to look for a solution, it is a minor breakage and not a high priority at the moment.

A lot of email systems don't recognize the link as a link without the http: and you have to cut it from the email, paste it into the browser address bar,  then edit it to include the http:  A royal pain if you have a lot of notifications to check out.

Good luck on the https upgrade...  I've been down that rabbit hole before and it's no fun to get all the issues sorted out.
Title: Re: SERVER SSL Upgrade
Post by: bitseeker on April 01, 2017, 02:52:57 am
Thanks for the SSL/TLS upgrade. If legislation in the US passes to allow ISPs to profit from our browsing activity, inject ads (or who knows what else) onto other sites' pages, etc., having end-to-end encryption will help.
Title: Re: SERVER SSL Upgrade
Post by: magetoo on April 01, 2017, 06:14:12 pm
Is the long-term plan to turn off HTTP and go HTTPS-only?  Asking because I'm noticing that everything except the initial page load (stylesheets, images) gets turned into HTTPS even when accessing the forum via HTTP.  Except for the emoticons.
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 01, 2017, 06:15:03 pm
Is the long-term plan to turn off HTTP and go HTTPS-only?  Asking because I'm noticing that everything except the initial page load (stylesheets, images) gets turned into HTTPS even when accessing the forum via HTTP.  Except for the emoticons.

No, there is some inconsistency at the moment, but the plan is to fully support both.
Title: Re: SERVER SSL Upgrade
Post by: magetoo on April 01, 2017, 06:27:57 pm
No, there is some inconsistency at the moment, but the plan is to fully support both.

Good to know.  Some things seemed wonky (using HTTP going through a Squid proxy) but I'll hold off on complaining.
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 03, 2017, 11:34:55 am
In what time I could find the last few days I threw together a mod for SMF that allows inserting post filter hooks, the website will now generate the correct URLs depending on if you visit using http or https.

The filter is a search and replace based on the forum URL, for example, if I post this:

https://www.eevblog.com/forum

It will be automatically changed to http or https depending on how you load this page, this should keep everyone happy. This filter only applies to URLs starting with "www.eevblog.com/forum", everything else is ignored. If this causes any problems please post them here.
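
Added example (not gnif's SMF mod and not part of the post above): one way to write the output filter this post describes, in Python, rewriting only URLs under www.eevblog.com/forum to the scheme of the current request and leaving every other URL untouched. The function names are assumptions, the sample strings are constructed, and the e-mail variant, which always emits https, is an assumed policy that covers the case reported earlier in the thread where notification links arrive without a protocol: outside a page load there is no scheme for a scheme-less URL to inherit.

```python
import re

FORUM_BASE = "www.eevblog.com/forum"  # the only prefix the filter touches

FORUM_URL = re.compile(
    r"(?<![\w:/])"              # not glued to another scheme or a longer URL
    r"(?:https?:)?//"           # http://, https:// or scheme-less //
    r"www\.eevblog\.com/forum"  # exact host and base path
    r"""(?=[/?#"'<>\s)]|$)""",  # the path segment ends here: not /forums...
    re.IGNORECASE)


def filter_post(html, request_is_https):
    """Rewrite forum URLs in rendered post HTML to the request's scheme."""
    scheme = "https" if request_is_https else "http"
    return FORUM_URL.sub(f"{scheme}://{FORUM_BASE}", html)


def filter_email(text):
    """E-mail has no page scheme to inherit, so always emit an absolute URL.

    Choosing https here is an assumption of this example.
    """
    return FORUM_URL.sub(f"https://{FORUM_BASE}", text)


# Constructed sample: an internal link, an external image, a look-alike
# path and a non-HTTP scheme. Only the first one should change.
SAMPLE = ('<a href="http://www.eevblog.com/forum/news/">thread</a> '
          '<img src="http://images.example.net/x.png"> '
          'http://www.eevblog.com/forums-archive/ '
          'ftp://www.eevblog.com/forum/x')

if __name__ == "__main__":
    print(filter_post(SAMPLE, request_is_https=True))
    print(filter_post("https://www.eevblog.com/forum", request_is_https=False))
    print(filter_email("New reply: //www.eevblog.com/forum/blog/example/"))
```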
Title: Re: SERVER SSL Upgrade
Post by: Ian.M on April 03, 2017, 11:49:30 am
Many thanks.  I've just commented out the link rewriter in my Greasemonkey script and I'll see how it goes.

Would it be possible to post a list of SSL/TLS protocols and encryption methods the server now accepts, so those of us with legacy browsers can check compatibility against possible browser upgrades *BEFORE* installing them?
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 03, 2017, 01:03:42 pm
In what time I could find the last few days I threw together a mod for SMF that allows inserting post filter hooks, the website will now generate the correct URLs depending on if you visit using http or https.

The filter is a search and replace based on the forum URL, for example, if I post this:

https://www.eevblog.com/forum

It will be automatically changed to http or https depending on how you load this page, this should keep everyone happy. This filter only applies to URLs starting with "www.eevblog.com/forum", everything else is ignored. If this causes any problems please post them here.

If you implement local customisations to modify the standard SMF software then at each upgrade you'll always have to test and or retrofit them. It is generally better to suck up the pain one time and move on with simpler future upgrades. Better to dump some of the legacy stuff and simplify.  Admittedly I don't really follow the http/https issues all that well.

Gnif: Even though I quoted you this isn't a criticism. Just a general observation. The quote was to carry the context.

They are not local customisations, I have written a proper package that integrates/installs/uninstalls and is tracked up the updater, there should be no issues.

That said, since it seems to be working I am going to disable the redirect if the browser states to upgrade requests, that way people can decide if they do or don't want SSL.
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 03, 2017, 07:38:43 pm
No complaints so far, everything seems good.

I made a small change so that the login URL is always https (including the one on the top banner), but it will still work with http if you really must use http, just drop off the 's' in the url.

Edit: Just picked up a small issue, when posting it posts to HTTPS, but redirects you back to HTTP, I will investigate this later if I can.
Title: Re: SERVER SSL Upgrade
Post by: RayRay on April 03, 2017, 07:42:09 pm
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 03, 2017, 07:43:06 pm
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)

Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.

I personally only care to use it HTTP simply for performance, things load faster.
Title: Re: SERVER SSL Upgrade
Post by: RayRay on April 03, 2017, 07:49:18 pm
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.
Would that really be so bad? Pretty much all modern browsers support SSL nowadays. And I've never heard of any business/company blocking port 443 (as it's pretty much an essential) Now, apart from all that, SEO wise, EEVBlog would actually be ranked better on Google if https would be on by default, which is another thing to take into account.
Title: Re: SERVER SSL Upgrade
Post by: rrinker on April 03, 2017, 10:32:50 pm
 How much further up does it need to be ranked? Google for eevblog, the first TWO pages of results are all Dave related, the first two hits being the blog and the forum. Even searching for "that crazy aussie bloke", the first 2 hits are Dave-related!  :-DD :-DD

 I don't see much, if any, performance difference, but then I'm probably not too many hops away from the host being in the US, plus my connection is 150M+ down. Actually just tested now and I got 242 down, 12 up. I'm sure if I carefully measured page load times and whatnot there would be a difference, but that's like going to one step faster RAM in your computer, or the difference between an OC to 4.8GHz and one to 4.9GHz., a benchmark will see the speed difference but you'll never notice. Further away from the server, with more hops to traverse, yeah.
Title: Re: SERVER SSL Upgrade
Post by: bitseeker on April 04, 2017, 12:46:13 am
Even searching for "that crazy aussie bloke", the first 2 hits are Dave-related!  :-DD :-DD

LOL. I'd never have tried that for a search query.
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 04, 2017, 12:53:24 am
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.
Would that really be so bad? Pretty much all modern browsers support SSL nowadays. And I've never heard of any business/company blocking port 443 (as it's pretty much an essential) Now, apart from all that, SEO wise, EEVBlog would actually be ranked better on Google if https would be on by default, which is another thing to take into account.

This thread is not for this discussion, the decision has been made, and it is final, don't turn this thread into another argument on the merits of SSL. You didn't even have the option prior, don't complain about a free thing.
Title: Re: SERVER SSL Upgrade
Post by: RayRay on April 04, 2017, 01:13:00 am
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.
Would that really be so bad? Pretty much all modern browsers support SSL nowadays. And I've never heard of any business/company blocking port 443 (as it's pretty much an essential) Now, apart from all that, SEO wise, EEVBlog would actually be ranked better on Google if https would be on by default, which is another thing to take into account.

This thread is not for this discussion, the decision has been made, and it is final, don't turn this thread into another argument on the merits of SSL. You didn't even have the option prior, don't complain about a free thing.
I might be taking a risk here (as you're in a power position) but I'm gonna stick to my principles and say what I have to say anyway.
I was just asking a simple question (and was making some observations), and you're making it sound like I'm the bad guy for doing so, and quite frankly, I don't like it! I think you could've definitely been nicer in your response. It's not like I was hardcore complaining about it not being on by default. Also, if you're gonna make it an optional thing, at least put it on the spotlight!
How bout some kind of big, clickable link on the top of the forums saying something like "Click here to load the forum in SSL mode"?
Not everyone follows the news section FYI.
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 04, 2017, 01:23:01 am
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.
Would that really be so bad? Pretty much all modern browsers support SSL nowadays. And I've never heard of any business/company blocking port 443 (as it's pretty much an essential) Now, apart from all that, SEO wise, EEVBlog would actually be ranked better on Google if https would be on by default, which is another thing to take into account.

This thread is not for this discussion, the decision has been made, and it is final, don't turn this thread into another argument on the merits of SSL. You didn't even have the option prior, don't complain about a free thing.
I might be taking a risk here (as you're in a power position) but I'm gonna stick to my principles and say what I have to say anyway.
I was just asking a simple question (and was making some observations), and you're making it sound like I'm the bad guy for doing so, and quite frankly, I don't like it! I think you could've definitely been nicer in your response. It's not like I was hardcore complaining about it not being on by default. Also, if you're gonna make it an optional thing, at least put it on the spotlight!
How bout some kind of big, clickable link on the top of the forums saying something like "Click here to load the forum in SSL mode"?
Not everyone follows the news section FYI.

Dude, it was not a personal attack on you, it was a clear statement for the general public because this has been discussed to death :horse:, there have been two other threads discussing this, one of which devolved into a bitter complaint about how we should enforce and implement HSTS and various other things. The other thread was about how people don't want it, and then here people are saying they want the option... If Dave wants to put it in the spotlight, start a thread and ask him, it is not my place to rule on this.

As far as I am concerned, support both groups as best as possible while retaining full backwards compatibility is the best option here.

Reasons for SSL:

Reasons for not using SSL:

Everyone assumes that SSL is the way to defeat tracking, alteration, etc... It is not, it just helps a bit. If a third party is determined enough to track you or alter the content there are numerous avenues of attack they can take, one of which is completely undetectable for thousands upon thousands of websites. It's called CloudFlare.

I have seen people reset their passwords on this website since SSL was enabled, and fair enough... but how does that person know the server that is decrypting the SSL session has not been compromised? How do they know the admin of the server is competent enough to even notice if the server has had its SSL private key stolen? And how do they know the owner/admin of that site is not just using it as a front to mine account details? And how do you know that the website that uses your password handles it correctly and stores it in a one way salted hash? Ultimately it comes down to blind trust in a random you don't even know from a bar of soap.

If you think it's not that common, look at Sony... SSL was in use there but it was pointless as they stored all their data in plain text and allowed the theft of an enormous amount of data that they had been entrusted with. How did SSL help here? Would HSTS have prevented this? In short no. I bet the attacker felt good knowing that the information they were stealing was being stolen in a secure way, don't want to risk a theft of a theft.
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 04, 2017, 03:40:50 am
Update: The post redirect issue has been fixed, all corner cases are now covered, if you load this site with HTTPS it should remain on HTTPS :).
Title: Re: SERVER SSL Upgrade
Post by: Monkeh on April 04, 2017, 02:22:26 pm
This is just a quick test post as I seem to be having issues viewing some Youtube embeds..

https://youtu.be/w4dYWhkSbTU

https://www.youtube.com/watch?v=w4dYWhkSbTU

E: Yes, there we go. youtu.be embeds don't seem to work over HTTPS.
Title: Re: SERVER SSL Upgrade
Post by: bktemp on April 04, 2017, 02:41:32 pm
It seems some browsers block non secure content:
https://www.eevblog.com/forum/chat/test-post-yt-links/
I have the same problem with Firefox. I can't see any youtu.be link, there is just an empty space instead of the video preview/link.
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 04, 2017, 03:34:03 pm
It seems some browsers block non secure content:
https://www.eevblog.com/forum/chat/test-post-yt-links/
I have the same problem with Firefox. I can't see any youtu.be link, there is just an empty space instead of the video preview/link.

Thanks! I will throw in a fix for this when I get a chance.

Edit: Fixed
Title: Re: SERVER SSL Upgrade
Post by: Monkeh on April 04, 2017, 03:59:31 pm
No, thank you! :)
Title: Re: SERVER SSL Upgrade
Post by: MLXXXp on April 17, 2017, 02:43:46 pm
When I go to https://www.eevblog.com/ then select Forum from the menu bar, it takes me to http://www.eevblog.com/forum/

Shouldn't the Forum link be to https://www.eevblog.com/forum/ ?

The same appears to be true for the Wiki and Shop links.


Title: Re: SERVER SSL Upgrade
Post by: gnif on April 17, 2017, 03:04:20 pm
When I go to https://www.eevblog.com/ then select Forum from the menu bar, it takes me to http://www.eevblog.com/forum/

Shouldn't the Forum link be to https://www.eevblog.com/forum/ ?

The same appears to be true for the Wiki and Shop links.

You would think, but that would need some additional changes to the install of WordPress that runs the forum, efforts have only been spent on the forums at this time.
Title: Re: SERVER SSL Upgrade
Post by: gnif on April 17, 2017, 11:03:09 pm
You would think, but that would need some additional changes to the install of WordPress that runs the forum, efforts have only been spent on the forums at this time.

There is some subtle point in there that is lost on me. I suspect it is embedded in the use of forums.

No subtle point at all, the link from the website to the forum is generated by WordPress, I have not bothered to look at this yet due to time constraints.
Title: Re: SERVER SSL Upgrade
Post by: gmb42 on July 07, 2017, 11:58:50 am
Chrome is showing mixed content loading, the advertising image for Opal Kelly is referenced via http:

Code:
Mixed Content: The page at 'https://www.eevblog.com/forum/buysellwanted/' was loaded over HTTPS, but requested an insecure image 'http://www.eevblog.com/images/comm/OpalKellyFPGA720x90.png'. This content should also be served over HTTPS.
FWIW there's also an error with mathjax:

Code:
cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML,Safe:32 WARNING: cdn.mathjax.org has been retired. Check https://www.mathjax.org/cdn-shutting-down/ for migration tips.