Author Topic: SERVER SSL Upgrade  (Read 30272 times)


Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #50 on: April 03, 2017, 07:43:06 pm »
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)

Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.

I personally only care to use it HTTP simply for performance, things load faster.
« Last Edit: April 03, 2017, 07:46:54 pm by gnif »
 

Offline RayRay

  • Frequent Contributor
  • **
  • Posts: 297
Re: SERVER SSL Upgrade
« Reply #51 on: April 03, 2017, 07:49:18 pm »
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.
Would that really be so bad? Pretty much all modern browsers support SSL nowadays. And I've never heard of any business/company blocking port 443 (as it's pretty much an essential) Now, apart from all that, SEO wise, EEVBlog would actually be ranked better on Google if https would be on by default, which is another thing to take into account.
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
Re: SERVER SSL Upgrade
« Reply #52 on: April 03, 2017, 10:32:50 pm »
 How much further up does it need to be ranked? Google for eevblog, the first TWO pages of results are all Dave related, the first two hits being the blog and the forum. Even searching for "that crazy aussie bloke", the first 2 hits are Dave-related!  :-DD :-DD

 I don't see much, if any, performance difference, but then I'm probably not too many hops away from the host being in the US, plus my connection is 150M+ down. Actually just tested now and I got 242 down, 12 up. I'm sure if I carefully measured page load times and whatnot there would be a difference, but that's like going to one step faster RAM in your computer, or the difference between an OC to 4.8GHz and one to 4.9GHz; a benchmark will see the speed difference but you'll never notice. Further away from the server, with more hops to traverse, yeah.
 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 9057
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: SERVER SSL Upgrade
« Reply #53 on: April 04, 2017, 12:46:13 am »
Even searching for "that crazy aussie bloke", the first 2 hits are Dave-related!  :-DD :-DD

LOL. I'd never have tried that for a search query.
TEA is the way. | TEA Time channel
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #54 on: April 04, 2017, 12:53:24 am »
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.
Would that really be so bad? Pretty much all modern browsers support SSL nowadays. And I've never heard of any business/company blocking port 443 (as it's pretty much an essential) Now, apart from all that, SEO wise, EEVBlog would actually be ranked better on Google if https would be on by default, which is another thing to take into account.

This thread is not for this discussion, the decision has been made, and it is final, don't turn this thread into another argument on the merits of SSL. You didn't even have the option prior, don't complain about a free thing.
 

Offline RayRay

  • Frequent Contributor
  • **
  • Posts: 297
Re: SERVER SSL Upgrade
« Reply #55 on: April 04, 2017, 01:13:00 am »
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.
Would that really be so bad? Pretty much all modern browsers support SSL nowadays. And I've never heard of any business/company blocking port 443 (as it's pretty much an essential) Now, apart from all that, SEO wise, EEVBlog would actually be ranked better on Google if https would be on by default, which is another thing to take into account.

This thread is not for this discussion, the decision has been made, and it is final, don't turn this thread into another argument on the merits of SSL. You didn't even have the option prior, don't complain about a free thing.
I might be taking a risk here (as you're in a power position) but I'm gonna stick to my principles and say what I have to say anyway.
I was just asking a simple question (and was making some observations), and you're making it sound like I'm the bad guy for doing so, and quite frankly, I don't like it! I think you could've definitely been nicer in your response. It's not like I was hardcore complaining about it not being on by default. Also, if you're gonna make it an optional thing, at least put it on the spotlight!
How bout some kind of big, clickable link on the top of the forums saying something like "Click here to load the forum in SSL mode"?
Not everyone follows the news section FYI.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #56 on: April 04, 2017, 01:23:01 am »
But why is SSL not used by default? When loading the forum, it just loads it in plain-text (without automatically redirecting to https)
Because to do this means a server side redirect, which then forces everyone to use it... and not everyone can, or cares to.
The goal here is to allow you to bookmark it as HTTPS or HTTP depending on your preference.
Would that really be so bad? Pretty much all modern browsers support SSL nowadays. And I've never heard of any business/company blocking port 443 (as it's pretty much an essential) Now, apart from all that, SEO wise, EEVBlog would actually be ranked better on Google if https would be on by default, which is another thing to take into account.

This thread is not for this discussion, the decision has been made, and it is final, don't turn this thread into another argument on the merits of SSL. You didn't even have the option prior, don't complain about a free thing.
I might be taking a risk here (as you're in a power position) but I'm gonna stick to my principles and say what I have to say anyway.
I was just asking a simple question (and was making some observations), and you're making it sound like I'm the bad guy for doing so, and quite frankly, I don't like it! I think you could've definitely been nicer in your response. It's not like I was hardcore complaining about it not being on by default. Also, if you're gonna make it an optional thing, at least put it on the spotlight!
How bout some kind of big, clickable link on the top of the forums saying something like "Click here to load the forum in SSL mode"?
Not everyone follows the news section FYI.

Dude, it was not a personal attack on you, it was a clear statement for the general public because this has been discussed to death :horse:, there have been two other threads discussing this, one of which devolved into a bitter complaint about how we should enforce and implement HSTS and various other things. The other thread was about how people don't want it, and then here people are saying they want the option... If Dave wants to put it in the spotlight, start a thread and ask him, it is not my place to rule on this.

As far as I am concerned, supporting both groups as best as possible while retaining full backwards compatibility is the best option here.

Reasons for SSL:
  • Security, obviously, but this is not a huge worry with the content of this website
  • Prevent content alteration by third parties such as governments
  • Prevent your ISP from being able to track your browser habits so easily (they can still do it anyway)

Reasons for not using SSL:
  • Old browsers that do not support SNI or modern encryption schemes that people insist on using
  • Hardware devices, scripts, etc. that people have built that tie into the website may not support SSL
  • Performance, SSL slows things down considerably
  • There is no sensitive information here to protect, if there is you shouldn't be posting it on a public forum in the first place

Everyone assumes that SSL is the way to defeat tracking, alteration, etc... It is not, it just helps a bit. If a third party is determined enough to track you or alter the content there are numerous avenues of attack they can take, one of which is completely undetectable for thousands upon thousands of websites. It's called CloudFlare.

I have seen people reset their passwords on this website since SSL was enabled, and fair enough... but how does that person know the server that is decrypting the SSL session has not been compromised? How do they know the admin of the server is competent enough to even notice if the server has had its SSL private key stolen? And how do they know the owner/admin of that site is not just using it as a front to mine account details? And how do you know that the website that uses your password handles it correctly and stores it in a one way salted hash? Ultimately it comes down to blind trust in a random you don't even know from a bar of soap.

If you think it's not that common, look at Sony... SSL was in use there but it was pointless as they stored all their data in plain text and allowed the theft of an enormous amount of data that they had been entrusted with. How did SSL help here? Would HSTS have prevented this? In short no. I bet the attacker felt good knowing that the information they were stealing was being stolen in a secure way, don't want to risk a theft of a theft.
« Last Edit: April 04, 2017, 03:39:53 am by gnif »
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #57 on: April 04, 2017, 03:40:50 am »
Update: The post redirect issue has been fixed, all corner cases are now covered, if you load this site with HTTPS it should remain on HTTPS :).
 
The following users thanked this post: bitwelder

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7990
  • Country: gb
Re: SERVER SSL Upgrade
« Reply #58 on: April 04, 2017, 02:22:26 pm »
This is just a quick test post as I seem to be having issues viewing some Youtube embeds..

https://youtu.be/w4dYWhkSbTU



E: Yes, there we go. youtu.be embeds don't seem to work over HTTPS.
 

Offline bktemp

  • Super Contributor
  • ***
  • Posts: 1616
  • Country: de
Re: SERVER SSL Upgrade
« Reply #59 on: April 04, 2017, 02:41:32 pm »
It seems some browsers block non secure content:
https://www.eevblog.com/forum/chat/test-post-yt-links/
I have the same problem with Firefox. I can't see any youtu.be link, there is just an empty space instead of the video preview/link.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #60 on: April 04, 2017, 03:34:03 pm »
It seems some browsers block non secure content:
https://www.eevblog.com/forum/chat/test-post-yt-links/
I have the same problem with Firefox. I can't see any youtu.be link, there is just an empty space instead of the video preview/link.

Thanks! I will throw in a fix for this when I get a chance.

Edit: Fixed
« Last Edit: April 04, 2017, 03:44:21 pm by gnif »
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7990
  • Country: gb
Re: SERVER SSL Upgrade
« Reply #61 on: April 04, 2017, 03:59:31 pm »
No, thank you! :)
 

Offline MLXXXp

  • Frequent Contributor
  • **
  • Posts: 322
  • Country: ca
Re: SERVER SSL Upgrade
« Reply #62 on: April 17, 2017, 02:43:46 pm »
When I go to https://www.eevblog.com/ then select Forum from the menu bar, it takes me to http://www.eevblog.com/forum/

Shouldn't the Forum link be to https://www.eevblog.com/forum/ ?

The same appears to be true for the Wiki and Shop links.


 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #63 on: April 17, 2017, 03:04:20 pm »
When I go to https://www.eevblog.com/ then select Forum from the menu bar, it takes me to http://www.eevblog.com/forum/

Shouldn't the Forum link be to https://www.eevblog.com/forum/ ?

The same appears to be true for the Wiki and Shop links.

You would think, but that would need some additional changes to the install of WordPress that runs the forum, efforts have only been spent on the forums at this time.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: SERVER SSL Upgrade
« Reply #64 on: April 17, 2017, 11:03:09 pm »
You would think, but that would need some additional changes to the install of WordPress that runs the forum, efforts have only been spent on the forums at this time.

There is some subtle point in there that is lost on me. I suspect it is embedded in the use of forums.

No subtle point at all, the link from the website to the forum is generated by WordPress, I have not bothered to look at this yet due to time constraints.
 

Offline gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: SERVER SSL Upgrade
« Reply #65 on: July 07, 2017, 11:58:50 am »
Chrome is showing mixed content loading, the advertising image for Opal Kelly is referenced via http:

Code:
Mixed Content: The page at 'https://www.eevblog.com/forum/buysellwanted/' was loaded over HTTPS, but requested an insecure image 'http://www.eevblog.com/images/comm/OpalKellyFPGA720x90.png'. This content should also be served over HTTPS.
FWIW there's also an error with mathjax:

Code:
cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML,Safe:32 WARNING: cdn.mathjax.org has been retired. Check https://www.mathjax.org/cdn-shutting-down/ for migration tips.
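
Added example, not part of any post in this thread and not the forum's own code: a small Python checker that finds the kind of mixed content reported above (an http image on an HTTPS page, and embeds that disappear over HTTPS) by listing every subresource a page would fetch over plain http. The sample HTML is constructed; the iframe URL is an assumed http embed form for the video ID posted earlier, and the active/passive split reflects general browser behaviour rather than anything specific to this site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, mixed-content class). Browsers block "active" loads
# (they can script the page) and load "passive" ones with a console warning.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"),  # counted only for rel=stylesheet
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

# Constructed sample page. The image URL is the one from the Chrome warning;
# the iframe URL and the relative image path are assumptions for illustration.
PAGE_URL = "https://www.eevblog.com/forum/buysellwanted/"
SAMPLE_HTML = """
<img src="http://www.eevblog.com/images/comm/OpalKellyFPGA720x90.png">
<script src="//cdn.mathjax.org/mathjax/latest/MathJax.js"></script>
<iframe src="http://www.youtube.com/embed/w4dYWhkSbTU"></iframe>
<img src="/images/logo.png" />
<a href="http://www.eevblog.com/forum/">Forum</a>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (class, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # plain links (<a href>) are navigations, not subresources
        attr, kind = SUBRESOURCES[tag]
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        # Resolve relative and protocol-relative (//host/path) URLs first:
        # on an HTTPS page they inherit https and are not mixed content.
        url = urljoin(self.page_url, (attrs.get(attr) or "").strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # a page served over http cannot have mixed content
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling `find_mixed_content(PAGE_URL, SAMPLE_HTML)` returns the image as a passive finding and the iframe as an active one; the protocol-relative script, the relative image and the plain link are not reported.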
 

