When did HTTPS stop working? Please fix :)

Discussion in 'Site Suggestions, Announcements and Guidelines' started by hmscott, Apr 2, 2017.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    3,329
    Messages:
    12,506
    Likes Received:
    14,485
    Trophy Points:
    931
    Last edited: Apr 3, 2017
  2. Charles P. Jefferies

    Charles P. Jefferies TG Lead Moderator Super Moderator

    Reputations:
    14,186
    Messages:
    35,894
    Likes Received:
    1,793
    Trophy Points:
    581
    We've never had HTTPS enabled, to my knowledge.

    Charles
     
    jaug1337 and hmscott like this.
  3. Ionising_Radiation

    Ionising_Radiation ?v = ve*ln(m0/m1)

    Reputations:
    424
    Messages:
    1,889
    Likes Received:
    1,745
    Trophy Points:
    181
    Would be a good idea to enable it, I've been thinking about asking about that, for a while.
     
    hmscott likes this.
  4. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    3,329
    Messages:
    12,506
    Likes Received:
    14,485
    Trophy Points:
    931
    Will NBR please turn on https? Thank you :)
     
    Vasudev likes this.
  5. Charles P. Jefferies

    Charles P. Jefferies TG Lead Moderator Super Moderator

    Reputations:
    14,186
    Messages:
    35,894
    Likes Received:
    1,793
    Trophy Points:
    581
    It will be enabled at some point this year, it's on our radar of to-do items.

    Charles
     
    hmscott, ALLurGroceries and downloads like this.
  6. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    3,329
    Messages:
    12,506
    Likes Received:
    14,485
    Trophy Points:
    931
    What with the dissolution of our online privacy, the sooner the better :)

    Can NBR please get the login portion on https soon? That way people can't snoop our clear text (without https) login passwords on wifi and other openly snoopable networks.

    Thank you Charles! :)
     
    Last edited: Apr 3, 2017
    Vasudev likes this.
  7. Stooj

    Stooj Notebook Evangelist

    Reputations:
    114
    Messages:
    627
    Likes Received:
    471
    Trophy Points:
    76
    +1 for getting HTTPS going asap. You can use LetsEncrypt to get a valid Cert for free so there's really no excuse to be sending over cleartext any more. Particularly with the current climate of database leaks and the number of shared passwords people tend to use. You'll also start getting login warnings with current browsers which might scare new users away.

    I'm happy to help on any technical aspects if you need as I'm quite familiar with it (depending on your web server). Worst case scenario (ie compatibility issues) it's quite easy to shove it all through an NGINX reverse-proxy and encrypt everything at the door.
     
  8. jaug1337

    jaug1337 de_dust2

    Reputations:
    2,039
    Messages:
    4,722
    Likes Received:
    794
    Trophy Points:
    181
    Stop using HTTPS Everywhere and start using Smart HTTPS. Enforced HTTPS isn't necessary.

    SOURCE

    Just my 0.02
     
    hmscott likes this.
  9. Stooj

    Stooj Notebook Evangelist

    Reputations:
    114
    Messages:
    627
    Likes Received:
    471
    Trophy Points:
    76
    Those plugins have nothing to do with it.

    If the destination site doesn't use HTTPS to begin with then any plugin is only a half-measure. Eventually, there's an unencrypted stream. Doesn't matter if it's HTTPS-Everywhere, or Tor.

    Fact is, this is a site that requires an initial login and a persistent cookie for recurring login. Without the server itself using HTTPS, that can be snooped at some point in the chain.
     
    Ionising_Radiation and hmscott like this.
  10. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    3,329
    Messages:
    12,506
    Likes Received:
    14,485
    Trophy Points:
    931
    I support EFF, and as part of that I suggest people look at HTTP Everywhere, while there on the EFF site they might look around and learn more as well :)

    How to Deploy HTTPS Correctly
    "HTTPS provides the baseline of safety for web application users, and there is no performance- or cost-based reason to stick with HTTP. Web application providers undermine their business models when, by continuing to use HTTP, they enable a wide range of attackers anywhere on the internet to compromise users' information."

    Getting back to Smart vs Everywhere https, as long as the tool is working, if it's suboptimal in the ms range a user won't notice it...

    It looks like since that 2015 post about Smart https there is a newer "revived" version of "Smart https":
    https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/

    "Note: Smart HTTPS (revived) is a revised version of Smart HTTPS addon and, is written with the new WebExtensions API. This new version has better performance and robustness comparing to the old Smart HTTPS which was written with addon-sdk API. If you have Firefox (version 51 and above), please consider using this addon.

    Smart HTTPS is a Firefox addon that helps you always use the secure HTTPS protocol, if supported by the server. It automatically changes HTTP protocol to the secure HTTPS, and if loading encounters error, reverts it back to the HTTP protocol."

    Opera version:
    https://addons.opera.com/en/extensions/details/smart-https/?display=en

    Equal time for HTTPS Everywhere :)
    https://www.eff.org/https-everywhere

    HTTPS Everywhere FAQ
    HTTPS Everywhere Rulesets


    "HTTPS Everywhere is produced as a collaboration between The Tor Project and the Electronic Frontier Foundation.

    Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use.

    For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

    The HTTPS Everywhere extension fixes these problems by using clever technology to rewrite requests to these sites to HTTPS.

    Information about how to access the project's Git repository and get involved in development is here."
     
    Last edited: Jun 14, 2017
    Starlight5 and jaug1337 like this.
Loading...

Share This Page