Author Topic: Migration to HTTPS  (Read 393 times)

Den

Migration to HTTPS
« on: March 14, 2017, 04:37:42 PM »
To enhance security with regard to logins and passwords, this forum may migrate to HTTPS, TLS, or other.

Status: certificate acquired. Site also works in HTTP and HTTPS. Feel free to opine in this topic.

The original impetus was pushed by Google:
Quote
Nonsecure Collection of Passwords will trigger warnings in Chrome 56 for http://shenafu.com/

To: owner of http://shenafu.com/

Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.

The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, and so you can take action to help protect users’ data. The list is not exhaustive.

Here’s how to fix this problem:

Use HTTPS pages to collect sensitive information

To prevent the “Not Secure” notification from appearing when Chrome users visit your site, move collection of password and credit card input fields to pages served using the HTTPS protocol.

This means users visiting non-HTTPS sites will see "Not Secure" in the address bar. https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

However, converting to a new URI prefix is not just changing the address. It's a complex process of acquiring SSL certificates and heavy modification to forum code and database to make sure all links are directed properly. It may also have issues with image sources not from other HTTPS sites.

Furthermore is the opinion that HTTPS itself segregates the internet. Which makes HTTPS less backward compatible. And does most of the web need to be encrypted? Such as this tiny site in the remote recesses of the internet.

Moreover is the delay as the security certs are verified. That means every page will have a second or more of delay before the page is rendered to the user's browser. Which I find very annoying because it can't be prevented or diminished no matter how powerful your computer is.

So this is a multi-pronged quandary. One, is it worth the hassle for this tiny site that all traffic be encrypted? For that matter, is it feasible to force millions of webmasters to comply with this authoritarian edict? Two, do we all agree that segregating the internet should be the future? Could there be better, passive solutions than converting billions of links to HTTPS?
« Last Edit: March 14, 2017, 06:59:41 PM by Den »

Den

Re: Migration to HTTPS
« Reply #1 on: March 14, 2017, 05:42:31 PM »
Fortunately my webhost has some simple solutions to assist me to transition to SSL. My webhost gives me the option to use Let's Encrypt, which has been touted by many as a good way to get free certs. I can also easily "force SSL connections to your domain and subdomains".

However I'm still uncertain of the ramifications to this forum and the rest of the pages on this domain and subdomains. How badly would things get messed up, and how much effort to fix them? How many files do I have to manually update to make sure they work with the HTTPS URI?

Update (2017/03/14):
I simply acquired the certs from the webhost, which automatically enables https: to the entire domain. Forums and whole domain seem to work in both HTTP and HTTPS without me doing anything. But some pages may still give insecure warnings due to mixed content. Not yet ready to force SSL connections on the domain. Probably test with subdomains first.
« Last Edit: March 15, 2017, 01:59:09 AM by Den »
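
Added example, not part of Den's posts or the forum software: a small Python audit for the two problems raised above, password fields that are collected or submitted over plain HTTP (the Chrome 56 warning) and mixed content on pages served over HTTPS. The `PageAudit` class, the `audit` helper and the `.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTR = {"img": "src", "audio": "src", "video": "src", "source": "src",
              "script": "src", "iframe": "src", "embed": "src", "object": "data"}
# Script-like ("active") mixed content is treated more strictly than images/media.
ACTIVE = {"script", "iframe", "link", "embed", "object"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlparse(page_url).scheme == "https"
        self.mixed = []                    # (tag, url, "active" | "passive")
        self.insecure_password_forms = []  # URL the password would be sent to
        self._form_target = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form_target = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            target = self._form_target or self.page_url
            if not (self.page_is_https and urlparse(target).scheme == "https"):
                self.insecure_password_forms.append(target)
        attr = FETCH_ATTR.get(tag)
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            attr = "href"
        if self.page_is_https and attr and a.get(attr):
            url = urljoin(self.page_url, a[attr])  # resolves relative and //host URLs
            if urlparse(url).scheme == "http":
                self.mixed.append((tag, url, "active" if tag in ACTIVE else "passive"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_target = None

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser

# Constructed sample page; the .example hosts are placeholders, not from the forum.
SAMPLE_HTML = """
<img src="http://images.example/avatar.png"><img src="/logo.png">
<script src="//cdn.example/app.js"></script>
<script src="http://cdn.example/old.js"></script>
<form action="http://forum.example/login"><input type="password" name="pw"></form>
"""
```

Running `audit("https://forum.example/index.php", SAMPLE_HTML)` lists the hard-coded `http://` image and script as mixed content and flags the login form; relative and protocol-relative URLs inherit the page's scheme and need no rewriting.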

Den

Re: Migration to HTTPS
« Reply #2 on: March 16, 2017, 11:17:13 AM »
I agree with Tim Berners-Lee that the conception of a separate URI from HTTP to HTTPS was a short-term solution that ripples into a long-term mistake. It causes inconvenience for both users and webmasters.

The content for either URI is identical. The content files on the server are one and the same, and there is no difference in what the user sees and experiences in the browser. So how does that warrant a different protocol and address? Other protocols like FTP and Telnet etc. do provide markedly different purposes, so they should require their own protocol.

The difference between http:// and https:// is not just one letter. The user has to type 8 additional, unnecessary characters at the beginning of every address in order to deserve security and privacy. The webmasters must include extraneous configurations to their servers to differentiate the two addresses (including opening additional ports), even though there is no practical difference to the content being served to users. So why must we burden both users and webmasters this way?