HTTPS Or HTTP... The War Begins

I find that Jaxel's media pages, they break even Chrome, getting the red x... most pages are green bar (perfect), some have like a partial security, i.e. Chrome has the little yellow thing over the lock, saying it's secure, with unsecure elements only.

Firefox doesn't show any broken lock even on media pages, and usually just shows https, or adds a blue bar... I think the blue is whilst I am on a temp certificate, awaiting the other one to be verified... don't know.

And Safari either shows the lock in the top right, or just doesn't show it for non-secure pages, but doesn't give any warnings as such.

No, nothing really that jumps out at a person other than Chrome and its big red x and red line through totally violent pages, which seems limited to media embedding only.
 
Doesn't sound right to me, either. I wondered why vBulletin now uses HTTPS on their forum.

Actually they converted their whole site to HTTPS.
It's a little annoying using their site now. Google Chrome always gives me a pop-up asking me if I want to leave their pages... On every page I click within their site.
 
Actually they converted their whole site to HTTPS.
It's a little annoying using their site now. Google Chrome always gives me a pop-up asking me if I want to leave their pages... On every page I click within their site.

I'm not sure what's worse, them enabling httpS site wide, or the recruitment of Paul M. :P
 
I'm sorry but that thread doesn't make much sense, you can get DDoSed whether you use HTTPS or not.
HTTPS will only protect you and your users when logging in from an unsecured location such as public Wi-Fi.
 
Modern CPUs can do SSL encryption in hardware, so there should be little to no performance penalty, but there is a major issue with enabling SSL for an entire forum, and it's related to user-generated content.

If you serve a page with HTTPS, but allow media or image embedding from your users, these resources will almost always come from an HTTP source. This compromises the security of the page, as it allows remote client-side script to run, and therefore most browsers will inform users that the page is attempting to load insecure content and have them confirm their understanding before allowing the HTTP content to load. This can be seriously obstructive to user experience, and may frighten visitors who do not understand why they are receiving the warning.
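As an added illustration (not part of the original post), the sketch below audits the rendered HTML of a post served over HTTPS and lists the embedded resources that would trigger the mixed-content warnings described above. The active/passive split is a simplified assumption, and the forum URL and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Simplified split (an assumption of this example): "active" resources can
# script or reframe the page, "passive" ones are display-only media.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr is None:
            return  # not a subresource tag (e.g. <a href> is only a link)
        url = (dict(attrs).get(attr) or "").strip()
        # Resolve relative and protocol-relative (//host/x) URLs as a browser would.
        resolved = urljoin(self.page_url, url)
        if url and urlsplit(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, resolved))

def audit(page_url, html):
    """Return insecure subresources; an HTTP page has no mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample of a rendered post with user-embedded media.
SAMPLE_POST = """
<div class="post">
  <img src="http://images.example.net/cat.jpg">
  <img src="/styles/smilies/smile.png">
  <img src="//cdn.example.org/avatar.png">
  <embed src="http://video.example.com/player.swf">
  <script src="https://static.example.org/forum.js"></script>
  <a href="http://example.com/">plain link</a>
</div>
"""

if __name__ == "__main__":
    for kind, tag, url in audit("https://forum.example/threads/1", SAMPLE_POST):
        print(f"{kind:8} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two explicit `http://` embeds are reported.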

What about a proxy?
All external resource URLs could be rewritten to proxy.php?REAL_URL which in turn proxies the real resource. Surely that would increase the load on the server by having to fetch all the external content and serve it with its own bandwidth but it's one evil or the other. And that could easily be done inside the IMG tag
 
What about a proxy?
All external resource URLs could be rewritten to proxy.php?REAL_URL which in turn proxies the real resource. Surely that would increase the load on the server by having to fetch all the external content and serve it with its own bandwidth but it's one evil or the other. And that could easily be done inside the IMG tag
Yes, you certainly could do that, but why would you? What benefit does SSL actually provide in these instances?
 
Yes, you certainly could do that, but why would you? What benefit does SSL actually provide in these instances?
I am not Pro-SSL, in fact, I would only have the login with SSL. But if someone *really* wanted to move his whole site to https and also wants to get rid of the browser's warnings when you load non-https content in a https page that is one way to go.
 
if someone *really* wanted to move his whole site to https and also wants to get rid of the browser's warnings when you load non-https content in a https page that is one way to go.
To me, that defeats the point of SSL entirely.

When someone visits an HTTPS page, they see the lock icon and expect you to have certified the content as bona fide. If you have loaded un-inspected third party content via a proxy in order to remove SSL warnings, you break that trust, as you can not assure your visitors that everything they see on that page is safe and provided by you.
 
To me, that defeats the point of SSL entirely.

When someone visits an HTTPS page, they see the lock icon and expect you to have certified the content as bona fide. If you have loaded un-inspected third party content via a proxy in order to remove SSL warnings, you break that trust, as you can not assure your visitors that everything they see on that page is safe and provided by you.
I only care about SSL for the encryption, so sniffers on the network cannot get ahold of the username and password (or hash).
The rest I think is being too purist about the concept, though I understand and agree with you.
 
Seems even Google is now shifting to SSL: https://encrypted.google.com/ under beta...

It seems Google have encountered the same issues, that none of us here obviously know about yet, that occurred to me and my users, let alone many other websites:

http://www.google.com/support/webse...age=guide.cs&guide=1224171&answer=173733&rd=1

With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience.

Form data just has nothing to do with it any more... people are intercepting pages between the server and the browser and injecting malicious content... HTTPS, as was stated to myself by server techs, seems to be the only way to stop them doing this.

Now Google are also shifting to HTTPS suddenly, and have outlined why themselves, suddenly I no longer feel so crazy for having to shift my forum to HTTPS on the advice of leading server techs.
 
Seems even Google is now shifting to SSL: https://encrypted.google.com/ under beta...

It seems Google have encountered the same issues, that none of us here obviously know about yet, that occurred to me and my users, let alone many other websites:

http://www.google.com/support/webse...age=guide.cs&guide=1224171&answer=173733&rd=1

Form data just has nothing to do with it any more... people are intercepting pages between the server and the browser and injecting malicious content... HTTPS, as was stated to myself by server techs, seems to be the only way to stop them doing this.

Now Google are also shifting to HTTPS suddenly, and have outlined why themselves, suddenly I no longer feel so crazy for having to shift my forum to HTTPS on the advice of leading server techs.
They've been offering this for a long time, it isn't remotely new at all.
 