There is no reason you would need to go through a proxy, unless you need a proxy for the majority of the internet, which is now over 80% HTTPS. We have been one of the last horses through the gate. Let's Encrypt Stats - Let's Encrypt - Free SSL/TLS Certificates
All (about a half million) existing externally hosted images were tested, if they worked when switched to HTTPS they were rewritten. If they didn't work over HTTPS they are now passed through a HTTPS proxy, and if they didn't work at all, they were marked dead (may be some false positives).
Steve can you post a link to an example post / image that isn't working, thanks.
https://www.theanalogdept.com/images/spp6_pics/TD124%20customer/27520/E50%20sn%2048083/DSC_2781.jpg
post # 2701 on the Restoring and Improving A Thorens TD124 MKII thread
This would be one of them.
-Steve
"The owner of The Analog Dept. has configured their website improperly. ...
The Analog Dept. uses an invalid security certificate.
The certificate is only valid for the following names: *.securedata.net, securedata.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN "
Certificate details: Common Name (CN): *.securedata.net
Manually connecting without the "s" works fine, of course {as AKN reports below}, because no cert is involved.
I'm wondering if Jason's script checked https links only for "a return" without checking the associated cert for full validity?
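One way to answer the question above, as an added example that is not the migration script diyAudio actually ran: classify each externally hosted image URL the way the earlier post describes (works over HTTPS / needs the HTTPS proxy / dead), but with the certificate chain and the hostname both verified, so a host that answers TLS with a certificate for the wrong name is not counted as "working". The hostnames are the ones from this thread; `simulated_fetch` is a constructed stand-in for network access.

```python
"""Added example: HTTPS link classification with full certificate validation.
Not diyAudio's own code. The simulated_fetch responses are constructed."""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

HTTPS_OK, NEEDS_PROXY, DEAD = "https-ok", "needs-proxy", "dead"


def cert_matches_host(hostname, san_names):
    """True if a DNS name in the certificate covers hostname.

    Standard rules: case-insensitive; a wildcard covers exactly one label,
    so '*.securedata.net' matches 'www.securedata.net' but neither
    'securedata.net' nor 'a.b.securedata.net', and never another domain.
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def fetch_status(url, timeout=10):
    """HEAD the URL and return its HTTP status code.

    ssl.create_default_context() verifies both the chain and the hostname;
    a mismatch is re-raised as ssl.SSLCertVerificationError so the caller
    can tell "bad certificate" from "host unreachable". (Some hosts reject
    HEAD; a GET with a Range header is the usual fallback.)
    """
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "linkcheck/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # a 4xx/5xx still means the TLS handshake succeeded
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            raise e.reason
        raise


def classify(url, fetch=fetch_status):
    """Try HTTPS first, then plain HTTP; return (category, detail).

    `fetch` is injectable so the decision logic can be exercised offline.
    """
    parts = urlsplit(url)
    https_url = urlunsplit(parts._replace(scheme="https"))
    http_url = urlunsplit(parts._replace(scheme="http"))
    try:
        if fetch(https_url) < 400:
            return HTTPS_OK, https_url
        detail = "https: server error"
    except ssl.SSLCertVerificationError as e:
        detail = "cert-invalid: " + getattr(e, "verify_message", str(e))
    except Exception as e:  # DNS failure, refused connection, timeout, ...
        detail = "https: unreachable (%s)" % e
    try:
        if fetch(http_url) < 400:
            return NEEDS_PROXY, detail
    except Exception as e:
        detail += "; http: unreachable (%s)" % e
    return DEAD, detail


def simulated_fetch(url):
    """Constructed stand-in for fetch_status mimicking the behaviour reported
    in this thread: TLS answers with a certificate for *.securedata.net, so
    hostname verification fails, while plain HTTP returns 200."""
    if url.startswith("https://"):
        raise ssl.SSLCertVerificationError(
            "hostname 'www.theanalogdept.com' doesn't match '*.securedata.net'")
    return 200


if __name__ == "__main__":
    img = ("http://www.theanalogdept.com/images/spp6_pics/TD124%20customer/"
           "27520/E50%20sn%2048083/DSC_2781.jpg")
    print(classify(img, fetch=simulated_fetch))  # -> ('needs-proxy', 'cert-invalid: ...')
```

Run against the live URL by calling `classify(img)` with the default fetcher; a checker that only tested for "a return" would have to disable verification (for example `ssl._create_unverified_context()`), which is exactly what lets a wrong-name certificate slip through as a working HTTPS link.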
Hi Steve. In Chrome you can go to "view->developer->javascript console" to see why it doesn't load. The error is: "Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID".
You can see a full breakdown of the error here (just plug your image URL into whynopadlock.com):
Test Results: www.theanalogdept.com - Why No Padlock?
"Your SSL certificate does not match your domain name!
Protected Domains:
*.securedata.net
securedata.net
"
So that's the problem. Your domain name is theanalogdept.com but your SSL certificate is for securedata.net.
Additionally, there are some other non fatal issues (old protocol, and not forcing HTTPS).
diyaudio.com is going through a "soft" transition phase over the next few days, where we work out various things. Once we're settled in, we will be "upgrading" our security to best practise, which means:
* Using the upgrade-insecure-requests directive to force all HTTP content to be tried as HTTPS
* Using the block-all-mixed-content directive to ensure no mixed content warnings appear (ie: no HTTP content will be loaded no matter what)
* Using HSTS to ensure only the HTTPS version of diyAudio can be loaded (this is considered "normal" and is required to ensure protection from MITM attacks)
* Using 301 (permanent) redirects from HTTP to HTTPS instead of 302 (temporary)
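The four items in that list can be checked mechanically. The following is an added example, not diyAudio's configuration or code: `audit()` is a pure function over a site's plain-HTTP redirect response and its HTTPS response headers, run here on constructed "before" and "after" samples for an assumed `www.example.com`; `collect()` gathers the same inputs from a live host with urllib (network access required). The one-year HSTS minimum is an assumption, a commonly recommended value rather than anything the post states.

```python
"""Added example: audit HTTP->HTTPS redirect type, CSP directives and HSTS.
Not diyAudio's own code; sample responses below are constructed."""
import urllib.error
import urllib.request

MIN_HSTS_MAX_AGE = 31536000  # one year; assumption, a common recommendation


def parse_csp(value):
    """Turn 'directive src src; directive2' into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, subs = None, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass
        elif d.lower() == "includesubdomains":
            subs = True
    return max_age, subs


def audit(http_status, http_location, https_headers):
    """Return a list of findings; an empty list means all four items pass.

    http_status / http_location: the response to a plain-HTTP request for the
    site, with redirects NOT followed. https_headers: headers of the HTTPS
    response (names compared case-insensitively).
    """
    findings = []
    h = {k.lower(): v for k, v in https_headers.items()}

    if http_status != 301 or not (http_location or "").startswith("https://"):
        findings.append("http-redirect: expected 301 to https://, got %s -> %s"
                        % (http_status, http_location))

    csp = parse_csp(h.get("content-security-policy", ""))
    if "upgrade-insecure-requests" not in csp:
        findings.append("csp: upgrade-insecure-requests missing")
    if "block-all-mixed-content" not in csp:
        findings.append("csp: block-all-mixed-content missing")

    if "strict-transport-security" not in h:
        findings.append("hsts: header missing")
    else:
        max_age, _ = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append("hsts: max-age %s below %d" % (max_age, MIN_HSTS_MAX_AGE))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as HTTPError instead of following it


def collect(host, timeout=10):
    """Fetch audit() inputs from a live site (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open("http://%s/" % host, timeout=timeout)
        http_status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        http_status, location = e.code, e.headers.get("Location")
    with urllib.request.urlopen("https://%s/" % host, timeout=timeout) as resp:
        return http_status, location, dict(resp.headers)


# Constructed samples: a site mid-transition, and the same site hardened.
BEFORE = (302, "http://www.example.com/", {"Server": "example"})
AFTER = (301, "https://www.example.com/", {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "upgrade-insecure-requests; block-all-mixed-content",
})

if __name__ == "__main__":
    print("before:", audit(*BEFORE))  # four findings
    print("after: ", audit(*AFTER))   # []
```

For a live check, `audit(*collect("www.example.com"))` is the whole invocation; the redirect is deliberately not followed because the point being audited is the redirect's own status code.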
If you could post a link to an HTTPS Audio Asylum page with one of your HTTP images on it, I'd be curious to see how they handle it. They will either be proxying it via a HTTP to HTTPS proxy (as we are), or just letting the browser throw a mixed content warning (which isn't good, and something we aren't going to be doing).
Just a sketch - Vinyl Engine
Fwiw I'm using Firefox latest version. When I click on the links I posted above I do see similar warning messages as posted above. However when I actually visit those sites and view the links there, there are no such warnings. I suspect that the warning messages are being generated here and not anywhere else.
For instance if you visit this site:
The Analog Dept.
you will not see any warnings.
-Steve
Listening at The Analog Dept. - user510 - Vinyl Asylum
That page throws 2 mixed content warnings (one warning, for your JPG and one fatal, for an external script). This page won't get a padlock symbol, due to this.
Now, why your image is fatal on diyAudio and not a warning, I'm not sure just now. It's possibly because of the highslide script which is loading the image via a script, which is a worse category of issue. But you can be sure of one thing - the situation won't get better over time as browsers ratchet security ever tighter.
Actually I think the problem is on AA, the HTTP version is being loaded. The SSL version isn't, so the cert isn't being checked. On diyAudio, the HTTPS version is attempted, and since the cert is invalid, it's failing. The solution is to get a valid cert, which is free these days: Let's Encrypt - Free SSL/TLS Certificates.
However don't let people tell you "oh Let's Encrypt is so easy for everyone"... yes, for most it's easy. For some setups like diyAudio's, it was a PITA to get working. There are plenty of keyboard jockeys with a Wordpress site that think they know everything.
Long story short - it's the future, and we need to move on, and you need to get a valid cert. Maybe try using Cloudflare (free) for your DNS, use their caching services (free) to take load off your server and give you a SSL proxy (free), and you won't have to do a thing. They even have a SSL proxy mode where they ignore the cert validity of the origin (your site) which would work great for you without any changes at all.
Working fine again on tapatalk
Great. I just fixed that.
did something change? - didn't even notice ! using Safari all looks good.
Sadly, in Chrome, we don't even get a green padlock anymore. It's just a grey on grey padlock symbol. HTTPS is now considered "normal" and HTTPS is considered "abnormal".
I just had a chat with tech support at my web host. They inform me that in order to get an SSL working I'll need a dedicated IP addy and that will be at additional cost.
I agree re: "It's the future". In the mean time I suppose my images just won't load on this forum. Everywhere else, so far, they do.
I'll do something to modernize.
-Steve
I suspect you don't need to do anything - just sign up for Cloudflare, have them manage your DNS, and activate their SSL and caching. Zero expense. Buy you a beer if you can't do it.
Simple Secure Socket Layer (SSL)/TLS Encryption | Cloudflare
However as I know all too well "one size doesn't fit all", so YMMV
I'll still buy you that beer though!
Flexible SSL
Flexible SSL encrypts traffic from Cloudflare to end users of your website, but not from Cloudflare to your origin server. This is the easiest way to enable HTTPS because it doesn’t require installing an SSL certificate on your origin. While not as secure as the other options, Flexible SSL does protect your visitors from a large class of threats including public WiFi snooping and ad injection over HTTP.
Opportunistic Encryption
Opportunistic Encryption provides HTTP-only domains that can't upgrade to HTTPS, due to mixed content or other legacy issues, the benefits of encryption and web optimization features only available using TLS without changing a single line of code.