Site moving to HTTPS

Status
This old topic is closed. If you want to reopen this topic, contact a moderator using the "Report Post" button.
Switches things on and off again
Joined 2000
Paid Member
All (about a half million) existing externally hosted images were tested: if they worked when switched to HTTPS they were rewritten; if they didn't work over HTTPS they are now passed through an HTTPS proxy; and if they didn't work at all they were marked dead (there may be some false positives).
 
Official Court Jester
Joined 2003
Paid Member
FF is just popping up an exclamation sign, while Chrome is showing this

(with or without Kaspersky active)
 

Attachment: privacy error.jpg

PRR

Member
Joined 2003
Paid Member

"The owner of The Analog Dept. has configured their website improperly. ...
The Analog Dept. uses an invalid security certificate.
The certificate is only valid for the following names: *.securedata.net, securedata.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN
"

Certificate details: Common Name (CN): *.securedata.net

Manually connecting without the "s" works fine, of course {as AKN reports below}, because no cert is involved.

I'm wondering if Jason's script checked https links only for "a return" without checking the associated cert for full validity?
 
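The error quoted above is a hostname mismatch: the certificate names cover securedata.net, not theanalogdept.com. The following is an added example, not code from the thread, showing the name check a browser (or a properly verifying script) performs; ANALOG_DEPT_CERT is constructed in the shape Python's getpeercert() returns and carries only the names the post quotes, and probe_https is a hypothetical helper that is defined but not run here.

```python
"""Hostname check behind SSL_ERROR_BAD_CERT_DOMAIN / ERR_CERT_COMMON_NAME_INVALID.

Added example, not code from the thread. ANALOG_DEPT_CERT is constructed in
the shape ssl.SSLSocket.getpeercert() returns, holding only the names the post
quotes. Rules follow RFC 6125: SAN DNS names take precedence over the CN and a
wildcard stands for exactly one leftmost label.
"""
import socket
import ssl
from typing import Dict, List

# Constructed from the names in the quoted error text; not a real certificate.
ANALOG_DEPT_CERT: Dict = {
    "subject": ((("commonName", "*.securedata.net"),),),
    "subjectAltName": (("DNS", "*.securedata.net"), ("DNS", "securedata.net")),
}


def names_from_cert(cert: Dict) -> List[str]:
    """Names a client may match against: SAN DNS entries, else the CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]
    if "." not in suffix:  # '*.net' would cover a whole TLD; clients reject it
        return False
    label, dot, rest = host.partition(".")
    return bool(label) and dot == "." and rest == suffix  # one label only


def hostname_valid_for(cert: Dict, host: str) -> bool:
    """True when the cert covers host; False is the browser error above."""
    return any(name_matches(n, host) for n in names_from_cert(cert))


def probe_https(host: str, timeout: float = 5.0) -> List[str]:
    """Verifying probe (hypothetical helper, not run here): the default context
    has check_hostname=True, so a mismatched cert raises
    ssl.SSLCertVerificationError rather than counting as 'a return'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return names_from_cert(tls.getpeercert())
```

A link checker that disables verification would see the image "return" over HTTPS; one built on the default context fails exactly where the browser does.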
Switches things on and off again
Joined 2000
Paid Member
Hi Steve. In Chrome you can go to "view->developer->javascript console" to see why it doesn't load. The error is: "Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID".

You can see a full breakdown of the error here (just plug your image URL into whynopadlock.com):

Test Results: www.theanalogdept.com - Why No Padlock?

"Your SSL certificate does not match your domain name!

Protected Domains:
*.securedata.net
securedata.net
"

So that's the problem. Your domain name is theanalogdept.com but your SSL certificate is for securedata.net.

Additionally, there are some other non-fatal issues (old protocol, and not forcing HTTPS).

diyaudio.com is going through a "soft" transition phase over the next few days, where we work out various things. Once we're settled in, we will be "upgrading" our security to best practice, which means:

* Using the upgrade-insecure-requests directive to force all HTTP content to be tried as HTTPS
* Using the block-all-mixed-content directive to ensure no mixed content warnings appear (i.e. no HTTP content will be loaded no matter what)
* Using HSTS to ensure only the HTTPS version of diyAudio can be loaded (this is considered "normal" and is required to ensure protection from MITM attacks)
* Using 301 (permanent) redirects from HTTP to HTTPS instead of 302 (temporary)
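The four points above can be checked from a site's own responses. This is an added example, not diyAudio's code: it audits a captured http:// response (status and headers) and the https:// response headers against those points; the SOFT_* and HARDENED_* exchanges are constructed for illustration, not recorded from diyaudio.com.

```python
"""Audit the four hardening points listed for the finished HTTPS setup.

Added example, not diyAudio's code. Input is one http:// response (status and
headers) plus the https:// response headers; both exchanges below are
constructed, not captured from diyaudio.com.
"""
from typing import Dict, List


def csp_directives(csp: str) -> set:
    """Directive names present in a Content-Security-Policy value."""
    return {p.strip().split()[0].lower() for p in csp.split(";") if p.strip()}


def hsts_max_age(value: str) -> int:
    """max-age from a Strict-Transport-Security value, 0 if absent or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def audit_https_setup(http_status: int, http_headers: Dict[str, str],
                      https_headers: Dict[str, str]) -> List[str]:
    """One finding per failed point; an empty list means all four hold."""
    hs = {k.lower(): v for k, v in https_headers.items()}
    ht = {k.lower(): v for k, v in http_headers.items()}
    findings = []
    csp = csp_directives(hs.get("content-security-policy", ""))
    if "upgrade-insecure-requests" not in csp:
        findings.append("no upgrade-insecure-requests: http:// images are not retried as https://")
    # block-all-mixed-content is deprecated in CSP Level 3 but browsers still honour it
    if "block-all-mixed-content" not in csp:
        findings.append("no block-all-mixed-content: mixed-content warnings remain possible")
    if hsts_max_age(hs.get("strict-transport-security", "")) < 31536000:  # one year
        findings.append("HSTS missing or max-age under a year: http:// loads stay exposed to MITM")
    loc = ht.get("location", "")
    if http_status != 301 or not loc.startswith("https://"):
        findings.append(f"http:// answered {http_status} -> {loc or 'no Location'}; want 301 to https://")
    return findings


# Constructed exchanges: the 'soft transition' state and the target state.
SOFT_HTTP = (302, {"Location": "https://www.example.com/"})
SOFT_HTTPS = {"Content-Type": "text/html"}
HARDENED_HTTP = (301, {"Location": "https://www.example.com/"})
HARDENED_HTTPS = {
    "Content-Security-Policy": "upgrade-insecure-requests; block-all-mixed-content",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
```

Calling `audit_https_setup(*SOFT_HTTP, SOFT_HTTPS)` lists all four gaps, while the HARDENED pair returns no findings.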
 
Switches things on and off again
Joined 2000
Paid Member
If you could post a link to an HTTPS Audio Asylum page with one of your HTTP images on it, I'd be curious to see how they handle it. They will either be proxying it via an HTTP-to-HTTPS proxy (as we are), or just letting the browser throw a mixed content warning (which isn't good, and something we aren't going to be doing).
 
Just a sketch - Vinyl Engine

FWIW, I'm using the latest version of Firefox. When I click on the links I posted above I do see similar warning messages to those posted above. However, when I actually visit those sites and view the links there, there are no such warnings. I suspect that the warning messages are being generated here and not anywhere else.

For instance if you visit this site:
The Analog Dept.
you will not see any warnings.

-Steve
 
If you could post a link to an HTTPS Audio Asylum page with one of your HTTP images on it, I'd be curious to see how they handle it. They will either be proxying it via an HTTP-to-HTTPS proxy (as we are), or just letting the browser throw a mixed content warning (which isn't good, and something we aren't going to be doing).

Listening at The Analog Dept. - user510 - Vinyl Asylum
 
Switches things on and off again
Joined 2000
Paid Member
That page throws 2 mixed content warnings (one warning, for your JPG, and one fatal, for an external script). This page won't get a padlock symbol due to this.

Now, why your image is fatal on diyAudio and not a warning, I'm not sure just now. It's possibly because of the highslide script which is loading the image via a script, which is a worse category of issue. But you can be sure of one thing - the situation won't get better over time as browsers ratchet security ever tighter.

Actually I think the problem is on AA, the HTTP version is being loaded. The SSL version isn't, so the cert isn't being checked. On diyAudio, the HTTPS version is attempted, and since the cert is invalid, it's failing. The solution is to get a valid cert, which is free these days: Let's Encrypt - Free SSL/TLS Certificates.

However don't let people tell you "oh Let's Encrypt is so easy for everyone"... yes, for most it's easy. For some setups like diyAudio's, it was a PITA to get working. There are plenty of keyboard jockeys with a Wordpress site that think they know everything. :)

Long story short - it's the future, and we need to move on, and you need to get a valid cert. Maybe try using Cloudflare (free) for your DNS, use their caching services (free) to take load off your server and give you an SSL proxy (free), and you won't have to do a thing. They even have an SSL proxy mode where they ignore the cert validity of the origin (your site) which would work great for you without any changes at all.
 

Attachments: Insecure_content_blocked_and_Listening_at_The_Analog_Dept__-_user510_-_Vinyl_Asylum.png; Mixed content warning but not blocked.png
That page throws 2 mixed content warnings (one warning, for your JPG, and one fatal, for an external script). This page won't get a padlock symbol due to this.

Now, why your image is fatal on diyAudio and not a warning, I'm not sure just now. It's possibly because of the highslide script which is loading the image via a script, which is a worse category of issue. But you can be sure of one thing - the situation won't get better over time as browsers ratchet security ever tighter.

Actually I think the problem is on AA, the HTTP version is being loaded. The SSL version isn't, so the cert isn't being checked. On diyAudio, the HTTPS version is attempted, and since the cert is invalid, it's failing. The solution is to get a valid cert, which is free these days: Let's Encrypt - Free SSL/TLS Certificates.

However don't let people tell you "oh Let's Encrypt is so easy for everyone"... yes, for most it's easy. For some setups like diyAudio's, it was a PITA to get working. There are plenty of keyboard jockeys with a Wordpress site that think they know everything. :)

Long story short - it's the future, and we need to move on, and you need to get a valid cert. Maybe try using Cloudflare (free) for your DNS, use their caching services (free) to take load off your server and give you an SSL proxy (free), and you won't have to do a thing. They even have an SSL proxy mode where they ignore the cert validity of the origin (your site) which would work great for you without any changes at all.

I just had a chat with tech support at my web host. They inform me that in order to get an SSL working I'll need a dedicated IP addy and that will be at additional cost.

I agree re: "It's the future". In the meantime I suppose my images just won't load on this forum. Everywhere else, so far, they do.

I'll do something to modernize.
-Steve
 
Switches things on and off again
Joined 2000
Paid Member
I suspect you don't need to do anything - just sign up for Cloudflare, have them manage your DNS, and activate their SSL and caching. Zero expense. Buy you a beer if you can't do it.

Simple Secure Socket Layer (SSL)/TLS Encryption | Cloudflare

Flexible SSL
Flexible SSL encrypts traffic from Cloudflare to end users of your website, but not from Cloudflare to your origin server. This is the easiest way to enable HTTPS because it doesn’t require installing an SSL certificate on your origin. While not as secure as the other options, Flexible SSL does protect your visitors from a large class of threats including public WiFi snooping and ad injection over HTTP.

Opportunistic Encryption
Opportunistic Encryption provides HTTP-only domains that can't upgrade to HTTPS, due to mixed content or other legacy issues, the benefits of encryption and web optimization features only available using TLS without changing a single line of code.

However as I know all too well "one size doesn't fit all", so YMMV :) I'll still buy you that beer though!
 