Mods: Why does Diyaudio.com say "not secure"

Status
This old topic is closed. If you want to reopen this topic, contact a moderator using the "Report Post" button.
Member
Joined 2003
Paid Member
This may be a topic for General, or some other forum, but this is where my time is spent so I will ask here first.

Most any other forum I visit, and I think this one used to, have the typical "https" secure site stuff noted, but Diyaudio says "NOT SECURE" in the same place? Just wondering if it is on DiyA's end, or something on mine?

Might just be me but it seems like I have only noticed this in recent times...I do note that when going to the DIYA Store, it does in fact note "SECURE"

Russellc
 

PRR

Member
Joined 2003
Paid Member
> only noticed this in recent times...

Browsers have understood https for some years. But only in the past year+ have they been flagging https connections "good", http "insecure".

As I understand it, DIYA has not changed in years, has not converted to https. So the "recent" change is your browser, not DIYA.

This and many other long-standing issues are motivating DIYA to a Major Change, with new forum software on essentially full https (there is always an issue with outside images). Another thread in this section has some notes on progress; it is a major project and should not be rushed.
 
Switches things on and off again
Joined 2000
Paid Member
As of Chrome version 68, every single HTTP website is now marked as "not secure". All HTTPS are currently marked as "secure". Nothing has changed at diyAudio, and since we are not storing any important information like credit cards or banking details you can rest assured that everything is the same as it ever has been, and the level of your security is unchanged.

What Chrome is doing is forcing everyone to wake up to the reality that HTTPS should be the default. It's a worthy effort and I fully support it, as without some prodding difficult change doesn't happen. Same goes with GDPR (and the annoying popup system I had to make to get your re-consent to our mailing lists). Sometimes technology must be dragged kicking and screaming into the modern age, in this case the reality that the web has changed, hackers are now omnipresent, and anyone storing valuable data and transmitting it over HTTP is asking for trouble.

In a few more months HTTPS will not be marked at all - it will be considered the default standard, and I assume HTTP will get big nasty red markings. Additionally any data entry into an HTTP page will pop up a warning. That is scheduled for Chrome version 70 in October. We plan to be on HTTPS, on XenForo, before then.

Switching a large website to HTTPS isn't as easy as getting a Let's Encrypt certificate and switching from HTTP to HTTPS, and the more complex your stack and legacy bits the more complex the job of switching becomes. It took Stack Overflow 4 years, you can read about it here:

Nick Craver - HTTPS on Stack Overflow: The End of a Long Road

I actually have everything ready on the current server to enable HTTPS, that was all done 6 months ago, but the project stopped once I realized how many gotchas the switch could entail. At the moment dealing with all the growth in the store and forum is a matter of just putting one foot in front of the other and getting on with it. I am hoping to start on the XenForo migration in about a week's time. Maybe I'll just ram through the HTTPS switch as a priority before then though.
 
Switches things on and off again
Joined 2000
Paid Member
FYI, I have done more research and it looks like there are a number of tools now to help websites with insecure user submitted content deal with some of the issues that would be a big pain. There isn't any point to waiting till we move to XF, and it might even make the switch to XF more complicated so I think it's best to deal with this now and get things running smoothly before that transition. As such, work will start on this, this week.

The basic plan to handle insecure user content is to test every single URL ever posted, check if it works on HTTPS, and if it does then change the URL to HTTPS. If it doesn't, then the requests will need to be proxied via an HTTPS conversion proxy, such as Image cache & resize proxy or finally a self-hosted proxy.
 
Switches things on and off again
Joined 2000
Paid Member
Progress has been steady on the conversion. The main job was converting all insecure content (i.e. insecure hotlinked images posted by members) to secure content. A secure page can't include insecure content, which is a problem for any site like ours that references user provided content which may be insecure (90% of it was insecure). This created 4 classes of images:

  1. HTTPS images that could be left untouched
  2. HTTP images that when tested over HTTPS worked, and so the HTTP image URL could be updated to HTTPS
  3. HTTP images that were tested as dead over both HTTP (and HTTPS)
  4. HTTP images that do not work over HTTPS and need to be proxied through a 3rd party HTTP-to-HTTPS service once we move to HTTPS (we are leveraging images.weserv.nl until further notice)
Before the cleanup:

  • Posts with HTTP images (dead or alive): 140,000
  • Posts with HTTPS images (dead or alive): 16,0000

After the cleanup:

  • Posts with valid HTTPS images (either were HTTP and could be converted to HTTPS (80%), or were HTTPS to begin with (20%)): 88,664
  • Posts with dead images: 51,833
  • Posts with HTTP images that have no HTTPS accessible version, can't be served on a secure webpage, and are now proxied through images.weserv.nl: 18,559

The astonishing "link rot" of dead images is really sad, and the only way in the future to fix that is to prefer image uploads to the forum directly instead of allowing remote images to be hotlinked into posts themselves. We're all aware that the diyAudio image uploading facility is terrible, so there won't be any push yet to enforce local image upload that would make anyone's lives difficult, but we will review things once we move to XenForo and have lovely, easy, drag-and-drop image upload straight into your post.

Everything is now ready to switch over to HTTPS, but I'm having this weekend off for some snowboarding, so we'll make the switch to HTTPS next Tuesday.
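The audit described in the two posts above (test every posted URL over HTTPS, upgrade the ones that answer, leave dead ones, proxy the rest) can be written as a small classifier over the forum's `[IMG]` tags. The script below is an added illustration, not Jason's migration code; the `[IMG]...[/IMG]` BBCode shape, the `images.weserv.nl/?url=` parameter format and the `live_probe` HEAD check are assumptions, and the sample posts plus the set of "reachable" URLs are constructed so it runs offline.

```python
import re
import urllib.error
import urllib.request
from collections import Counter
from enum import Enum
from typing import Callable, List, Optional, Tuple
from urllib.parse import quote

# ASSUMED proxy URL shape: the thread names images.weserv.nl but not its parameters.
PROXY_PREFIX = "https://images.weserv.nl/?url="

# ASSUMED BBCode image tag as used in posts; tag case is preserved on rewrite.
IMG_TAG = re.compile(r"(\[img\])(.+?)(\[/img\])", re.IGNORECASE | re.DOTALL)


class ImgClass(Enum):
    HTTPS_OK = 1        # class 1: already https, left untouched
    HTTP_UPGRADED = 2   # class 2: http, but the same path answers over https
    DEAD = 3            # class 3: answers over neither scheme
    HTTP_ONLY = 4       # class 4: alive over http only, must be proxied


Probe = Callable[[str], bool]


def live_probe(url: str, timeout: float = 5.0) -> bool:
    """HEAD the URL and accept only a 200 with an image content type.
    Some hosts reject HEAD; a GET fallback would be the next refinement."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "img-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return resp.status == 200 and ctype.startswith("image/")
    except (urllib.error.URLError, OSError, ValueError):
        return False


def classify(url: str, probe: Probe) -> Optional[ImgClass]:
    """Sort one image URL into the four classes; non-http(s) URLs return None."""
    lower = url.lower()
    if lower.startswith("https://"):
        return ImgClass.HTTPS_OK
    if not lower.startswith("http://"):
        return None
    if probe("https://" + url[len("http://"):]):
        return ImgClass.HTTP_UPGRADED
    if probe(url):
        return ImgClass.HTTP_ONLY
    return ImgClass.DEAD


def rewrite_url(url: str, cls: Optional[ImgClass]) -> str:
    """Apply the action for the class: upgrade scheme, proxy, or leave as posted."""
    if cls is ImgClass.HTTP_UPGRADED:
        return "https://" + url[len("http://"):]
    if cls is ImgClass.HTTP_ONLY:
        return PROXY_PREFIX + quote(url, safe="")
    return url  # https, dead or unrecognised: leave the post untouched


def rewrite_post(text: str, probe: Probe) -> Tuple[str, Counter]:
    """Rewrite every [IMG] tag in one post and count the classes seen."""
    counts: Counter = Counter()

    def repl(m: "re.Match[str]") -> str:
        url = m.group(2).strip()
        cls = classify(url, probe)
        if cls is not None:
            counts[cls] += 1
        return m.group(1) + rewrite_url(url, cls) + m.group(3)

    return IMG_TAG.sub(repl, text), counts


def audit_posts(posts: List[str], probe: Probe) -> Tuple[List[str], Counter]:
    """Run the rewrite over a whole corpus and return totals per class."""
    rewritten, totals = [], Counter()
    for post in posts:
        new_text, counts = rewrite_post(post, probe)
        rewritten.append(new_text)
        totals.update(counts)
    return rewritten, totals


# Constructed stand-in for live HEAD requests: the set of URLs that "answer".
REACHABLE = {
    "https://cdn.example/a.jpg",                 # class 1
    "https://host-a.example/schematic.png",      # class 2: http path also works on https
    "http://host-a.example/schematic.png",
    "http://legacy.example/amp.jpg",             # class 4: http only
}


def fake_probe(url: str) -> bool:
    return url in REACHABLE


# Constructed sample posts covering all four classes.
SAMPLE_POSTS = [
    "Here is my build [IMG]https://cdn.example/a.jpg[/IMG]",
    "Schematic: [IMG]http://host-a.example/schematic.png[/IMG]",
    "Old thread [IMG]http://gone.example/dead.jpg[/IMG]",
    "[img]http://legacy.example/amp.jpg[/img] and [IMG]https://cdn.example/a.jpg[/IMG]",
]

if __name__ == "__main__":
    new_posts, totals = audit_posts(SAMPLE_POSTS, fake_probe)
    for cls in ImgClass:
        print(f"{cls.name:14s} {totals[cls]}")
    for post in new_posts:
        print(post)
```

Pass `live_probe` instead of `fake_probe` to run it against real hosts; dead images are counted but deliberately left as posted, matching the "posts with dead images" bucket in the figures above rather than silently removing them.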
 

PRR

Member
Joined 2003
Paid Member
Thank you for all the tech work you do, Jason.

Go snowboarding. (SNOW boarding?? It's hot as heck here!)

> ...We're all aware that the diyAudio image uploading facility is terrible...

Disagree.

Of the several image upload boxes I face on several forums, this is no better or worse than others. It takes essentially the same actions to work any of them.

The "from URL" is a terrific feature. If I find an image elsewhere, and suspect it may "rot", or is wrong-size, I can put a copy on DIYAudio and it will persist after the auction closes, the website dies, etc; and it will display conveniently here.

There are very real problems with any such thing. Most people can't find files on their own machines. Newer GUIs are not helping (they hide paths and extensions). The rise of teeny devices does make 2nd-window interfaces awkward.

Against this: on one other forum we are constantly necro-threaded by requests for missing images, even unto 2004. Or when hosted at FotoBucket and they killed many accounts. Or when PostImg had to move from org to cc. That happens here also, but the fact that a non-small proportion of DIYAudio images are internally hosted makes it less frequent. And it DOES make sense. I'm not saying "enforce". Maybe peer pressure.
 
Switches things on and off again
Joined 2000
Paid Member
I do love a counterpoint! Thank you.

1. "From URL" just puts the image in an IMG tag, it doesn't host it on diyAudio, and so, it will rot. That's where the 50,000 posts with dead images come from. Additionally, if it's HTTP, it won't work once we move to HTTPS, unless it is proxied via a secure image proxy (which is possible).

2. We'll have to agree to disagree on diyAudio's image upload sucking. 3 clicks and a popup window is 2 clicks and 1 popup window too many, in my book.

3. To complete the picture, 406,000 posts with attachments, and 170,000 posts with image tags in the posts themselves (some of them being diyAudio images).

4. Yes, better to educate rather than dictate!

Bottom line - we'll have an awesome image uploading system soon.
 

PRR

Member
Joined 2003
Paid Member

Attachments:

  • 270px-TibetanPlateau.jpg
  • fromURL-DIYAudio.gif
Switches things on and off again
Joined 2000
Paid Member
Sorry I thought you were talking about the quick image add button (in the editor). You are absolutely correct. Believe it or not due to seeing that same popup for 20 years and only ever using the "find files" option, I'd developed a blind spot and forgot that the functionality was even there. I'm not sure I've used that once myself. Web usage blind spots can be amazing. Well, in that case, it's even easier than I thought to add external content, so there's almost no excuse to use the IMG tag for anything of value.
 
> This may be a topic for General, or some other forum, but this is where my time is spent so I will ask here first.
>
> Most any other forum I visit, and I think this one used to, have the typical "https" secure site stuff noted, but Diyaudio says "NOT SECURE" in the same place? Just wondering if it is on DiyA's end, or something on mine?
>
> Might just be me but it seems like I have only noticed this in recent times...I do note that when going to the DIYA Store, it does in fact note "SECURE"
>
> Russellc

Are you using Chrome? If yes, Google has made some changes to Chrome starting with either version 67 or 68 to flag any website that is not https as "not secure" to start raising awareness related to security on the web.
 

PRR

Member
Joined 2003
Paid Member
> ...same popup for 20 years and only ever using the "find files" option, I'd developed a blind spot...

After posting, I realized we might be looking at different things and added the picture of where I was stuffing an image URL.

While it opens problems of Copyright, it does keep images WITH their posts until DIYAudio crumbles. (Or until you are sent a take-down and feel you must comply.)
 

PRR

Member
Joined 2003
Paid Member
> certificate cost 14 USD.

In nearby threads, Jason has explained much of the HTTPS process. As you probably know, it is not "just $14". All links internal and external must be looked at, and this old place has millions of links. He's been working on it for a while, but as a mostly-volunteer operation, he can't just throw man-hours at it.

Since we do NOT have bank-info stuff here, it has not been a high priority, until recent browser changes started highlighting non-HTTPS sites.
 
>All links internal and external must be looked at, and this old place has millions of links ...

It is simple - links can be updated automatically. The parameter will be something like replace http:// with https://

HTTPS should be a high priority even if you are not handling payment details. It is important for Google and SEO, for getting new members here, and some people won't trust a website marked as "not secure" while competitors have a site marked 'secure'.

Also, a CDN can do part of the fixing: automatic 301 redirection from HTTP to HTTPS.
 