http: logins are so 1990 :)

Found a bug in R'n'D? Report it here!

Moderators: Flumminator, Zomis

Post Reply
filbo
Posts: 647
Joined: Fri Jun 20, 2014 10:06 am

http: logins are so 1990 :)

Post by filbo »

rnd-fo.png
rnd-fo.png (38.75 KiB) Viewed 4615 times
I see https:// works as well -- maybe you should shut down http:// or at least
put a big "hey, maybe you shouldn't use this, click here for the secure version"
link on the http login page?

Meanwhile, editing my bookmark... :)
User avatar
Holger
Site Admin
Posts: 4073
Joined: Fri Jun 18, 2004 4:13 pm
Location: Germany
Contact:

Re: http: logins are so 1990 :)

Post by Holger »

You are absolutely right, again. :-D

But instead of adding a big warning sign, I should rather redirect all HTTP URLs to their respective HTTPS counterparts. (Currently this is only done for one single URL -- http://artsoft.org/ , which gets redirected to https://www.artsoft.org/ .)

The reason it does not yet work that way for *all* URLs is simply that artsoft.org has HTTPS support only for a few months, using free SSL certificates from the "Let's Encrypt" project. Before permanently switching everything to HTTPS, I want to see how well automatic certificate renewal works, as the certificates always expire after three months and then need renewal. The first renewal worked well a few weeks ago; if it continues to work flawlessly, I think I can safely redirect everything to HTTPS.

There's one problem though, and it's a problem with the forum, for which I'm unsure if there is a good solution: When using HTTPS, there are quite number of "mixed content" warnings (due to external HTTP links to images and other stuff). Of course it's better than plain HTTP, but it's a bit nasty... :-/
filbo
Posts: 647
Joined: Fri Jun 20, 2014 10:06 am

Re: http: logins are so 1990 :)

Post by filbo »

Hmmm, yeah, that's a problem.

Are those links emitted by the forum software itself, or inline images etc. referred to by
user-supplied link? If the software itself, I would think you could find or provide https
equivalents (but might be a bit much messy surgery on the code)...
User avatar
Holger
Site Admin
Posts: 4073
Joined: Fri Jun 18, 2004 4:13 pm
Location: Germany
Contact:

Re: http: logins are so 1990 :)

Post by Holger »

No, internal forum content (including stuff uploaded by users) is linked to https just fine. It's all about links to external resources provided by users; see this page for an obvious example: viewtopic.php?f=5&t=2271

But in most cases it's the non-obvious ones, like this: viewtopic.php?f=5&t=2270

So you only need one single user's external avatar image to trigger the "mixed content" warning... :(
filbo
Posts: 647
Joined: Fri Jun 20, 2014 10:06 am

Re: http: logins are so 1990 :)

Post by filbo »

hmmm, I guess I would say, go HTTPS and send a broadcast PM to users whose avatars etc. are http:, showing them how their comments are uglified and how they should fix it...

Won't do any good for users who aren't active any more, but mostly their comment won't be looked at, so overall effect should be adequate.
Post Reply