Move caniuse.com to HTTPS #885
Comments
|
Hi @konklone, thanks for the information and suggestion. I am indeed considering this for the site, just need some time and research to look into it properly. SSLMate looks like a good choice, thanks too for suggesting that. One thing I should note is that that API's actually an unofficial one, I generally prefer people to use the NPM package to access the data. But that's something I should probably talk to the HTML5Rocks people about. Thanks, I'll update this issue once I've made progress on moving to HTTPS. |
|
Why not just use CloudFlare? They can power the DNS, CDN caching and SSL for visitors. The free plan is plenty and I'm sure they're willing to help out if you need anything else. |
|
Actually if you try to access the site with HTTPS it throws me the error "ssl_error_rx_record_too_long" in Firefox. So certainly there is something wrong. |
|
And please, no, don't use Cloudflare. At least not the "Flexible SSL" version which is MITM-SSL. |
|
I have also seen WoSign recommended a lot. Another issue with HTTP is documented in Codinghorror's Welcome to The Internet of Compromised things. |
|
+1000 I guess https://letsencrypt.org/ would be proper |
|
+1 for Let's Encrypt. Fits an open source project in my opinion. |
|
Yeah Let's Encrypt is nice. |
|
Let's Encrypt is now Public Beta: https://letsencrypt.org/2015/12/03/entering-public-beta.html One could use this: https://github.com/diafygi/gethttpsforfree |
|
For a static site, one simple (and excellent!) option would be netlify.com. Free SSL, free cdn (for OS projects), push to build, push to deploy, and a host of other goodies. I'm not affiliated, just a happy user. |
|
If I can help somehow with getting the site moved to HTTPS please let me know. But Let’s Encrypt is designed to make it all as easy as possible, and in my experience so far with using Let’s Encrypt to move a number of different sites to HTTPS, it pretty much “just works” and takes very little time. |
|
ping :-) caniuse.com is a great reference, but it's very awkward to link to HTTP pages for information about browser security features like http://caniuse.com/#feat=stricttransportsecurity I can't find any simple clues about how caniuse.com is hosted, but if there is something external contributors can do to get you to switch to HTTPS (particularly Let's Encrypt), I'd be happy to pitch in. |
|
IT IS DONE! Using Let's Encrypt as per almost everyone's suggestion. Enjoy everybody! |
|
Awesome, but you should improve your config. Last time I checked (when I could still connect) you used TLS 1.0 and some not-so-good cipher. Have a look at the Mozilla generator for a good config. |
|
Yeah, looking at that SSL Report (https://www.ssllabs.com/ssltest/analyze.html?d=caniuse.com) the config should definitely be improved, as SSL 3 is still enabled and the POODLE attack is possible, among other things. Sorry for being greedy, Fyrd 0:-) EDIT: I see, you already commented: #3343 (comment) |
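Added example, not part of any comment in this thread and not the project's code: a small audit that flags the kind of findings raised above (SSL 3 and TLS 1.0 still enabled, weak ciphers) in a server's TLS settings. It assumes nginx-style `ssl_protocols` and `ssl_ciphers` directives, since the thread does not say which server caniuse.com runs; the function name and both sample configs are constructed for illustration.

```python
import re

# Protocol tokens accepted by nginx's ssl_protocols directive that should be off.
WEAK_PROTOCOLS = {
    "SSLv2": "obsolete",
    "SSLv3": "exposed to POODLE",
    "TLSv1": "TLS 1.0, deprecated",
    "TLSv1.1": "deprecated",
}
# Substrings of OpenSSL cipher names that mark weak suites (DES also covers 3DES).
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "EXP", "NULL")
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.M)

def audit_tls_config(text):
    """Return findings for weak protocols/ciphers in an nginx-style config."""
    findings, seen = [], set()
    for name, value in DIRECTIVE.findall(text):
        seen.add(name)
        if name == "ssl_protocols":
            findings += [f"protocol {p}: {WEAK_PROTOCOLS[p]}"
                         for p in value.split() if p in WEAK_PROTOCOLS]
            continue
        for cipher in value.strip().strip("'\"").split(":"):
            if cipher.startswith(("!", "-")):  # exclusions remove suites, skip them
                continue
            hit = next((t for t in WEAK_CIPHER_TOKENS if t in cipher.upper()), None)
            if hit:
                findings.append(f"cipher {cipher}: weak ({hit})")
    if "ssl_protocols" not in seen:
        findings.append("ssl_protocols not set: the server default applies")
    return findings

# Constructed sample configs (not caniuse.com's real configuration).
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA:!aNULL;
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
}
"""

if __name__ == "__main__":
    for finding in audit_tls_config(WEAK_CONF):
        print(finding)
```

A static check like this complements an external scan such as the SSL Labs report linked above; it only sees what the config file declares, not what the running server negotiates.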
|
Sure, I'll look into this. Also apparently setting it to https by default resulted in major lag and downtime once more traffic hit the site so I guess I'll need to do a bit more investigating before I can turn that back on. |
|
It would help to know the implementation - in general HTTPS shouldn't introduce significant lag alone. How are you hosting/terminating? |
|
Also you could enable HTTP/2, which makes HTTPS faster than HTTP. |
|
@Fyrd https://mozilla.github.io/server-side-tls/ssl-config-generator/ may be helpful, even if you use the Intermediate or Old preset. |
|
But rather use the "modern" one… |
|
Might be a good idea to open this issue again, since you've had to disable it by default. |
I'd like caniuse, as a central resource to the web community, to consider moving the site to HTTPS.
The content on caniuse itself isn't very sensitive, but when viewed at large scale, all web traffic should be considered sensitive and potentially correlated with other websites in unpredictable ways. As or more importantly, ISPs like Verizon and Comcast are now routinely injecting tracking material into their customers' traffic -- using HTTPS protects visitors to caniuse from being manipulated this way.
The web community is in the middle of a big push to get the web moved over to HTTPS. Groups at the W3C, IETF, and Internet Architecture Board (IETF's sister org) have all declared that it's the web's future.
Part of getting this to happen is getting web developers to see it by the websites they visit, and to expect it of themselves. caniuse can lead by example.
One thing I didn't realize was that caniuse has an API, which means that it can inhibit sites depending on caniuse from themselves moving. In #63 (comment), @mikewest said:
As @mikewest noted in that thread, StartSSL provides free certificates, and I've written a guide to using them. However, nowadays I recommend SSLMate for easy, CLI-driven certificate issuance, though it is $16/year.