Force HTTPS on diesel.rs website #1073

Closed
MicroJoe opened this Issue Aug 5, 2017 · 7 comments

MicroJoe commented Aug 5, 2017

Because why not, in 2017? I had to manually enter the "s" into the URL to see that the site supports it, but by default I arrived on the HTTP version using the Qwant search engine. Also, the website is easy to remember, but when I enter it in the browser address bar it sends me to the HTTP version.

I have tried to search for any similar issue but only stumbled upon #808. #800 may be related to that too.

Related help page: https://help.github.com/articles/securing-your-github-pages-site-with-https/

Addendum: all links in the README redirect to HTTP pages, this is sad.

Member

Eijebong commented Aug 5, 2017

I think the problem is that GitHub Pages doesn't allow you to force HTTPS if you're using a custom domain (which of course we are).

Member

killercup commented Aug 5, 2017

Just had a look and we are using

> Opportunistic Encryption
>
> Opportunistic Encryption allows browsers to benefit from the improved performance of HTTP/2 and SPDY by letting them know that your site is available over an encrypted connection. Browsers will continue to show "http" in the address bar, not "https".

but not

> Always use HTTPS
>
> Redirect all requests with scheme "http" to "https". This applies to all http requests to the zone.

Member

sgrif commented Aug 5, 2017

I don't really have a strong feeling for or against forcing it, but we should make sure everything on the domain actually works with HTTPS first.

Member

killercup commented Aug 5, 2017

@sgrif the only external resources are code.jquery.com and Google Fonts, both are already using HTTPS.

The intra-site links seem to assume HTTP, i.e., https://diesel.rs links to http://diesel.rs/guides/. Not sure why. Also, there's a typo in the "canonicical" meta tag here.

tl;dr I think we can just enable "Always use HTTPS".
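
The pre-flight check discussed in the two comments above (does anything on the page still hard-code `http://`?) can be automated before a redirect is switched on. This is an added example, not part of the original thread or the Diesel project's tooling; the `audit` helper, the finding labels, and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class HttpRefAudit(HTMLParser):
    """Collect every explicit http:// URL in href/src attributes of one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        for name in ("href", "src"):
            url = attrs.get(name) or ""
            parts = urlsplit(url)
            if parts.scheme.lower() != "http":
                continue  # https, relative and protocol-relative URLs are fine
            same_site = (parts.hostname or "").lower() == self.site_host
            if tag == "link" and "canonical" in rel:
                kind = "canonical"        # declares the http URL as preferred
            elif tag == "a":
                kind = "intra-site-link" if same_site else "external-link"
            else:
                kind = "mixed-content"    # subresource fetched in cleartext
            self.findings.append((kind, tag, url))


def audit(html, site_host):
    parser = HttpRefAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not the real diesel.rs markup).
SAMPLE = """
<link rel="canonical" href="http://diesel.rs/">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<script src="https://code.jquery.com/jquery.min.js"></script>
<a href="http://diesel.rs/guides/">Guides</a>
<a href="/docs/">Docs</a>
<img src="http://example.invalid/logo.png">
"""

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE, "diesel.rs"):
        print(f"{kind:16} <{tag}> {url}")
```

Findings of kind `mixed-content` are the ones that break a page once it is served only over HTTPS; `intra-site-link` and `canonical` findings keep working behind a redirect but cost an extra cleartext round trip each time.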

Member

sgrif commented Aug 5, 2017

👍 from me then.

Member

sgrif commented Dec 16, 2017

I've been making it a point to ensure as little assumes protocol as possible. So if you're using HTTPS, you should stay in HTTPS. However, right now our SSL support is implemented by basically having Cloudflare do a giant MITM attack on us. Until we have "proper" SSL support (which is unlikely to happen until GitHub Pages supports it for custom domains), I don't think it makes much sense to force its usage.

sgrif closed this Dec 16, 2017
