This repository has been archived by the owner on Apr 13, 2023. It is now read-only.

Migrate to https-only #354

Closed
FroMage opened this issue Nov 2, 2015 · 16 comments

Comments

@FroMage
Contributor

FroMage commented Nov 2, 2015

No description provided.

@FroMage FroMage added this to the 1.3 milestone Nov 2, 2015
@FroMage
Contributor Author

FroMage commented Nov 2, 2015

Depends on #335

@FroMage
Contributor Author

FroMage commented Nov 24, 2015

Now depends on eclipse-archived/ceylon-web-ide-backend#89

@lucaswerkmeister
Contributor

Web IDE now supports HTTPS, main website still gives the now unnecessary 403.

@quintesse
Contributor

@lucaswerkmeister yes, isn't that issue #389?

@lucaswerkmeister
Contributor

well yes, I consider that one to be a duplicate of this issue. (I guess it’s a bit more specific since this issue wants HTTPS-only, i. e. redirect all non-https accesses to HTTPS.)

(And on that topic… even Herd, which is already HTTPS-only, doesn’t send HSTS headers. It should totally do that.)

@quintesse
Contributor

HSTS headers? So many things I don't know

@lucaswerkmeister
Contributor

HTTP Strict Transport Security. You send a header, like

Strict-Transport-Security:"max-age=31536000; includeSubDomains"

which tells the user agent (i. e., browser) to

  • for the next 31536000 seconds (1 year), only access this domain via HTTPS – any HTTP URL is rewritten to HTTPS – and
  • this also applies to subdomains.

The effect is similar to a regular redirect, but it’s more secure – once you’ve seen an HSTS header, your browser does the redirect automatically, and you can’t be MITM’ed before the secure connection is established. (HSTS does some other things as well, like disabling “add exception” if there’s an SSL error, but that’s not as relevant.)

The next level is HPKP, HTTP Public Key Pinning. You put a max-age into it, plus a hash of your certificate. (The RFC conveniently gives you an openssl command that spits out the hash for your certificate file.) Until the max-age expires, connections to your domain may only be made if that certificate appears in the chain. (You usually pin your own certificate, but you could also just pin your CA.) Even if an attacker can get a certificate for your domain – there are lots of trusted CAs these days, lots of potential failure points – it’s no good if the user has an HPKP record that isn’t too old yet.
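The HSTS mechanism described in the comment above, as an added example that is not part of the thread and not code from the Ceylon website project: a parser for the `Strict-Transport-Security` value (RFC 6797 rules: `max-age` is mandatory, directive names are case-insensitive, a repeated directive invalidates the header), a reviewer's assessment of the deployed value, and the client-side step that makes HSTS stronger than a plain redirect, namely rewriting `http://` to `https://` from a stored policy before any request is sent, including for subdomains when `includeSubDomains` is set. The host names used are constructed placeholders.

```python
"""Added example: parse, assess and apply Strict-Transport-Security (RFC 6797).

Not code from the Ceylon website repository; the host names below are
constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # the max-age used in the thread: 365 days in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the header value. Directive names are case-insensitive and the
    max-age value may be quoted; max-age is mandatory (RFC 6797 section 6.1)."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    unknown: List[str] = []
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            # RFC 6797 6.1: the UA must ignore the header if a directive repeats
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"invalid max-age: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            unknown.append(directive)  # unknown directives are ignored, not fatal
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload, unknown)


def assess_hsts(value: str) -> List[str]:
    """Return the findings a reviewer would raise about a deployed HSTS header."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 deletes the stored policy; http:// is accepted again")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age}s is below the usual one-year minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload requires max-age >= 1 year and includeSubDomains")
    return findings


# What the user agent remembers: host -> (policy, time the header was seen)
KnownHosts = Dict[str, Tuple[HstsPolicy, float]]


def upgrade_url(url: str, known: KnownHosts, now: float) -> str:
    """Client side of HSTS: rewrite http:// to https:// when an unexpired
    policy covers the host, exactly or via includeSubDomains. The rewrite
    happens before any request leaves the browser, unlike a server redirect."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    for policy_host, (policy, seen_at) in known.items():
        if now - seen_at > policy.max_age:
            continue  # policy expired; the UA forgets it
        covered = host == policy_host or (
            policy.include_subdomains and host.endswith("." + policy_host))
        if covered:
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    header = "max-age=31536000; includeSubDomains"  # the value quoted in the thread
    print("findings:", assess_hsts(header) or "none")
    known: KnownHosts = {"example.org": (parse_hsts(header), 0.0)}  # constructed
    print(upgrade_url("http://ide.example.org/", known, now=3600.0))
```

The one-year threshold in `assess_hsts` is the value the thread itself uses and the minimum the browser preload list asks for; a site that is still testing its HTTPS setup can legitimately start lower and raise it, which is why the check reports a finding rather than an error.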

@quintesse
Contributor

Cool thanks :)

@quintesse
Contributor

Btw, both issues that were identified as blockers for this issue have been closed, so I guess this can now move forward.

@FroMage
Contributor Author

FroMage commented Sep 12, 2016

Done.

@FroMage FroMage closed this as completed Sep 12, 2016
@lucaswerkmeister
Contributor

With HSTS and everything! Thanks, man!

@tombentley

I'm told that "Firefox has blocked parts of this page that are not secure".

@lucaswerkmeister
Contributor

fonts.googleapis.com and disqus.com, apparently. Both support HTTPS, so we just need to find the URLs…

@lucaswerkmeister
Contributor

Weird:

$ git clean -fdx && grep -rF $'disqus.com\nfonts.googleapis.com'
_ext/mydisqus.rb:              dsq.src = "//#{site.disqus}.disqus.com/embed.js";
_ext/mydisqus.rb:            <noscript>Please enable JavaScript to view the <a href="//disqus.com/?ref_noscript=#{site.disqus}">comments powered by Disqus.</a></noscript>
_ext/mydisqus.rb:              s.src = "//disqus.com/forums/#{site.disqus}/count.js";
_layouts/base.html.haml:    %link{ :href=>'//fonts.googleapis.com/css?family=Source+Sans+Pro|PT+Sans|PT+Sans:700|Inconsolata|Inconsolata:700|Arvo', :rel=>'stylesheet', :type=>'text/css' }
blog/2016-04-20-ceylon-on-mobile.md:                   https://fonts.googleapis.com

No http: links in here – they’re all either protocol-relative or https:.
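The check done by hand with `grep` above, as an added example that is not part of the thread and not code from the website repository: scan source files for remote resource references and classify each as `http:`, `https:` or protocol-relative. Only explicit `http:` references produce the "blocked parts of this page" warning on an HTTPS page (scripts and stylesheets are active mixed content and get blocked); protocol-relative URLs inherit the page's scheme, so they are fine once the site is served over HTTPS only. The sample files are constructed to resemble the grep output, with one extra `http:` line added so the scanner has something to flag.

```python
"""Added example: find remote resource references in website sources and flag
those that would be mixed content on an HTTPS page. Not code from the Ceylon
website repository; the sample files are constructed to resemble the grep
output in the thread."""
import re
from typing import Dict, List, Tuple

# Absolute or protocol-relative URL in source text. The host may contain
# template interpolation such as #{...} (as in the Ruby extension the thread
# greps) and must contain a dot, so '//' line comments are not picked up.
# This is a heuristic for source files, not a full URL parser.
URL_RE = re.compile(
    r'(?P<scheme>https?:)?//(?P<host>[^\s"\'<>/]*\.[^\s"\'<>/]+)(?P<rest>[^\s"\'<>)]*)'
)

KINDS = {"http:": "http", "https:": "https", None: "protocol-relative"}


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, url) for every remote reference found."""
    refs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL_RE.finditer(line):
            refs.append((lineno, KINDS[m.group("scheme")], m.group(0)))
    return refs


def mixed_content_findings(files: Dict[str, str]) -> List[str]:
    """Only explicit http: references break an HTTPS page. Protocol-relative
    URLs inherit the page's scheme, so they are fine once the site itself is
    served over HTTPS, which is what the thread concludes."""
    findings = []
    for path, text in files.items():
        for lineno, kind, url in scan_text(text):
            if kind == "http":
                findings.append(f"{path}:{lineno}: {url}")
    return findings


# Constructed sample files modelled on the sources named in the thread; the
# last one is invented so that the scanner has an http: reference to report.
SAMPLE_FILES = {
    "_ext/mydisqus.rb": 'dsq.src = "//#{site.disqus}.disqus.com/embed.js";\n',
    "_layouts/base.html.haml": "%link{ :href=>'//fonts.googleapis.com/css?family=Arvo', :rel=>'stylesheet' }\n",
    "blog/post.md": "Fonts are loaded from https://fonts.googleapis.com\n",
    "_layouts/legacy.html": '<script src="http://cdn.example.com/analytics.js"></script>\n',
}

if __name__ == "__main__":
    for path, text in SAMPLE_FILES.items():
        for lineno, kind, url in scan_text(text):
            print(f"{path}:{lineno} [{kind}] {url}")
    print("mixed content:", mixed_content_findings(SAMPLE_FILES) or "none")
```

Run against a real checkout, read each file into the `files` dict and the findings list is the set of lines to fix; an empty list is the same conclusion the thread reached by inspection.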

@lucaswerkmeister
Contributor

I’m not seeing those errors in the console anymore. @tombentley do you still get them? Perhaps it was caching or something

@tombentley

Nope, they're gone for me too now.

quintesse added a commit to eclipse-archived/ceylon that referenced this issue Sep 13, 2016
… proper (counted) download URLs for Ceylon Bootstrap