Using HTTPS results in TLS warning

[client9]

TLS Cert is incorrect.

In Chrome:

Your connection is not private

Attackers might be trying to steal your information from choosealicense.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
  Automatically report details of possible security incidents to Google. Privacy policy
Back to safetyHide advanced
This server could not prove that it is choosealicense.com; its security certificate is from www.github.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to choosealicense.com (unsafe)

and www is the same

Your connection is not private

Attackers might be trying to steal your information from www.choosealicense.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
  Automatically report details of possible security incidents to Google. Privacy policy
Back to safetyHide advanced
This server could not prove that it is www.choosealicense.com; its security certificate is from www.github.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to www.choosealicense.com (unsafe)

[strugee]

@client9 thanks for filing this issue, but I don't think it'll be fixed soon. choosealicense.com is hosted on GitHub Pages. This is a known problem with GitHub Pages and GitHub hasn't seemed interested in fixing it. (Also, technically it's somewhat difficult.)

tl;dr: they know, and don't care. :(

[OmgImAlexis]

@strugee would it be possible for choosealicense.com to use Cloudflare as a proxy between their universal SSL and Github's SSL?
https://blog.keanulee.com/2014/10/11/setting-up-ssl-on-github-pages.html
https://sheharyar.me/blog/free-ssl-for-github-pages-with-custom-domains/

[strugee]

I haven't looked at the links, but I know what you're talking about.

Since GitHub already uses Cloudflare for GitHub Pages I doubt they'll throw another Cloudflare instance in front of it, which would be a hacky solution. Instead I think they'll probably just file an internal ticket about it, which is nice (because then eventually it's fixed for everyone) but also sucks (because then we have to wait).

Maybe. I'm just guessing; I don't really know and I don't speak for GitHub.

[benbalter]

Instead I think they'll probably just file an internal ticket about it

This is that ticket. 😄

This is a known problem with GitHub Pages and GitHub hasn't seemed interested in fixing it.

GitHub Pages (which hosts this site) does not currently support HTTPS. It's one of our most consistent feature requests, but as you noted, it's a non-negligible technical challenge, especially around custom domains.

[strugee]

@benbalter out of curiosity, what's preventing you guys from doing this for non-custom domains? CloudFlare already supports TLS termination, so why can't you just deploy TLS on your origin servers and issue redirects? Obviously custom domains are way harder - but why is *.github.io an issue? Scalability? Mixed content?

Just wondering. Thanks for being responsive :)

[benbalter]

what's preventing you guys from doing this for non-custom domains?

Making it a great experience for users with all levels of technical and security knowledge. Mixed content is a big part. There's also a question of where the encryptions is stripped (FWIW, we don't use CloudFlare). And that's just for github.io. When you start thinking about custom domains and cert material, things get complicated fast. We want to do it right.

[strugee]

@benbalter oh, I thought you used CloudFlare as your CDN. Guess you have your own then (nice!). Thanks for the response!