Using HTTPS results in TLS warning #299

Closed
client9 opened this Issue Oct 20, 2015 · 7 comments

client9 commented Oct 20, 2015

TLS Cert is incorrect.

In Chrome:

Your connection is not private

Attackers might be trying to steal your information from choosealicense.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
  Automatically report details of possible security incidents to Google. Privacy policy
Back to safety | Hide advanced
This server could not prove that it is choosealicense.com; its security certificate is from www.github.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to choosealicense.com (unsafe)

and www is the same


Your connection is not private

Attackers might be trying to steal your information from www.choosealicense.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
  Automatically report details of possible security incidents to Google. Privacy policy
Back to safety | Hide advanced
This server could not prove that it is www.choosealicense.com; its security certificate is from www.github.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to www.choosealicense.com (unsafe)
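
The mismatch Chrome reports above is a failed comparison between the requested host and the DNS names in the served certificate. The following is an added example, not part of the original issue or the project's code, showing that comparison with strict single-label wildcard handling; the name list and the `example.github.io` hosts are constructed for illustration, since the issue only states that the certificate was for www.github.com.

```python
# Added example: check which certificate DNS names cover a requested hostname.
# CONSTRUCTED_NAMES is a made-up name list for illustration; it is NOT copied
# from the certificate the reporter was served.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only when it is the entire left-most label,
    and it stands for exactly one label (no "*.com", no "f*.example.com").
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Simplification: require two fixed labels after the wildcard.
        # Browsers consult the public suffix list for this instead.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def covering_names(host: str, cert_names: list[str]) -> list[str]:
    """Return the certificate names that validly cover `host`."""
    return [n for n in cert_names if name_matches(n, host)]


def audit(hosts: list[str], cert_names: list[str]) -> dict[str, list[str]]:
    """Map each host to the names covering it; an empty list is a mismatch."""
    return {h: covering_names(h, cert_names) for h in hosts}


# Constructed sample data (assumptions, see lead-in).
CONSTRUCTED_NAMES = ["www.github.com", "*.github.com", "github.com", "*.github.io"]
HOSTS = [
    "choosealicense.com",      # custom domain from the issue
    "www.choosealicense.com",  # custom domain from the issue
    "www.github.com",
    "example.github.io",       # hypothetical project site
    "a.b.github.io",           # two labels deep: a wildcard does not reach it
]

if __name__ == "__main__":
    for host, names in audit(HOSTS, CONSTRUCTED_NAMES).items():
        verdict = "OK via " + ", ".join(names) if names else "NAME MISMATCH"
        print(f"{host:26} {verdict}")
```
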

strugee commented Oct 24, 2015

@client9 thanks for filing this issue, but I don't think it'll be fixed soon. choosealicense.com is hosted on GitHub Pages. This is a known problem with GitHub Pages and GitHub hasn't seemed interested in fixing it. (Also, technically it's somewhat difficult.)

tl;dr: they know, and don't care. :(

Contributor

OmgImAlexis commented Oct 25, 2015

@strugee would it be possible for choosealicense.com to use Cloudflare as a proxy between their universal SSL and GitHub's SSL?
https://blog.keanulee.com/2014/10/11/setting-up-ssl-on-github-pages.html
https://sheharyar.me/blog/free-ssl-for-github-pages-with-custom-domains/

strugee commented Oct 26, 2015

I haven't looked at the links, but I know what you're talking about.

Since GitHub already uses Cloudflare for GitHub Pages I doubt they'll throw another Cloudflare instance in front of it, which would be a hacky solution. Instead I think they'll probably just file an internal ticket about it, which is nice (because then eventually it's fixed for everyone) but also sucks (because then we have to wait).

Maybe. I'm just guessing; I don't really know and I don't speak for GitHub.

Contributor

benbalter commented Nov 2, 2015

> Instead I think they'll probably just file an internal ticket about it

This is that ticket. 😄

> This is a known problem with GitHub Pages and GitHub hasn't seemed interested in fixing it.

GitHub Pages (which hosts this site) does not currently support HTTPS. It's one of our most consistent feature requests, but as you noted, it's a non-negligible technical challenge, especially around custom domains.

strugee commented Nov 19, 2015

@benbalter out of curiosity, what's preventing you guys from doing this for non-custom domains? CloudFlare already supports TLS termination, so why can't you just deploy TLS on your origin servers and issue redirects? Obviously custom domains are way harder - but why is *.github.io an issue? Scalability? Mixed content?

Just wondering. Thanks for being responsive :)

Contributor

benbalter commented Nov 19, 2015

> what's preventing you guys from doing this for non-custom domains?

Making it a great experience for users with all levels of technical and security knowledge. Mixed content is a big part. There's also a question of where the encryption is stripped (FWIW, we don't use CloudFlare). And that's just for github.io. When you start thinking about custom domains and cert material, things get complicated fast. We want to do it right.

benbalter closed this Nov 19, 2015

strugee commented Nov 19, 2015

@benbalter oh, I thought you used CloudFlare as your CDN. Guess you have your own then (nice!). Thanks for the response!
