Forum still uses HTTP rather than HTTPS #1118
Replies: 17 comments
-
Posted at 2021-11-10 by @gfwilliams Hi, Thanks - yes, the issue is actually that I don't host the forum myself (it uses https://microcosm.app/) so it's not quite so easy to change the certificates. I'll have to get in touch with the developers. Web browsers aren't going to start actively blocking HTTP are they? All the sign-in is handled by Auth0 (which is HTTPS) so using bare HTTP isn't a huge security risk. |
Beta Was this translation helpful? Give feedback.
-
Posted at 2021-11-10 by Andreas_Rozek I can't predict when people will no longer be able to use HTTP. What I am observing is that Google Chrome is raising the bar continuously, e.g., by introducing concepts like "Content Security Policies" or disallowing self-signed certificates etc. If you start with the preparations to migrate to HTTPS soon enough you won't have to worry about the time it will take and will instead be prepared for the final switch. |
Beta Was this translation helpful? Give feedback.
-
Posted at 2021-11-11 by @gfwilliams Thanks, yes, that's true. However I'm also a little concerned about the current search performance of the forum - it may be Google pushing HTTP results down the list, but it could be something else about this forum. I am wondering about swapping to something else at some point which I host - specifically if we at least have the option of more of a Stack Overflow Q&A so the actual helpful posts don't get buried amongst 'me too' type replies |
Beta Was this translation helpful? Give feedback.
-
Posted at 2021-11-11 by ingoiotESPruino please do not consider a discourse(.org) type forum - this awful style gets overused lately |
Beta Was this translation helpful? Give feedback.
-
Posted at 2021-11-23 by @gfwilliams I'm with you on that - I hate those too :) |
Beta Was this translation helpful? Give feedback.
-
Posted at 2021-12-14 by hasmar04 I've personally not had any problems with discourse from a user's perspective. Just wondering what your experiences have been? |
Beta Was this translation helpful? Give feedback.
-
Posted at 2021-12-15 by lluisrovira Hello, I'm not a experienced devOps but you can use cloudflare as DNS server, then you don't need to configure any certificate. You could use their proxy and configure a rule to connect to your server using http. |
Beta Was this translation helpful? Give feedback.
-
Posted at 2021-12-17 by Danielo515 I really feel uncomfortable using a forum that works on HTTP, please migrate to HTTPS as soon as possible. As @lluisrovira already mentioned there are some alternatives. Even if auth is handled using auth0 (which I never noticed, and I guess most users didn't either) using HTTP nowadays will scare out most users. Regards |
Beta Was this translation helpful? Give feedback.
-
Posted at 2021-12-17 by ChrisS Cloudflare has its privacy issues, too. I would rather prefer a solution without a third party being involved. |
Beta Was this translation helpful? Give feedback.
-
Posted at 2022-09-20 by KTibow hmmmmAttachments: |
Beta Was this translation helpful? Give feedback.
-
Posted at 2022-09-21 by @gfwilliams Oh great - how did you get this? You literally just went to http://forum.espruino.com/ ? |
Beta Was this translation helpful? Give feedback.
-
Posted at 2022-09-21 by parasquid You get it when you go to https://forum.espruino.com/conversations/369818/ (note the https) According to the cert, it's only valid for *.microcosm.app domain (and this is forum.espruino.com) |
Beta Was this translation helpful? Give feedback.
-
Posted at 2022-09-23 by @gfwilliams Right - but you have to have explicitly changed it to https? Because normally it uses http. |
Beta Was this translation helpful? Give feedback.
-
Posted at 2022-09-23 by parasquid Yeah, but some browsers will automatically change to https. For example, https://support.mozilla.org/en-US/kb/https-only-mode-firefox-android by default will use https only (but you can change in settings) https://support.mozilla.org/en-US/kb/https-only-prefs some people also enable this and haven't set an exception for the forum. |
Beta Was this translation helpful? Give feedback.
-
Posted at 2022-09-26 by @gfwilliams Ok, I see what I can do to get this sorted... |
Beta Was this translation helpful? Give feedback.
-
Posted at 2022-09-28 by @gfwilliams I think I've sorted this now. I now serve everything through my server which then proxies it over, so we should have a valid HTTPS certificate I think. It should also auto-redirect to HTTPS from HTTP now ... DNS may take a little while to update though |
Beta Was this translation helpful? Give feedback.
-
Posted at 2022-10-09 by parasquid Looks great for me! :) I can see the Let's Encrypt cert and chain as valid. |
Beta Was this translation helpful? Give feedback.
-
Posted at 2021-11-09 by Andreas_Rozek
Hello Gordon,
I just noticed that the forum still uses HTTP rather than HTTPS - which may make it difficult to use modern browsers in the near future.
Since
espruino.com
already uses HTTPS, it should not be difficult to get a certificate (just addforum.espruino.com
as an "alternative subject name".What remains may a configuration change of port 80 to 443 and to load certificate and private key in your forum software.
From then on, you should not have to care about browser security restrictions for quite a while, I'd guess.
With greetings from Germany,
Andreas Rozek
Beta Was this translation helpful? Give feedback.
All reactions