Forum still uses HTTP rather than HTTPS

[espruino-discuss2]

Posted at 2021-11-09 by Andreas_Rozek

Hello Gordon,

I just noticed that the forum still uses HTTP rather than HTTPS - which may make it difficult to use modern browsers in the near future.

Since espruino.com already uses HTTPS, it should not be difficult to get a certificate (just add forum.espruino.com as an "alternative subject name".

What remains may a configuration change of port 80 to 443 and to load certificate and private key in your forum software.

From then on, you should not have to care about browser security restrictions for quite a while, I'd guess.

With greetings from Germany,

Andreas Rozek

[gfwilliams]

Posted at 2021-11-10 by @gfwilliams

Hi,

Thanks - yes, the issue is actually that I don't host the forum myself (it uses https://microcosm.app/) so it's not quite so easy to change the certificates. I'll have to get in touch with the developers.

Web browsers aren't going to start actively blocking HTTP are they? All the sign-in is handled by Auth0 (which is HTTPS) so using bare HTTP isn't a huge security risk.

[espruino-discuss2]

Posted at 2021-11-10 by Andreas_Rozek

I can't predict when people will no longer be able to use HTTP. What I am observing is that Google Chrome is raising the bar continuously, e.g., by introducing concepts like "Content Security Policies" or disallowing self-signed certificates etc.

If you start with the preparations to migrate to HTTPS soon enough you won't have to worry about the time it will take and will instead be prepared for the final switch.

[gfwilliams]

Posted at 2021-11-11 by @gfwilliams

Thanks, yes, that's true.

However I'm also a little concerned about the current search performance of the forum - it may be Google pushing HTTP results down the list, but it could be something else about this forum. I am wondering about swapping to something else at some point which I host - specifically if we at least have the option of more of a Stack Overflow Q&A so the actual helpful posts don't get buried amongst 'me too' type replies

[espruino-discuss2]

Posted at 2021-11-11 by ingoiotESPruino

please do not consider a discourse(.org) type forum - this awful style gets overused lately

[gfwilliams]

Posted at 2021-11-23 by @gfwilliams

I'm with you on that - I hate those too :)

[espruino-discuss2]

Posted at 2021-12-14 by hasmar04

I've personally not had any problems with discourse from a user's perspective. Just wondering what your experiences have been?

[espruino-discuss2]

Posted at 2021-12-15 by lluisrovira

Hello,

I'm not a experienced devOps but you can use cloudflare as DNS server, then you don't need to configure any certificate. You could use their proxy and configure a rule to connect to your server using http.

[espruino-discuss2]

Posted at 2021-12-17 by Danielo515

I really feel uncomfortable using a forum that works on HTTP, please migrate to HTTPS as soon as possible. As @lluisrovira already mentioned there are some alternatives. Even if auth is handled using auth0 (which I never noticed, and I guess most users didn't either) using HTTP nowadays will scare out most users.
I don't want people sniffing on my post threads or on my private messages.

Regards

[espruino-discuss2]

Posted at 2021-12-17 by ChrisS

Cloudflare has its privacy issues, too. I would rather prefer a solution without a third party being involved.

[espruino-discuss2]

Posted at 2022-09-20 by KTibow

hmmmm

Attachments:

• Screenshot from 2022-09-20 16-59-08.png

[gfwilliams]

Posted at 2022-09-21 by @gfwilliams

Oh great - how did you get this? You literally just went to http://forum.espruino.com/ ?

[espruino-discuss2]

Posted at 2022-09-21 by parasquid

You get it when you go to https://forum.espruino.com/conversations/369818/ (note the https)

According to the cert, it's only valid for *.microcosm.app domain (and this is forum.espruino.com)

[gfwilliams]

Posted at 2022-09-23 by @gfwilliams

Right - but you have to have explicitly changed it to https? Because normally it uses http.

[espruino-discuss2]

Posted at 2022-09-23 by parasquid

Yeah, but some browsers will automatically change to https.

For example, https://support.mozilla.org/en-US/kb/https-only-mode-firefox-android by default will use https only (but you can change in settings)

https://support.mozilla.org/en-US/kb/https-only-prefs some people also enable this and haven't set an exception for the forum.

[gfwilliams]

Posted at 2022-09-26 by @gfwilliams

Ok, I see what I can do to get this sorted...

[gfwilliams]

Posted at 2022-09-28 by @gfwilliams

I think I've sorted this now. I now serve everything through my server which then proxies it over, so we should have a valid HTTPS certificate I think. It should also auto-redirect to HTTPS from HTTP now

... DNS may take a little while to update though

[espruino-discuss2]

Posted at 2022-10-09 by parasquid

Looks great for me! :) I can see the Let's Encrypt cert and chain as valid.