Forum still uses HTTP rather than HTTPS

  • Hello Gordon,

    I just noticed that the forum still uses HTTP rather than HTTPS - which may make it difficult to use modern browsers in the near future.

    Since espruino.com already uses HTTPS, it should not be difficult to get a certificate (just add forum.espruino.com as an "alternative subject name").

    What remains may be a configuration change of port 80 to 443 and to load certificate and private key in your forum software.

    From then on, you should not have to care about browser security restrictions for quite a while, I'd guess.

    With greetings from Germany,

    Andreas Rozek

  • Hi,

    Thanks - yes, the issue is actually that I don't host the forum myself (it uses https://microcosm.app/) so it's not quite so easy to change the certificates. I'll have to get in touch with the developers.

    Web browsers aren't going to start actively blocking HTTP are they? All the sign-in is handled by Auth0 (which is HTTPS) so using bare HTTP isn't a huge security risk.

  • I can't predict when people will no longer be able to use HTTP. What I am observing is that Google Chrome is raising the bar continuously, e.g., by introducing concepts like "Content Security Policies" or disallowing self-signed certificates etc.

    If you start with the preparations to migrate to HTTPS soon enough you won't have to worry about the time it will take and will instead be prepared for the final switch.

  • Thanks, yes, that's true.

    However I'm also a little concerned about the current search performance of the forum - it may be Google pushing HTTP results down the list, but it could be something else about this forum. I am wondering about swapping to something else at some point which I host - specifically if we at least have the option of more of a Stack Overflow Q&A so the actual helpful posts don't get buried amongst 'me too' type replies

  • please do not consider a discourse(.org) type forum - this awful style gets overused lately

  • I'm with you on that - I hate those too :)

  • I've personally not had any problems with discourse from a user's perspective. Just wondering what your experiences have been?

  • Hello,

    I'm not an experienced devOps but you can use Cloudflare as DNS server, then you don't need to configure any certificate. You could use their proxy and configure a rule to connect to your server using http.

  • I really feel uncomfortable using a forum that works on HTTP, please migrate to HTTPS as soon as possible. As @lluisrovira already mentioned there are some alternatives. Even if auth is handled using auth0 (which I never noticed, and I guess most users didn't either) using HTTP nowadays will scare out most users.
    I don't want people sniffing on my post threads or on my private messages.

    Regards

  • Cloudflare has its privacy issues, too. I would rather prefer a solution without a third party being involved.

  • hmmmm


    1 Attachment

    • Screenshot from 2022-09-20 16-59-08.png
  • Oh great - how did you get this? You literally just went to http://forum.espruino.com/ ?

  • You get it when you go to https://forum.espruino.com/conversations/369818/ (note the https)

    According to the cert, it's only valid for *.microcosm.app domain (and this is forum.espruino.com)

  • Right - but you have to have explicitly changed it to https? Because normally it uses http.

  • Yeah, but some browsers will automatically change to https.

    For example, https://support.mozilla.org/en-US/kb/https-only-mode-firefox-android by default will use https only (but you can change in settings)

    https://support.mozilla.org/en-US/kb/https-only-prefs some people also enable this and haven't set an exception for the forum.

  • Ok, I see what I can do to get this sorted...

  • I think I've sorted this now. I now serve everything through my server which then proxies it over, so we should have a valid HTTPS certificate I think. It should also auto-redirect to HTTPS from HTTP now

    ... DNS may take a little while to update though

  • Looks great for me! :) I can see the Let's Encrypt cert and chain as valid.
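
The certificate mismatch reported in this thread (a certificate for *.microcosm.app served for forum.espruino.com), shown as an added example that is not part of any post or of the forum's software: a simplified RFC 6125 style matcher for dNSName entries. The function names and the second SAN list are constructed for illustration.

```python
"""Hostname vs. subjectAltName matching, simplified from RFC 6125 section 6.4.3.

Added illustration only: real clients use their TLS library's verifier.
"""


def _labels(name):
    # DNS names are case-insensitive; a trailing dot is the root label.
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, pattern):
    """Return True if one dNSName SAN entry covers `hostname`."""
    host, pat = _labels(hostname), _labels(pattern)
    # "*" stands for exactly one label, so the label counts must agree.
    if "" in host or len(host) != len(pat):
        return False
    # A wildcard is only honoured in the leftmost label.
    if any("*" in label for label in pat[1:]):
        return False
    if pat[0] == "*":
        # Browser practice: reject overly broad patterns such as "*.com".
        return len(pat) >= 3 and host[1:] == pat[1:]
    if "*" in pat[0]:
        return False  # partial wildcards ("f*.example.org") rejected here
    return host == pat


def covering_sans(hostname, san_list):
    """Return the SAN entries that make the certificate valid for `hostname`."""
    return [p for p in san_list if san_matches(hostname, p)]


# Name on the certificate as described in the thread.
HOSTED_PLATFORM_SANS = ["*.microcosm.app"]
# Constructed: a certificate that lists the forum name as an alternative name.
FIXED_SANS = ["espruino.com", "forum.espruino.com"]

if __name__ == "__main__":
    for sans in (HOSTED_PLATFORM_SANS, FIXED_SANS):
        hits = covering_sans("forum.espruino.com", sans)
        print(sans, "->", "valid via " + hits[0] if hits else "name mismatch")
```
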


Posted by @Andreas_Rozek