AppImage / AppImageKit

Package desktop applications as AppImages that run on common Linux-based operating systems, such as RHEL, CentOS, openSUSE, SLED, Ubuntu, Fedora, Debian and derivatives. Join #AppImage on irc.libera.chat
http://appimage.org

appimage.org not working in some browsers #520

Closed probonopd closed 6 years ago

probonopd commented 6 years ago
  1. Default Firefox browser shipped with Ubuntu 14.04: Does not open https://appimage.org/, nor does it give any error message. It simply does nothing at all.

  2. Chromium 50.0.2644.0 custom (64-bit) gives ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY with no human-understandable explanation. [screenshot: screenshot_2017-11-09_20-01-31]

Before the switch to non-GitHub hosting all was working.

probonopd commented 6 years ago

Also, changing something in gh-releases is not immediately reflected on https://appimage.org/ which makes it harder than before to see the result of a change. How often is it synced?

TheAssassin commented 6 years ago

@probonopd I already told you it pulls every 5 minutes, so your changes are deployed within 2-3 minutes on average. Real-time synchronizations are on the way when I get back to finishing https://github.com/TheAssassin/docker-deploy.

Regarding the errors you have had with your browser, you never really showed me a real error message which I could use as a starting point for debugging. Basically, your old browsers do try to use an older cipher to secure the HTTP2 connection, which isn't possible. As the Let's Encrypt forum suggests, this is mostly due to using an outdated browser with HTTP2 pages. The problem is not necessarily on the server, but some lacking HTTP2 support in those browsers. Now, I'll have to look into whether the ciphers suggested there are anything usable (they might be too old and insecure). I hadn't changed any SSL/TLS ciphers because NGINX usually picks sane defaults. I'd suggest you update your browsers, as the newer one we tried worked fine for you, but I will look into changing the ciphers or deactivating HTTP2 (sacrificing the speed improvements it brought).
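The cipher requirement behind ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY, as an added example that is not part of the original thread: RFC 7540 (section 9.2.2 and Appendix A) requires TLS 1.2 or later for HTTP/2 and prohibits suites without ephemeral key exchange or without an AEAD cipher. The sketch below applies that rule to OpenSSL cipher names; the three-field log layout (`$remote_addr $ssl_protocol $ssl_cipher`) and the sample lines are assumptions constructed for illustration.

```python
import re

# Name-based heuristic for the RFC 7540 Appendix A principle, applied to
# OpenSSL cipher names (the form nginx exposes in $ssl_cipher).
EPHEMERAL = re.compile(r"^(ECDHE|DHE)-")
AEAD = re.compile(r"GCM|CCM|CHACHA20")


def h2_transport_problem(tls_version, cipher):
    """Return None if the negotiated pair is acceptable for HTTP/2,
    otherwise a short reason a strict client would reject it."""
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        return "HTTP/2 requires TLS 1.2 or later"
    if tls_version == "TLSv1.3":
        return None  # all TLS 1.3 suites are AEAD with ephemeral key exchange
    if not EPHEMERAL.match(cipher):
        return "key exchange is not ephemeral"
    if not AEAD.search(cipher):
        return "cipher is not AEAD (CBC, RC4, 3DES and NULL are prohibited)"
    return None


# Constructed sample log, assumed format: $remote_addr $ssl_protocol $ssl_cipher
SAMPLE_LOG = """\
198.51.100.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.11 TLSv1.2 ECDHE-RSA-AES256-SHA
198.51.100.12 TLSv1.2 AES128-GCM-SHA256
198.51.100.13 TLSv1 ECDHE-RSA-AES128-SHA
198.51.100.14 TLSv1.3 TLS_AES_128_GCM_SHA256
"""


def audit(log_text):
    """Map each client whose negotiated TLS parameters would fail the
    HTTP/2 requirement to the reason, skipping malformed lines."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, version, cipher = parts
        reason = h2_transport_problem(version, cipher)
        if reason:
            findings[client] = reason
    return findings


if __name__ == "__main__":
    for client, reason in audit(SAMPLE_LOG).items():
        print(f"{client}: {reason}")
```

Running this over logs collected while the site still serves HTTP/1.1 shows which clients end up on a prohibited suite before HTTP/2 is switched on.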

probonopd commented 6 years ago

@TheAssassin it is important that the site is reachable with the default browser shipped with the oldest still-supported Ubuntu LTS. Otherwise we need to roll back to http, as we have no private information on the homepage anyways.

TheAssassin commented 6 years ago

> Otherwise we need to roll back to http, as we have no private information on the homepage anyways.

Using SSL doesn't have anything to do with "non-private information". There are a zillion reasons not to use HTTP any more, beginning with possibilities to inject malicious data without SSL, or the collection of metadata.

> HTTP is not encrypted and is vulnerable to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information, and modify webpages to inject malware or advertisements. HTTPS is designed to withstand such attacks and is considered secure against them (with the exception of older, deprecated versions of SSL).
> -- https://en.wikipedia.org/wiki/HTTPS#Difference_from_HTTP

But I agree, I am looking for a solution already. I'll turn off HTTP2 for now, that should fix the issues for now.

probonopd commented 6 years ago

Seems to have done the trick. Thanks!