MithrilJS / mithril.js

A JavaScript Framework for Building Brilliant Applications
https://mithril.js.org
MIT License

Invalid certificate error at https://mithriljs.org #1539

Closed IBwWG closed 7 years ago

IBwWG commented 7 years ago

Description:

Attempting to connect via HTTPS to the main mithril site gives an error.

Steps to Reproduce:

Go to https://mithriljs.org/

Expected:

see the site

Actual:

mithriljs.org uses an invalid security certificate. The certificate is only valid for the following names: .github.com, github.com, .github.io Error code: SSL_ERROR_BAD_CERT_DOMAIN

pygy commented 7 years ago

The official home page is https://mithril.js.org, but it exhibits the same issue. This is due to the fact that these are just forwarding requests to GitHub pages, which are served with the GH certificate.

I think the project would need dedicated hosting to serve an appropriate cert.
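Added example (not part of any comment in this thread, and not the browser's own code): a simplified RFC 6125-style name check showing why both hostnames fail against a certificate issued for GitHub's names while a `*.github.io` host passes. The SAN list is constructed from the error message above, and the `*.` wildcard prefixes and function names are assumptions.

```javascript
// Constructed sample: certificate names taken from the error message in the
// first post. The "*." wildcard prefixes are an assumption.
const GITHUB_PAGES_SANS = ["*.github.com", "github.com", "*.github.io"];

// Returns true when `host` is covered by a single certificate name `pattern`.
function nameMatches(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, "").split(".");
  const p = pattern.toLowerCase().replace(/\.$/, "").split(".");
  // A wildcard stands for exactly one label, so label counts must be equal.
  if (h.length !== p.length) return false;
  return p.every((label, i) => {
    // A wildcard is honoured only as the complete left-most label.
    if (label === "*") return i === 0 && h[i].length > 0;
    return label === h[i];
  });
}

// Returns the certificate names that cover `host`; empty means a mismatch.
function matchingNames(host, sans) {
  return sans.filter((pattern) => nameMatches(host, pattern));
}

// Mirrors the accept/reject decision for the hostnames discussed here.
function checkHost(host, sans = GITHUB_PAGES_SANS) {
  const matched = matchingNames(host, sans);
  return matched.length > 0
    ? { host, ok: true, matched }
    : { host, ok: false, error: "SSL_ERROR_BAD_CERT_DOMAIN" };
}

const hosts = [
  "mithriljs.org",   // custom domain forwarded to GitHub Pages
  "mithril.js.org",  // js.org subdomain forwarded to GitHub Pages
  "tivac.github.io", // covered by the *.github.io wildcard
  "github.io",       // apex: a wildcard does not cover the bare domain
  "a.b.github.io",   // two labels deep: a wildcard covers only one label
];
for (const host of hosts) {
  console.log(checkHost(host));
}
```

A custom domain passes this check only when whatever terminates TLS presents a certificate that lists that domain, which is why the comments that follow turn to a proxy or dedicated hosting.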

RiverSongFox commented 7 years ago

Another option might be using a CDN that serves site contents with HTTPS; for instance, CloudFlare.

orbitbot commented 7 years ago

GitHub recently started enforcing TLS on GitHub Pages, so I would assume there should be some kind of working configuration to support custom domains already (but couldn't find one with a quick google). Some DNS providers have a "github forward" setting for domains, but I can't recall what exactly it did. IIRC that worked with TLS, but at the time there wasn't a reliable way to force https connections, which would have been the only issue to me at the time.

pygy commented 7 years ago

AFAIK, since you're forwarding to GH, you run into a similar issue for the Cloudflare => GitHub link that still must be in clear, while you give the users the illusion that data integrity is guaranteed...

Is there a way to set up GitHub pages with a custom domain and a CloudFlare proxy with guaranteed end-to-end encryption?

Edit, I missed @orbitbot's reply, apparently it might be possible...

orbitbot commented 7 years ago

Actually, working through a site setup right now, it seems that GH cannot enforce TLS with a custom domain. I was not able to avoid the certificate issue with A records, and unfortunately don't have access to a DNS provider that would support ALIAS or ANAME configs right now. Might still be possible with the latter approaches, but I can't confirm.

DanielRuf commented 7 years ago

I do not have any issues adding a domain name to Cloudflare, adding the two A-records and enforcing TLS using HSTS.

https://www.ssllabs.com/ssltest/analyze.html?d=websectools.com&hideResults=on&latest

And preloading does also work ;-)

https://hstspreload.org/?domain=websectools.com

So you need at least a proxy for the TLS certificate and HSTS. But it works without any issues.

Some resources:

https://blog.keanulee.com/2014/10/11/setting-up-ssl-on-github-pages.html

https://sheharyar.me/blog/free-ssl-for-github-pages-with-custom-domains/

A working HSTS setting (and possibly HPKP if you want more security and also CAA) should be enough for this.

pygy commented 7 years ago

Quoting the first post:

Drawbacks

It’s important to note that this setup is not fully secure - the connection between CloudFlare and GitHub pages is not secured. Since GitHub doesn’t have a SSL certificate for your domain, Full SSL is not possible with a custom domain. However, this setup does provide some protection for your users (e.g. from the hacker on the same unsecured Wi-Fi network), and it allows your site to behave as if it has SSL (e.g. for web crawlers, APIs).

You will be baked, and then there will be cake...

tivac commented 7 years ago

CloudFlare should support talking to a *.github.io domain over HTTPS though, right? Those have valid HTTPS certs, see https://tivac.github.io/

pygy commented 7 years ago

IIRC you can't map https://project.com to https://user.github.io/project through Cloudflare. That was my conclusion maybe two years ago when I looked into the problem, but I may be wrong.

DanielRuf commented 7 years ago

Is it really an issue if the connection between GitHub and Cloudflare is not fully secured? Fact is, the bad certificate warning is gone after this and the website is also available over https. For better security and full transport encryption use own hosting and git pull from the repo using webhooks.

dead-claudia commented 7 years ago

Closing, since this issue has not been updated in over a month, and typically, issues inactive for that long do not usually produce any action. If you feel something in Mithril needs added or changed, please file a new issue.

IBwWG commented 7 years ago

Well, if someone ever does want to take this up again, @pygy I just happened across an article that may address mapping apex domains through Cloudflare: https://www.toptal.com/github/unlimited-scale-web-hosting-github-pages-cloudflare#find-wise-software-architect-experts

tivac commented 7 years ago

This is fixed, turns out it was a simple config change necessary on the js.org side, https://github.com/js-org/dns.js.org/pull/1150