codeforgermany / click_that_hood

A game where users must identify a city's neighborhoods as fast as possible
http://click-that-hood.com
MIT License

Visiting click-that-hood.com throws a strong warning regarding an invalid SSL certificate #55

Open mwichary opened 11 years ago

mwichary commented 11 years ago

When you visit https://click-that-hood.com:

You attempted to reach click-that-hood.com, but instead you actually reached a server identifying itself as *.heroku.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of click-that-hood.com. You should not proceed, especially if you have never seen this warning before for this site.

We don’t really advertise HTTPS, but some people somehow use it anyway.

yesezra commented 11 years ago

I believe the only way to solve this problem would be to purchase an SSL certificate and enable SSL on Heroku (which IIRC costs $36/mo).

@dthompson, any thoughts?

mwichary commented 11 years ago

Not worth it, then. :·)

specious commented 3 years ago

It looks like the SSL certificate was valid when the site was hosted on Heroku.

$ http -v https://click-that-hood.com
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: click-that-hood.com
User-Agent: HTTPie/2.5.0

http: error: SSLError: HTTPSConnectionPool(host='click-that-hood.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError("hostname 'click-that-hood.com' doesn't match '*.herokuapp.com'"))) while doing a GET request to URL: https://click-that-hood.com/

It looks like now it's hosted on an Amazon EC2 instance. Successful visitors are probably loading it with plain HTTP at the moment.
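The hostname mismatch in the HTTPie error above, reproduced offline as an added example (not code from this thread or from the project): a simplified RFC 6125-style check of a requested hostname against the DNS names a certificate presents. The function names and the sample hostname `example-app.herokuapp.com` are assumptions made up for illustration.

```python
from __future__ import annotations

# Added example: simplified RFC 6125-style hostname matching.
# All certificate name lists used with it are constructed sample input.


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate DNS name (optionally wildcarded) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or several
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:]:
        return False  # everything right of the first label must be identical
    if first == "*":
        # Require two labels after the wildcard so a name like "*.com" never matches.
        return len(rest) >= 2 and h_labels[0] != ""
    # Partial wildcards such as "f*.example.com" are rejected in this example.
    return "*" not in first and first == h_labels[0]


def explain(hostname: str, cert_names: list[str]) -> str:
    """Name the certificate entry that covers hostname, or report the mismatch."""
    for name in cert_names:
        if name_matches(name, hostname):
            return f"ok: {hostname} is covered by {name}"
    return f"mismatch: {hostname} is not covered by any of {cert_names}"


if __name__ == "__main__":
    # The custom domain against the wildcard name quoted in the error message.
    print(explain("click-that-hood.com", ["*.herokuapp.com"]))
    # A constructed platform subdomain, which the same wildcard does cover.
    print(explain("example-app.herokuapp.com", ["*.herokuapp.com"]))
    # A certificate issued for the custom domain itself.
    print(explain("click-that-hood.com", ["click-that-hood.com"]))
```

A wildcard only stands in for the leftmost label under the same parent domain, so a platform certificate can never validate a custom domain; the custom domain needs its own name in the certificate.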

specious commented 3 years ago

Let's Encrypt might be able to supply a free SSL certificate.

fnogatz commented 3 years ago

Yeah, the publicly available instance at http://click-that-hood.com/ is currently still hosted by Code for America. We will move to another machine of Code for Germany and update the DNS record once we upgrade the dependencies and make Click that Hood run reliably on recent versions of node.js.

The internet has changed quite a lot in the last 8 years. With Let's Encrypt, SSL certificates are available today free of charge, so we can easily adopt one for click-that-hood.com.