neveragaindottech / neveragaindottech.github.io

Source files for the neveragain.tech site
http://neveragain.tech

neveragain.tech doesn't have working HTTPS #46

Open KellerFuchs opened 7 years ago

KellerFuchs commented 7 years ago

The repo links to https://neveragain.tech, but the DNS records point to pages.github.com, and the server doesn't have a certificate valid for neveragain.tech.

jomo commented 7 years ago

Cloudflare would be a possible way to get working https for free on github pages.

KellerFuchs commented 7 years ago

@jomo On principle, I'm not sure using a service known to make life hard for users of privacy-preserving technology (esp. Tor users) would be very nice there :-(

npdoty commented 7 years ago

Unfortunately, GitHub pages doesn't support HTTPS for custom domains. https://help.github.com/articles/securing-your-github-pages-site-with-https/

Could we host this off of GitHub pages? It seems particularly concerning since one of the pledges is:

to implement security and privacy best practices, in particular, for end-to-end encryption to be the default wherever possible.

jwineman commented 7 years ago

Shameless plug (I work for Cloudflare) but our Free plan has SSL and you could configure the github page to be the Cloudflare origin following the instructions here: https://blog.cloudflare.com/secure-and-fast-github-pages-with-cloudflare/

jomo commented 7 years ago

@jwineman am I missing something? How does that solve the issue with Tor users pointed out by @KellerFuchs?

npdoty commented 7 years ago

See related issue (from 2014) for GitHub Pages and HTTPS support: https://github.com/isaacs/github/issues/156

jwineman commented 7 years ago

@jomo - Sorry, I should have elaborated more. The previous comment wasn't meant to address @KellerFuchs's TOR comments, only to give more detailed instructions around how to configure SSL for github pages on Cloudflare.

Without trying to derail the thread I'll just reiterate that we don't block TOR and we treat TOR IP addresses like any other IP address. In addition we have a challenge bypass specification proposal out which would allow bypassing challenge pages using signed tokens that guarantee anonymity to the user.

jomo commented 7 years ago

GitLab pages does support TLS.

junosuarez commented 7 years ago

Could I suggest changing the link in the repository description to point to the non-https URL until http is implemented? The site links to this repo, which is served on GitHub over HTTPS, which verifies authenticity. The usability concern of having a broken link in the mean time should be weighed against other concerns which HTTPS addresses.

Or, the site could be served from a GitHub pages subdomain with HTTPS rather than the custom domain name.

KellerFuchs commented 7 years ago

@jsdnxx Yeah, that's why I reported this in the first place :3

jacobmischka commented 7 years ago

I would personally vouch for netlify, their free plan is equivalent to github pages, but it supports SSL certificates on custom domains, and a few other niceties. They also offer their third tier for free to open source projects.

I've switched all of my github pages sites to netlify and have been very happy so far.

FiloSottile commented 7 years ago

You can (and probably should for a static website) completely whitelist Tor on Cloudflare.

https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-

Please don't hesitate to contact me or @jwineman for questions or help setting it up.

remram44 commented 7 years ago

For a static website you have no reason to enable ANY of CloudFlare's security/captcha features. It's what I do. Just let it terminate TLS and cache.

Also you can whitelist TOR, if for some reason you want to enable security features (why would you? you don't have anything to protect)

tdfischer commented 7 years ago

(why would you? you don't have anything to protect)

Whitelisting Tor (not TOR) is not meant to protect the site. It is meant to protect people at risk who might read this page while under the surveillance of a State that seeks to persecute and harm dissidents.

remram44 commented 7 years ago

I wrote "why would you [enable security features]".

FiloSottile commented 7 years ago

They have had support for HTTPS when using github.io subdomains for a bit, but still nothing for custom domains like neveragain.tech

jwineman commented 7 years ago

yeah, deleted the comment when I realized it didn't fix the issue.

konklone commented 7 years ago

One downside of using CloudFlare with GHP is that it wouldn't be encrypted all the way back to the origin. Specifically, it'd be in plain text between whatever CloudFlare point of presence the user is near, and somewhere on GitHub's CDN (Fastly).

You could pay a few bucks for a service like surge.sh, which does direct HTTPS termination for $13/month: https://surge.sh/pricing

FiloSottile commented 7 years ago

Minor correction: it would not be plain text, as you can use the default "Full SSL" mode, which is HTTPS to the origin. It would however be unauthenticated, as you can't use "Strict SSL" because GitHub only has certificates for github.io.
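To make concrete what the opening comment observed (a certificate that is not valid for neveragain.tech) and what the correction just above means by "Strict SSL" (the proxy verifying that the origin certificate actually covers the requested name), here is an added example of the hostname check a TLS client performs against a certificate's subjectAltName list. It is not code from this thread, from GitHub, or from Cloudflare. The SAN list is constructed to resemble what a GitHub Pages origin could present; the real certificate may differ, and `live_check` (which needs network access) is the way to see what is served today.

```python
"""Hostname matching against certificate SAN entries, RFC 6125 style.

Added example for the neveragain.tech HTTPS discussion; the SAN list below
is constructed, not copied from a real certificate.
"""
import socket
import ssl

# Constructed: names a GitHub Pages origin might carry. Note that neither
# neveragain.tech nor any other custom domain appears here.
GITHUB_PAGES_SANS = ["*.github.io", "github.io", "*.github.com", "github.com"]


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname.

    Rules applied (the conservative subset browsers use):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is only honoured as the entire leftmost label;
      * the wildcard matches exactly one label, so *.github.io covers
        foo.github.io but not github.io and not a.b.github.io;
      * a wildcard needs at least two labels after it.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # wildcard somewhere other than the whole leftmost label
    if len(p_labels) < 3:
        return False  # refuse "*.tld" style patterns
    if len(h_labels) != len(p_labels):
        return False  # wildcard covers exactly one label
    return h_labels[1:] == p_labels[1:]


def cert_valid_for(sans, hostname: str) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(san_matches(san, hostname) for san in sans)


def live_check(hostname: str, connect_host: str = None, port: int = 443, timeout: float = 5.0):
    """Connect to connect_host (default: hostname) and let the standard
    library verify the chain and the hostname, exactly as a browser would.
    Returns (True, subject) on success or (False, reason) on failure.
    Requires network access; not exercised by the offline examples below."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((connect_host or hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        return False, str(exc)
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    for name in ("neveragaindottech.github.io", "neveragain.tech", "a.b.github.io", "GitHub.IO"):
        print(f"{name:32} valid: {cert_valid_for(GITHUB_PAGES_SANS, name)}")
```

With this SAN list the github.io subdomain passes and the custom domain fails, which is why a proxy in a "Strict" mode (origin certificate must validate for the name) cannot be used in front of GitHub Pages for a custom domain, while a mode that encrypts to the origin without checking the name can.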

Ethanb00 commented 7 years ago

FWIW, BitDefender is now flagging the site. I get a "Caution is Advised" warning.

aschrijver commented 6 years ago

It seems like the HTTPS issues are resolved, so the references in README and description can be changed back to show that (best-practice, http is not-done anymore :slightly_smiling_face: )

remram44 commented 6 years ago

See announcement: https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

remram44 commented 6 years ago

PR #2587 updates the links!

aschrijver commented 6 years ago

thanks @remram44 :+1:

after merging the PR last but not least there is the repository description to adjust..