octachrome / treason

A clone of the card game Coup written in Node.js

Serving website through HTTPS #22

Closed einsteinsfool closed 6 years ago

einsteinsfool commented 6 years ago

It would be cool if coup.thebrown.net was served over HTTPS. HTTPS is not only about privacy. It's also about security. Scripts can be injected in HTTP websites. So someone can mine cryptocurrency in my browser or display porn ads.

Adding HSTS too would be perfect. It's a header that says that all pages should only be displayed over HTTPS. So even if someone goes to http://coup.thebrown.net they will be presented with the HTTPS version. And it's better than just redirecting to the HTTPS equivalent, as no unencrypted data is sent.

octachrome commented 6 years ago

This is pretty easy to do now we have https://letsencrypt.org/. I will take a look some time.

einsteinsfool commented 6 years ago

Yeah. And since March Let's Encrypt supports wildcards.

octachrome commented 6 years ago

I have enabled HTTPS. Give it a try and let me know if you have any issues. If all goes well I'll add HSTS and HTTP redirects.

octachrome commented 6 years ago

I just realised when you switch to HTTPS, it forgets your ranking info, because I use local storage to store your user id, and local storage is per-domain, including the scheme. I will need to create an HTTP redirector page which copies your user id into local storage with the HTTPS scheme so that people don't lose their ranking when switching.

einsteinsfool commented 6 years ago

Thanks! Good catch with the ranking. I use addons that clear cookies and local storage so I wouldn't notice.

I did notice that HTTPS works in Chromium 67 but not in Firefox 62. Even when I launched Firefox in safe mode (without addons) it was still redirecting me to HTTP. Can you check that yourself? If it works for you I'll ask some friends to check and try to reset my about:config options. But they shouldn't have broken that.

JackieNiebling commented 6 years ago

I've tried with Firefox 61.0.1 (64-bit) and it works fine with HTTPS

octachrome commented 6 years ago

I can reproduce the problem, but I don't understand it. I wonder if it is related to the fact that there are two domains with the same cert: https://treason.thebrown.net works in Firefox, but https://coup.thebrown.net downgrades to HTTP. It's not a server redirect, it seems to be the browser that decides to do this, maybe after having problems validating the cert.

octachrome commented 6 years ago

I was messing around with dev tools, trying to see what was happening, and now suddenly it started working, and I can't reproduce any more.

JackieNiebling commented 6 years ago

I couldn't access the http site on Chrome on my tablet, but https worked somehow.

octachrome commented 6 years ago

@einsteinsfool Are you still seeing the problem? Which URL are you using? Does clearing the browser cache help?

einsteinsfool commented 6 years ago

As for you, it started working yesterday and I also couldn't reproduce the bug in Firefox. So now it's working both in Firefox (on Linux and Android) and Chromium for both URLs. So I guess it's fixed and there's only HSTS left. Rating for both domains is A. :-)

https://www.ssllabs.com/ssltest/analyze.html?d=coup.thebrown.net
https://www.ssllabs.com/ssltest/analyze.html?d=treason.thebrown.net

But there's no HTTPS for thebrown.net. In case you didn't do it intentionally.

octachrome commented 6 years ago

thebrown.net is hosted on a different system, and I have not configured it with HTTPS.

I am not sure that HSTS is viable, since I will need to use an HTTP page to update local storage and then redirect the user to HTTPS.

The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead. [1]

In order to restore their saved user information, users must be able to load the HTTP site. It sounds like HSTS will break that.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
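The two points above (localStorage being scoped to the origin, scheme included, and HSTS making the HTTP redirector page unreachable once it is set) can be seen in a small migration flow. The following is an added example, not code from the treason project: it assumes the user id is kept under a localStorage key named `userId` and that it is a 32-character hex string; both are assumptions, as is the choice to carry the id in the URL fragment (which the browser never sends to the server, so the id stays out of access logs and Referer headers). An in-memory stand-in replaces `window.localStorage` so the flow runs under Node.

```javascript
// Added example (not octachrome's code): moving a localStorage user id from
// the http:// origin to the https:// origin through a redirector page.
// localStorage is keyed by origin (scheme + host + port), so a value written
// at http://coup.thebrown.net is invisible at https://coup.thebrown.net.
// The key name "userId" and the id format (32 hex chars) are assumptions.

const USER_ID_KEY = 'userId';
const USER_ID_RE = /^[0-9a-f]{32}$/;   // assumed format; anything else is rejected

// Step 1, run on the HTTP page: read the id and build the HTTPS URL that
// carries it in the fragment. Fragments are not sent to the server.
function buildMigrationUrl(httpStorage, httpsOrigin) {
  const id = httpStorage.getItem(USER_ID_KEY);
  const target = new URL(httpsOrigin);
  if (target.protocol !== 'https:') throw new Error('target must be https');
  if (id !== null && USER_ID_RE.test(id)) {
    target.hash = 'migrate=' + encodeURIComponent(id);
  }
  return target.toString();
}

// Step 2, run on the HTTPS page: take the id out of the fragment and store
// it, but only if it is well-formed and no id is stored yet. A crafted link
// must not be able to overwrite an existing identity (and its ranking).
function importMigratedId(hash, httpsStorage, location) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const id = params.get('migrate');
  if (id === null) return false;
  if (location) location.hash = '';          // drop the id from the address bar
  if (!USER_ID_RE.test(id)) return false;
  if (httpsStorage.getItem(USER_ID_KEY) !== null) return false;
  httpsStorage.setItem(USER_ID_KEY, id);
  return true;
}

// Minimal in-memory stand-in for window.localStorage so this runs under Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// Round trip with constructed data: one store per origin.
function demo() {
  const httpStore = new MemoryStorage();    // stands for http://coup.thebrown.net
  const httpsStore = new MemoryStorage();   // stands for https://coup.thebrown.net
  httpStore.setItem(USER_ID_KEY, '0123456789abcdef0123456789abcdef');
  const url = buildMigrationUrl(httpStore, 'https://coup.thebrown.net/');
  const imported = importMigratedId(new URL(url).hash, httpsStore);
  return { url, imported, id: httpsStore.getItem(USER_ID_KEY) };
}

console.log(demo());
```

Step 1 only ever runs when the browser actually loads the HTTP page. Once the HTTPS site has sent a Strict-Transport-Security header, the browser rewrites http:// requests to https:// before any request is made, so the HTTP page (and the id it holds) is never reached again; that is why the migration must be complete for a user before HSTS can be turned on for them.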

einsteinsfool commented 6 years ago

Indeed, it would break. I assumed no HTTP is necessary. Perhaps someday normal accounts could be implemented and then users could transfer their scores from local storage. And then no HTTP will be necessary. Thanks for providing HTTPS for those who don't mind losing scores.