Big Brother's latest warning

Beware: thou shalt offer a complete HTTPS site without a single internal link to an unsafe HTTP site in order to benefit from our wonderful, free opportunity to be included in our search results.

Charming!

I don’t think it applies to links from HTTPS to HTTP, at least, I can’t find an article that says that.

What this change is about is that if a page loads over HTTPS, any and all subresources it uses (like CSS, JavaScript, images, video, audio, etc.) must also be loaded over HTTPS. If a website includes a resource over HTTP, Chrome will first try to upgrade to HTTPS, and if that doesn’t work it will refuse to load the resource.

This is already happening for JavaScript and iframes now, but they are extending it to all sub-resources.

2 Likes

Perhaps my wording was not precise so I added “internal” to the post to try and clear the point that all links to images, CSS files, JavaScript, videos, etc. must all be HTTPS and not HTTP.

I don’t see a problem with the measure to be honest. Nowadays it’s very easy to set up a domain with SSL. You can even get SSL certificates for free now, which is awesome.

So if you do that, why not do it on all resources? Otherwise it’s like putting high grade locks on all your doors and windows, but leaving the cellar window wide open.

Sure, I can see it would be annoying if you have a third-party resource that doesn’t support it, but then you should probably also wonder why they don’t support it [in 2019].

3 Likes

I was thinking of blogs that will be penalised even though they are not commercial and do not benefit from having HTTPS.

Why should a browser scream about the site not being safe when the blog only wants to state an opinion?

HTTPS is a good thing. I applaud Google for enforcing it being default. I’m not understanding why you have such a problem with HTTPS.

I was thinking of blogs that will be penalised even though they are not commercial and do not benefit from having HTTPS.

They also have no reason not to be.

You should read/watch this:

Basically, it removes the ability for man-in-the-middle attacks, which don’t necessarily have to hijack information from the user but can also give the user malicious links, hijack inputs, and do a lot of other things that aren’t nice. For almost no effort a blog can completely stop the chance of a man-in-the-middle attack from a malicious entity injecting ads, phishing scams, or whatever else.


I also find your choice of title ironic seeing that HTTPS is basically anti-Big Brother and surveillance…

1 Like

That requires actual maintenance. Could the browsers check the sites’ date and resist alarming the user for elder blogs?

Second thought: Site dates could easily be manipulated with little effort and other measures would probably noticeably slow down everything.


Never mind, regardless of last modified date, server scripted sites would respond with current date. 🙂

Depends 😉

My personal blog is hosted on netlify, which manages the certificate for me, for free. There are other services that do this.

2 Likes

Let's Encrypt supplies a script that automatically renews the SSL Certificate.

The script has to be inserted into a particular directory on the server.

I have yet to insert the required script - just not enough hours in the day 😦

1 Like

I rest my case. 😉

Thought of “long time no edit” sites. 🤔

1 Like

If Let's Encrypt is too much, there are other ways of doing SSL. I set up Cloudflare SSL on my personal site about 3-4 years ago and I haven’t touched that part since. It probably took 15 minutes to set up. I haven’t updated the site itself in 2-3.

1 Like

My host actually installed Let's Encrypt and I had to do ZERO setup work. Webhostingbuzz. I guess some hosts will do all the legwork and others don’t.

I just had to send support an email asking for it.

2 Likes

I just installed Let's Encrypt on a server running the latest Ubuntu LTS and was very impressed at how smooth the experience has become.

It was just 3 steps and took literally 10 minutes.

  1. Install certbot and the corresponding Apache module
  2. Generate the cert
  3. Test renewal

The Certbot page has great docs, which you can adapt to your configuration:

3 Likes