Help Test SSL Everywhere
July 2, 2013 9:54 AM
We're working on making browsing all sites via SSL available to members. We need some help spotting bugs.
This new feature will add a checkbox to site preferences to "Use SSL everywhere?". Once checked and saved, you'll browse all metafilter.com sites via SSL. (Keep in mind you'll need to do this for each browser you use.) SSL is a security protocol that encrypts the traffic between your browser and the MetaFilter servers. For example, SSL can help keep people from eavesdropping on your MetaFilter traffic if you're on a public wifi network.
We've been testing secure browsing internally for a while and it's working fairly well. There are a few caveats:
- Many 3rd party systems we use on the site do not offer a secure (or completely secure) version of their service. For example, the only profile widget that works with a secure connection is the new Twitter widget. So switching to SSL Everywhere means you won't see the other profile widgets on profile pages.
- The inline YouTube player loads securely but streams insecure content once you click play.
- Many Greasemonkey scripts and MetaFilter-specific browser add-ons will not work with SSL Everywhere. Many simply aren't expecting the new protocol. If you enable SSL Everywhere, expect any browser add-ons you're using to break. (Potentially script authors will be able to modify their scripts to work with this feature.)
- We still have many non-secure page redirects happening. So if you click on an internal MetaFilter link such as a username, it might be an insecure request that is then routed to the secure version of the page. That means your MetaFilter cookies could be intercepted on a public network. We're working on changing these links across the site.
As far as future plans go, once we get the bugs worked out of this feature it will be available for members and will be off by default like it is now. We consider it a benefit of membership and something you can enable if you want to use it.
Yeah, links in comments or from the wider Web would include an insecure redirect. I'll take a look at Secure cookies. That's a great idea—I think we can get that working.
posted by pb (staff) at 10:07 AM on July 2, 2013
Very nice. What prompted this change?
posted by boo_radley at 10:07 AM on July 2, 2013
What prompted this change?
Not so much a change as an addition. We've had a steady stream of requests for this feature for a long, long time. And there was an uptick in those requests in 2010 when Firesheep came out.
We've been laying the groundwork for this for a long time, but didn't feel like our previous servers could handle the extra processing. We're in a better server place now and the demand is still there.
posted by pb (staff) at 10:10 AM on July 2, 2013 [1 favorite]
I would love to help test out this feature - sign me up!
posted by antonymous at 10:12 AM on July 2, 2013
This is a great idea and I'm glad to see it happening. I just went through this at work; it's always more of a hassle than you'd want it to be. Thanks for putting in the effort.
posted by brennen at 10:13 AM on July 2, 2013
The checkbox is there on people's profile page settings with a note that it's experimental, so people can go check the checkbox and start clicking around and let us know if you run into problems.
posted by jessamyn (staff) at 10:15 AM on July 2, 2013
Looks like https://www.metafilter.com/activity/76014/comments/ask/ is including some non-https resource for me.
posted by brennen at 10:15 AM on July 2, 2013
Chrome 27.0.1453.110 on Debian Wheezy, though I expect it doesn't make too much difference for this one.
posted by brennen at 10:16 AM on July 2, 2013
pb: " We've been laying the groundwork for this for a long time, but didn't feel like our previous servers could handle the extra processing. We're in a better server place now and the demand is still there."
My layperson's impression of SSL on other sites is that it makes pages a bit slower to load. Do you have an idea of whether this change will affect load times?
posted by zarq at 10:17 AM on July 2, 2013
Oh, interesting. I'm not seeing a delay on small pages. Going to try to load some epic megathreads to see what happens.
posted by zarq at 10:18 AM on July 2, 2013
Even epic megathreads are actually loading faster with SSL on. It must be because Greasemonkey is off.
posted by zarq at 10:22 AM on July 2, 2013
thanks brennen, fixed that up.
zarq, I haven't noticed a big delay while testing it but it does require some extra processing all around. So it could have an impact.
posted by pb (staff) at 10:22 AM on July 2, 2013
Thank you so much for doing this!
YouTube vids make insecure requests when they play in the popup-thing, but I'm fairly sure that's beyond your control.
faq.metafilter.com is loading http://geo.yahoo.com/p?s=792600324&t=1372785467359
music is attempting to load http://d217i264rvtnq0.cloudfront.net/styles/mefi/jplayer.mefi010712b-min.css - because it's CSS, chrome blocks this.
STS next? :)
posted by gregjones at 10:24 AM on July 2, 2013
faq.metafilter.com is loading...
Yep, the FAQ is loading an embedded movie from Flickr. They serve insecure content even if you use secure URLs in the request. We can't control that.
We can fix up the Music stylesheet.
posted by pb (staff) at 10:26 AM on July 2, 2013
Can I ask which SSL certificate product you're using? Never seen one with EV and UCC before.
posted by Deathalicious at 10:29 AM on July 2, 2013
Music should be set.
posted by pb (staff) at 10:30 AM on July 2, 2013 [1 favorite]
Can I ask which SSL certificate product you're using?
mathowie is the keeper of the certificates. IIRC it's a Comodo multi-domain certificate.
posted by pb (staff) at 10:39 AM on July 2, 2013
Yeah, the EV multi-domain at Comodo is what we're using. It costs a buttload (they charge per subdomain, total cert cost about $3k for two years on all our subdomains) and it is up in November of this year, so we might just downgrade to an easier-to-manage simple wildcard domain SSL cert (which is under $300 for two years, if I remember correctly).
posted by mathowie (staff) at 10:51 AM on July 2, 2013
YouTube vids make insecure requests when they play in the popup-thing, but I'm fairly sure that's beyond your control.
Yeah, we can't control that. But if you select SSL Everywhere we do switch the inline player to their enhanced privacy embed. YouTube set up a separate (not-so-subtle) domain, youtube-nocookie.com, that serves the same content. So even though you're getting insecure content (and it frustratingly breaks the SSL lock) you won't be sending your YouTube cookies in the clear.
posted by pb (staff) at 11:03 AM on July 2, 2013
Let's have a bake sale to raise money to buy the best certificate ever! I have money. Who has brownies?
posted by cjorgensen at 11:17 AM on July 2, 2013
Can the NSA still read what I write?
posted by desjardins at 11:23 AM on July 2, 2013 [1 favorite]
bestof.metafilter.com serves unsecure content but maybe it isn't relevant?
posted by Foci for Analysis at 11:27 AM on July 2, 2013
Same with
https://www.metafilter.com/about.mefi
https://metatalk.metafilter.com/22698/81-Does-the-Dog-Die
posted by Foci for Analysis at 11:29 AM on July 2, 2013
Yeah, anytime there are images or videos inline from a different domain there's going to be some insecure content.
The Best Of blog has a lot of images from Flickr. We need to update our internal system for including images and that should take care of them going forward. But yeah, the SSL lock is going to break for some pages on the site that have embedded content from different services.
posted by pb (staff) at 11:31 AM on July 2, 2013
I turned it on and things seem to be working fine.
Thanks so much for implementing this. It's a great idea and I really appreciate it.
posted by Aizkolari at 11:53 AM on July 2, 2013
pb: "Many Greasemonkey scripts and MetaFilter-specific browser add-ons will not work with SSL Everywhere. Many simply aren't expecting the new protocol. If you enable SSL Everywhere, expect any browser add-ons you're using to break."
Yeah, sadly this means this is a no go for me. I would encourage script maintainers to speak up when they update!
posted by Chrysostom at 12:01 PM on July 2, 2013 [1 favorite]
Chrysostom: "I would encourage script maintainers to speak up when they update!"
Part of the conversation could be telling those maintainers what extensions and scripts break under the change.
posted by boo_radley at 12:19 PM on July 2, 2013
Here's another wrinkle for the test: we're now adding a secure flag to cookies when they're set. (As grouse suggested upthread.) This will help with those insecure redirects.
If you already have SSL Everywhere enabled, you'll need to re-save your preferences or log out and back in. That will set the secure cookies.
posted by pb (staff) at 12:22 PM on July 2, 2013
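As an added example (not MetaFilter's code) of the check a tester would run after pb's change, and of the "STS next?" question gregjones raised: parse the Set-Cookie headers a response carries, report any cookie still lacking the Secure flag (and HttpOnly), and then look for a Strict-Transport-Security header. The header values and cookie names are constructed for the example and are not MetaFilter's.

```javascript
// Added example, not MetaFilter's code. Audits Set-Cookie headers for the
// Secure/HttpOnly flags and checks for Strict-Transport-Security.
// All header values here are constructed for the example.

// Parse one Set-Cookie header value into name, value and attributes
// (attribute names lower-cased; valueless attributes such as Secure map to true).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split("=");
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: valueParts.join("="), attrs };
}

// A cookie without Secure is sent on any plain-http request to the domain,
// which is exactly what an insecure redirect hop exposes; without HttpOnly
// it is also readable by any script running in the page.
function auditCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!("secure" in cookie.attrs)) findings.push(`${cookie.name}: missing Secure`);
    if (!("httponly" in cookie.attrs)) findings.push(`${cookie.name}: missing HttpOnly`);
  }
  return findings;
}

// HSTS tells the browser to use https for this host for max-age seconds.
// It only makes sense when every page on the host is meant to be https.
function auditHsts(responseHeaders) {
  const hsts = responseHeaders["strict-transport-security"];
  if (!hsts) return "no HSTS header";
  const match = /max-age=(\d+)/i.exec(hsts);
  if (!match) return "HSTS present but max-age missing";
  const seconds = Number(match[1]);
  if (seconds < 180 * 24 * 3600) return `HSTS max-age ${seconds} is under 180 days`;
  return "HSTS ok";
}

// Constructed sample response: one cookie as it might be set before the
// change, one as set afterwards. Cookie names are invented for the example.
const SAMPLE_RESPONSE = {
  "set-cookie": [
    "USER_ID=12345; Path=/; Domain=.metafilter.com",
    "SESSION=abc123; Path=/; Domain=.metafilter.com; Secure; HttpOnly",
  ],
  "strict-transport-security": "max-age=31536000; includeSubDomains",
};

function runAudit(response) {
  return {
    cookies: auditCookies(response["set-cookie"]),
    hsts: auditHsts(response),
  };
}
```

Running `runAudit(SAMPLE_RESPONSE)` reports the first cookie twice and passes the HSTS check. The "if it matches your semantics" caveat Skorgu attaches to STS later in the thread is the HSTS function's last comment: the header is all-or-nothing for a host, so while SSL Everywhere is an opt-in preference it cannot be sent site-wide without forcing https on members who never enabled it.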
I'd like to use this, but I use a lot of greasemonkey scripts. Until the authors of the scripts are able to update them, is there a way to edit them myself so that they will work? I tried adding:
// @include https://*.metafilter.com/*
// @include https://metafilter.com/*
but it didn't work. Ideas?
Kubuntu 13.04 / Chromium Version 28.0.1500.52 Ubuntu 13.04 (28.0.1500.52-0ubuntu1.13.04.3)
posted by double block and bleed at 12:22 PM on July 2, 2013
...is there a way to edit them myself so that they will work?
It's really tough to make a blanket suggestion about getting Greasemonkey scripts to work. It's really going to depend on what each script does. Many probably have code that will need to be updated. It's not just about setting a rule at the top of the file to get it to work.
posted by pb (staff) at 12:25 PM on July 2, 2013
That's what I figured. Never hurts to ask.
posted by double block and bleed at 12:26 PM on July 2, 2013
Can you try:
// @include //*.metafilter.com/*
// @include //metafilter.com/*
and see if that works?
posted by yerfatma at 1:19 PM on July 2, 2013
Awesome!
Mefi gets a B on the SSL Labs verifier. Specifically the BEAST attack is a definite must-fix and Forward Secrecy would be super nice too. Something like:
SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!aNULL:!MD5:-LOW:-SSLv2:-EXP
in the appropriate place in your VirtualHost should fix both. (I haven't tested that on apache2 but I've run the equivalent config on lighttpd and nginx without issue, obviously plz to test in dev environment first).
You can ignore the "RC4" hit on that page, there's no real answer on how to fix that right now.
posted by Skorgu at 1:24 PM on July 2, 2013 [7 favorites]
"Site information: you have never visited this site before today"
Ha!
posted by arcticseal at 3:27 PM on July 2, 2013
I looked into your proposed changes Skorgu. We're currently using Perfect Forward Secrecy (PFS). That's already in place. However, mitigating against the BEAST attack means we would have to give that up. Your SSLCipherSuite string forces browsers to use the less ephemeral RSA for key exchange. That gives Mefi an A on that test, but we would no longer support PFS.
This could be an Apache problem, I'm not sure. I'm leaning toward updating, but wondered if you have any more info about enabling forward secrecy while also limiting the BEAST attack.
posted by pb (staff) at 3:45 PM on July 2, 2013
yay, thanks friends!
posted by Divine_Wino at 3:49 PM on July 2, 2013
This really is damn awesome. Thanks very much for putting the work in to make it happen pb.
posted by ish__ at 4:43 PM on July 2, 2013
I went through all the junk I had posted to userscripts.org and gave everything a cleanup pass. If you want your unicorns and narwhals and laser kitties and whatnot, it should work with https now.
(Minor nit: SSL is the outdated term for what is now properly referred to as TLS or Transport Layer Security, even though I can understand using SSL in the description since more people are probably familiar with that term.)
posted by Rhomboid at 5:51 PM on July 2, 2013 [2 favorites]
On Safari for iPad (6.1.3), initial page loads are slow but seem ok after the pages are cached.
posted by double block and bleed at 6:35 PM on July 2, 2013
Initial page loads are fine on chrome (27.0.1453.10) for iPad (6.1.3)
posted by double block and bleed at 6:43 PM on July 2, 2013
In Safari for iPad on iOS 6, all MetaFilter tabs list the page title as "MetaFilter Network, Inc." I'm not sure there's anything you can do about that, since I think Mobile Safari always just lists the registrant of the SSL certificate there. Chrome on iPad shows the page titles properly on each tab, but it shows the SSL certificate info in the address bar. (Mobile Safari might have different behavior on iOS 7 since I think it is moving to a combined address/search bar and it might have room for the certificate info in the bar then.)
posted by stopgap at 7:04 PM on July 2, 2013
I am not a crypto expert but tl;dr I think beast and pfs are orthogonal.
As I understand BEAST simply having RC4 before CBC-based ciphers (i.e. HIGH) in the cipher suites is enough to mitigate it. RC4 isn't great but it's the only safe fallback for a lot of older browsers. The ECDHE implies a modified version of Diffie-Hellman that uses elliptic curve crypto to do <magic>. This blog post has some stuff about PFS and this one about BEAST. For comparison, duckduckgo's ssl test has no BEAST and gets the forward secrecy checkmark as well. Mefi only gets forward secrecy on chrome and firefox; ie and safari fall back to a CBC cipher that's BEAST-vulnerable and not-forward-secure anyway.
That's all assuming the ssllabs.com checker is right, I haven't busted out /usr/bin/openssl to verify any of this. And of course I have no idea when TLS 1.2 is going to be usable in the real world, hopefully soon.
posted by Skorgu at 7:14 PM on July 2, 2013
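As an added illustration (not MetaFilter's configuration and not Skorgu's) of the trade-off pb and Skorgu are working through: given a server's cipher order and the suites a client offers, the negotiated suite is the first server-preferred suite the client supports, and that one choice decides both whether the session has forward secrecy (ECDHE/DHE key exchange) and whether it is a CBC suite exposed to BEAST under TLS 1.0. The suite lists are constructed: the server orders are a hand-expanded approximation of Skorgu's string, and the two client lists stand in for a browser with ECDHE support and an older one without it.

```javascript
// Added example, not MetaFilter's or Skorgu's configuration. Models cipher
// negotiation over explicit OpenSSL suite names; keyword groups such as HIGH
// or RC4 are not expanded here (expand them with `openssl ciphers -v` first).

// Classify one OpenSSL-named suite by key exchange and record protection.
function classifySuite(name) {
  const forwardSecret = /^(ECDHE|DHE)-/.test(name);      // ephemeral key exchange
  let mode;
  if (/RC4/.test(name)) mode = "stream";                  // not affected by BEAST, weak cipher
  else if (/GCM|CCM|POLY1305/.test(name)) mode = "aead";  // TLS 1.2 only
  else mode = "cbc";  // names with no mode token (...-SHA, ...-SHA256, DES-CBC3-SHA) are CBC
  return { name, forwardSecret, mode };
}

// Server-preference negotiation: the first suite in the server's order that
// the client also offers wins.
function negotiate(serverOrder, clientOffered) {
  const offered = new Set(clientOffered);
  const chosen = serverOrder.find((s) => offered.has(s));
  return chosen ? classifySuite(chosen) : null;
}

// BEAST needs a CBC suite and a protocol without explicit per-record IVs,
// i.e. SSLv3 or TLS 1.0; TLS 1.1 and 1.2 changed the record layer to fix that.
function assess(serverOrder, clientOffered, protocol) {
  const suite = negotiate(serverOrder, clientOffered);
  if (!suite) return { suite: null, forwardSecrecy: false, beastExposed: false };
  const oldProtocol = protocol === "SSLv3" || protocol === "TLSv1.0";
  return {
    suite: suite.name,
    forwardSecrecy: suite.forwardSecret,
    beastExposed: oldProtocol && suite.mode === "cbc",
  };
}

// Constructed lists. SERVER_RC4_FIRST approximates Skorgu's string with the
// keyword groups expanded by hand; SERVER_CBC_FIRST is the same suites with a
// CBC suite placed ahead of RC4 for clients that lack ECDHE.
const SERVER_RC4_FIRST = ["ECDHE-RSA-RC4-SHA", "ECDHE-RSA-AES128-SHA", "RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"];
const SERVER_CBC_FIRST = ["ECDHE-RSA-RC4-SHA", "ECDHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"];
const MODERN_CLIENT = ["ECDHE-RSA-AES128-SHA", "ECDHE-RSA-RC4-SHA", "AES128-SHA", "RC4-SHA"];
const LEGACY_CLIENT = ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"];   // no ECDHE support
```

With `SERVER_RC4_FIRST` the modern client lands on `ECDHE-RSA-RC4-SHA` (forward secret, no BEAST) and the legacy client on `RC4-SHA` (no forward secrecy, no BEAST); with `SERVER_CBC_FIRST` the legacy client gets `AES128-SHA` and is BEAST-exposed on TLS 1.0 but not on TLS 1.2, which is the point of Skorgu's later advice to enable TLS 1.1/1.2. Two things the thread could not know: RC4 was later prohibited for TLS (RFC 7465, 2015), and with TLS 1.2 or later the recommended choice is ECDHE with AEAD (GCM) suites, the mode the classifier labels `aead`.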
Nice! I've switched it on, and will report if anything goes shonky. Looking good so far.
posted by stavrosthewonderchicken at 7:48 PM on July 2, 2013
So of course now I had to spend the last hour munchkin-ing that ssl checker. I stand by my cipher selection above.
Enabling TLSv1.1 and 1.2 seems wise, it's coming to Chrome and Firefox and you'll get better security for free as that happens (and hopefully disable RC4 once it's prevalent enough).
Disabling SSLv3 is probably safe. Wikipedia tells me only IE6 didn't support it by default. Google has it enabled though so what do I know.
Enabling strict transport security is easy if it matches your semantics.
posted by Skorgu at 9:13 PM on July 2, 2013
Insecure links to particular comments appear to be rewritten without the target anchor.
For example, if I click the "this insightful comment" link in this comment I end up at the top of the Westboro Baptist Church thread (albeit as a secure page) instead at the targeted comment.
posted by RichardP at 9:42 PM on July 2, 2013
You are probably already aware of this given your "we still have many non-secure page redirects happening" comment, but the links in the sideblog on the front page are not secure links. They also have the "secure redirect doesn't preserve target anchor" issue if they're linking to a specific comment.
posted by RichardP at 9:53 PM on July 2, 2013
Thanks for the research, Skorgu. That's very helpful. The version of OpenSSL we're running doesn't support anything above TLSv1.0, so until we make a change there it looks like we'll go with RC4 (and without PFS).
I'm not seeing the anchor issue, RichardP. Which browser/OS are you using?
posted by pb (staff) at 10:39 PM on July 2, 2013
Re. the anchor issue: it happens to me on Mobile Safari, iOS 6.1.3, but Desktop Safari 5.1.9 on OS X 10.6.8 works fine.
posted by Johnny Wallflower at 5:57 AM on July 3, 2013
I can't seem to get the "Mark as best answer" link to work but I'm not sure if that is because of SSL or not...
posted by Deathalicious at 9:02 AM on July 3, 2013
Yup, almost certainly due to SSL. From the console:
The page at https://ask.metafilter.com/242096/Recipes-that-highlight-eggs displayed insecure content from http://ask.metafilter.com/contribute/bestjax.cfm. jquery.min.js:5
The page at https://ask.metafilter.com/242096/Recipes-that-highlight-eggs displayed insecure content from http://www.metafilter.com/login/. Recipes-that-highlight-eggs:1
posted by Deathalicious at 9:04 AM on July 3, 2013
I just made a change to address the Safari anchor issue. This change should help cut down on insecure redirects as well. Let me know if you're still seeing it.
posted by pb (staff) at 11:00 AM on July 3, 2013
Your fix does indeed seem to have fixed a number of the "on site" links that have a URL fragment/anchor. Non-https links from external sites to specific comments remain broken if your browser is Safari.
posted by RichardP at 11:20 AM on July 3, 2013
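An added example (not MetaFilter's code and not any script author's) covering both the Greasemonkey question earlier in the thread and the lost-anchor reports: a scheme switch bites in two places, URLs built with a hard-coded "http://" (in page templates or in userscripts) and http-to-https redirects, which cannot carry the "#comment" fragment because the browser never sends it to the server. The internal-host suffix is an assumption for the example; the URLs in the test are constructed.

```javascript
// Added example, not MetaFilter's or any script author's code. Shows the two
// places a scheme switch bites: URLs built with a hard-coded "http://" (in
// templates or userscripts), and http->https redirects, which cannot carry
// the #fragment because the browser never sends it.
//
// For a userscript the header also has to match the new scheme, e.g.
//   // @include http://*.metafilter.com/*
//   // @include https://*.metafilter.com/*
// but, as pb notes, that only gets the script to run; any URLs it builds
// still need to follow the page's scheme.

const INTERNAL_SUFFIX = "metafilter.com";   // hosts treated as first-party (assumption)

function isInternalHost(hostname) {
  return hostname === INTERNAL_SUFFIX || hostname.endsWith("." + INTERNAL_SUFFIX);
}

// Emit a first-party link on the scheme the page is served on (in a browser,
// location.protocol, e.g. "https:"), keeping path, query and fragment.
// External links are left alone: nothing guarantees they have an https version.
function upgradeInternalLink(href, pageScheme) {
  const base = `${pageScheme}//www.${INTERNAL_SUFFIX}/`;   // resolves "//host/..." and relative hrefs
  const u = new URL(href, base);
  if (!isInternalHost(u.hostname)) return href;
  u.protocol = pageScheme;
  return u.toString();
}

// What the server sees for a request: the request target has no fragment,
// so a 301 to https computed from it cannot preserve "#comment" either.
// Most browsers re-attach the fragment themselves after the redirect; the
// thread shows Mobile Safari did not, which is why emitting https links
// directly (and not relying on the redirect) is the robust fix.
function serverSideRedirect(requestedUrl) {
  const u = new URL(requestedUrl);
  const requestTarget = u.pathname + u.search;   // the part after "GET " on the wire
  return { requestTarget, location: `https://${u.host}${requestTarget}` };
}
```

`upgradeInternalLink("http://www.metafilter.com/129000/thread#5000000", "https:")` keeps the fragment, while `serverSideRedirect` on the same URL produces a Location with no fragment at all, because the server was never given one.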
OK, I found at least one set of cases where Safari anchors are still broken. If I visit http://bestof.metafilter.com I get redirected to https://bestof.metafilter.com. However the links to the "bestof" content on https://bestof.metafilter.com are still http links. These links don't work in Safari if they're links to comments.
For example, the "JHarris explains a few nifty pinball hacks." link on bestof.metafilter.com doesn't successfully link to JHarris' comment in Safari.
posted by RichardP at 11:31 AM on July 3, 2013
I get an SSL certificate failure if I visit https://mobile.metafilter.com directly. For example, click the mobile.metafilter.com link in FAQ entry #292. The problem appears to be that "mobile.metafilter.com" is not in the cert as a SAN field.
posted by RichardP at 11:54 AM on July 3, 2013
No, it isn't on the certificate. We'll need to discuss that and come up with a plan for that one.
posted by pb (staff) at 11:56 AM on July 3, 2013
The only thing that domain does is switch on the mobile view and then redirect to www. So my guess is that we'll come up with a different switch that lives on www somewhere.
posted by pb (staff) at 11:57 AM on July 3, 2013
HTTPS tag links like "https://ask.metafilter.com/tags/employment" end up loading as HTTP pages. For example, clicking on any of the tags on the "https://ask.metafilter.com/tags/" page takes you to a non-secure page, even though the links are HTTPS links.
With regards to mobile.metafilter.com, keeping it is a little tricky since you've already hit the 25 SAN limit in your cert. If you want to keep it I'd recommend you move fuelly.com and its subdomains to its own cert, freeing up three entries.
posted by RichardP at 12:03 PM on July 3, 2013
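As an added example (not MetaFilter's code), the check behind RichardP's certificate report and mathowie's wildcard idea: which hostnames a certificate's subjectAltName entries cover, using the wildcard matching rule from RFC 6125, where "*" stands for exactly one left-most label and never covers the bare domain. The SAN lists below are constructed stand-ins for the two options discussed, not the contents of MetaFilter's certificate.

```javascript
// Added example, not MetaFilter's code. Checks which hostnames a certificate's
// subjectAltName entries cover, using the wildcard rule from RFC 6125: "*"
// stands for exactly one left-most label and never covers the bare domain.
// The SAN lists below are constructed, not the contents of MetaFilter's cert.

function sanMatches(san, hostname) {
  san = san.toLowerCase();
  hostname = hostname.toLowerCase();
  if (!san.startsWith("*.")) return san === hostname;        // exact dNSName entry
  const suffix = san.slice(1);                                 // ".metafilter.com"
  if (!hostname.endsWith(suffix)) return false;
  const leftmost = hostname.slice(0, hostname.length - suffix.length);
  return leftmost.length > 0 && !leftmost.includes(".");      // exactly one non-empty label
}

// Split a list of hostnames into those the SAN list covers and those it misses.
function coverage(sans, hostnames) {
  const covered = [];
  const missing = [];
  for (const host of hostnames) {
    (sans.some((san) => sanMatches(san, host)) ? covered : missing).push(host);
  }
  return { covered, missing };
}

// Constructed stand-ins for the two options discussed in the thread: a
// multi-domain cert listing each name, and a wildcard cert for one domain.
const MULTI_DOMAIN_SANS = ["metafilter.com", "www.metafilter.com", "ask.metafilter.com",
  "metatalk.metafilter.com", "fuelly.com", "www.fuelly.com"];
const WILDCARD_SANS = ["metafilter.com", "*.metafilter.com"];
const HOSTS_TO_CHECK = ["www.metafilter.com", "mobile.metafilter.com", "metafilter.com",
  "www.fuelly.com", "deep.ask.metafilter.com"];
```

Against `MULTI_DOMAIN_SANS` the missing hosts are `mobile.metafilter.com` (RichardP's report) and the two-level name; against `WILDCARD_SANS` the wildcard picks up `mobile.metafilter.com` but drops `www.fuelly.com`, so the other domain would need its own certificate either way. A second caveat for the downgrade mathowie mentions: EV certificates cannot contain wildcard names, so a wildcard cert also means giving up EV.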
Hmm, it seems like the comment editing page doesn't redirect correctly back to your comment after you save an edit (in Safari).
posted by RichardP at 12:05 PM on July 3, 2013
Chrome: 28.0.1500.63 m. Recent Activity shows as having some insecure resources.
posted by arcticseal at 12:23 PM on July 3, 2013
The tag links were loading securely for me, but there was an insecure script loading that broke the lock. I fixed that up.
Odd on Recent Activity, arcticseal. I'm not seeing that. Are you running any browser add-ons? Can you take a look at the Developer Console and see which items aren't secure? That might tell us exactly what isn't loading securely.
posted by pb (staff) at 12:27 PM on July 3, 2013
Comment editing should be redirecting with the correct protocol now.
posted by pb (staff) at 12:31 PM on July 3, 2013
Clicking the "MeFi Status Blog" link in the metatalk.metafilter.com sidebar goes to https://status.metafilter.com, which doesn't load for me. However, a direct visit to http://status.metafilter.com does work for me.
Editing comments is still broken in Safari (well, the redirect at the end is broken, editing works fine). Please excuse my abuse of the edit functionality for this test.
posted by RichardP at 12:32 PM on July 3, 2013
Clicking on any of the categories on https://ask.metafilter.com/archive.mefi breaks the lock.
Editing of a comment now redirects correctly for me.
posted by RichardP at 12:57 PM on July 3, 2013
Assorted HTTPS errors that break the lock on various pages:
https://ask.metafilter.com/clothing-beauty-fashion
The page at https://ask.metafilter.com/clothing-beauty-fashion ran insecure content from http://ask.metafilter.com/scripts/favorite_front031611-min.js.
https://metatalk.metafilter.com/policy
The page at https://metatalk.metafilter.com/policy ran insecure content from http://metatalk.metafilter.com/scripts/favorite_front031611-min.js.
https://metatalk.metafilter.com/archived.mefi/1/01/2003/
The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ ran insecure content from http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js. The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ ran insecure content from http://d217i264rvtnq0.cloudfront.net/scripts/mefi/members070313-min.js. The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ ran insecure content from http://d217i264rvtnq0.cloudfront.net/scripts/mefi/jplayer-jsp-mscroll-v3.min.js. The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ displayed insecure content from http://www.cs.uct.ac.za/~flifson/images/ad.png. The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ displayed insecure content from http://d217i264rvtnq0.cloudfront.net/images/mefi/blackshirt.png. The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ ran insecure content from http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js. The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ ran insecure content from http://d217i264rvtnq0.cloudfront.net/scripts/mefi/members070313-min.js. The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ ran insecure content from http://d217i264rvtnq0.cloudfront.net/scripts/mefi/jplayer-jsp-mscroll-v3.min.js. The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ displayed insecure content from http://people.cs.uct.ac.za/~flifson/images/ad.png. http://people.cs.uct.ac.za/~flifson/images/ad.png Failed to load resource: the server responded with a status of 404 (Not Found)
https://music.metafilter.com/archived.mefi/4/01/2009/
The page at https://music.metafilter.com/archived.mefi/4/01/2009/ displayed insecure content from http://d217i264rvtnq0.cloudfront.net/images/mefi/blackshirt.png. The page at https://music.metafilter.com/archived.mefi/4/01/2009/ ran insecure content from http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js. The page at https://music.metafilter.com/archived.mefi/4/01/2009/ ran insecure content from http://d217i264rvtnq0.cloudfront.net/scripts/mefi/members070313-min.js. The page at https://music.metafilter.com/archived.mefi/4/01/2009/ ran insecure content from http://d217i264rvtnq0.cloudfront.net/scripts/mefi/jplayer-jsp-mscroll-v3.min.js.
https://jobs.metafilter.com/archived.mefi/1/1/2012
The page at https://jobs.metafilter.com/archived.mefi/1/1/2012 displayed insecure content from http://d217i264rvtnq0.cloudfront.net/images/mefi/blackshirt.png. The page at https://jobs.metafilter.com/archived.mefi/1/1/2012 ran insecure content from http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js. The page at https://jobs.metafilter.com/archived.mefi/1/1/2012 ran insecure content from http://d217i264rvtnq0.cloudfront.net/scripts/mefi/members070313-min.js.
https://irl.metafilter.com/archived.mefi/7/01/2013
The page at https://irl.metafilter.com/archived.mefi/7/01/2013 displayed insecure content from http://d217i264rvtnq0.cloudfront.net/images/mefi/blackshirt.png. The page at https://irl.metafilter.com/archived.mefi/7/01/2013 ran insecure content from http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js. The page at https://irl.metafilter.com/archived.mefi/7/01/2013 ran insecure content from http://d217i264rvtnq0.cloudfront.net/scripts/mefi/members070313-min.js.
posted by RichardP at 1:09 PM on July 3, 2013
The "MeFi Status Blog" link in the metatalk.metafilter.com sidebar still doesn't load for me (although it works as a non-secure link).
It's not really fair to mention, but one of the links above still fails...
https://metatalk.metafilter.com/archived.mefi/1/01/2003/
The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ displayed insecure content from http://www.cs.uct.ac.za/~flifson/images/ad.png. The page at https://metatalk.metafilter.com/archived.mefi/1/01/2003/ displayed insecure content from http://people.cs.uct.ac.za/~flifson/images/ad.png.
... but it's due to the old IMG embedding policy. Pretty much the only way to fix that when in SSL Everywhere mode is for the server to rewrite IMG tags (sort of like you're doing now for HTTP links) in old comments to reference a locally hosted placeholder image that says something like "Old IMG tags not supported in SSL everywhere mode."
Here's another example:
https://metatalk.metafilter.com/archived.mefi/6/01/2006/
The page at https://metatalk.metafilter.com/archived.mefi/6/01/2006/ displayed insecure content from http://static.flickr.com/63/174127658_4352b45101_t.jpg. The page at https://metatalk.metafilter.com/archived.mefi/6/01/2006/ displayed insecure content from http://static.flickr.com/58/174127681_727098346c_t.jpg. The page at https://metatalk.metafilter.com/archived.mefi/6/01/2006/ displayed insecure content from http://l.yimg.com/g/images/photo_unavailable_t.gif.
posted by RichardP at 1:34 PM on July 3, 2013
Here's an old comment of mine that better demonstrates the IMG tag problem:
https://ask.metafilter.com/16219/LCD-text-legibility-distances#275503
posted by RichardP at 1:40 PM on July 3, 2013
Yeah, I think we're going to have to live with some insecurity in the archives. You won't be sending your metafilter.com cookies across the wire—that's the main thing we're trying to avoid.
posted by pb (staff) at 1:41 PM on July 3, 2013
I think the mobile and status subdomains are ok to stay insecure. We set the secure cookie attribute and modern browsers won't send those cookies out when you visit those domains. We'll need to make sure we don't link to a secure version of those sites since they won't work. But I think it's ok to use a standard http connection with those.
posted by pb (staff) at 2:37 PM on July 3, 2013
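pb's point about the Secure attribute, as an added example (this is not MetaFilter's code): Python's http.cookiejar applies the same rule a browser does, so a session cookie flagged Secure is attached to https requests and withheld from plain http ones, which is what makes leaving status and mobile on http safe as far as the cookie is concerned. The cookie name, value and hostnames are constructed.

```python
"""Secure cookies are only sent over https: a check with http.cookiejar.

Added example, not MetaFilter's code. DefaultCookiePolicy enforces the
Secure flag the same way browsers do, so this models what the browser
sends when a user on SSL Everywhere follows a link to an http-only host.
Cookie name, value and hostnames are constructed.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_session_cookie(name: str, value: str, secure: bool) -> Cookie:
    """Build a site-wide session cookie for .metafilter.com (constructed values)."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=".metafilter.com", domain_specified=True, domain_initial_dot=True,
        path="/", path_specified=True,
        secure=secure,                 # the attribute the thread is talking about
        expires=None, discard=True,    # session cookie: no expiry, dropped on close
        comment=None, comment_url=None, rest={},
    )


def build_jar(secure: bool = True) -> CookieJar:
    """A jar holding one login cookie, flagged Secure or not."""
    jar = CookieJar()
    jar.set_cookie(make_session_cookie("USER_ID", "12345", secure))  # constructed
    return jar


def cookie_header_for(jar: CookieJar, url: str):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)          # policy decides per scheme, domain and path
    return req.get_header("Cookie")


if __name__ == "__main__":
    jar = build_jar(secure=True)
    for url in ("https://www.metafilter.com/",
                "http://status.metafilter.com/",
                "http://www.metafilter.com/"):
        print(f"{url:35s} -> {cookie_header_for(jar, url)}")
```

Running it shows the cookie on the https request only; the two http URLs get no Cookie header at all, including the http link to www.metafilter.com itself before the server redirects it. Building the jar with `secure=False` shows the opposite, which is the leak the flag prevents. Note this covers the cookie, not page content: an http page on status or mobile is still readable in transit.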
I think you're right when you say that insecure linking to status is OK (although, from a coding standpoint, special casing it is probably kind of galling). I don't know enough about what mobile.metafilter.com does to make an informed comment. Does it do any login processing?
URL rewrite tests:
http -> status.metafilter.com
https -> status.metafilter.com
(looks like right now http://status.metafilter.com gets rewritten to https://status.metafilter.com)
Regarding other problems, it's really scraping the bottom of the barrel, but the 404 handler for www.metafilter.com and ask.metafilter.com runs/displays insecure content. Example URLs:
https://www.metafilter.com/xyz
https://ask.metafilter.com/xyz
posted by RichardP at 2:55 PM on July 3, 2013
Does it do any login processing?
No, there's no processing at all. It's really just a switch.
Yeah, it's true, links to those domains are being rewritten on the fly. I guess I will have to set up a special case for them.
Thanks on the 404, I'll get those fixed up.
posted by pb (staff) at 3:01 PM on July 3, 2013
Oh, it looks like the "contact the admins" link on https://login.metafilter.com/forgot-password.mefi is insecure.
posted by RichardP at 3:03 PM on July 3, 2013
The URL https://www.metafilter.com/contribute/customize.cfm displays insecure content if you don't have a user photo.
posted by RichardP at 3:07 PM on July 3, 2013
When I load https://www.metafilter.com/contribute/activity/myposts I get the following error in the console:
The page at https://www.metafilter.com/contribute/activity/myposts ran insecure content from http://www.metafilter.com/scripts/favorite052708-min.js.
When I load https://www.metafilter.com/contribute/activity/myfavorites I get the following error in the console:
The page at https://www.metafilter.com/contribute/activity/myfavorites ran insecure content from http://www.metafilter.com/scripts/ff031611-min.js.
posted by RichardP at 3:14 PM on July 3, 2013
The "editing your preferences" link on https://login.metafilter.com/customize-email.cfm is insecure.
posted by RichardP at 3:19 PM on July 3, 2013
I'll fix up the scripts because those affect whether or not the page will work. I think having some insecure links is ok because the user will be redirected to the secure version of the page and no cookies will be sent insecurely. If the link doesn't have an anchor there won't be an issue with Safari.
posted by pb (staff) at 3:23 PM on July 3, 2013
If you enter the geographical location "test" into the form at https://www.metafilter.com/contribute/customize-location.cfm the resulting page has the following errors:
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon1.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon2.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon3.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon4.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon5.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon6.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon7.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon8.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon9.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon10.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm ran insecure content from http://maps.google.com/maps?file=api&v=2&key=ABQIAAAAz0mOBSmZMg7N26vuZTiJqhQ2LGsyOqFkx9y6c_9eTMkNcTv4LBSQ1KZAQb5PzXZncmRqdhssC_JBVw.
2The page at https://www.metafilter.com/contribute/customize-location.cfm ran insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/450c/maps2.api/main.js.
76The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=18&y=9&z=5&s=Galileo.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=17&y=9&z=5&s=Gali.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=18&y=10&z=5&s=.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=17&y=10&z=5&s=Galil.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=18&y=8&z=5&s=Galile.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=17&y=8&z=5&s=Gal.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=19&y=9&z=5&s=Ga.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=19&y=10&z=5&s=Gal.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=19&y=8&z=5&s=G.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=20&y=9&z=5&s=Galil.
2The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm ran insecure content from http://maps.google.com/maps/vp?spn=4.708586,17.753906&z=5&key=ABQIAAAAz0mOBSmZMg7N26vuZTiJqhQ2LGsyOqFkx9y6c_9eTMkNcTv4LBSQ1KZAQb5PzXZncmRqdhssC_JBVw&mapclient=jsapi&vp=58.334535,23.994489.
32The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm ran insecure content from http://maps.google.com/maps/vp?spn=6.294948,17.753906&z=5&key=ABQIAAAAz0mOBSmZMg7N26vuZTiJqhQ2LGsyOqFkx9y6c_9eTMkNcTv4LBSQ1KZAQb5PzXZncmRqdhssC_JBVw&mapclient=jsapi&vp=45.396939,-45.919959&ev=p.
12The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm ran insecure content from http://maps.google.com/maps/vp?spn=96.653134,284.0625&z=1&key=ABQIAAAAz0mOBSmZMg7N26vuZTiJqhQ2LGsyOqFkx9y6c_9eTMkNcTv4LBSQ1KZAQb5PzXZncmRqdhssC_JBVw&mapclient=jsapi&vp=45.396939,-45.919959&ev=zo.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=20&y=10&z=5&s=Galile.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=20&y=8&z=5&s=Gali.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon1.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon-shadow.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon2.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon3.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon4.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon5.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon6.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon7.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon8.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon9.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon10.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=11&y=11&z=5&s=Gali.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=12&y=11&z=5&s=Galileo.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=11&y=10&z=5&s=Gal.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=11&y=12&z=5&s=Galil.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=12&y=10&z=5&s=Galile.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=12&y=12&z=5&s=.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=10&y=11&z=5&s=G.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=13&y=11&z=5&s=Ga.
The page at https://www.metafilter.com/contribute/customize-location.cfm ran insecure content from http://maps.gstatic.com/cat_js/intl/en_us/mapfiles/450c/maps2.api/%7Bmod_drag,mod_ctrapi%7D.js.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=10&y=10&z=5&s=.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=10&y=12&z=5&s=Ga.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=13&y=10&z=5&s=G.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=13&y=12&z=5&s=Gal.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=0&y=0&z=1&s=.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=1&y=0&z=1&s=Gal.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=0&y=1&z=1&s=G.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=1&y=1&z=1&s=Gali.
4The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon1.png.
10The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon-shadow.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon2.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon3.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon4.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon5.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon6.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon7.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon8.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon9.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mefi.us/images/mefi/markericon10.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/poweredby.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/transparent.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/smc.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/openhand_8_8.cur.
2The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=0&y=0&z=1&s=.
2The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=1&y=0&z=1&s=Gal.
2The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt0.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=0&y=1&z=1&s=G.
2The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://mt1.googleapis.com/vt/lyrs=m@220000000&hl=en&src=apiv2&x=1&y=1&z=1&s=Gali.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/poweredby.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm displayed insecure content from http://maps.gstatic.com/intl/en_us/mapfiles/smc.png.
The page at https://www.metafilter.com/contribute/customize-location.cfm ran insecure content from http://maps.google.com/maps/api/jsv2/AuthenticationService.Authenticate?1shttps%3A%2F%2Fwww.metafilter.com%2Fcontribute%2Fcustomize-location.cfm&5e0&callback=_xdc_._3hip3fkf1&token=11337.
The page at https://www.metafilter.com/contribute/customize-location.cfm ran insecure content from http://maps.google.com/maps/api/jsv2/QuotaService.RecordEvent?1shttps%3A%2F%2Fwww.metafilter.com%2Fcontribute%2Fcustomize-location.cfm&4e0&5e0&6u1&7sp3fkhm&callback=_xdc_._4hip3fkhm&token=43.
posted by RichardP at 3:25 PM on July 3, 2013
I'll fix up the scripts because those affect whether or not the page will work. I think having some insecure links is ok because the user will be redirected to the secure version of the page and no cookies will be sent insecurely.
Sure. Although I think you should also fix the placeholder profile photo on https://www.metafilter.com/contribute/customize.cfm -- that's the only thing stopping that page from being error free (and you're already handling this for the theme images).
posted by RichardP at 3:31 PM on July 3, 2013
Sure, fixed up the placeholder photo. And fixed up the maps issue.
posted by pb (staff) at 3:32 PM on July 3, 2013
The map still gets the markericon ("http://mefi.us/images/mefi/markericon1.png" etc.) errors.
posted by RichardP at 3:35 PM on July 3, 2013
Looks like you'll probably want to special case "stuff.metafilter.com" like mobile and status. It isn't in the cert. Currently it's being rewritten. For example, see the "Infodump" link at the https://faq.metafilter.com/271/privacy-questions URL. It's currently being rewritten from http://stuff.metafilter.com/infodump/ to https://stuff.metafilter.com/infodump/ (which 404's). However, http://stuff.metafilter.com/infodump/ works fine.
posted by RichardP at 3:48 PM on July 3, 2013
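The IMG placeholder idea, the special case for subdomains the certificate doesn't cover, and the console's distinction between content a page "ran" and "displayed", combined in one added example (this is not MetaFilter's code). It upgrades http:// URLs only for hosts in CERT_HOSTS (a constructed subset of the names the certificate covers), leaves HTTP_ONLY_HOSTS as plain http links, records every remaining insecure load as active or passive, and in archived comments swaps hotlinked images for PLACEHOLDER_IMG, a hypothetical local path. The sample HTML is constructed.

```python
"""Audit-and-rewrite pass for an https-everywhere rollout (added example).

Not MetaFilter's code. CERT_HOSTS is a constructed subset of the certificate's
names, HTTP_ONLY_HOSTS are the subdomains the thread says have no https
endpoint, and PLACEHOLDER_IMG is a hypothetical local "not available" image.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

CERT_HOSTS = {"www.metafilter.com", "ask.metafilter.com", "metatalk.metafilter.com",
              "login.metafilter.com", "faq.metafilter.com", "music.metafilter.com"}
HTTP_ONLY_HOSTS = {"status.metafilter.com", "mobile.metafilter.com",
                   "stuff.metafilter.com", "junk.metafilter.com"}
PLACEHOLDER_IMG = "https://www.metafilter.com/images/ssl-placeholder.png"  # hypothetical

# Attribute that names a fetched resource (or, for <a>, a navigation target).
URL_ATTRS = {"script": "src", "iframe": "src", "link": "href", "object": "data",
             "embed": "src", "img": "src", "audio": "src", "video": "src",
             "source": "src", "a": "href"}
# Active mixed content can run code in the page ("ran insecure content" in the
# browser console); everything else is passive ("displayed insecure content").
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


def upgradable(host: str) -> bool:
    """True for hosts that may be sent to https: in the cert and not http-only."""
    return host in CERT_HOSTS and host not in HTTP_ONLY_HOSTS


class MixedContentRewriter(HTMLParser):
    """One pass over the markup: records insecure loads, emits a rewritten copy."""

    def __init__(self, archived: bool = False):
        super().__init__(convert_charrefs=False)   # re-emit entities untouched
        self.archived = archived   # archived comment: hotlinked images get the placeholder
        self.findings = []         # (severity, url) for each http:// resource left in place
        self.out = []

    def _rewrite_url(self, tag: str, value: str) -> str:
        parts = urlsplit(value)
        if parts.scheme != "http":
            return value           # https, protocol-relative or relative: nothing to do
        if upgradable(parts.hostname or ""):
            return urlunsplit(parts._replace(scheme="https"))
        if tag == "a":
            return value           # a link fetches nothing; http-only hosts must stay http
        severity = "active" if tag in ACTIVE_TAGS else "passive"
        self.findings.append((severity, value))
        if self.archived and tag == "img":
            return PLACEHOLDER_IMG  # old comment: local stand-in instead of the hotlink
        return value

    def _render(self, tag, attrs, closer=""):
        url_attr = URL_ATTRS.get(tag)
        pieces = [tag]
        for name, value in attrs:
            if name == url_attr and value is not None:
                value = self._rewrite_url(tag, value)
            pieces.append(name if value is None
                          else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(pieces) + closer + ">"

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, " /"))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def audit_and_rewrite(page_html: str, archived: bool = False):
    """Return (rewritten_html, findings) for one page or comment body."""
    parser = MixedContentRewriter(archived)
    parser.feed(page_html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample: an archived comment with a hotlinked image, a CDN script,
# a link to an http-only subdomain and a link to a host the cert covers.
SAMPLE_ARCHIVED_COMMENT = """<p>Old comment with a hotlinked picture:
<img src="http://static.example.test/63/thumb_t.jpg" alt="thumb">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<a href="http://stuff.metafilter.com/infodump/">Infodump</a>
<a href="http://www.metafilter.com/contribute/customize.cfm">preferences</a>
</p>"""

if __name__ == "__main__":
    rewritten, findings = audit_and_rewrite(SAMPLE_ARCHIVED_COMMENT, archived=True)
    for severity, url in findings:
        print(f"{severity:7s} {url}")
    print(rewritten)
```

Two design choices worth noting. Upgrading is driven by an allow-list of names the certificate actually covers rather than by "anything under metafilter.com minus exceptions", so a subdomain nobody remembered (the thread finds status, mobile, stuff, junk and shop one at a time) fails safe as an http link instead of a certificate error. And `<a href>` targets are never reported as findings, matching pb's position that insecure links are tolerable because the server redirects and no cookie is sent, while the active findings (scripts, frames, stylesheets) are the ones that decide whether the page works at all.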
Lesser used, but current pages that run/display insecure content:
Final Answers ( https://ask.metafilter.com/home/finalanswers )
Social Explorer ( https://www.metafilter.com/contribute/socialexplorer.mefi?sid=1 )
Profile Photos ( https://www.metafilter.com/profilephotos.mefi )
MeFi Mall ( https://www.metafilter.com/mefimall.mefi )
Browser Check ( https://www.metafilter.com/browser_check.mefi )
Read Only Mode ( https://www.metafilter.com/read-only.mefi )
Gift Account ( https://www.metafilter.com/donateusers/gift.cfm )
There very well could be a whole bunch of these, but I only checked a couple of the "obsolete, but still around" pages. Here are two old pages that run/display insecure content:
Scholarship ( https://www.metafilter.com/scholarship.mefi ) -- this references junk.metafilter.com
Fundraiser ( https://www.metafilter.com/dios-rothkofundraiser.mefi )
I'm not sure of the uses of junk.metafilter.com, does it need special handling as well?
posted by RichardP at 4:17 PM on July 3, 2013
Just got this briefly. I had made no changes to my prefs page. Let me know if I should use the contact form instead.
---
Element SSL is undefined in COOKIE.
The error occurred on line 640.
Current Page: http://ask.metafilter.com/
Referring Page: http://www.metafilter.com/activity/173448/favorited/
Date and Time: Wed Jul 03 16:11:15 PDT 2013
Your Browser: Mozilla/5.0 (iPod; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25
Your Location: 76.179.181.137
posted by seemoreglass at 4:18 PM on July 3, 2013
Thanks again RichardP, fixed some of those up. Profile Photos is no longer being updated, so I added a note about that. Some of those old one-off pages like Fundraiser will fall under the "archives" rule. Insecure content from other domains is going to happen.
posted by pb (staff) at 4:32 PM on July 3, 2013
oh, and no, junk isn't a subdomain that we're going to use going forward.
posted by pb (staff) at 4:32 PM on July 3, 2013
And we're now working around the Safari anchor issue by doing those redirects on the client side instead of the server side. It's not pretty, but comments should be targeted correctly now.
posted by pb (staff) at 4:33 PM on July 3, 2013
Interesting. By the way, I can't seem to get mobile mode to work any more. Visiting mobile.metafilter.com and logging in doesn't seem to enable mobile mode, no matter whether I've enabled SSL Everywhere or not.
posted by RichardP at 4:49 PM on July 3, 2013
It should be working now. You might try clearing your cache—you've been loading mobile in various SSL states today, something might be cached wonkily.
posted by pb (staff) at 4:59 PM on July 3, 2013
OK, it's working now. The problem was that the browser was interpreting my bare entry of "mobile.metafilter.com" as a request for "https://mobile.metafilter.com" because it was remembering past visits to the https version. Using an explicit http://mobile.metafilter.com works fine.
posted by RichardP at 5:10 PM on July 3, 2013
Thanks so much for this feature, pb and mathowie, and to everyone who's helped. It must have taken a long time and a lot of effort to get to this point, so congrats!
And a note to anyone using the MetaFilter hedgehog comment pointer and/or the MetaFilter inline video fishy icon Greasemonkey scripts: I've updated both of them, so you can now install the latest versions to have the hedgehog and the fish accompany you on your MeFi travels when "Use SSL everywhere" is enabled.
(I actually updated the scripts earlier but haven't had a chance to post this until now. BTW, if you run into a gateway error at userscripts.org, try reloading again to see if the error goes away.)
posted by rangefinder 1.4 at 9:02 PM on July 3, 2013
pb, using Windows7/IE (10.0.6), I was unable to restore a removed MetaFilter post to Recent Activity. I was able to restore the post to Recent Activity by temporarily disabling 'Use SSL everywhere'.
posted by de at 3:31 AM on July 4, 2013
I waited and switched over about 10 hours ago. Except for one 1000 comment thread loading a tad slow, no issues as yet.
One question though - an ignoramus n00bie one - what is the difference between this and having always used HTTPS everywhere on one's browser?
/yes yes no need to shout, it's me again from the crypts
posted by hugbucket at 5:42 AM on July 5, 2013
The HTTPS Everywhere browser add-on isn't able to do anything about sites that don't support https. Its function is to ensure that https is used where the option exists, not to make it available where it doesn't exist, which would have included MeFi prior to this change.
posted by Rhomboid at 6:08 AM on July 5, 2013 [1 favorite]
Links to shop.metafilter.com lead to the scary "Untrusted Connection" warning:
shop.metafilter.com uses an invalid security certificate.
The certificate is only valid for the following names:
api.fuelly.com , api.metafilter.com , ask.metafilter.com , bestof.metafilter.com , faq.metafilter.com , irl.metafilter.com , jobs.metafilter.com , login.metafilter.com , m.fuelly.com , metatalk.metafilter.com , music.metafilter.com , podcast.metafilter.com , projects.metafilter.com , www.fuelly.com , www.metafilter.com
(Error code: ssl_error_bad_cert_domain)
posted by grouse at 10:16 AM on July 8, 2013
Thanks, that's another domain for the exception list. Do you remember where you saw the link? We don't use that domain anymore and I don't think we link to shop.metafilter.com in the header or footer anymore.
posted by pb (staff) at 10:21 AM on July 8, 2013
Minor nit: SSL is the outdated term ...
We just updated the Preferences page so it says, "Use secure browsing?" instead of referencing SSL.
posted by pb (staff) at 10:39 AM on July 9, 2013 [1 favorite]
ten.metafilter.com is also Untrusted. Linked from a comment by elizardbits in MetaTalk.
posted by grouse at 10:15 PM on July 9, 2013
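The two "Untrusted" reports above (shop.metafilter.com and ten.metafilter.com) are both the same failure: the certificate's Subject Alternative Name list does not cover the hostname. The following is an added example, not MetaFilter's code, that applies the browser's hostname-matching rule to the SAN list quoted in the error above; the linked-subdomain list it checks is constructed from the thread.

```python
"""Check which hostnames a certificate covers, using the SAN list quoted in
the ssl_error_bad_cert_domain error earlier in this thread.
Added example; not MetaFilter's own code."""

# Copied from the browser error quoted above.
SAN_LIST = [
    "api.fuelly.com", "api.metafilter.com", "ask.metafilter.com",
    "bestof.metafilter.com", "faq.metafilter.com", "irl.metafilter.com",
    "jobs.metafilter.com", "login.metafilter.com", "m.fuelly.com",
    "metatalk.metafilter.com", "music.metafilter.com",
    "podcast.metafilter.com", "projects.metafilter.com",
    "www.fuelly.com", "www.metafilter.com",
]


def name_matches(hostname: str, san: str) -> bool:
    """Browser-style matching (RFC 6125 section 6.4.3): case-insensitive
    exact match, or a wildcard that is the entire leftmost label and stands
    for exactly one label. So '*.metafilter.com' would cover
    shop.metafilter.com but neither metafilter.com nor a.b.metafilter.com."""
    host = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if host == san:
        return True
    if not san.startswith("*."):
        return False
    host_labels = host.split(".")
    san_labels = san.split(".")
    return (len(host_labels) == len(san_labels)
            and host_labels[0] != ""
            and host_labels[1:] == san_labels[1:])


def cert_covers(hostname: str, sans=SAN_LIST) -> bool:
    """True if any SAN entry matches the hostname."""
    return any(name_matches(hostname, san) for san in sans)


def uncovered(hostnames, sans=SAN_LIST) -> list:
    """Hostnames that would show the 'Untrusted Connection' warning over
    https: candidates for the certificate or for pb's exception list."""
    return [h for h in hostnames if not cert_covers(h, sans)]


if __name__ == "__main__":
    # Constructed sample: subdomains the thread reports being linked to.
    linked = ["www.metafilter.com", "shop.metafilter.com",
              "ten.metafilter.com", "mobile.metafilter.com"]
    print("not covered by the cert:", uncovered(linked))
```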
Is there any leaking of user tokens via cat-scan.com? I notice there is a USER_TOKEN cookie set and it is unsecure HTTP. No USER_KEY though.
posted by grouse at 12:18 PM on July 14, 2013
There could be some issues there leftover from when we had people posting new material to cat-scan for the anniversary a few years ago. I'll double check that this week and disable any cross-cookie stuff happening there.
posted by pb (staff) at 8:39 PM on July 14, 2013
We still have many non-secure page redirects happening. So if you click on an internal MetaFilter link such as a username, it might be an insecure request that is then routed to the secure version of the page. That means your MetaFilter cookies could be intercepted on a public network. We're working on changing these links across the site.
What about when someone includes a link in a comment, or is linked to MetaFilter from elsewhere?
Would you consider using Secure cookies instead?
posted by grouse at 10:04 AM on July 2, 2013 [1 favorite]
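The leak described in the quoted paragraph (an http:// link that is only redirected to https:// after the browser has already sent the request) and grouse's Secure-cookie suggestion can be modelled directly. This is an added example, not MetaFilter's code; the cookie name USER_TOKEN comes from the thread, its value and the URLs are constructed.

```python
"""Model which cookies reach the network in cleartext when a user follows an
http:// link that the server then redirects to https://.
Added example; not MetaFilter's own code."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into its name, value and the two flags
    that matter here."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),      # Secure attribute present
        "httponly": bool(morsel["httponly"]),  # HttpOnly attribute present
    }


def cookies_sent(cookies, url: str) -> list:
    """Names of cookies a browser attaches to a request for `url`.
    RFC 6265 section 5.4: a cookie marked Secure is only sent over https."""
    scheme = urlsplit(url).scheme
    return [c["name"] for c in cookies if scheme == "https" or not c["secure"]]


def redirect_leak(set_cookie_headers, http_link: str) -> list:
    """Cookies exposed on the wire when the user clicks `http_link`.
    The 301/302 to https:// arrives only after the plaintext request has
    been sent, so anything attached to that request is already exposed."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return cookies_sent(cookies, http_link)


if __name__ == "__main__":
    # Constructed placeholder value; a real token would be opaque.
    link = "http://www.metafilter.com/user/12345"
    plain = ["USER_TOKEN=constructed-token-value; Path=/; HttpOnly"]
    secure = ["USER_TOKEN=constructed-token-value; Path=/; Secure; HttpOnly"]
    print("without Secure, leaked on the http hop:", redirect_leak(plain, link))
    print("with Secure, leaked on the http hop:   ", redirect_leak(secure, link))
```

The trade-off the thread hints at: a Secure cookie is never sent to the http:// side, so a site that still serves some pages over plain http has to finish moving those redirects and pages to https before switching the flag on.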