SSL Enabled — Parallax Forums

SSL Enabled

Hello,

If you would like to view the site more securely, try this:

https://forums.parallax.com/

Please report any issues to the usual suspects.


Comments

  • Heater. Posts: 21,230
    Jim,

    Seems to work. Let me log in from scratch for example.

    I presume you will disable HTTP soon. Having both negates the security of having HTTPS.
  • Works here with normal forums and moderator forums.

    Thanks Jim
  • Heater. wrote: »
    Jim,

    Seems to work. Let me log in from scratch for example.

    I presume you will disable HTTP soon. Having both negates the security of having HTTPS.

    I am glad that HTTPS is working for you. The site will continue to support both HTTP and HTTPS. Those who wish to have a more secure connection are free to use HTTPS. We do not wish to impose the overhead of SSL on those who do not see the need to use it. The choice is left to the individual.
  • Gives the "Only Secure Content Display" message for me on every page. Must still have some non-secure content.
  • Try doing a forced refresh of the page to clear the "Only Secure Content Displayed" message. That seemed to work on the three different browsers I used to test this.
  • Still have the problem after Ctrl+F5 in IE11 on Win 7 64-bit.
  • Heater. Posts: 21,230
    What is this in the page:

    <script src="http://connect.facebook.net/en_US/all.js#xfbml=1" type="text/javascript"></script>

    No security here yet.

    As far as I understand, running HTTPS and HTTP in parallel renders HTTPS pointless. Correct me if I am wrong.
  • Right, and I have that blocked in my hosts file, but still get the secure content warning. Any http on an https page is insecure.
  • Current versions of Chrome and Firefox default to ignoring http resources when processing a page obtained via HTTPS. You still see the warning, but there is no harm in the default configuration. Still, it would be a better thing to do if we corrected the http references that impact page security. I just patched the code to correct where the Facebook js is coming from. Please do let me know if you find any others.
  • Heater. Posts: 21,230
    Jim,

    Tell me again, why is there a Facebook link in the page? Whilst you were patching that you could have removed it.
  • There are still 12 http: references on the home page.
  • The facebook link is included in a plugin in support of the 'Liked' feature. The plugin will work without the Javascript, so the script has to remain.

    A reference to a http resource is handled differently than a link containing an http URL. Most of the remaining http references are embedded in links and do not impact the 'loading resources from http' issue. Ideally, we're trying to get to where the browser no longer reports "Only Secure Content Displayed".
  • Heater. Posts: 21,230
    edited 2015-08-20 00:01
    We have a "liked" feature here?

    Is my Chrome broken?

    I don't see any warnings here. Only a nice safe looking green padlock.

    Which is odd because the page has an insecure script tag to http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js

    Edit:

    Ah, I found the error popping up in the browser console: "This request has been blocked; the content must be served over HTTPS"

    Thanks for reminding me to block "secure.gravatar.com".
  • Yeah, that Google script was in my sights. It was "one of the few remaining". I will also check the Gravatar links to ensure they are secure as well. This looks like progress. Thanks for your help.
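
The thread distinguishes http resources that the browser fetches while rendering an HTTPS page from links that merely contain an http URL. The following is an added example, not part of the original thread or the forum software, that audits a page along that line. The `forums.example` URLs, the `audit` helper and the active/passive labels are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches while rendering the page.
# "active" content can script or restyle the page; "passive" is media only.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
# <link href> is fetched only for some rel values (not canonical/alternate).
FETCHING_RELS = {"stylesheet": "active", "preload": "active", "icon": "passive"}


def classify(tag, name, rel):
    """Return 'active', 'passive', 'link' (not fetched on load) or None."""
    for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
        if (tag, name) in pairs:
            return kind
    if (tag, name) == ("link", "href"):
        kinds = [FETCHING_RELS[r] for r in rel.split() if r in FETCHING_RELS]
        return kinds[0] if kinds else "link"
    return "link" if (tag, name) in {("a", "href"), ("area", "href")} else None


class MixedContentAudit(HTMLParser):
    """Collect http:// URLs, split into fetched resources and plain links."""

    def __init__(self):
        super().__init__()
        self.findings = {"active": [], "passive": [], "link": []}

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        for name, value in attrs.items():
            if value.lower().startswith("http://"):
                kind = classify(tag, name, attrs.get("rel", "").lower())
                if kind:
                    self.findings[kind].append((tag, value))


def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample; the two script URLs are the ones quoted in the thread.
SAMPLE = """<link rel="canonical" href="http://forums.example/discussion/1">
<link rel="stylesheet" href="http://forums.example/style.css">
<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<img src="http://forums.example/avatar.png"><img src="https://secure.gravatar.com/avatar/0">
<a href="http://forums.example/profile/1">profile</a>"""
```

Calling `audit(SAMPLE)` puts the stylesheet and both scripts under `active`, the avatar image under `passive`, and the canonical and profile URLs under `link`; only the first two groups contribute to a mixed-content warning.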