If you are going to use HTTPS, use it for everything please



This has been brought up repeatedly and answered already. The advertisements and many external links do not load with a secure connection. Subscribers do, however, have the option of using it throughout the site.


What is the purpose of HTTPS on a public site? Anything you type/comment on can be seen by anyone else on a non-secure HTTP connection. If you are worried about your password then use a different unique one for Neowin. And don't conduct any banking or private financial business over Private Messages on the site.

 

Other than that, I just don't get it.... seriously.


What is the purpose of HTTPS on a public site? Anything you type/comment on can be seen by anyone else on a non-secure HTTP connection. If you are worried about your password then use a different unique one for Neowin. And don't conduct any banking or private financial business over Private Messages on the site.

 

Other than that, I just don't get it.... seriously.

 

It doesn't matter.  I am adding it to my site and am using HSTS.  There is a big push for HTTPS everywhere, and HTTP/2 will (mostly) require it.


Exactly, it doesn't. At least not here.

Don't be an idiot. If a user is using an insecure connection or a connection at work, the data the user is sending to/from has a potential to be interfered and interpreted. It's not what is being posted/read that people care about, it's about not being identifiable on a compromised connection. Any web service that houses any personal/private data (Neowin stores email addresses, post history, liked post history and private messages, location/ip address history) should be under HTTPS and that is what the entire internet is moving toward. 
 
To the OP, Neowin is in talks with their advertiser to allow HTTPS everywhere across the site/forums. Neobond has/had a meeting scheduled to discuss this and Steve (Neobond) is in the process to get this implemented. He has said multiple times that security is important to him and Neowin.

This has been brought up repeatedly and answered already. The advertisements and many external links do not load with a secure connection. Subscribers do, however, have the option of using it throughout the site.

Then make them load using secure connection.

 

If an advertiser refuses to provide https, find a new one.

 

Because of this crap, this is what I get when I click quote button:

 

post-460717-0-16239000-1429522588.png

 

A non-functioning editor without any text. I can't type anything there.

 

 

Essentially Neowin is now causing trouble for me for NOT using adblock. :rolleyes:


The prime reason Neowin wants HTTPS is probably higher ranking in Google; not berating MITM attacks on mods/admins in any way. Just my opinion.

 

 

 

Don't be an idiot. If a user is using an insecure connection or a connection at work, the data the user is sending to/from has a potential to be interfered and interpreted. It's not what is being posted/read that people care about, it's about not being identifiable on a compromised connection. Any web service that houses any personal/private data (Neowin stores email addresses, post history, liked post history and private messages, location/ip address history) should be under HTTPS and that is what the entire internet is moving toward. 
 
To the OP, Neowin is in talks with their advertiser to allow HTTPS everywhere across the site/forums. Neobond has/had a meeting scheduled to discuss this and Steve (Neobond) is in the process to get this implemented. He has said multiple times that security is important to him and Neowin.

 

 

That's good to hear but until that is done, https should not be forced/default for users as it breaks the site.


HTTPS is not supported for non-subscribers/staff. If you are experiencing issues trying to use the site over HTTPS rather than plain HTTP (aside from login, where HTTPS is supported for all), then simply switch to HTTP, as that is the only supported way to use the site.


HTTPS is not supported for non-subscribers/staff. If you are experiencing issues trying to use the site over HTTPS rather than plain HTTP (aside from login, where HTTPS is supported for all), then simply switch to HTTP, as that is the only supported way to use the site.

I'm not trying to use HTTPS. I access neowin from RSS feed ( https://www.neowin.net/news/rss/ ) and browse if needed. Somewhere along the path, I'm being moved to HTTPS.

 

Unless HTTPS is working perfectly, one should not be auto moved to HTTPS or auto move back to HTTP when certain pages (like login/change pass) are not being accessed. Visitors should not have to manually edit address bar when they didn't type https to begin with.


I'm not trying to use HTTPS. I access neowin from RSS feed ( https://www.neowin.net/news/rss/ ) and browse if needed. Somewhere along the path, I'm being moved to HTTPS.

 

Unless HTTPS is working perfectly, one should not be auto moved to HTTPS or auto move back to HTTP when certain pages (like login/change pass) are not being accessed. Visitors should not have to manually edit address bar when they didn't type https to begin with.

 

It should move you to https to login, and back again afterwards. It would be helpful if you could tell us which page "along the path" is causing the problem, and then we can look into why you're not being sent back.


It should move you to https to login, and back again afterwards. It would be helpful if you could tell us which page "along the path" is causing the problem, and then we can look into why you're not being sent back.

I'm always logged in; at least I don't remember logging in for a long time now. So that's not the page.

 

I noticed change email/display name pages use https (no, I haven't gone there recently).

 

Some of the new "deals" pages are using https by default.

 

If I notice more, I'll post here.


I'd probably curse the server manager out to find out you're still handling php and mysql connections through IP instead of sockets alongside not using HTTPS. HTTPS is highly important right now with a lot of the crap going on around the world, I'm putting my sites on HTTP soon as well, SPDY and all. Yes HTTPS is good for boosting rankings, but screw that, the bigger your site, the bigger the risk of attacks and I'm sure we've already seen Neowin go through a downed server a couple years ago. If I were the developer of this site, I'd lock it down, through HTML, PHP, CSS, turn all links into inline code and whatnot. Cause security and performance has been irking me a lot.

 

You have no idea how much a lot of WordPress sites ###### me off with all these generic themes that have no respect for speed and learning to use functions only when the actions are called and not every time a visitor comes around. Nowadays, I load inline CSS and JS through PHP instead of the files. And I create conditionals that make only certain styles and scripts load when they're actually needed. Other than that. Nginx/PHP-FPM/MySQL/Redis? We gotta talk.


I'd probably curse the server manager out to find out you're still handling php and mysql connections through IP instead of sockets alongside not using HTTPS. HTTPS is highly important right now with a lot of the crap going on around the world, I'm putting my sites on HTTP soon as well, SPDY and all. Yes HTTPS is good for boosting rankings, but screw that, the bigger your site, the bigger the risk of attacks and I'm sure we've already seen Neowin go through a downed server a couple years ago. If I were the developer of this site, I'd lock it down, through HTML, PHP, CSS, turn all links into inline code and whatnot. Cause security and performance has been irking me a lot.

 

You have no idea how much a lot of WordPress sites ###### me off with all these generic themes that have no respect for speed and learning to use functions only when the actions are called and not every time a visitor comes around. Nowadays, I load inline CSS and JS through PHP instead of the files.

 

I *am* the server manager :p Aside from DDoS, which none of the above can help with, Neowin hasn't suffered a successful attack for almost 10 years, we run a very secure setup. General users browsing using HTTP rather than HTTPS doesn't compromise our security in any way at all.


I *am* the server manager :p Aside from DDoS, which none of the above can help with, Neowin hasn't suffered a successful attack for almost 10 years, we run a very secure setup. General users browsing using HTTP rather than HTTPS doesn't compromise our security in any way at all.

 

I mean, besides Invision doing their job (which reminds me, I wonder when you guys plan to move on to IPS4, it's gorgeous), the forum itself I know is secure, really the only job you guys have to do now is make it look good.  :rofl: But I think generally, we need to support expanding our thoughts and ideals on how servers should be handled on a large scale so that others like us won't have to suffer the turmoil of possible injections and so on. What about users who access Neowin from a coffee shop, there's no guarantee someone's NOT watching them and using a fake version of this site to get their usernames and passwords. Although this is a tech site, so I suppose the majority of the users on here aren't silly haha.

 

Which reminds me, I'm kind of curious personally how you modify the conf of Nginx and the other 2-3 softwares because I've yet to create the perfect server and I'm still trying to make sites load less than 600-300ms. Fast I know, but I'm greedy for more right now.  :laugh:


You should still try to serve ads over HTTPS if the page is requested over HTTPS.
 
I've been using HTTPS Everywhere for ages now, and since Neowin technically supports HTTPS (and even SPDY), it's been pointing my browser towards the HTTPS site for a long time now. (* on the forums only, news is always HTTP)
 
Result: no ads. Everything works, I just don't see any ads. And I'm not using Adblock. The ad script gets blocked since it's HTTP-only, but everything else works fine.
 
I wonder why you're not serving ads as `https://ad5.netshelter.net/` on HTTPS pages, or as `//ad5.netshelter.net/` everywhere. Are netshelter ads incompatible with HTTPS somewhere further down the line? The initial script itself loads fine over HTTPS.


You should still try to serve ads over HTTPS if the page is requested over HTTPS.

 

I've been using HTTPS Everywhere for ages now, and since Neowin technically supports HTTPS (and even SPDY), it's been pointing my browser towards the HTTPS site for a long time now. (* on the forums only, news is always HTTP)

 

Result: no ads. Everything works, I just don't see any ads. And I'm not using Adblock. The ad script gets blocked since it's HTTP-only, but everything else works fine.

 

I wonder why you're not serving ads as `https://ad5.netshelter.net/` on HTTPS pages, or as `//ad5.netshelter.net/` everywhere. Are netshelter ads incompatible with HTTPS somewhere further down the line? The initial script itself loads fine over HTTPS.

 

Isn't netshelter a part of the Google Ad Network? They should be supporting HTTPS.


You should still try to serve ads over HTTPS if the page is requested over HTTPS.

 

We would love to, and if we could, we'd be offering HTTPS site-wide to all users, but as it stands, not all of our advertising partners support HTTPS, so we have to use HTTP only for the majority of users, or we would suffer massively in terms of lost advertising revenue.


We would love to, and if we could, we'd be offering HTTPS site-wide to all users, but as it stands, not all of our advertising partners support HTTPS, so we have to use HTTP only for the majority of users, or we would suffer massively in terms of lost advertising revenue.

I think that should start to change. I would love this site to be HTTPS only.

And also make all lot of CSS and JS inline. And if they're external, make them asynchronous through inline code such as the way Facebook loads their SDK.


I wonder why you're not serving ads as `https://ad5.netshelter.net/` on HTTPS pages, or as `//ad5.netshelter.net/` everywhere. Are netshelter ads incompatible with HTTPS somewhere further down the line? The initial script itself loads fine over HTTPS.

Exactly same thoughts here. Why not just use //. If user is using http, it will work with backdated ad partners. If user is using https and the ad server doesn't support https, browsers are gonna block http anyways.

 

In fact, you should never use https or http in your urls. Everything should be // and force redirect to http or https from webserver where needed.

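The mixed-content behaviour discussed in the posts above (an `http://` ad script blocked on an HTTPS page, and `//` URLs inheriting the page's scheme), as an added example that is not part of the original thread or Neowin's code. The sample HTML, the `ad.js` path and the host `static.example.test` are constructed; only `ad5.netshelter.net` and `www.neowin.net` come from the thread.

```javascript
// Added example: audit which subresources of a page become mixed content.
// Tags whose loads browsers treat as active content and block on HTTPS pages.
const ACTIVE_TAGS = new Set(["script", "iframe", "link"]);

// Constructed sample markup; only the host ad5.netshelter.net is from the thread.
const SAMPLE_HTML = `
<script src="http://ad5.netshelter.net/ad.js"></script>
<script src="//ad5.netshelter.net/ad.js"></script>
<img src="http://static.example.test/logo.png">
<link rel="stylesheet" href="/css/site.css">
`;

// Resolve a reference the way a browser does and classify the load.
function classify(pageUrl, tag, ref) {
  const page = new URL(pageUrl);
  const target = new URL(ref, page); // "//host/path" inherits page.protocol
  if (page.protocol !== "https:" || target.protocol !== "http:") {
    return { resolved: target.href, verdict: "ok" };
  }
  // Active mixed content is blocked; passive (images) is browser-dependent:
  // loaded with a warning or auto-upgraded to https.
  const verdict = ACTIVE_TAGS.has(tag) ? "blocked" : "passive-mixed";
  return { resolved: target.href, verdict };
}

// Regex extraction is a simplification for the sample; use a real HTML
// parser for production audits.
function auditHtml(pageUrl, html) {
  const re = /<(script|iframe|img|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  return [...html.matchAll(re)].map(([, tag, ref]) => ({
    tag: tag.toLowerCase(),
    ref,
    ...classify(pageUrl, tag.toLowerCase(), ref),
  }));
}

for (const scheme of ["http", "https"]) {
  console.log(scheme, auditHtml(`${scheme}://www.neowin.net/`, SAMPLE_HTML));
}
```

A protocol-relative URL only avoids the block if the third-party host actually answers on HTTPS; otherwise the request fails instead of being blocked.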

And also make all lot of CSS and JS inline. And if they're external, make them asynchronous through inline code such as the way Facebook loads their SDK.

Out of interest, why is making CSS inline an advantage? On generated pages, that would just mean sending the same hunk of CSS/JS every time - which would be rather pointless IMO.


This topic is now closed to further replies.