Meteor.JS Issue, All Meteor Apps Should Use HTTPS


Almog Koren

Mar 23, 2014, 3:11:06 PM
to meteo...@googlegroups.com
Well, this isn't really a Meteor.JS issue, nor is Meteor at fault. But there is a known issue with HTML5 web sockets, proxy servers and firewalls. I wrote a blog post covering this issue: http://blog.almogdesign.net/

Big thanks to Gadi Cohen and Zoltan Olah from Percolate Studio for helping me figure this out.

If I missed anything please let me know. 

Thanks,
Almog

Gadi Cohen

Mar 23, 2014, 3:51:33 PM
to meteo...@googlegroups.com
Hey, that was quick :)

I think the subject might warrant more debate before suggesting all Meteor sites force SSL on their users.
Meteor aside, I'm definitely pro everyone and everything going SSL, but for other reasons.
Also, should developing a Meteor app mandate the developer to buy SSL certificates for their domain, more expensive hosting, etc?

I'd be very interested to know how widespread the problem is.
I think rather than the world catering to BezeqInt, BezeqInt should sort out their proxy, or even better, stop filtering their users' traffic without consent (but ok fine, that's a different issue).

I think we need to further research the issue, establish exactly how this transparent proxy is affecting the connection, and the ideal in my mind, should it prove possible, is to be able to detect this particular issue, and fall back to the sockjs emulation (like we do when unable to establish a wss connection, except now, we need to detect buggy ones).

Interested to hear other opinions.

And thanks for the mention :)

Almog Koren

Mar 23, 2014, 4:01:02 PM
to meteo...@googlegroups.com
Hey,
Agree the subject warrants more debate, really open to this. I wanted to bring this issue out. Will not be surprised if there is a different way to solve this.

But right now the quick and easy fix is using SSL. Yes, buying SSL certificates for a domain is more expensive, hosting might be different, and it makes everything complicated, which is a downside considering how easy it is to get started with Meteor.

However, you can't ignore markets. I'm pretty sure a number of ISPs do this, not just BezeqInt, and there is no way we can change how ISPs work; I think we can all agree on that. But beyond ISPs you have companies running their connections through proxies and firewalls, you have extensions like ad blockers and so forth.

So for now I do think if you're developing a production Meteor app you should consider using SSL.



Almog Design
www.almogdesign.net

Almog Koren
Mobile: +972 54 663 3308  |  LinkedIn: almogdesign  |  Twitter: @almogdesign
Email: al...@almogdesign.net 


Arunoda Susiripala

Mar 23, 2014, 8:50:31 PM
to meteo...@googlegroups.com
I think using SSL is a must. Not only for this reason.

But setting it up is a pain, especially if you are on your own.

So, you might try Cloudflare since it's just a click away for SSL. But you have to turn off web sockets.

Aaron Judd

Mar 23, 2014, 10:03:00 PM
to meteo...@googlegroups.com
I'm all for SSL on every site. I don't think expense should matter much, you could always use self generated certs or cheap ones for a few bucks. Having a pain free way to install at meteor deploy (that worked across the board) would be the magic piece in my book. 

Gadi Cohen

Mar 24, 2014, 12:34:57 AM
to meteo...@googlegroups.com
Yeah, look, like I said, I'm also for SSL on every site, I just don't like the idea of "Want to write a Meteor app?  Better make sure it's SSL-only or don't bother".

Btw, if you host your app on meteor.com - on the meteor.com domain - SSL is in fact all set up for you (using Meteor's certificate).  And if you 'meteor add force-ssl', your users will be automatically forced to SSL on initial connect.  If you're hosting with a custom domain, you're out of luck (if you want a valid certificate; for the same reason I don't think self-generated certs are an acceptable option).

Shawn Lim

Mar 26, 2014, 3:15:37 AM
to meteo...@googlegroups.com
I wished there was an easy package to set up ssl. 

AJ ONeal

Mar 3, 2015, 7:58:59 PM
to meteo...@googlegroups.com
On Wednesday, March 26, 2014 at 1:15:37 AM UTC-6, Shawn Lim wrote:
> I wished there was an easy package to set up ssl.
