HTTPS Everywhere - let's "ban" HTTP


David Veksler

Mar 21, 2012, 11:55:26 PM
to Mises.org Development
https://www.eff.org/https-everywhere/ 

This is really cool (and important).  Let's "ban" the http:// scheme from Mises.org.  Instead I will use either Request.Url.Scheme or href="// URLs.

Who wants to help?


---
Regards, 
David Veksler

David Veksler

Mar 22, 2012, 12:25:41 AM
to Mises.org Development
As promised:


Things that don't work with SSL:

  • Google Books preview
  • Reddit +1 button

---
Regards, 
David Veksler


Briggs Armstrong

Mar 22, 2012, 12:24:06 PM
to mise...@googlegroups.com
Works fine in Firefox but in Chrome...
[Inline image 1]

jcfo...@pureperfect.com

Mar 22, 2012, 1:09:38 PM
to mise...@googlegroups.com


Are you not concerned with the performance implications of doing this?

David Veksler

Mar 22, 2012, 1:11:15 PM
to mise...@googlegroups.com, mise...@googlegroups.com
What are those exactly?


jcfo...@pureperfect.com

Mar 22, 2012, 2:04:14 PM
to mise...@googlegroups.com

Increased request latencies, increased heap footprint and increased CPU usage. I suspect it will probably be a bigger problem for people who use mobile.

Ideally, converting from http vs https should be transparent. There isn't any reason that I can think of to hard code a scheme in the urls on any site, except for explicitly switching between http and https for cases such as authentication.

Any other time, you can just use a relative url and the browser will pick up and use the preexisting scheme regardless of whether it is http or https. A single link which says "encrypt all traffic in https" and then redirects to https://mises.org or https://whateverpageiamon should make this possible.

So as long as you don't enforce either in any of your urls, you should be fine. Just put an encrypt all traffic button or something similar that redirects to the current page using https instead of http. Of course, if you have existing urls that specify specifically http, those will have to be removed to only specify a host and a document and not a scheme, but they shouldn't have been there in the first place. There's no point in writing http://mises.org/daily when /daily works better.

David Veksler

Mar 23, 2012, 5:27:51 AM
to mise...@googlegroups.com
Yes, that is what I am doing.

---
Regards,
David Veksler

David Veksler

Mar 26, 2012, 2:17:40 AM
to mise...@googlegroups.com
Success!

I just figured out a fool-proof way to detect the non-SSL resources.  Inspect the page, go to network, "Copy all as HAR", paste into notepad, and search for http://



[Inline image 1]

---
Regards,
David Veksler
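
The HAR check from the last message, as an added example that is not part of the original thread: it parses the export and reports only entries whose request URL uses http://, listing scripts, stylesheets and HTML (active mixed content) first. The function name, the MIME-type grouping and the sample HAR with its example.org hosts are constructed for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

# MIME substrings for content a browser treats as active (it can rewrite the page).
ACTIVE_MIME = ("javascript", "ecmascript", "css", "html", "x-shockwave-flash")


def insecure_requests(har):
    """Return one finding per HAR entry that was requested over plain HTTP."""
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # https://, data:, blob: and so on are not mixed content
        mime = entry.get("response", {}).get("content", {}).get("mimeType", "")
        kind = "active" if any(t in mime.lower() for t in ACTIVE_MIME) else "passive"
        findings.append({"url": url, "host": parts.hostname, "kind": kind})
    # Active mixed content sorts first: it is what browsers block outright.
    return sorted(findings, key=lambda f: (f["kind"] != "active", f["url"]))


# Constructed sample shaped like a HAR 1.2 export of one HTTPS page load.
# The Referer header holds an http:// string that is not itself a request,
# so a plain text search would match it but the parser does not report it.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"url": "https://example.org/daily",
                 "headers": [{"name": "Referer", "value": "http://example.org/old"}]},
     "response": {"content": {"mimeType": "text/html"}}},
    {"request": {"url": "http://img.example.net/cover.png", "headers": []},
     "response": {"content": {"mimeType": "image/png"}}},
    {"request": {"url": "http://cdn.example.net/widget.js", "headers": []},
     "response": {"content": {"mimeType": "application/javascript"}}},
    {"request": {"url": "https://example.org/site.css", "headers": []},
     "response": {"content": {"mimeType": "text/css"}}},
]}}

if __name__ == "__main__":
    # With a path argument, read a saved HAR file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            har = json.load(fh)
    else:
        har = SAMPLE_HAR
    for f in insecure_requests(har):
        print(f"{f['kind']:8}{f['host']:20}{f['url']}")
```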