Page 1 of 2

HTTPS is now enabled (it will break some offsite images)

Posted: Sat May 27, 2017 2:22 am
by emk
You have have noticed that the site just changed from http://forum.language-learners.org/ to https://forum.language-learners.org/. This happened as part of another upgrade, and it became effectively irreversible before I realized it. :-/

Here's why HTTPS is a very good thing:

  • More and more often, Internet providers are tampering with websites in transit. They're injecting tracking headers for advertising, and custom JavaScript for various purposes. I feel strongly that the pages we serve should be the pages you receive, and no malicious payloads should be injected.
  • Governments around the world are collecting Internet traffic on a massive scale and (most likely) storing it forever. The systems to analyze this traffic and build profiles about people are rapidly becoming more sophisticated.
  • Browser vendors are starting to make certain new features available only to sites using HTTPS.
  • If you log into the forum from a public wifi using plain HTTP, it only takes a fraction of a second to steal your password.
Unfortunately, this comes at a cost. :-( A page using HTTPS can't embed non-HTTPS images or videos, because doing so would break security, and web browsers generally disallow it. This may break certain kinds of YouTube or images links in logs, including mine. In many cases, this can be fixed by editing the old links to use "https:" instead of "http:".

But the good news here it that (1) this should help fix our Google searches, which have been broken, and (2) as part of this work, I made the necessary changes to allow rdearman and I to bring the Super Challenge bot back online.

EDIT: Check out that SSL security rating:

llo-ssl-a-plus.png
llo-ssl-a-plus.png (74.34 KiB) Viewed 1231 times

Re: HTTPS is now enabled (it will break some offsite images)

Posted: Sat May 27, 2017 11:40 am
by iguanamon
Thanks for your hard work, emk! You were right about youtube videos. All of the ones I had embedded in my log (despite being htpps) are gone. So, it looks like the youtube embedding feature will no longer work. Not that I'm complaining, but I did like the feature and took full advantage of it in my log. Still, the trade-off for having a secure site and restoring google search is worth it.

Is there a way to embed video with https protocol or are we back to just providing links to videos? If the youtube embed feature cannot be made to work, then we should eliminate it from the post menu. There's no point in having an "orphan" feature that nobody can use. I guess I'll have to go back now and change the embedded material to links.

Re: HTTPS is now enabled (it will break some offsite images)

Posted: Sat May 27, 2017 11:56 am
by Serpent
Thanks for pointing that out. It may (should?) be possible to fix that by changing some code. Youtube itself supports https embedding.
I would wait before doing any mass-editing.

Re: HTTPS is now enabled (it will break some offsite images)

Posted: Sat May 27, 2017 12:08 pm
by emk
iguanamon wrote:Is there a way to embed video with https protocol or are we back to just providing links to videos? If the youtube embed feature cannot be made to work, then we should eliminate it from the post menu. There's no point in having an "orphan" feature that nobody can use. I guess I'll have to go back now and change the embedded material to links.

There's almost certainly a way to fix the "youtube" feature in the editor.

Let's see:


Yup! It works here for me. Everybody who used the "youtube" tag should now be OK (at least after the next time the forum page cache clears and regenerates the HTML). As an added plus, we've gotten rid of some sketchy YouTube integration that still tried to use Flash when available.

Here at language-learners.org, we are deeply committed to the embedding of interesting YouTube videos with foreign language content. ;-)

Re: HTTPS is now enabled (it will break some offsite images)

Posted: Sat May 27, 2017 1:41 pm
by Stefan
Did the favicon go missing or is it an older issue?

Re: HTTPS is now enabled (it will break some offsite images)

Posted: Sat May 27, 2017 1:52 pm
by Serpent
This happened during the migration to the new server. We've discussed it in this thread.

Re: HTTPS is now enabled (it will break some offsite images)

Posted: Sat May 27, 2017 3:43 pm
by jeff_lindqvist
emk wrote:Yup! It works here for me.


And for me too! Thanks emk!

Re: HTTPS is now enabled (it will break some offsite images)

Posted: Sat May 27, 2017 4:42 pm
by rdearman
Serpent wrote:This happened during the migration to the new server. We've discussed it in this thread.

I've uploaded the icon to github, hopefully we'll get it installed soon. (It is a sort of lowish priority) :)

Re: HTTPS is now enabled (it will break some offsite images)

Posted: Sat May 27, 2017 6:06 pm
by Serpent
Obviously :D

Re: HTTPS is now enabled (it will break some offsite images)

Posted: Sun May 28, 2017 1:20 am
by Carmody
emk

Thanks so much for your ongoing great work!