Redirect HTTP to HTTPS and fix cert for subdomains #42
Comments
If redirected, HSTS should be used.
But it wasn't enabled. It doesn't work now, and the last comment there was «I don't think we're going to do this any time soon».
In principle I believe you should use HSTS for privacy's sake… even if the pronoun page and referrer URL are probably not extremely sensitive.
HTTPS is enabled: https://pronoun.is But it's not enforced via a redirect.
@konklone Ah, thanks for the correction: https://pronoun.is indeed works, https://my.pronoun.is and https://www.pronoun.is have invalid cert, I was looking at one of those.
Let's get the ball rolling on this. Let's Encrypt should make this a non-issue.
I just came upon this wonderful project, but I'm sad to see that https://my.pronoun.is gives a privacy error because of an invalid certificate. Is there anything I or someone else can do to get this ball rolling?
I tried to open the site today and received a bold warning from Bitdefender that due to the certificate being a mismatch, it was potentially a dangerous website, and then I had to click through a popup saying I knew I was taking a risk. I looked at the certificate and it seems to be issued for "*.herokuapp.com", and that mismatch is what is causing the issue. I recommend using Let's Encrypt, or perhaps even Cloudflare as they give you a free cert with no hassle to upkeep.
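The mismatch warning described above comes from the browser's hostname check: a certificate whose only DNS names are `*.herokuapp.com` cannot cover `my.pronoun.is`. The following is an added example, not code from the pronoun.is project, implementing the matching rules browsers apply (RFC 6125 section 6.4.3, simplified) so the failure can be reproduced offline, plus a live check that fetches a server's certificate and reports which names it covers. The SAN lists and hostnames in the `__main__` block are constructed for illustration.

```python
"""Why a certificate issued for *.herokuapp.com trips a browser warning on my.pronoun.is.

Added example, not code from the pronoun.is project. A hostname must match a
DNS subjectAltName entry exactly (case-insensitively); a wildcard is honoured
only as the entire leftmost label and matches exactly one label.
"""
import socket
import ssl


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one DNS SAN entry (possibly a wildcard) covers hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label with at least two labels
    # after it ("*.com" is rejected); partial wildcards such as "pro*.is" are
    # not accepted here.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # "*" matches exactly one non-empty label: "*.herokuapp.com" covers
    # "app.herokuapp.com" but neither "herokuapp.com" nor "a.b.herokuapp.com".
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, dns_names) -> bool:
    """True if any DNS SAN entry covers hostname, which is what the browser checks."""
    return any(san_matches(name, hostname) for name in dns_names)


def dns_names_from_cert(cert: dict):
    """Pull the DNS entries out of the dict returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def live_check(hostname: str, port: int = 443, timeout: float = 5.0):
    """Fetch the served certificate and report whether it covers hostname.

    Hostname checking is disabled on the context so a mismatched certificate
    can still be inspected; chain verification stays on (CERT_REQUIRED), which
    is what makes getpeercert() return the parsed dict rather than {}.
    Needs network access; the offline checks do not call it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            names = dns_names_from_cert(tls.getpeercert())
    return {"hostname": hostname, "dns_names": names, "covered": cert_covers(hostname, names)}


if __name__ == "__main__":
    # Constructed SAN list mirroring the mismatch reported in the thread.
    heroku_sans = ["*.herokuapp.com", "herokuapp.com"]
    for host in ("my.pronoun.is", "www.pronoun.is", "example-app.herokuapp.com"):
        print(f"{host:28s} covered={cert_covers(host, heroku_sans)}")
```

The fix the thread converges on is to serve a certificate whose SANs include `pronoun.is`, `my.pronoun.is` and `www.pronoun.is` (or `pronoun.is` plus `*.pronoun.is`); `cert_covers` returns True for those names once such a certificate is in place, and `live_check` can be run against each hostname after deployment to confirm it.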
That's odd, it works fine for me using Cloudflare SSL.
I read #10, and I see HTTPS was enabled, but there was not strong interest in setting up the redirect. However, I strongly encourage you to redirect traffic.
Folks visiting pronoun.is who are trying to be better humans to their fellow humans shouldn't be subject to their ISP selling their browsing behavior or having malware or ads injected into their browsing. Plain HTTP subjects visitors to risk, no matter how "sensitive" the site is perceived to be.
As for cost (which I see was an issue), you can get free certificates from Let's Encrypt -- or, if you're using an Amazon ELB or CloudFront distribution, you can get free certificates through Amazon Certificate Manager. Both of these are new services that didn't exist when #10 was closed.
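The redirect and HSTS behaviour asked for in this thread, as an added example in the form of a WSGI middleware; it is not code from the pronoun.is project (a Clojure app) and assumes an application that sits behind a TLS-terminating proxy such as Heroku's router, which passes the original scheme in `X-Forwarded-Proto`. The `pronoun_app` stand-in, the `run` driver and the environ values are constructed for the offline checks.

```python
"""Redirect plain HTTP to HTTPS and add HSTS on HTTPS responses (WSGI middleware).

Added example, not code from the pronoun.is project. Assumes a proxy in
front of the app that terminates TLS and sets X-Forwarded-Proto.
"""
from urllib.parse import quote

# One year, without includeSubDomains; see the note below the code.
DEFAULT_HSTS = "max-age=31536000"


def request_is_https(environ) -> bool:
    """Recover the client-facing scheme.

    Behind the proxy the app only ever sees plain HTTP, so the forwarded header
    is authoritative there. If the app were reachable directly, a client could
    forge the header, so trust it only where a proxy is known to overwrite it.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    first_hop = forwarded.split(",")[0].strip().lower()  # chained proxies append
    if first_hop:
        return first_hop == "https"
    return environ.get("wsgi.url_scheme", "http") == "https"


def https_location(environ) -> str:
    """Build the https:// URL for the same host, path and query string."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def enforce_https(app, hsts_value: str = DEFAULT_HSTS):
    """Wrap a WSGI app: 301 to HTTPS on plain requests, HSTS on secure ones."""

    def middleware(environ, start_response):
        if not request_is_https(environ):
            start_response("301 Moved Permanently", [
                ("Location", https_location(environ)),
                ("Content-Length", "0"),
            ])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            # Send HSTS only on HTTPS responses: browsers ignore the header on
            # plain HTTP (RFC 6797 section 7.2), so it is pointless there.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", hsts_value))
            return start_response(status, headers, exc_info)

        return app(environ, start_response_with_hsts)

    return middleware


def pronoun_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"they/them/their/theirs/themself\n"]


def run(app, environ):
    """Tiny WSGI driver for the offline checks: returns (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


def base_environ(**overrides):
    """Constructed WSGI environ resembling a request for pronoun.is/they/them."""
    env = {"REQUEST_METHOD": "GET", "SERVER_NAME": "pronoun.is",
           "HTTP_HOST": "pronoun.is", "PATH_INFO": "/they/them",
           "QUERY_STRING": "", "wsgi.url_scheme": "http"}
    env.update(overrides)
    return env


if __name__ == "__main__":
    secured = enforce_https(pronoun_app)
    print(run(secured, base_environ()))
    print(run(secured, base_environ(HTTP_X_FORWARDED_PROTO="https")))
```

Leave `includeSubDomains` off until every subdomain serves a valid certificate: with the `*.herokuapp.com` mismatch on `my.pronoun.is` and `www.pronoun.is` still in place, an HSTS policy on `pronoun.is` that covered subdomains would make browsers refuse those hosts outright rather than offer the click-through. Starting with a short `max-age` and raising it once the redirect and certificates have been verified limits the blast radius of a misconfiguration.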