Textpattern CMS support forum
http vs. https
Was just looking at this FAQ for releases 4.0.5:[1]
Why do all my links point to “https” instead of “http” with IIS?
Answer:
It’s a bug in the auto-detection of whether SSL is used on the connection or not. You can however override the auto-detection code by always forcing the type of protocol (ssl or not) that you prefer. This is done by adding the following line to config.php:
define('PROTOCOL', 'http://');
Similarly if you wanted to force textpattern to generate ssl-urls, you could replace http with https in the above line.
What got my attention was the last part, about generating “ssl-urls” by doing this:
define('PROTOCOL', 'https://');
The “https” thing has been on my mind a while now because there seems to be a mass move that direction by the web in general.
So my naive question is, does doing that little line addition in config.php really provide valid “https” protocols, or is that just a superficial fake/lie?
[1] I’m not linking to the FAQ, because FAQs are being audited and redirected (i.e., FAQ dismantling).
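The FAQ quoted in the post above blames the wrong links on auto-detection of SSL under IIS. The following is an added example, not Textpattern's code and not part of the original post: PHP documents that under IIS with ISAPI `$_SERVER['HTTPS']` is the string `off` on plain-HTTP requests, so a detector that treats any non-empty value as HTTPS gets it wrong there (whether that is the cause of the 4.0.5 bug is not stated on this page). `detect_protocol()` and `$trustProxy` are hypothetical names and the sample arrays are constructed.

```php
<?php
// Added example, not Textpattern code. Decides the URL scheme from a
// $_SERVER-style array; detect_protocol() and $trustProxy are hypothetical.

function detect_protocol(array $server, bool $trustProxy = false): string
{
    // PHP sets HTTPS to a non-empty value on TLS requests, but IIS with
    // ISAPI sets it to the string "off" on plain HTTP. A bare
    // !empty($server['HTTPS']) test therefore reports HTTPS for every
    // request on such a server.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return 'https://';
    }

    // Behind a TLS-terminating proxy the backend only sees plain HTTP.
    // Honour X-Forwarded-Proto only when the proxy is known to set it,
    // because a client can send this header itself.
    if ($trustProxy) {
        $forwarded = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
        if ($forwarded === 'https') {
            return 'https://';
        }
    }

    return 'http://';
}

// Constructed sample inputs, one per case worth checking.
$samples = [
    'IIS, plain HTTP'         => ['HTTPS' => 'off'],
    'Apache, TLS'             => ['HTTPS' => 'on'],
    'no HTTPS key'            => [],
    'proxy header, untrusted' => ['HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    printf("%-26s %s\n", $label, detect_protocol($server));
}

// The FAQ's override in config.php bypasses detection altogether:
// define('PROTOCOL', 'https://');
```

Only the "Apache, TLS" sample yields `https://`; the forwarded header is ignored unless `$trustProxy` is passed as true.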
Re: http vs. https
Destry wrote #294587:
does doing that little line addition in config.php really provide valid “https” protocols, or is that just a superficial fake/lie?
It does indeed, but does it site wide and affects the cacheability of resources. And of course, it’s down to you to obtain valid certificates.
Some people would like more fine-grained control over that, but I don’t exactly know how to go about it for the best so it’s still on the to-do list (Edit: ahem, hopefully someone else’s list!)
Last edited by Bloke (2015-09-09 23:04:05)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
#3 2015-09-09 23:53:22
- GugUser
- Member
- From: Quito (Ecuador)
- Registered: 2007-12-16
- Posts: 1,473
Re: http vs. https
Although it is a little outside of the theme, here is an additional observation: In the visitor logs the referrers with https are listed falsely as http://https://www.google.ch/
and are clickable, but the page cannot be found, logically.
Last edited by GugUser (2015-09-09 23:54:35)
Re: http vs. https
Bloke wrote #294589:
it’s down to you to obtain valid certificates.
I’m still a bit clueless about what’s required and what isn’t, but does this offer anything useful with regard to certificates?
Re: http vs. https
Hi Destry, the Let’s Encrypt service looks interesting but not yet open I think? For now, if you want an SSL certificate you’ll need to either get one from your registrar (some, like Gandi, offer a free 1 year SSL certificate) or buy one.
Then, you need to install the certificate. How that’s done depends on your web server. I use WebFaction and they need to install the certificate for you, but it’s pretty quick and painless.
Re: http vs. https
Bloke wrote #294589:
It does indeed, but does it site wide and affects the cacheability of resources. And of course, it’s down to you to obtain valid certificates.
Some people would like more fine-grained control over that, but I don’t exactly know how to go about it for the best so it’s still on the to-do list (Edit: ahem, hopefully someone else’s list!)
Before I thought that having granular control was a good thing – for example a shop site might have a secured page but other parts of the site were non-secure. But now, I think secure for the entire site is a good thing and the direction that the web is heading in.
Re: http vs. https
StartSSL offers free certificates.
Re: http vs. https
jstubbs wrote #294615:
Hi Destry, the Let’s Encrypt service looks interesting but not yet open I think?
You’re right. Browser-trusted certificates apparently arriving later this year. Certainly one to watch due to the automated tech they’ve created.
ruud wrote #294619:
StartSSL offers free certificates.
Thanks ruud!
Re: http vs. https
StartSSL…
No charge, unlimited + 100% free
Whew, good thing it’s no charge and 100% free.
But for the first year only, apparently?
Re: http vs. https
GugUser wrote #294590:
Although it is a little outside of the theme, here an additional observation: In the visitor logs the referrers with https are listed falsely as
http://https://www.google.ch/
and are clickable, but the page can not be found, logically.
I understand that bug was identified, fixed, and committed – but it didn’t make it into the 4.5 branch before 4.5.7.
I’ll check for it – back shortly.
I found it – r4681 – it was added to 4.x branch. It was fine-tuned by r5075 and both commits appear to have made it to GitHub intact.
Last edited by gaekwad (2015-09-10 09:24:47)
Re: http vs. https
Destry wrote #294625:
StartSSL…
Whew, good thing it’s no charge and 100% free.
But for the first year only, apparently?
No. You have to get a new one each year, but it’s free. I’ve used them for several years now. Besides, next year “LetsEncrypt” should be operational and perhaps that will simplify matters.
Re: http vs. https
Also, speaking of SSL more generally, standard certificates are really not that expensive in the grand scheme of things. Gandi do a free cert for the first year with a new registration, and then it’s 12EUR a year (1EUR a month, under 0.04EUR a day, etc) if you want to carry on. About 30EUR for three years if you buy upfront.