
Finally, that secure feeling on UHub

Took me way too long, but I've finally managed to get SSL working on the ol' site (the problem, for people who care, will follow).

The home page now has that nice little lock that lets you know the site's secure, as do pages such as login, registration and commenting. You may still run across pages with broken-lock icons, but that's because I've been hard coding links that start with http:// since I was knee-high to a grasshopper. One good MySQL command'll fix that, but, to be honest, Sunday night isn't the best time to do that for somebody whose grasp of SQL commands is shaky, even if I did just back up the whole database.

As for why it took me so long, when I got an SSL certificate a few months back, I could never get it to work, no matter how much fiddling I did with .htaccess. Sometimes, I'd wind up with some weird "too many redirects" error. A lot of the times, nothing at all would happen.

And yet, the other sites I host on the same platform worked fine as soon as I turned on their certificates. The problem, it turned out, is that I'm using CloudFlare for image caching (and secondarily for protection against various Bad Things). The fault wasn't CloudFlare's, though - it was mine, because I never flipped the switch to let them know I now had an SSL certificate on the server. Once I did that, whammo, SSL started working within a couple hours.



You lost me. I'm sure you did a fine job. Whatever it was.

Voting closed 44

When you buy something on Amazon, the communications between your computer and Amazon are encrypted so that, theoretically, your credit-card info (and details of what you're buying) can't be sniffed out by somebody else who's managed to intercept your info.

That's what the little lock icon means - the encryption is turned on.

It's obviously not as critical on a site like this - I don't take anybody's credit-card info or ask for anything confidential (if you click on the Support Now link on the right, you get transferred to PayPal). It does protect your password if you connect from, say, a coffeehouse or library, and then log into the site, but most folks don't even log in.

There is a selfish reason for me to finally get it working, though: Google has begun to reduce the search-results rankings of sites that don't use this encryption. The lower UHub pages rank in Google search results, the fewer people click to UHub from Google. Even though I try not to rely too heavily on Google search queries, every little bit helps, since most of the revenue I make from ads is based on how many times they're posted.

Voting closed 5

"It does protect your password if you connect from, say, a coffeehouse or library, and then log into the site..."

Adam, up to this point I've used uHub as a demo in my 'security on the web' lecture each semester, showing how easy it is to capture username / password details from non-SSL sites on public networks (fire up a packet sniffer like PacketPeeper and log on, then show the plaintext user / pass in the captured data). I'll have to find another demo site :^)

I used uHub in my demo mainly because I want to promote the site to my students, and since it isn't really an attack against the server.

BTW, dear readers, this applies to ANY web site you visit: if it isn't HTTPS (little lock icon in the URL bar), then you are sending information back and forth in perfectly readable form across the internet. Anyone who cares to can intercept and read everything (especially your ISP).

Voting closed 35

You can still bring up UHub, in the before section: "This is how you do Web security. And this [here you fire up site X] is how you don't." :-).

Voting closed 6

It's a Dorchester thing. :)

Voting closed 15

So this is one step closer to being verified on Twitter then?

Voting closed 24

I tried. Twitter doesn't seem to like me as much as I like it.

At least Facebook verified me (well, my alter-ego, universalhub).

Voting closed 16

You host other sites? When do you sleep??

Voting closed 2

There are a couple of sites I own that, well, er, um, I haven't updated in forever (so people looking for the definitive Web site about Gaffins will have to wait a bit longer). And there are some sites that I set up and maintain for other folks (like the definitive news site for Dorchester), who do all the actual article writing and posting.

Voting closed 22

I believe that the major browser vendors have announced that they will be treating http links as "insecure" in the somewhat near future.

Eventually anyone serving up plain old in the clear http will get a "Are you sure you want to do that" dialog.

Ever try using Let's Encrypt for certs? They're free and do wildcard certs now but you do have to set up something automated to renew every 30 days. Great solution unless you want extended validation.

Also, you have a "Mixed content blocking in Firefox" issue going on. Maybe that's the cloudflare thing...

Arrghhhh, this stuff drives me nuts.

Voting closed 2

Hmm, interesting. The certificate is based on my server, but there's no "organization" listed at Cloudflare. Now to see how to remedy that. Looks like the traffic's still being encrypted, though.

My host (pair.com) actually offers Let's Encrypt certs and takes care of the updating - which I discovered after I had already paid for and had them install a certificate here (but, eh, only $40 for 5 years). I'm using that on other sites I host with them and so far so good.

Voting closed 8

OK, disregard what I said about the organization name - I clearly didn't know what I was talking about. The issue was a couple of hard-coded links on pages to http:// pages that I somehow missed last night. Fixed those, got a clean reading, but now there's something insecure on pages again. Now to find those.

Voting closed 7

As I'm sure you are no doubt aware, you have more than a few loyal readers of this site that are literally paid to do this stuff every day. So basically if you ever find yourself in a bind, please do not hesitate to reach out. :-)

Voting closed 19

You might consider setting the Strict-Transport-Security response header (with a short max-age, maybe 15 minutes at first), so that browsers will automatically make the protocol upgrade even before asking your site. Once you've had a good burn-in period you can increase it to a day, then a week, etc. Usually people leave it at a year or so.

You can also set Content-Security-Policy: upgrade-insecure-requests to ensure that http:// image references are auto-upgraded to https:// as a stopgap until you clean up the DB.

[Edit: Also, thank you! Really glad to see another news site moving to HTTPS.]

Voting closed 8
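Putting the two headers from the comment above together with a redirect rule that does not loop behind Cloudflare (the "too many redirects" problem the post describes), here is an Apache 2.4 .htaccess fragment. It is an added example written for this page, not the site's actual .htaccess and not from the commenter, pair.com or Cloudflare. It assumes Apache 2.4.10 or later with mod_rewrite and mod_headers enabled, a proxy in front of the origin that may fetch it over plain http, and uses www.example.com as a placeholder hostname.

```apache
# Added example (not the post's own configuration). Assumes Apache 2.4.10+,
# mod_rewrite and mod_headers, and a TLS-terminating proxy (Cloudflare) in front
# of the origin. "www.example.com" is a placeholder for the real hostname.

RewriteEngine On

# 1. Force HTTPS without a redirect loop. If the proxy terminates TLS and fetches
#    the origin over plain http, %{HTTPS} is "off" on every request, so a rule
#    that checks only %{HTTPS} redirects forever ("too many redirects").
#    Also honor the X-Forwarded-Proto header the proxy sets. Trust that header
#    only when the origin accepts connections solely from the proxy; otherwise
#    any client can send it and skip the redirect.
#    A literal hostname (not %{HTTP_HOST}) keeps this from becoming an open
#    redirect driven by an attacker-supplied Host header.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

<IfModule mod_headers.c>
    # 2. HSTS with a short max-age (900 s = 15 minutes) during burn-in. A browser
    #    that has seen this header refuses plain http to the host until it expires,
    #    so a long max-age on a half-working setup locks visitors out. Raise it to
    #    86400 (a day), 604800 (a week), then 31536000 (a year) as confidence grows.
    #    Append "; includeSubDomains" only once every subdomain serves HTTPS.
    #    Send it only on HTTPS responses: browsers ignore HSTS over http, and the
    #    condition also keeps it off the proxy's plain-http origin fetches.
    Header always set Strict-Transport-Security "max-age=900" "expr=%{HTTPS} == 'on' || %{HTTP:X-Forwarded-Proto} == 'https'"

    # 3. Stopgap for hard-coded http:// image links until the database is cleaned
    #    up: the browser rewrites http:// subresource URLs to https:// before
    #    fetching them, so they no longer trip the mixed-content warning.
    #    Caveat: a third-party image host with no HTTPS will now fail to load
    #    instead of loading insecurely, and links on pages this server does not
    #    serve are unaffected.
    Header always set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>
```

To check the result without a browser, request the home page over https and confirm both headers appear, then request it over http and confirm a single 301 to the https URL rather than a chain. If the origin is reachable directly (not only through the proxy), the X-Forwarded-Proto check in step 1 should be dropped or restricted to the proxy's address ranges, since it is otherwise a client-controlled bypass of the redirect.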