Transition Technology: Ticket #920: SSL weirdness?

attachment set

sam — Thu, 14 Jul 2016 20:22:10 GMT

attachment set to Screen Shot 2016-07-14 at 20.08.05.png

status changed; resolution set

sam — Thu, 14 Jul 2016 23:10:13 GMT

status changed from new to closed
resolution set to fixed

hours, totalhours changed

chris — Fri, 15 Jul 2016 09:38:11 GMT

hours changed from 0.0 to 0.25
totalhours changed from 0.0 to 0.25

Sorry I wasn't able to look at this last night, there are 3 things that, I would suggest, should be addressed:

For people who didn't visit the site when it had a HSTS header can now login using an unencrypted connection, thus sending their password in the clear, this is the first time that has been allowed since the Drupal site was set up. There should be a Redirect in place here: http://transitionnetwork.org/user/login (if you follow this link and get the HTTPS page it is because HSTS is causing your client to only request the encrypted version of the page, try with a new web browser and you can login using a unencrypted connection.)

The intermediate certs are not sent by the server, see https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org and https://wiki.gandi.net/en/ssl/intermediate

The HTTPS version of the site is no longer sending a HSTS header, the Header directive needed is documented here https://docs.webarch.net/wiki/HTAccess#Enforcing_HTTPS

attachment set

chris — Fri, 15 Jul 2016 09:57:20 GMT

attachment set to mixed-content.png

hours, totalhours changed

chris — Fri, 15 Jul 2016 09:58:29 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.25 to 0.35

People are going to be getting even more mixed content warnings than before, when the site was on PuffinServer there was an issue, which was never resolved with the slide show on the front page, see ticket:680, but now are additional images embedded in the HTTPS front page via HTTP, eg http://www.transitionnetwork.org/sites/default/files/imagecache/featured_image_thumb/sites/www.transitionnetwork.org/files/romaniafood.jpg

Content loaded from the dev site, on the live front page, is not available via HTTPS, eg this image http://dev.transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg can't be accessed at https://dev.transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg

paul — Fri, 15 Jul 2016 11:10:08 GMT

Thanks for the feedback Chris. I'll go through these now.

Fixed.

paul — Fri, 15 Jul 2016 11:40:04 GMT

@Sam

1 The website now has the canonical URL https://transitionnetwork.org

2 and 3. Would you like me to explore 2 and 3? This looks to be something that would be better managed by Chris?

4 This looks to be a problem with the slideshow module. The image is requested over HTTPS but is delivered over HTTPS. Let me know if this needs to be investigated further.

https://transitionnetwork.org/admin/content/node-type/slide/fields/field_slide_destination_link https://transitionnetwork.org/node/46457/edit

5 http://www.transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg is now redirecting to https://transitionnetwork.org/sites/default/files/imagecache/slideshow_660/sites/www.transitionnetwork.org/files/images/slides/iraq8.jpg.