[aklug] Re: Slightly off Topic: site doesn't behave the same for https as it does for http

From: Leif Sawyer <lsawyer@gci.com>
Date: Tue Dec 16 2014 - 09:32:39 AKST

At the risk of being mocked, I humbly submit my piece of crap CA management script.


https://github.com/akhepcat/BashCA


My motto: if you don't know what something does, write your own version of it so you
can learn that you still don't understand what something does.



-----Original Message-----
From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf Of Leif Sawyer
Sent: Tuesday, December 16, 2014 8:54 AM
To: Royce Williams; aklug@aklug.org
Subject: [aklug] Re: Slightly off Topic: site doesn't behave the same for https as it does for http

Just goes to show that you should use a standard trust framework for generating self-signed certificates, and then install your local "root cert"
into your browser's trust store so you don't have to deal with these issues.


"I have this script...." seems to be a common thread, but I guess it's true.

I should clean it up and throw it on github for people to mock.


-----Original Message-----
From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf Of Royce Williams
Sent: Monday, December 15, 2014 8:54 PM
To: aklug@aklug.org
Subject: [aklug] Re: Slightly off Topic: site doesn't behave the same for https as it does for http

Specifically, it's NET::ERR_CERT_AUTHORITY_INVALID - likely due to a self-signed cert. Do you intend to get one of the less-expensive public certs?

Once you get your SSL clean and stable, you might consider redirecting all HTTP to HTTPS, because security. ;-)

SSLv3 is disabled (good), but the self-signed cert is going to make most browsers mad these days.

Make sure everything looks like you expect here:

https://www.ssllabs.com/ssltest/analyze.html?d=frontierfunflyers.org

Some other unsolicited guidance (non-SSL related):

This looks like semi-manually-generated HTML, right? (Not the product of a canned framework?) Either way, I recommend squashing any invalid HTML - a bit of a pain at first, but very handy when troubleshooting down the road. The Firefox "HTML Validator" extension rocks, as does Google Page Speed and or Yahoo's YSlow. Even if you elect to not use some of the guidance they provide, just understanding the output is really educational.

I'm not sure what this JPEG is:

    https://frontierfunflyers.org/photos/15.jpg

... but it purports to be 1.2M but fails to even load in Firefox or Chrome - both complain that it's an invalid image.

Also, body-bg.jpg and counter.js return 404. And counter.js takes a loooong time to time out, so dropping that will probably significantly improve page finishing time.


Separate from the geek feedback ... looks like a fun club to be in!

Royce

On Mon, Dec 15, 2014 at 7:08 PM, Jim Gribbin <jimgribbin@gmail.com> wrote:
> It appears that with "mixed mode", Chrome doesn't like it at all.
> Chrome gives me a warning about lack of security and recommends I go elsewhere.
>
> I am able to bypass the warning and go there anyway, but my address
> bar shows "https://" in red with a red slash through it along with the
> padlock with a red "X" across it.
>
> The pictures do seem to be scrolling though...
>
>
>
> On Sat, Dec 13, 2014 at 5:24 PM, Mike <alaskabarsalou@gmail.com> wrote:
>>
>> Thanks.
>>
>> I haven't used this tool in that way before...I'll give it a shot.
>>
>> Thanks!
>>
>> Mike B.
>>
>>
>> Quoting Christopher Howard <ch.howard@zoho.com>:
>>
>>> The first thing I would check is to see if, when using HTTPS, all of
>>> the javascript (or other critical components) are actually loading.
>>> Many Web pages have javascript or other components delievered by
>>> some other domain or subdomain than the one you typed in at the
>>> address bar. The javascript might be coming from a server that does
>>> not have HTTPS properly configured for that URL. This is pretty easy
>>> to check with Firebug (an add-on for firefox): turn it on, select
>>> the "net" tab, and then reload the page and it will list the status
>>> of every resources that the browser tried to load.
>>>
>>> On Sat, 13 Dec 2014 16:24:03 -0900
>>> Mike <alaskabarsalou@gmail.com> wrote:
>>>
>>>>
>>>> Can someone explain why a site wouldn't behave the same under https
>>>> as it does for http?
>>>>
>>>> When I go to the site using http.... there is some javascript code
>>>> that scrolls four random pictures and it works how I would expect it.
>>>>
>>>> However, when going to the same site with https, it doesn't scroll
>>>> the pictures...from what I can tell, it just stacks them atop of
>>>> each other.
>>>>
>>>> This particular site is using a self-signed certificate, but that
>>>> doesn't seem to matter.
>>>>
>>>> Thoughts?
>>>>
>>>> Mike B.
>>>>
>>>>
>>>> Troubleshooting Background:
>>>>
>>>> This isn't true for all browsers, so far only firefox 34 on my
>>>> ubuntu machine.
>>>>
>>>> Works fine for ipad, haven't tested others.
>>>>
>>>> Site is https://frontierfunflyers.org
>>>>
>>>>
>>>> ---------
>>>> To unsubscribe, send email to <aklug-request@aklug.org> with
>>>> 'unsubscribe' in the message body.
>>>>
>>
>>
>> ---------
>> To unsubscribe, send email to <aklug-request@aklug.org> with
>> 'unsubscribe' in the message body.
>>
>
---------
To unsubscribe, send email to <aklug-request@aklug.org> with 'unsubscribe' in the message body.

N r zǧu隊[hjIn -jIn +a {.n + ^ ,j
N‹§²æìr¸›zǧu隊[hjIn‚·ª¹ë-jIn‚ŠàÂ+aº{.nÇ+‰·¢žØ^™ë,j›
Received on Tue Dec 16 09:34:03 2014

This archive was generated by hypermail 2.1.8 : Tue Dec 16 2014 - 09:34:03 AKST