Gizmos Freeware Reviews  

12. Mar 2019, 12:55 AM   #11
Senior Member
Join Date: Apr 2008
Location: Body: San Diego | Mind: Lost | Heart: With You
Posts: 571
Try HTTP Strict Transport Security (HSTS) first ...

Quote:
Originally Posted by Remah
Many websites redirect http to https automatically. This is the only one I use regularly that doesn't do this automatically.

It is slightly jarring when I'm logged in to see the padlock disappear in my web browser. But then the solution MaiKL suggested is available to all of us: edit our bookmarks so http becomes https.

P.S. The actual security is not a real concern for me but, on reflection, automatic redirection would be the best solution. It is not a good look to be commenting on security and then leave this issue outstanding for the many users who arrive via other sites following "http" links.
If I may make a suggestion ...

Last July, when Chrome started actively warning about sites that used only HTTP ... as "Security Risks" ... and I started having a REASON to secure my 5 domains ... I peeked into my cPanel and found out that my Hosting Provider fully supported ACME and "Let's Encrypt" and there were shiny new SSL Certificates just begging to be used in there.

So I told the cPanel something like "Yes, let's start using the security already offered FOR FREE." (Free is good.)

And, just like that, I had HTTPS and HTTP both Operating smoothly.

But then, I had the SAME Issue that now faces this fine site: I have been "Insecure" for a decade or more ... so HOW do I get them all to use ONLY My SECURE Links, now?

And the Answer IS: HSTS !

I SSH into the root of my Hosting plan - and add this to my .htaccess file:

Code:
Header set Strict-Transport-Security "max-age=604800" env=HTTPS
Whereby my server DEMANDS of compatible connecting clients that - for the next MONTH - They NOT Request any HTTP "Unsecured" resources from it. EVEN IF you doctor your URLs in the address bar and "Strip" off the "S" from the "HTTPS" to TRY to get the insecure version of the page ... HA-Ha-ha! ... (Foiled!) The SERVER nails that "S" back ON the URL before servicing the page request!

Read the support article from my Hosting Provider - that I linked to up there: then pop into your hosting plan and "Write" the 'Header set' command into the .htaccess file(s) of the root(s) of your Domains. And, you're Done.
__________________
"Software Santa" owes a debt of thanks to Tech Support Alert. Thank You.
13. Mar 2019, 08:30 AM   #12
Site Manager
Join Date: Aug 2008
Location: South American Banana Republic, third bunch from the left
Posts: 15,143

Quote:
Originally Posted by Sea Mac
If I may make a suggestion ...
Many thanks for your input which is appreciated. Our tech team are now looking at this.
__________________
Buy a Hoover and prove technology sucks.
13. Mar 2019, 05:27 PM   #13
Senior Member
Join Date: Apr 2008
Location: Body: San Diego | Mind: Lost | Heart: With You
Posts: 571
I think it COULD Help ....

Well, it worked for me, and my simple 128 bit Keys / 5 Domains on one hosting platform setup. It OUGHT To work for us, here, also.

Oh, and I was wrong ... It's the BROWSER that will paste the "S" back on - if you manually strip it off of "HTTPS" to try to get a "HTTP" page - before SENDING the request to the Server to be fulfilled. I had it backwards - up there ....

But you'd better NOT Enable this header IF ANY resources on this site WON'T WORK from "HTTPS" pages ... because it FORCES The use of "HTTPS" Everywhere.
__________________
"Software Santa" owes a debt of thanks to Tech Support Alert. Thank You.
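The mechanism described in post #11 (the Strict-Transport-Security header) and the correction in post #13 (it is the browser, not the server, that puts the "S" back before the request is sent), modelled as an added example that is not code from the thread or from the site: a parser for the header value and a toy client-side HSTS store that upgrades http:// URLs for remembered hosts, drops entries once max-age lapses, and ignores the header when it did not arrive over TLS. The names hsts_parse, HstsCache and the example.com hosts are assumptions constructed here.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)

def hsts_parse(header_value):
    """Return (max_age_seconds, include_subdomains), or None if max-age is missing."""
    m = _MAX_AGE.search(header_value)
    if not m:
        return None  # max-age is mandatory; browsers ignore a header without it
    tokens = [t.strip().lower() for t in header_value.split(";")]
    return int(m.group(1)), "includesubdomains" in tokens

class HstsCache:
    """Toy model of the browser-side HSTS store (hypothetical helper, not a real API)."""
    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, over_tls=True):
        """Record a host after seeing its header; returns True if an entry was stored."""
        if not over_tls:
            return False  # browsers only honour HSTS over TLS, like env=HTTPS server-side
        parsed = hsts_parse(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return False
        self._entries[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host (or a covered subdomain) has an unexpired entry."""
        for known, (expires_at, subs) in list(self._entries.items()):
            if expires_at <= self._now():
                del self._entries[known]  # entry lapsed: plain http is allowed again
            elif host == known or (subs and host.endswith("." + known)):
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts before any request leaves the client."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The expiry path is the reason post #13's caveat matters: once the header is served, every client that saw it refuses plain http for the whole max-age window, so any resource that only works over http stays broken for that long.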
16. Mar 2019, 04:16 AM   #14
Senior Member
Join Date: Apr 2008
Location: Body: San Diego | Mind: Lost | Heart: With You
Posts: 571
Uh, Huh. Buttoned up TIGHT Now.

Some change you made in the last couple of days PREVENTS ME from landing on any "HTTP" Page anywhere on this Domain. A week ago I COULD go to http://www.techsupportalert.com !!! Now, I can NOT.

So, say I followed an old bookmark for http://techsupportalert.com ? Uh-Uh, No, that won't load INSECURELY ANY MORE. I tried entering it MANUALLY with an HTTP - Like last week - unlike last week that is NOT Accessible anymore, sorry. (I mean, Hooray!)

And, NO Browser is going to Complain about "This Connection is Insecure" on this site ever again. Problem Solved.

So, did HSTS work out for you, or did you use ANOTHER Method of causing a HTTPS redirect? (If that simple Header Write actually FIXED the Issue ... go See what Grade you get over at SSL Mate: https://www.ssllabs.com/ssltest/ - I get a "B" ... which is NOT Bad ... and I might be upgraded to an "A" later this year.)

EDIT: You get an "A" because you PAID for your Certificates. Quite Nice.

OK, Let's White Hat hack our own site to SEE if any of us CAN find an Unsecured Page ... like a Treasure Hunt. (If You used the 'HSTS On' headers on this Domain: please tell me ... because I Won't bother to PRY any further ... I'll not be finding ANY THING Exposed ever again!)
__________________
"Software Santa" owes a debt of thanks to Tech Support Alert. Thank You.

Last edited by Sea Mac; 16. Mar 2019 at 04:31 AM.