Can you make sure the website always forces https/ssl?

All suggestions about TPFC should be posted here. Discussions about changes to TPFC will also be carried out here.
Post Reply
Message
Author
lwc
Posts: 184
Joined: Tue Jun 26, 2012 10:40 pm
Contact:

Can you make sure the website always forces https/ssl?

#1 Post by lwc »

While http://portablefreeware.com does a simple redirection to the https version of the website, http://www.portablefreeware.com does not.
As result, everyone that uses it browses the site in a non secure way.
It's hard to trace because it seems sometimes the browser catches up and adds https.

I just know many times I see this site in a non secure way because I type portablefreeware and hit ctrl+enter to enter it in my browser.
Please make sure no matter what https is always used.
Attachments
without www.png
with www.png

freakazoid
Posts: 1212
Joined: Wed Jul 18, 2007 5:45 pm

Re: Can you make sure the website always forces https/ssl?

#2 Post by freakazoid »

If you use Firefox, use HTTPZ. That will automatically redirect you to HTTPS all the time and is more lightweight than HTTPS Everywhere.
is it stealth? ;)

lwc
Posts: 184
Joined: Tue Jun 26, 2012 10:40 pm
Contact:

Re: Can you make sure the website always forces https/ssl?

#3 Post by lwc »

freakazoid wrote: Fri May 01, 2020 1:45 pm If you use Firefox, use HTTPZ. That will automatically redirect you to HTTPS all the time and is more lightweight than HTTPS Everywhere.
Thanks for the tip (I didn't know about that alternative plugin), but since doing what's morally right is obviously not enough, Google and others have declared war on http.
Every time it's found there are repercussions - from damaged SEO (and futuristic removal from search engines) to warnings (and futuristic blockage) from browsers.

User avatar
Midas
Posts: 6705
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Can you make sure the website always forces https/ssl?

#4 Post by Midas »

I agree consistency is important here and I second lwc on this.

OTOH, I'd like to retain the possibility of browsing non-secure sites if I so wish. User discretion is paramount.

User avatar
Andrew Lee
Posts: 3048
Joined: Sat Feb 04, 2006 9:19 am
Contact:

Re: Can you make sure the website always forces https/ssl?

#5 Post by Andrew Lee »

Fixed. Thanks for bringing this to my attention!

User avatar
vevy
Posts: 795
Joined: Tue Sep 10, 2019 11:17 am

Re: Can you make sure the website always forces https/ssl?

#6 Post by vevy »

While we are at it, I have the following scenario:
- I force HTTPS (extension)
- Open the main site (not the forum), the click Login.
- Enter credentials
- You are given the message: "Tried to redirect to potentially insecure url."

User avatar
Andrew Lee
Posts: 3048
Joined: Sat Feb 04, 2006 9:19 am
Contact:

Re: Can you make sure the website always forces https/ssl?

#7 Post by Andrew Lee »

vevy wrote: Sun May 03, 2020 6:02 am While we are at it, I have the following scenario:
- I force HTTPS (extension)
- Open the main site (not the forum), the click Login.
- Enter credentials
- You are given the message: "Tried to redirect to potentially insecure url."
Does this still happen after my fix above? I can't reproduce this since the redirection should now be HTTPS.

User avatar
vevy
Posts: 795
Joined: Tue Sep 10, 2019 11:17 am

Re: Can you make sure the website always forces https/ssl?

#8 Post by vevy »

Andrew Lee wrote: Sun May 03, 2020 8:41 pm Does this still happen after my fix above? I can't reproduce this since the redirection should now be HTTPS.
I found out that the issue happens if the URL where you click "Login" ends with an ampersand (For example: https://www.portablefreeware.com/?p=2&). When post-login redirection happens, it produces this message.

An extension of mine was causing the addition of "&" at the end. I made a workaround to resolve the redirection issue but I can't figure out how to solve it completely without losing the extension functionality.

User avatar
Andrew Lee
Posts: 3048
Joined: Sat Feb 04, 2006 9:19 am
Contact:

Re: Can you make sure the website always forces https/ssl?

#9 Post by Andrew Lee »

What extension is that, and what browser are you using?

I need to replicate your setup so that I can have a chance of reproducing the problem.

User avatar
vevy
Posts: 795
Joined: Tue Sep 10, 2019 11:17 am

Re: Can you make sure the website always forces https/ssl?

#10 Post by vevy »

No need. Just go to: https://www.portablefreeware.com/?p=2& and click login
(or simply go to ucp.php?mode=login&redirect=%2F%3Fp%3D2%26amp%3B)
and then login.

I reproduced it on both Chrome and Firefox.

User avatar
Andrew Lee
Posts: 3048
Joined: Sat Feb 04, 2006 9:19 am
Contact:

Re: Can you make sure the website always forces https/ssl?

#11 Post by Andrew Lee »

I think I have fixed the issue. Could you please verify?

User avatar
vevy
Posts: 795
Joined: Tue Sep 10, 2019 11:17 am

Re: Can you make sure the website always forces https/ssl?

#12 Post by vevy »

👍

lwc
Posts: 184
Joined: Tue Jun 26, 2012 10:40 pm
Contact:

Re: Can you make sure the website always forces https/ssl?

#13 Post by lwc »

Please do all your tests both with and without www.

User avatar
toxejep219
Posts: 1
Joined: Sat Oct 10, 2020 12:16 am

Re: Can you make sure the website always forces https/ssl?

#14 Post by toxejep219 »

yes, I forced Every website to open in HTTPS so that there is no risk of man in the middle attack.

Post Reply