Can you make sure the website always forces https/ssl?
While http://portablefreeware.com does a simple redirection to the https version of the website, http://www.portablefreeware.com does not.
As a result, everyone that uses it browses the site in a non-secure way.
It's hard to trace because it seems sometimes the browser catches up and adds https.
I just know many times I see this site in a non secure way because I type portablefreeware and hit ctrl+enter to enter it in my browser.
Please make sure no matter what https is always used.
-
- Posts: 1212
- Joined: Wed Jul 18, 2007 5:45 pm
Re: Can you make sure the website always forces https/ssl?
If you use Firefox, use HTTPZ. That will automatically redirect you to HTTPS all the time and is more lightweight than HTTPS Everywhere.
is it stealth?
Re: Can you make sure the website always forces https/ssl?
freakazoid wrote (Fri May 01, 2020 1:45 pm): "If you use Firefox, use HTTPZ. That will automatically redirect you to HTTPS all the time and is more lightweight than HTTPS Everywhere."
Thanks for the tip (I didn't know about that alternative plugin), but since doing what's morally right is obviously not enough, Google and others have declared war on http.
Every time it's found there are repercussions - from damaged SEO (and futuristic removal from search engines) to warnings (and futuristic blockage) from browsers.
Re: Can you make sure the website always forces https/ssl?
I agree consistency is important here and I second lwc on this.
OTOH, I'd like to retain the possibility of browsing non-secure sites if I so wish. User discretion is paramount.
- Andrew Lee
- Posts: 3071
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Can you make sure the website always forces https/ssl?
Fixed. Thanks for bringing this to my attention!
Re: Can you make sure the website always forces https/ssl?
While we are at it, I have the following scenario:
- I force HTTPS (extension)
- Open the main site (not the forum), then click Login.
- Enter credentials
- You are given the message: "Tried to redirect to potentially insecure url."
- Andrew Lee
- Posts: 3071
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Can you make sure the website always forces https/ssl?
Does this still happen after my fix above? I can't reproduce this since the redirection should now be HTTPS.
Re: Can you make sure the website always forces https/ssl?
Andrew Lee wrote (Sun May 03, 2020 8:41 pm): "Does this still happen after my fix above? I can't reproduce this since the redirection should now be HTTPS."
I found out that the issue happens if the URL where you click "Login" ends with an ampersand (for example: https://www.portablefreeware.com/?p=2&). When post-login redirection happens, it produces this message.
An extension of mine was causing the addition of "&" at the end. I made a workaround to resolve the redirection issue but I can't figure out how to solve it completely without losing the extension functionality.
- Andrew Lee
- Posts: 3071
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Can you make sure the website always forces https/ssl?
What extension is that, and what browser are you using?
I need to replicate your setup so that I can have a chance of reproducing the problem.
Re: Can you make sure the website always forces https/ssl?
No need. Just go to: https://www.portablefreeware.com/?p=2& and click login
(or simply go to ucp.php?mode=login&redirect=%2F%3Fp%3D2%26amp%3B)
and then login.
I reproduced it on both Chrome and Firefox.
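Added example (not part of any post in this thread and not the site's own code): the `redirect` value quoted above percent-decodes to `/?p=2&amp;`, a trailing ampersand that was HTML-escaped before being URL-encoded. This sketch shows one way a post-login redirect check can normalise that value and always land on HTTPS while still refusing off-site or header-splitting targets; `safe_redirect_target`, `CANONICAL_HOST`, `ALLOWED_HOSTS` and the `evil.example` sample are assumptions made for illustration.

```python
import html
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumptions for this sketch: one canonical HTTPS host, both names accepted as input.
CANONICAL_HOST = "www.portablefreeware.com"
ALLOWED_HOSTS = {"www.portablefreeware.com", "portablefreeware.com"}


def safe_redirect_target(raw_param: str, default: str = "/") -> str:
    """Map a percent-encoded `redirect` value to an https URL on the canonical host.

    Anything that cannot be proven same-site falls back to `default`.
    """
    fallback = f"https://{CANONICAL_HOST}{default}"
    # Percent-decode, then undo HTML escaping that leaked into the URL ("&amp;").
    target = html.unescape(unquote(raw_param))
    # Control characters (CR/LF header splitting) and backslashes are never valid here.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return fallback
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative target: only our own names, only http(s).
        if parts.scheme not in ("", "http", "https") or parts.hostname not in ALLOWED_HOSTS:
            return fallback
    elif not target.startswith("/"):
        return fallback
    # Drop empty query fragments such as the trailing "&" in "?p=2&".
    query = "&".join(piece for piece in parts.query.split("&") if piece)
    # Rebuild from components so scheme and host are always the canonical ones.
    return urlunsplit(("https", CANONICAL_HOST, parts.path or "/", query, ""))


if __name__ == "__main__":
    for sample in ("%2F%3Fp%3D2%26amp%3B",            # value quoted in the post above
                   "http%3A%2F%2Fportablefreeware.com%2F%3Fp%3D2",  # constructed
                   "%2F%2Fevil.example%2F",           # constructed, off-site
                   "%2F%0D%0AX-Injected%3A1"):        # constructed, CR/LF
        print(sample, "->", safe_redirect_target(sample))
```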
- Andrew Lee
- Posts: 3071
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Can you make sure the website always forces https/ssl?
I think I have fixed the issue. Could you please verify?
Re: Can you make sure the website always forces https/ssl?
Please do all your tests both with and without www.
- toxejep219
- Posts: 1
- Joined: Sat Oct 10, 2020 12:16 am
Re: Can you make sure the website always forces https/ssl?
Yes, I forced every website to open in HTTPS so that there is no risk of a man-in-the-middle attack.