Stonehearth Discourse, HTTPS, and You!

Good evening everyone!

Back in September, we flipped the switch and started serving the Stonehearth Discourse over HTTPS. “But I didn’t notice anything”, you say? Good - you shouldn’t have. So what is HTTPS, and why should you care?

Already know about HTTPS? Great! Click here to skip the details.

## What is it?
HTTPS stands for HTTP over SSL, or HTTP Secure, or HTTP over TLS (ok, there’s a couple of possible names…). HTTP, or HyperText Transport Protocol, is a formal protocol for transmitting information over the internet. I’ll spare the technical details, but if you’re interested you can read up about it on Wikipedia.

If you’re really interested, you can read the formal Internet Engineering Task Force (IETF) papers on HTTP here, here, and here. Beware: they are quite long and technical.

HTTP by itself is not secure. Someone with technical know-how can intercept the traffic and steal information like credit cards, personal information, and more. HTTPS, as the names imply, is a secure version of HTTP. Traffic is encrypted during transit, preventing information from being stolen during transit.

## Why is HTTPS important?
You may be wondering why we’d use HTTPS when we don’t really do anything private here on the Discourse. There are a couple of reasons:

  • Logging In - When you logged in, you used a password, right? Of course, I know no one here would possibly use the same password on multiple sites - but why risk that password being intercepted?
  • It’s faster - Recent improvements to HTTPS have resulted in dramatic speed improvements. More secure and faster? Sounds good to me!
  • No interference - Loading a website is complicated:

    First, you make the request by typing a URL into your browser. Next, the traffic is transmitted via your internet provider (ISP) - think Comcast, Charter, Time Warner, etc. here in the USA. Your ISP then likely sends the data over a transit company’s network. Eventually, it arrives at Discourse’s ISP, and finally to the Discourse server itself.

    Without HTTPS, data being sent to, or received from the Discourse server could be changed, stored, or deleted. A rogue server could steal data. Your ISP could stick ads on top of the site. With HTTPS, you can trust that you are receiving data directly from the server (and only from the server).

For more details on the importance of HTTPS, check out Google Developers, CIO.gov, Discourse’s co-founder’s blog, and more.

## What do you need from me?

When we flipped the switch, all topics, posts, uploads, and other content _stored on the Discourse servers_ are being transmitted securely. However, not everything on the Discourse is located on the Discourse servers. Some images are actually links to other websites, like Imgur, Photobucket, or Flickr. These images are still being transmitted over HTTP as we don't have any control over external sites.

### Help us find mixed-content

**Secure:** Chrome: ![|166x33](upload://ch8Wk08NJhEyFBkGVmc5u4g3N1i.png) Firefox: ![|125x31](upload://9cBAQYus5KGinuoJJVIRpvsqCE3.png)

**Mixed-content:** Chrome: ![|108x33](upload://qk08jDYK6lJvPEHYDD6CeRhLJvG.png) Firefox: ![|118x32](upload://lqjBntv0Ohi300n3SLgqE4GbEun.png)

When you see a page that has mixed-content, please flag the topic so we (the moderators) can find the insecure content and either get a secure link, or upload the content directly.

Thanks for your help!

7 Likes
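As an added illustration (not part of the original post or Discourse's own code), the sketch below scans a post's raw Markdown for embeds that would be fetched over plain HTTP, which is what triggers the mixed-content indicator, and proposes the `https://` form to try. The function name, regexes and sample post are assumptions constructed for this example; plain hyperlinks are ignored because a link that is only clicked is not loaded as part of the page.

```python
import re
from urllib.parse import urlsplit

# Markdown image embed: ![alt](url)
MD_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*<?([^\s)>]+)')
# HTML elements that make the browser fetch a subresource via src=
HTML_SRC = re.compile(
    r'<(?:img|video|audio|source|iframe|script|embed)\b[^>]*?\ssrc\s*=\s*["\']?([^"\'\s>]+)',
    re.IGNORECASE,
)

# Constructed sample post (hosts are placeholders, not real sites).
SAMPLE_POST = """\
Here is my build: ![castle](http://i.example.com/castle.png)
Already secure: ![tower](https://i.example.com/tower.png)
Plain link, not an embed: [wiki](http://wiki.example.com/page)
<img src="http://photos.example.net/a.jpg" width="200">
"""


def find_mixed_content(raw_post):
    """Return (line_no, url, https_candidate) for every embed loaded over http://.

    The https candidate is only a suggestion: the external host may not serve
    HTTPS at all, in which case the content has to be uploaded directly.
    """
    findings = []
    for line_no, line in enumerate(raw_post.splitlines(), 1):
        urls = [m.group(1) for m in MD_IMAGE.finditer(line)]
        urls += [m.group(1) for m in HTML_SRC.finditer(line)]
        for url in urls:
            parts = urlsplit(url)
            # Only an explicit http scheme is insecure; https, protocol-relative
            # (//host/...) and Discourse upload:// references are left alone.
            if parts.scheme.lower() == "http":
                candidate = parts._replace(scheme="https").geturl()
                findings.append((line_no, url, candidate))
    return findings


if __name__ == "__main__":
    for line_no, url, candidate in find_mixed_content(SAMPLE_POST):
        print(f"line {line_no}: {url} -> try {candidate}")
```
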

So that’s why lots of my posts were marked as “changed by @jomaxro” yesterday.
jomaxro, I often use external links and references (for example I use Imgur to decrease bandwidth load on SH Discourse server). I guess I’m not the only one. I’ve noticed you changed links from http:// to https:// so I suppose Imgur does support referencing its stored images over https as well. Is there a general way to modify our habits to make life easier for you? :merry:

Also, HTTPS is always good news. Kudos.

1 Like

I should have mentioned this explicitly above - there’s nothing wrong with using external links. One of the great features of Discourse is that it works so seamlessly with other sites, automatically getting information, images, etc. and pulling them in.

Many websites now support https, even if they don’t default (or force) you to use it. I don’t think anyone needs to modify habits. If you happen to think about it, check if the site you’re using supports https. If it does, great, please use it! If not, please embed the image/reference directly. However, if you don’t think about it, no big deal. It’s a quick task to add an s to a link, or upload the image if there’s no https support.

Fortunately, the internet is moving towards HTTPS everywhere, so that will certainly help.

2 Likes

Funny enough, this very post is showing as mixed content for me :jubilant:

Edit: Never mind, a refresh made it go to secure.

1 Like

You’re the second person to say that. Not sure what’s going on…