(Topic ID: 96339)

Pinside switches to SSL/HTTPS (beta)

By robin

7 years ago


    #1 7 years ago

    I have switched the website to exclusively use SSL. You will automatically be redirected to HTTPS:// if you come in via HTTP://

    Consider this a public beta, I was already running non-SSL and SSL simultaneously for over a year but due to some issues with non-SSL I now want to force all connections to use SSL.

    If you are seeing any problems using the site since, well, now you can always email me at webmaster at pinside dotcom

    Or post in this thread!

    #2 7 years ago

    No problems, so far!
    Mike in Kentucky

    #3 7 years ago

    Robin needs a Pinside Kickstarter so he can hire some helper monkeys or robots to do all the hard work.

    domestic-bot_11-200x300.jpg wpid-41ixitctvwl.jpg simpsons_crunchtime.jpg monkeys with computers.jpg
    #4 7 years ago

    Other than during authentication, what is the benefit of running everything under SSL?

    #6 7 years ago

    In this particular case it would have been beneficial to only pass the auth through a subdomain limited to ssl instead of forcing everything through. Considering you aren't doing ssl offload you are going to see an increase in utilization for no intrinsic benefit.

    #7 7 years ago
    Quoted from Pinchroma:

    Considering you aren't doing ssl offload you are going to see an increase in utilization for no intrinsic benefit.

    I don't think it's that much of a difference in load. If you read the link above they mention that Google has said that they only saw a 1% increase.

    I fully believe that it is worth it to use end-to-end encryption on all sites. You want to eliminate the man in the middle if possible. It's a great benefit to have SSL on this site.

    I would love to see a proper mobile site next... hint, hint.

    #8 7 years ago

    Pinside is one of the few sites that I visit that actually looks good and works well without a mobile version.
    I typically hate using mobile sites with my iPhone.
    The SSL encryption seems to be working great though.

    #9 7 years ago

    Site-wide SSL is a good thing. The added overhead is negligible. I wish more sites would do the same.

    #10 7 years ago

    Just don't forget the cert expires soon!

    Wednesday, July 23, 2014 at 7:59:59 PM Eastern Daylight Time

    #11 7 years ago
    Quoted from MrRad:

    Pinside is one of the few sites that I visit that actually looks good and works well without a mobile version.
    I typically hate using mobile sites with my iPhone.
    The SSL encryption seems to be working great though.

    Agree, with all the features and archived information on this website, only a few items would benefit from a mobile version, like "Pin Map". All my Pinside bookmarks via Firefox are working, no issues spotted yet.

    Thanks for the extra security robin!

    #13 7 years ago
    Quoted from altan:

    Just don't forget the cert expires soon!
    Wednesday, July 23, 2014 at 7:59:59 PM Eastern Daylight Time

    Thanks, I renewed last week but did not get round to updating it on the server until today!

    Quoted from Pinchroma:

    In this particular case it would have been beneficial to only pass the auth through a subdomain limited to ssl instead of forcing everything through. Considering you aren't doing ssl offload you are going to see an increase in utilization for no intrinsic benefit.

    We were already doing that, for well over 6 months. But I figured that in this day and age you just don't want any website that uses any kind of authentication to go without SSL. Why risk man in the middle attacks when the added server CPU load or network overhead is negligible? Hence this change, I just wanted to make sure that everyone is still able to access the site properly. I've had zero complaints thus far, fortunately.

    Quoted from steve1515:

    I would love to see a proper mobile site next...

    I'm working on a mobile-friendly concept. It should only look slightly different from the full version. And only the forum section will be affected for now. Going "mobile" will always be a choice of preference, I hate forced mobile sites.

    #14 7 years ago

    I'm getting errors when trying to upload a pic from Android. I did just update my phone though, so it could be (and likely is) on my end.

    #15 7 years ago

    I didn't change much in the uploading code except for adding a caption field to images. I suggest to first try another site, to see if the error is Pinside or on all sites (another factor). Post screenshots or error messages and I may be able to help you figure out what's going on.

    #16 7 years ago
    Quoted from pinball_happy:

    Site-wide SSL is a good thing. The added overhead is negligible. I wish more sites would do the same.

    Well one thing that makes Robin's job much easier is Pinside is ad free (which is why I'm happy to donate to it). Much harder to do full site-wide SSL when you're running ad code.

    #17 7 years ago

    Don't know if this happened when the SSL update occurred, but I can't see pics on the Market ads in Chrome. They render fine in IE (which is opposite of most sites!). Talking the specific for sale market area, not the market sub-forum.

    I.e. I get 6 grey squares here instead of 6 pictures in Chrome: https://pinside.com/pinball/market/ad/13469

    #18 7 years ago
    Quoted from Pac-Fan:

    I.e. I get 6 grey squares here instead of 6 pictures in Chrome:

    I get the same behavior as you in Chrome.

    I took a 30 second look at the code, and I've seen issues with the !important tag before in jQuery. Just a hunch, I have no actual clue without debugging it.

    #19 7 years ago

    Yeah, I haven't tried to debug it yet myself. Been learning jQuery and other JS code myself for work and haven't wanted to extend debugging a web page past work just yet

    #20 7 years ago
    Quoted from Pac-Fan:

    I.e. I get 6 grey squares here instead of 6 pictures in Chrome: https://pinside.com/pinball/market/ad/13469

    I cannot replicate this problem.

    Let's see if we can figure it out. What happens if you click this image link (one of the six thumbs of the above ad)?
    https://img-s.pinside.com/ad/76/thumb/76c8b6cfa54603284d39adb257f4de0e8fe0fde8.jpg

    Does it show or generate an error on your end?

    Note that Pinside uses MooTools framework.

    #21 7 years ago
    Quoted from robin:

    Does it show or generate an error on your end?

    Both the thumb and other size links work for me when I go to the actual .jpg link.

    #22 7 years ago

    Ok, I did some debugging here before I went to work.

    I think it's the Chrome extension AdBlock Plus (or any one of the ad blocking ones).

    For me, it's definitely adblock. Stepping through their code, adblock is preventing the image from loading because the URL has "ad" in it.

    #23 7 years ago

    Here is a screenshot with Adblock Plus on, showing that it blocked the images on that page:

    adsblocked.jpg
    #24 7 years ago

    When you go into some threads (or just pages of threads), FF gives a security warning that some content is not being encrypted. Is there a subdomain or something that is used for pulling pictures or something that's not happening over SSL?

    #25 7 years ago
    Quoted from Wolfmarsh:

    I think it's the Chrome extension AdBlock Plus (or any one of the ad blocking ones).

    Ah, that explains it! That was actually a well known bug. But what I didn't know was that it was caused due to having the string "ad" in the file name. That's kind of absurd if you think about it. I will look into changing the filename for ad images. Thanks!

    #26 7 years ago
    Quoted from aobrien5:

    When you go into some threads (or just pages of threads), FF gives a security warning that some content is not being encrypted. Is there a subdomain or something that is used for pulling pictures or something that's not happening over SSL?

    Not that I know of, but I will check. Could you post a screenshot of the warning?

    #27 7 years ago
    Quoted from robin:

    Not that I know of, but I will check. Could you post a screenshot of the warning?

    Ah, it may be just pages with YouTube links or something:

    img src="http://img.youtube.com/vi/zw1tiNGQ4wI/0.jpg"

    pinside-2.PNG pinside-1.PNG
    #28 7 years ago

    Ah, that explains it. Will fix this. Thanks!

    #29 7 years ago

    This is why SSL can be a pain for sites, when you have mixed content like that you generate all kinds of scary looking warnings. Robin has a ton of control over everything here, but when you have ads and tracking scripts and all the normal stuff commercial sites have to run to survive it becomes very tricky to navigate.

    I'm not a fan of ad blockers, but if you have one just whitelist Pinside, there's not even any reason to run it here.
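
Added example, not part of the original thread and not Pinside's code: the mixed-content warning discussed in posts #24 to #29, reproduced as a Python check that finds `http://` subresources in a post's HTML and upgrades the ones on hosts known to serve HTTPS. `HTTPS_CAPABLE`, the function names and the sample markup are assumptions for illustration; only the img.youtube.com URL comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource, per tag.
FETCHING_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}
# Assumption: hosts known to serve the same paths over HTTPS.
HTTPS_CAPABLE = {"img.youtube.com"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs_d = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs_d.get("rel") or "").lower():
            return  # e.g. <link rel="canonical"> is not fetched as a subresource
        for name in FETCHING_ATTRS.get(tag, ()):
            value = (attrs_d.get(name) or "").strip()
            if urlsplit(value).scheme.lower() == "http":
                self.findings.append((tag, name, value))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def upgrade(html):
    """Rewrite http:// subresources on HTTPS-capable hosts; return (html, unresolved)."""
    unresolved = []
    for _tag, _attr, url in find_mixed_content(html):
        if urlsplit(url).hostname in HTTPS_CAPABLE:
            html = html.replace(url, "https://" + url[len("http://"):])
        else:
            unresolved.append(url)  # needs a proxy, removal, or a manual check
    return html, unresolved


# Constructed sample post body; the first <img> URL is the one quoted in the thread.
SAMPLE = (
    '<p>Video: <a href="http://example.com/page">link</a></p>'
    '<img src="http://img.youtube.com/vi/zw1tiNGQ4wI/0.jpg">'
    '<img src="https://static.example.org/a.jpg">'
    '<script src="http://cdn.example.net/widget.js"></script>'
)
```

Plain `<a href>` links are left alone because following a link is a navigation, not a subresource load, so it does not trigger the warning.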

    #30 7 years ago

    Nice work!

    https://www.ssllabs.com/ssltest/analyze.html?d=pinside.com

    A- is the lowest grade! Good security for pinball.

    #31 7 years ago

    Crap -- Yes, I did install both AdBlock and FlashBlock a couple weeks ago. Sorry for not thinking to disable those. They help tremendously on news sites (and Yahoo mail) that auto-load animations with no way to pause. Good detective work Wolfmarsh!

    #32 7 years ago

    Robin . . . sorry to bother you, but I can't seem to get past Page 1. Everything works great, but when I scroll down to get to the end of Page 1, I get a mile long blank page and the caption: Page 1 of 947 pages. Has anyone else had this problem? Am I doing something wrong?

    Thanks,
    Mike in Kentucky

    #33 7 years ago

    Oh, hell! I think I fixed it myself. I saw a little tab on the right side of the page that said "Load pages" . . . clicked it and all the pages flooded my screen. All is normal now. I cleaned my computer yesterday while your site was down. Got a feeling it was either your changeover or my newly cleaned laptop that caused this. Suppose my laptop just needed to get back in sync with things.

    Thanks anyway.
    Mike in Kentucky

    1 week later
    #34 7 years ago

    This is a major bummer for me. My work does not allow access to https sites so no more browsing at work? Please bring back http!!

    #35 7 years ago
    Quoted from mac622:

    My work does not allow access to https sites

    Wut. Might want to rethink that policy, HTTPS is only going to gain momentum moving forward. What's the justification for that?

    #36 7 years ago

    Probably want to see what employees are browsing.

    #37 7 years ago
    Quoted from altan:

    Probably want to see what employees are browsing.

    Instead of blocking HTTPS completely they should just deploy a domain wide CA cert on every workstation and break up/re-encrypt the SSL stream...

    #38 7 years ago
    Quoted from Aurich:

    Wut. Might want to rethink that policy, HTTPS is only going to gain momentum moving forward. What's the justification for that?

    I'm surprised by that too, especially because he indicated they don't block http. Seems weird.

    #39 7 years ago
    Quoted from Aurich:

    Wut. Might want to rethink that policy, HTTPS is only going to gain momentum moving forward. What's the justification for that?

    yeah this is absurd.

    #40 7 years ago
    Quoted from Biv:

    Instead of blocking HTTPS completely they should just deploy a domain wide CA cert on every workstation and break up/re-encrypt the SSL stream...

    Ah, someone who has some insight into those sneaky corporations... Yup. But who knows how much skill these guys have.
