    Should People Force HTTPS via Redirect?

    • scottalanmiller @DustinB3403

      @DustinB3403 said in Wazo to sponsor Astricon 2019:

      @scottalanmiller said in Wazo to sponsor Astricon 2019:

      @DustinB3403 said in Wazo to sponsor Astricon 2019:

      Let's Encrypt is free, for everyone. No reason to not have https enabled.

      It is enabled.

      So why not have http redirect to https? Seems like a major oversight there.

      Totally different issue. Having HTTPS is considered a must have. Doing redirects to stop people who don't type in https is not considered a universal thing and is purely opinion as to if it should exist. Most people prefer it, but it's a "that's a nice thing to have in most cases", far from "something is in any way wrong to not force it." Leaving it up to the end user is always okay.

      • wirestyle22 @scottalanmiller

        @scottalanmiller said in Wazo to sponsor Astricon 2019:

        @DustinB3403 said in Wazo to sponsor Astricon 2019:

        @scottalanmiller said in Wazo to sponsor Astricon 2019:

        @DustinB3403 said in Wazo to sponsor Astricon 2019:

        Let's Encrypt is free, for everyone. No reason to not have https enabled.

        It is enabled.

        So why not have http redirect to https? Seems like a major oversight there.

        Totally different issue. Having HTTPS is considered a must have. Doing redirects to stop people who don't type in https is not considered a universal thing and is purely opinion as to if it should exist. Most people prefer it, but it's a "that's a nice thing to have in most cases", far from "something is in any way wrong to not force it." Leaving it up to the end user is always okay.

        It's required in a lot of compliance and IMO should always exist. I'd need more of a reason to not do it than to do it.

        • DustinB3403 @wirestyle22

          @wirestyle22 said in Wazo to sponsor Astricon 2019:

          It's required in a lot of compliance and IMO should always exist. I'd need more of a reason to not do it than to do it.

          I'd agree. Why leave it to the end user to choose to be secure or not when it's maybe 10 additional seconds of effort?

          • DustinB3403

            The fact that they used the same certificate from phone.wazo.community (which is a login page) for their main site raises even more red flags.

            An LE cert isn't difficult to implement, so that there adds to the concern.

            • scottalanmiller @wirestyle22

              @wirestyle22 said in Should People Force HTTPS via Redirect?:

              @scottalanmiller said in Wazo to sponsor Astricon 2019:

              @DustinB3403 said in Wazo to sponsor Astricon 2019:

              @scottalanmiller said in Wazo to sponsor Astricon 2019:

              @DustinB3403 said in Wazo to sponsor Astricon 2019:

              Let's Encrypt is free, for everyone. No reason to not have https enabled.

              It is enabled.

              So why not have http redirect to https? Seems like a major oversight there.

              Totally different issue. Having HTTPS is considered a must have. Doing redirects to stop people who don't type in https is not considered a universal thing and is purely opinion as to if it should exist. Most people prefer it, but it's a "that's a nice thing to have in most cases", far from "something is in any way wrong to not force it." Leaving it up to the end user is always okay.

              It's required in a lot of compliance and IMO should always exist. I'd need more of a reason to not do it than to do it.

              What compliance requires it? As the end user alone opts which one to use, that would be one bizarre compliance point.

              • JaredBusch @DustinB3403

                @DustinB3403 said in Should People Force HTTPS via Redirect?:

                The fact that they used the same certificate from phone.wazo.community (which is a login page) for their main site raises even more red flags.

                What the fuck are you talking about? There is no security issue with having a single proxy handling all of the inbound connections. There is also no issue at all with only having a single LE cert on the fucking system that handles all of the domains it needs to handle.

                You are intentionally breaking the wazo-platform.org URL. They are not redirecting you to HTTPS, you are forcing it to break.

                • black3dynamite

                  You're worrying for no reason. All their important links are secured.

                  • DustinB3403 @JaredBusch

                    @JaredBusch said in Should People Force HTTPS via Redirect?:

                    @DustinB3403 said in Should People Force HTTPS via Redirect?:

                    The fact that they used the same certificate from phone.wazo.community (which is a login page) for their main site raises even more red flags.

                    What the fuck are you talking about? There is no security issue with having a single proxy handling all of the inbound connections. There is also no issue at all with only having a single LE cert on the fucking system that handles all of the domains it needs to handle.

                    You are intentionally breaking the wazo-platform.org URL. They are not redirecting you to HTTPS, you are forcing it to break.

                    I clicked the links you provided, I did absolutely nothing to force it to break. I then went to their site and the same issue occurred. So you can pound sand.

                    • JaredBusch @DustinB3403

                      @DustinB3403 said in Should People Force HTTPS via Redirect?:

                      @JaredBusch said in Should People Force HTTPS via Redirect?:

                      @DustinB3403 said in Should People Force HTTPS via Redirect?:

                      The fact that they used the same certificate from phone.wazo.community (which is a login page) for their main site raises even more red flags.

                      What the fuck are you talking about? There is no security issue with having a single proxy handling all of the inbound connections. There is also no issue at all with only having a single LE cert on the fucking system that handles all of the domains it needs to handle.

                      You are intentionally breaking the wazo-platform.org URL. They are not redirecting you to HTTPS, you are forcing it to break.

                      I clicked the links you provided, I did absolutely nothing to force it to break. I then went to their site and the same issue occurred. So you can pound sand.

                      No, actually you did not. My post is unedited (no pencil icon). There is no https link provided by me.

                      • quintana @DustinB3403

                        @DustinB3403 Hello, yes, you're right, I haven't set up a certificate for wazo-plaform.org. My mistake, it was on my to-do list, but I didn't have time to set it up. But now, it's done.

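The certificate question the thread ends on comes down to whether the hostname a browser requested is listed in the certificate's subjectAltName entries. As an added example (not code from the thread or from the Wazo project), the sketch below applies simplified RFC 6125-style name matching to a proxy that serves two sites; the function names and the SAN lists are constructed for illustration and are not the real certificates of the sites discussed.

```python
# Added example, not from the thread. All SAN lists are constructed sample data.

def san_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName SAN entry covers hostname (simplified RFC 6125 rules)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False                      # wildcard allowed in leftmost label only
    if p[0] == "*":
        # "*" stands for exactly one label and needs at least two labels
        # after it, so "*.org" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial wildcards ("w*.example") rejected
    return p == h


def uncovered(san_dns_names, served_hostnames):
    """Hostnames the proxy serves that the certificate does not cover."""
    return [name for name in served_hostnames
            if not any(san_matches(s, name) for s in san_dns_names)]


# Constructed scenario: one reverse proxy, one certificate, two sites.
SERVED = ["phone.wazo.community", "wazo-platform.org"]
CERT_ONE_NAME = ["phone.wazo.community"]                        # hypothetical
CERT_ALL_NAMES = ["phone.wazo.community", "wazo-platform.org"]  # hypothetical
CERT_WILDCARD = ["*.wazo.community"]                            # hypothetical

if __name__ == "__main__":
    for label, sans in [("one name", CERT_ONE_NAME),
                        ("all names", CERT_ALL_NAMES),
                        ("wildcard", CERT_WILDCARD)]:
        print(f"{label:10} uncovered: {uncovered(sans, SERVED)}")
```

A single certificate on a shared proxy passes this check only when every served hostname appears in its SAN list; a wildcard for one domain does not extend to a second, unrelated domain.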