Posted

One of my website users told me that part of my site was no longer working, which came as a surprise since it’s been stable for a long time. This was specifically with the Brave browser.

 

Further investigation revealed a number of issues, not only with Brave, but with the latest version of Chrome:

 

- Inline JavaScript (i.e. not in an external file) was not run

- Google web fonts weren’t loaded

- Frame content from Google Maps wasn’t loaded

- Data type images weren’t shown (e.g. <img src="data:image/gif;base64,R0lGODlhEAAQ … )

 

This is because of something called “Content Security Policy” which it appears is going to be rolled out to all mainstream browsers, and is going to break a lot of websites*.

 

For me the fix was to modify my .htaccess file to instruct Apache to add an extra header to every response. The fix was:

 

Header add Content-Security-Policy: "default-src 'self' 'unsafe-inline' fonts.googleapis.com fonts.gstatic.com www.google-analytics.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' thai-notes.com www.google-analytics.com; frame-src 'self' www.google.com;"

 

(I didn’t bother with data: and reverted to using files.)

 

I suspect this will only be OK for a while and that ultimately I’ll be forced to switch to SSL, which will be a pain, and it will either be expensive, or force me to switch hosting company to one which supports free SSL certificates.  Neither option is particularly attractive.

 

 

 

 

* I believe websites using SSL are not affected. I’m not certain.
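
Added example, not part of the original post: a simplified model of how a browser evaluates the Content-Security-Policy header quoted above against the four kinds of content listed in the post. The page origin and the sample URLs are constructed assumptions; only the policy string comes from the post.

```javascript
// Added example: simplified CSP matching (no paths, ports, wildcards, nonces or hashes).
// Policy string copied from the post; page origin and sample URLs are constructed.
const POLICY = "default-src 'self' 'unsafe-inline' fonts.googleapis.com fonts.gstatic.com " +
  "www.google-analytics.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' thai-notes.com " +
  "www.google-analytics.com; frame-src 'self' www.google.com;";
const PAGE_ORIGIN = "http://thai-notes.com"; // assumption: site served over plain HTTP

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// load is { directive, url } for a fetched resource or { directive, inline: true }.
function isAllowed(directives, load) {
  // A fetch directive with no entry of its own falls back to default-src (child-src step omitted).
  const sources = directives.get(load.directive) ?? directives.get("default-src");
  if (sources === undefined) return true; // the policy does not restrict this type
  if (load.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(load.url);
  return sources.some((src) => {
    if (src === "'self'") return url.origin === PAGE_ORIGIN;
    if (src.startsWith("'")) return false;              // other keywords never match a URL
    if (src.endsWith(":")) return url.protocol === src; // scheme-source such as data:
    return /^https?:$/.test(url.protocol) && url.host === src; // bare host-source
  });
}

// Keywords that switch off CSP's script-injection protection, listed for review.
function weakKeywords(directives) {
  return [...directives].flatMap(([name, sources]) => ["'unsafe-inline'", "'unsafe-eval'"]
    .filter((kw) => sources.includes(kw)).map((kw) => `${name} ${kw}`));
}

const policy = parsePolicy(POLICY);
const SAMPLES = { // constructed loads for the four breakages listed in the post
  inlineScript: { directive: "script-src", inline: true },
  googleFont: { directive: "font-src", url: "https://fonts.gstatic.com/s/example.woff2" },
  mapsFrame: { directive: "frame-src", url: "https://www.google.com/maps/embed" },
  dataImage: { directive: "img-src", url: "data:image/gif;base64,R0lGODlhEAAQ" },
};
for (const [name, load] of Object.entries(SAMPLES))
  console.log(name, isAllowed(policy, load) ? "allowed" : "blocked");
console.log("review:", weakKeywords(policy));
```

The data: image stays blocked because img-src falls back to default-src, which does not list data:, while the 'unsafe-inline' and 'unsafe-eval' entries are what let inline script run again.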

 

Posted

A basic SSL certificate costs less than 20 USD per year, not very expensive. Still you should use it because Internet providers often inject their scripts for showing ads in plain HTTP traffic.

Posted

SSL (or rather TLS these days) has been a must for a couple of years now if you want your website to be seen, ranked, usable and viewers to have confidence. It's very easy to do and not expensive. Let's Encrypt secure certificates should be free from hosts.

 

Posted
49 minutes ago, fdsa said:

A basic SSL certificate costs less than 20 USD per year, not very expensive. Still you should use it because Internet providers often inject their scripts for showing ads in plain HTTP traffic.

 

 

No, they are free on most hosts with Let's Encrypt.

Ridiculous to pay for that and even more ridiculous not to use it.

 

Posted
49 minutes ago, fdsa said:

A basic SSL certificate costs less than 20 USD per year, not very expensive.

 

My hosting company charges $99.99/year for a basic certificate.

 

20 minutes ago, soi3eddie said:

Let's Encrypt secure certificates should be free from hosts.

 

My hosting company doesn't support automatic renewal of the LetsEncrypt certificates, so I'd have to remember to renew several times a year.  Not really practical.

Posted
3 minutes ago, ThaiNotes said:

 

My hosting company charges $99.99/year for a basic certificate.

 

 

My hosting company doesn't support automatic renewal of the LetsEncrypt certificates, so I'd have to remember to renew several times a year.  Not really practical.

 

It's the right time to change the hosting company.

Posted
23 minutes ago, soi3eddie said:

SSL (or rather TLS these days) has been a must for a couple of years now if you want your website to be seen, ranked, usable and viewers to have confidence.

 

Without SSL my site is seen, ranked and usable.  Viewers should have confidence because I don't collect any personal data and don't take any form of payment.  They never enter any data that could be in the slightest compromising.

From my point of view, being forced into using SSL is a totally unnecessary step.  It also puts an additional overhead on my site, with the computing resources required to encrypt/decrypt.  Anyway, I accept that it's inevitable and I'm going to have to waste a significant amount of time recompiling all my applications to use https when I could be doing the fun stuff:  developing new apps.

Posted
1 minute ago, fdsa said:

It's the right time to change the hosting company.

 

Not when I've already paid up front for hosting for some time to come.

Posted
Huh? You are still running http?

Use the free certificate service at Let's Encrypt; it won't cost you anything.

 

 

Posted

 

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.

 

https://letsencrypt.org/about/

Posted
24 minutes ago, CharlieH said:

Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.

 

Only if your hosting company supports this.  As I've said before, mine doesn't.  In fact the Let's Encrypt website has a (fairly short) list of hosting companies that do support this.  It's not the norm.

Posted
29 minutes ago, fdsa said:

NP, come back when your users start asking why they see huge pop-up ads on your website.


Site has been up and running for more than 10 years now, and not a single report of any ads on the site at all.  Whilst this script injecting thing is technically possible, in real life it doesn't happen - unless, perhaps you are using the dodgiest of ISPs.

Posted
10 hours ago, ThaiNotes said:

 

Without SSL my site is seen, ranked and usable.  Viewers should have confidence because I don't collect any personal data and don't take any form of payment.  They never enter any data that could be in the slightest compromising.

From my point of view, being forced into using SSL is a totally unnecessary step.  It also puts an additional overhead on my site, with the computing resources required to encrypt/decrypt.  Anyway, I accept that it's inevitable and I'm going to have to waste a significant amount of time recompiling all my applications to use https when I could be doing the fun stuff:  developing new apps.

 

 

OK, so keep doing your ridiculous website if you know better than us!

 

 

Posted
10 hours ago, ThaiNotes said:

 

Only if your hosting company supports this.  As I've said before, mine doesn't.  In fact the Let's Encrypt website has a (fairly short) list of hosting companies that do support this.  It's not the norm.

 

Err, no, this is definitely not true.

cPanel, Plesk, ISPConfig and many other config panels fully support Let's Encrypt.

Posted

My original posting was to alert website owners to an upcoming change that may well break their sites, not to discuss the pros and cons of SSL.  It's a real issue because 30% of sites currently don't use https as the default protocol (Source:   https://w3techs.com/technologies/details/ce-httpsdefault )

 

That said, out of curiosity I ssl-enabled another of my sites to compare loading performance (clear cache/hard load) using http versus https of the home page.  The results were interesting (average of 5 loads).

 

For http:  average time to finish 1.64 secs (range 1.32-2.18)

For https:  average time to finish 6.26 secs (range 2.43-12.56)

 

I had expected a slight performance hit for https, not something of that magnitude.  The variability for https also comes as a surprise.

 

Not sure what's going on.

 

Typical Lighthouse screenshots for the load:

[Screenshot: http.png]

[Screenshot: https.png]

Posted

Are you hosting apps on the Raspberry Pi? I have a few servers on Intel Atom CPUs and https websites load instantly.

 

Try to refresh the page to determine if the page loads slowly only on the very first request or always.

If it loads slowly only on the first request it might be a problem with your browser settings, for example forced OCSP stapling or something else with SSL. If it always loads slowly it is a problem on the server side. Switching a hosting provider might be a solution.
