
Embeds on posts don't load over HTTPS


WriteCodes46
Solved by Twilight Sparkle ✨

I work testing the rulesets for the EFF's HTTPS Everywhere (I recommend you check it out). While testing this site I found that many embedded media in posts (such as external pictures, YouTube videos, etc.) do not load with the browser's default mixed content blocking (block Active Content, but permit Passive Content, see blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/ for more information), whereas they should. A good example is this thread: mlpforums.com/topic/4900-rainbow-dash-fan-club/ Try viewing the first pages over both HTTP and HTTPS. The embeds only load over HTTPS after disabling all mixed content blocking. I suspect this problem is caused by the code you use to load such embeds only until the user scrolls down to them.

 

Since this breaks the site usage with the default browser settings, I will have to request that the ruleset for mlpforums.com be disabled by default, which would mean HTTPS Everywhere users would no longer connect to this site securely. I'm notifying you beforehand (or should I say beforehoof?) so you can fix this problem and we don't have to resort to security-degrading measures.

 

I await your response. Greetings.

Edited by Jeric
Checking Prefix

Thanks for bringing this up.

 

While MLP Forums doesn't officially support HTTPS, we do try to load assets over secure connections when possible. It looks like we have a ton of content that has HTTP URLs hardcoded from before we did this, which can be fixed with a script. I've made a note to get this script made and update these assets to be secure.

 

I noticed that the thread you linked to has a number of HTTP Imgur embeds as well; I'll have this script address those as well. :)

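A sketch of the kind of rewrite script described in the reply above, as an added example that is not part of the thread and not MLP Forums' own code: it upgrades hardcoded `http://` embed URLs in stored post HTML for hosts on an allowlist and reports what is left, labelled with the mixed content class (active or passive) from the first post. The host allowlist, the function and class names, and the sample post are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the operator has confirmed serve the same content over HTTPS.
HTTPS_CAPABLE = {"i.imgur.com", "imgur.com", "www.youtube.com"}
# Browser default from the first post: active content is blocked on an
# HTTPS page, passive content is permitted.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}
URL_ATTRS = ("src", "href", "data")

class EmbedScanner(HTMLParser):
    """Collects http:// subresource URLs with the raw start tag carrying each."""
    def __init__(self):
        super().__init__()
        self.found = []  # (raw_tag, url, kind)

    def handle_starttag(self, tag, attrs):
        kind = ("active" if tag in ACTIVE_TAGS
                else "passive" if tag in PASSIVE_TAGS else None)
        if kind is None:
            return  # e.g. <a href>: navigation, not a subresource
        for name, value in attrs:
            if name in URL_ATTRS and value and value.lower().startswith("http://"):
                self.found.append((self.get_starttag_text(), value, kind))

def upgrade_embeds(post_html):
    """Return (rewritten_html, leftovers); leftovers are (kind, url) still on HTTP."""
    scanner = EmbedScanner()
    scanner.feed(post_html)
    scanner.close()
    leftovers = []
    for raw, url, kind in scanner.found:
        parts = urlsplit(url)
        if parts.hostname in HTTPS_CAPABLE and parts.port is None:
            origin = url[:7 + len(parts.netloc)]  # "http://" + host
            fixed = raw.replace(origin, "https://" + origin[7:])
            post_html = post_html.replace(raw, fixed)
        else:
            leftovers.append((kind, url))  # needs manual review
    return post_html, leftovers

# Constructed sample post body (not taken from the forum).
SAMPLE_POST = (
    '<p>Look: <img src="http://i.imgur.com/abc123.png">'
    '<iframe src="http://www.youtube.com/embed/VIDEOID"></iframe>'
    '<img src="http://images.example.net/pony.jpg">'
    '<a href="http://example.org/">link</a></p>'
)
```

Leftover entries marked `active` are the ones a browser blocks outright on an HTTPS page; `passive` ones still load but trigger a mixed content warning.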

Thank you. I'll hold off from filing a bug report while you fix this problem. Would a month be enough for me to check back and see if the problem is fixed?

 

And it is my understanding that IP.Board does not allow easy handling of both HTTP and HTTPS on the same site. Have you considered defaulting to HTTPS across the site? If you are concerned about performance you should know that TLS currently causes little processing overhead, especially if your server supports the AES-NI instruction set and you use it with a cipher suite like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA.


For the record, I saw your response in the other thread, and it is nice to see you even have plans for HSTS down the road. I understand that you can't have an ETA for full implementation, however I'm going to leave the rule enabled for now, since it's far more complicated to re-enable rules for fixed sites than to disable them.

 

I'll stick around, so you can contact me if you have questions about HTTPS Everywhere or general TLS implementation.


This topic is now closed to further replies.