#157 https doesn't work correctly on fedoramagazine.org
Closed: Fixed None Opened 5 years ago by sparks.

When forcing https on fedoramagazine.org it appears to break CSS.


HTTPS is not needed on the site since auth is going through FAS for users. If we decided to change from FAS or change the infrastructure behind the Magazine this ticket can be revisited. Marking as wontfix.

Actually, HTTPS is needed to keep the authentication tickets a secret. It's fine that FAS authentication is encrypted but when the ticket is passed around for authentication purposes in WP in the clear it leaves your authentication open for attack (and could leave other services vulnerable that use FAS for auth). This is a known attack vector and I believe we've seen some attacks in the wild with this.

Hiya,

I see that https still causes the rendering to break. Chris, will this remain a wontfix?

Hi all,

Not sure where the status on this is right now. I've noticed it seems SSL is the default on the Magazine, but WordPress images are not being served over SSL, which causes browsers to complain about the page being insecure. Not sure how difficult this is, but as far as I know, this is really the only blocking element to being 100% SSL-ready for the Magazine?

Thanks!

Maybe you can use the communityblog configuration also for the magazine, since it supports https now properly: https://communityblog.fedoraproject.org/

Also, please do not forget to set the authentication cookies to be secure and enable HTTP Strict Transport Security once https is properly configured.
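Added example, not part of the ticket thread or the Fedora infrastructure code: a small offline audit for the three gaps raised in this ticket (content loaded over plain HTTP, session cookies without `Secure`, no HSTS header). The hostnames, the cookie name and the sample responses are constructed placeholders.

```python
from html.parser import HTMLParser

class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script", "iframe"):
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        else:
            return  # e.g. <a href> is navigation, not a subresource load
        if url and url.lower().startswith("http://"):
            self.insecure.append(url)

def audit(headers, html):
    """headers: list of (name, value) response headers; html: response body."""
    finder = MixedContentFinder()
    finder.feed(html)
    findings = ["mixed content: " + u for u in finder.insecure]
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    for n, v in headers:
        if n.lower() == "set-cookie":
            pair, *attrs = [p.strip() for p in v.split(";")]
            if not any(x.lower() == "secure" for x in attrs):
                findings.append("cookie without Secure: " + pair.split("=", 1)[0])
    return findings

# Constructed sample responses (hostnames and cookie name are placeholders).
BEFORE_HEADERS = [("Set-Cookie", "session_example=abc123; Path=/; HttpOnly")]
BEFORE_HTML = """
<link rel="stylesheet" href="http://magazine.example/style.css">
<img src="https://magazine.example/featured.png">
<img src="http://magazine.example/screenshot.png">
<a href="http://other.example/">link</a>
"""
AFTER_HEADERS = [("Strict-Transport-Security", "max-age=31536000"),
                 ("Set-Cookie", "session_example=abc123; Path=/; Secure; HttpOnly")]
AFTER_HTML = BEFORE_HTML.replace('="http://magazine', '="https://magazine')

if __name__ == "__main__":
    for label, h, b in (("before", BEFORE_HEADERS, BEFORE_HTML),
                        ("after", AFTER_HEADERS, AFTER_HTML)):
        print(label, audit(h, b))
```
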

This ticket was brought up in the weekly Magazine meeting tonight. Featured images are being served over SSL but not content images like screenshots found in [https://fedoramagazine.org/never-leave-irc-znc/ this article].

puiterwijk is taking a look at it now.

This seems to work for me in Chrome 46 on Fedora 23, and also in Firefox. Has this been fixed?

The Fedora Magazine articles have now all been fixed, and this issue should be resolved.
Please reopen the ticket if you find any images or references that are still broken.

Note: sslonly and HTTP Strict Transport Security will be enabled by the end of this week.

After that is enabled, people will not be able to visit the magazine through non-secured channels anymore.

Replying to [comment:11 puiterwijk]:

> Note: sslonly and HTTP Strict Transport Security will be enabled by the end of this week.
>
> After that is enabled, people will not be able to visit the magazine through non-secured channels anymore.

Awesome news, thanks again Patrick!
