Author Topic: The site is still not completely TLS exclusive.  (Read 16617 times)


Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
The site is still not completely TLS exclusive.
« on: March 31, 2017, 12:55:43 pm »
There are still some elements not served through encrypted means. @EEVBlog please check your advertising code and upgrade those to ones requiring TLS too, or the pages can still be hijacked despite the site itself mandating TLS.
 

Offline PointyOintment

  • Frequent Contributor
  • **
  • Posts: 327
  • Country: ca
  • ↑ I scanned my face
Re: The site is still not completely TLS exclusive.
« Reply #1 on: April 01, 2017, 02:08:04 am »
I use the Chrome extension KB SSL Enforcer. In the past it has for some reason stopped enforcing HTTPS on this site, despite me repeatedly telling it to. It has always worked fine on all other sites. I tried again the other day and it seems to have stuck. However, the background image (the pattern of holes) was not served securely, so that stopped working (resulting in white background) until I told Chrome to "load unsafe scripts" and my other extension uMatrix to not enforce strict HTTPS. This resulted in Chrome telling me the page was not fully secure, of course. As soon as I did that and loaded again, though, it was full HTTPS, with the background working—maybe the background was cached by Chrome and therefore didn't need to be loaded again?
I refuse to use AD's LTspice or any other "free" software whose license agreement prohibits benchmarking it (which implies it's really bad) or publicly disclosing the existence of the agreement. Fortunately, I haven't agreed to that one, and those terms are public already.
 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 9057
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: The site is still not completely TLS exclusive.
« Reply #2 on: April 01, 2017, 02:38:51 am »
or the pages can still be hijacked despite the site itself mandating TLS.

The last I heard, this site does not mandate TLS. The encryption you receive here is only between your browser and CloudFlare's caching servers. The connection from CloudFlare to the EEVblog server is not encrypted, even if your browser says otherwise. CloudFlare is providing the encryption, not EEVblog.

i.e.,

Browser <--- HTTP ---> CloudFlare <--- HTTP ---> EEVblog

Browser <--- HTTPS ---> CloudFlare <--- HTTP ---> EEVblog
« Last Edit: April 01, 2017, 02:40:53 am by bitseeker »
TEA is the way. | TEA Time channel
 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 9057
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: The site is still not completely TLS exclusive.
« Reply #3 on: April 01, 2017, 02:44:16 am »
Scratch that. I just saw this:

https://www.eevblog.com/forum/news/server-ssl-upgrade/

Things, they are a changing!
TEA is the way. | TEA Time channel
 

Offline raspberrypi

  • Frequent Contributor
  • **
  • !
  • Posts: 358
  • Country: us
Re: The site is still not completely TLS exclusive.
« Reply #4 on: April 01, 2017, 03:12:18 am »
I use the Chrome extension KB SSL Enforcer. In the past it has for some reason stopped enforcing HTTPS on this site, despite me repeatedly telling it to. It has always worked fine on all other sites. I tried again the other day and it seems to have stuck. However, the background image (the pattern of holes) was not served securely, so that stopped working (resulting in white background) until I told Chrome to "load unsafe scripts" and my other extension uMatrix to not enforce strict HTTPS. This resulted in Chrome telling me the page was not fully secure, of course. As soon as I did that and loaded again, though, it was full HTTPS, with the background working—maybe the background was cached by Chrome and therefore didn't need to be loaded again?

I always thought that chrome was just an easy way for google to spy on you then neatly package your personal info to sell to advertisers.
I'm legally blind so sometimes I ask obvious questions, but its because I can't see well.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #5 on: April 01, 2017, 03:17:09 am »
I use the Chrome extension KB SSL Enforcer. In the past it has for some reason stopped enforcing HTTPS on this site, despite me repeatedly telling it to. It has always worked fine on all other sites. I tried again the other day and it seems to have stuck. However, the background image (the pattern of holes) was not served securely, so that stopped working (resulting in white background) until I told Chrome to "load unsafe scripts" and my other extension uMatrix to not enforce strict HTTPS. This resulted in Chrome telling me the page was not fully secure, of course. As soon as I did that and loaded again, though, it was full HTTPS, with the background working—maybe the background was cached by Chrome and therefore didn't need to be loaded again?

I always thought that chrome was just an easy way for google to spy on you then neatly package your personal info to sell to advertisers.

Which is why I use Chromium; it's Chrome before it's altered by Google with all their crap to become Chrome.
 
The following users thanked this post: SeanB, bitseeker

Offline raspberrypi

  • Frequent Contributor
  • **
  • !
  • Posts: 358
  • Country: us
Re: The site is still not completely TLS exclusive.
« Reply #6 on: April 01, 2017, 03:27:11 am »
I use the Chrome extension KB SSL Enforcer. In the past it has for some reason stopped enforcing HTTPS on this site, despite me repeatedly telling it to. It has always worked fine on all other sites. I tried again the other day and it seems to have stuck. However, the background image (the pattern of holes) was not served securely, so that stopped working (resulting in white background) until I told Chrome to "load unsafe scripts" and my other extension uMatrix to not enforce strict HTTPS. This resulted in Chrome telling me the page was not fully secure, of course. As soon as I did that and loaded again, though, it was full HTTPS, with the background working—maybe the background was cached by Chrome and therefore didn't need to be loaded again?

I always thought that chrome was just an easy way for google to spy on you then neatly package your personal info to sell to advertisers.

Which is why I use Chromium; it's Chrome before it's altered by Google with all their crap to become Chrome.

This site probably uses hostfission; a shit web server service that every time I call technical support it's down because they are "upgrading the servers". Place must buy servers that run on double A batteries with bateroo's on them.
I'm legally blind so sometimes I ask obvious questions, but its because I can't see well.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #7 on: April 01, 2017, 05:20:03 am »
I use the Chrome extension KB SSL Enforcer. In the past it has for some reason stopped enforcing HTTPS on this site, despite me repeatedly telling it to. It has always worked fine on all other sites. I tried again the other day and it seems to have stuck. However, the background image (the pattern of holes) was not served securely, so that stopped working (resulting in white background) until I told Chrome to "load unsafe scripts" and my other extension uMatrix to not enforce strict HTTPS. This resulted in Chrome telling me the page was not fully secure, of course. As soon as I did that and loaded again, though, it was full HTTPS, with the background working—maybe the background was cached by Chrome and therefore didn't need to be loaded again?

I always thought that chrome was just an easy way for google to spy on you then neatly package your personal info to sell to advertisers.

Which is why I use Chromium; it's Chrome before it's altered by Google with all their crap to become Chrome.

This site probably uses hostfission; a shit web server service that every time I call technical support it's down because they are "upgrading the servers". Place must buy servers that run on double A batteries with bateroo's on them.

I am sorry, is that a personal attack? For the record, you are not one of my clients, nor have I had any calls to my technical support line of the sort.

Edit: Thank you Dave/Simon, someone banned this guy for trolling, not sure if it was in relation to the above post or not.
« Last Edit: April 01, 2017, 05:22:42 am by gnif »
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #8 on: April 01, 2017, 05:28:45 am »
I use the Chrome extension KB SSL Enforcer. In the past it has for some reason stopped enforcing HTTPS on this site, despite me repeatedly telling it to. It has always worked fine on all other sites. I tried again the other day and it seems to have stuck. However, the background image (the pattern of holes) was not served securely, so that stopped working (resulting in white background) until I told Chrome to "load unsafe scripts" and my other extension uMatrix to not enforce strict HTTPS. This resulted in Chrome telling me the page was not fully secure, of course. As soon as I did that and loaded again, though, it was full HTTPS, with the background working—maybe the background was cached by Chrome and therefore didn't need to be loaded again?

Just to clear things up: yes, there was an issue here with the URL. It was absolute and specified HTTP; I corrected this, among many other bad URLs, to use HTTPS, including the embedded advertising.

I have configured the server so that if your browser sends the header 'Upgrade-Insecure-Requests: 1' in its request (most modern browsers do), the server will redirect you to the HTTPS address instead of serving you the content insecurely, so there is no need to force SSL for this website anymore :)

Edit: Actually there are a few image issues still to resolve when I next find a free chunk of time, but other than that it is all working :)
« Last Edit: April 01, 2017, 05:30:25 am by gnif »
 
The following users thanked this post: PointyOintment, bitseeker

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 9057
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: The site is still not completely TLS exclusive.
« Reply #9 on: April 01, 2017, 05:30:16 am »
Yep, it's been working well after all the time you spent tweaking it today, gnif. Thanks!

Edit: Ah, yes. Just saw that the regular smiley you added was not encrypted. Getting close! https://www.eevblog.com/forum/Smileys/default/smiley.gif
« Last Edit: April 01, 2017, 05:32:47 am by bitseeker »
TEA is the way. | TEA Time channel
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #10 on: April 01, 2017, 05:35:05 am »
I use the Chrome extension KB SSL Enforcer. In the past it has for some reason stopped enforcing HTTPS on this site, despite me repeatedly telling it to. It has always worked fine on all other sites. I tried again the other day and it seems to have stuck. However, the background image (the pattern of holes) was not served securely, so that stopped working (resulting in white background) until I told Chrome to "load unsafe scripts" and my other extension uMatrix to not enforce strict HTTPS. This resulted in Chrome telling me the page was not fully secure, of course. As soon as I did that and loaded again, though, it was full HTTPS, with the background working—maybe the background was cached by Chrome and therefore didn't need to be loaded again?

Just to clear things up: yes, there was an issue here with the URL. It was absolute and specified HTTP; I corrected this, among many other bad URLs, to use HTTPS, including the embedded advertising.

I have configured the server so that if your browser sends the header 'Upgrade-Insecure-Requests: 1' in its request (most modern browsers do), the server will redirect you to the HTTPS address instead of serving you the content insecurely, so there is no need to force SSL for this website anymore :)

Edit: Actually there are a few image issues still to resolve when I next find a free chunk of time, but other than that it is all working :)
Maybe set the HTTP Strict Transport Security too? This will not only redirect supported browsers to HTTPS, it tells them to keep using HTTPS in subsequent visits and not even bother with HTTP at all.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #11 on: April 01, 2017, 05:37:09 am »
I use the Chrome extension KB SSL Enforcer. In the past it has for some reason stopped enforcing HTTPS on this site, despite me repeatedly telling it to. It has always worked fine on all other sites. I tried again the other day and it seems to have stuck. However, the background image (the pattern of holes) was not served securely, so that stopped working (resulting in white background) until I told Chrome to "load unsafe scripts" and my other extension uMatrix to not enforce strict HTTPS. This resulted in Chrome telling me the page was not fully secure, of course. As soon as I did that and loaded again, though, it was full HTTPS, with the background working—maybe the background was cached by Chrome and therefore didn't need to be loaded again?

Just to clear things up: yes, there was an issue here with the URL. It was absolute and specified HTTP; I corrected this, among many other bad URLs, to use HTTPS, including the embedded advertising.

I have configured the server so that if your browser sends the header 'Upgrade-Insecure-Requests: 1' in its request (most modern browsers do), the server will redirect you to the HTTPS address instead of serving you the content insecurely, so there is no need to force SSL for this website anymore :)

Edit: Actually there are a few image issues still to resolve when I next find a free chunk of time, but other than that it is all working :)
Maybe set the HTTP Strict Transport Security too? This will not only redirect supported browsers to HTTPS, it tells them to keep using HTTPS in subsequent visits and not even bother with HTTP at all.

Hah, not a chance! Every embedded image from non-HTTPS websites would break. Simply not suitable for the content of this forum.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38204
  • Country: au
    • EEVblog
Re: The site is still not completely TLS exclusive.
« Reply #12 on: April 01, 2017, 06:29:20 am »
There are still some elements not served through encrypted means. @EEVBlog please check your advertising code and upgrade those to ones requiring TLS too, or the pages can still be hijacked despite the site itself mandating TLS.

I am not concerned that the ads are going to be hijacked.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #13 on: April 01, 2017, 06:32:28 am »
There are still some elements not served through encrypted means. @EEVBlog please check your advertising code and upgrade those to ones requiring TLS too, or the pages can still be hijacked despite the site itself mandating TLS.

I am not concerned that the ads are going to be hijacked.

This is no issue either as I fixed these when I set things up yesterday.
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #14 on: April 01, 2017, 06:42:17 am »
I use the Chrome extension KB SSL Enforcer. In the past it has for some reason stopped enforcing HTTPS on this site, despite me repeatedly telling it to. It has always worked fine on all other sites. I tried again the other day and it seems to have stuck. However, the background image (the pattern of holes) was not served securely, so that stopped working (resulting in white background) until I told Chrome to "load unsafe scripts" and my other extension uMatrix to not enforce strict HTTPS. This resulted in Chrome telling me the page was not fully secure, of course. As soon as I did that and loaded again, though, it was full HTTPS, with the background working—maybe the background was cached by Chrome and therefore didn't need to be loaded again?

Just to clear things up: yes, there was an issue here with the URL. It was absolute and specified HTTP; I corrected this, among many other bad URLs, to use HTTPS, including the embedded advertising.

I have configured the server so that if your browser sends the header 'Upgrade-Insecure-Requests: 1' in its request (most modern browsers do), the server will redirect you to the HTTPS address instead of serving you the content insecurely, so there is no need to force SSL for this website anymore :)

Edit: Actually there are a few image issues still to resolve when I next find a free chunk of time, but other than that it is all working :)
Maybe set the HTTP Strict Transport Security too? This will not only redirect supported browsers to HTTPS, it tells them to keep using HTTPS in subsequent visits and not even bother with HTTP at all.

Hah, not a chance! Every embedded image from non-HTTPS websites would break. Simply not suitable for the content of this forum.
Not really. If the website is marked with HSTS the browser will go straight for https regardless of the original link being http or https, not even requiring a redirect for this to work.

Also you need to check this: https://www.ssllabs.com/ssltest/analyze.html?d=www.eevblog.com&latest
« Last Edit: April 01, 2017, 06:43:49 am by technix »
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #15 on: April 01, 2017, 06:43:22 am »
Not really. If the website is marked with HSTS the browser will go straight for https regardless of the original link being http or https, not even requiring a redirect for this to work.

You missed the point, many people embed links to images from other websites that do not have HTTPS, these will break if we use HSTS.

Quote
Also you need to check this: https://www.ssllabs.com/ssltest/analyze.html?d=www.eevblog.com&latest
We do not terminate SSL, CloudFlare does, we are not in control of this.

SSL was not put on the website for security, this forum doesn't really need it, it was put on simply for SEO and to keep the paranoid happy.
« Last Edit: April 01, 2017, 06:52:15 am by gnif »
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #16 on: April 01, 2017, 07:01:17 am »
Not really. If the website is marked with HSTS the browser will go straight for https regardless of the original link being http or https, not even requiring a redirect for this to work.

You missed the point, many people embed links to images from other websites that do not have HTTPS, these will break if we use HSTS.
If the images are not from *.eevblog.com the HSTS settings here will not affect them, unless the site pointed to also has HSTS on.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #17 on: April 01, 2017, 07:11:38 am »
You are correct, I was mixed up with the server-side 'Content-Security-Policy: upgrade-insecure-requests' header that causes this behavior. Even still, HSTS is not warranted here, as not everyone cares to use HTTPS with this website, nor should they.
 
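The three mechanisms the thread has been comparing behave quite differently, and the distinction gnif and technix settle on in replies #15 to #17 is easy to get wrong. The model below is an added example, not code from the forum or from the EEVblog server: it shows the server-side redirect triggered by 'Upgrade-Insecure-Requests: 1' (reply #8), a browser-style HSTS cache that only rewrites URLs for hosts that have set the header (replies #14 and #16), and the 'Content-Security-Policy: upgrade-insecure-requests' directive, which rewrites every http:// subresource on the page whatever host it points at (reply #17), which is exactly why it would break images hot-linked from http-only sites. The third-party image host names are constructed for illustration; port handling is omitted.

```python
"""Model of UIR redirects, HSTS scoping and CSP upgrade-insecure-requests.
Added example (not the forum's or server's code); third-party hosts are constructed."""
from urllib.parse import urlsplit, urlunsplit


# --- 1. Server side: redirect plain-HTTP requests that advertise UIR support ---
def server_response(scheme: str, host: str, path: str, headers: dict) -> dict:
    """Behaviour described in reply #8: if the request arrived over plain HTTP and the
    browser sent 'Upgrade-Insecure-Requests: 1', answer with a redirect to the HTTPS
    URL; otherwise serve the content on whatever scheme was used."""
    uir = headers.get("Upgrade-Insecure-Requests", "").strip() == "1"
    if scheme == "http" and uir:
        return {"status": 307, "location": urlunsplit(("https", host, path, "", ""))}
    return {"status": 200, "served_over": scheme}


# --- 2. Browser side: an HSTS cache, scoped to the hosts that set the header ----
def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains' into a small policy record."""
    policy = {"max_age": 0, "include_subdomains": False}
    for token in header.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            policy["max_age"] = int(token.split("=", 1)[1].strip('"'))
        elif token == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def hsts_upgrade(hsts_cache: dict, url: str) -> str:
    """Rewrite http:// to https:// only when the URL's host is a known HSTS host, or a
    parent domain of it is one with includeSubDomains. Any other host, such as an image
    hot-linked from an unrelated site, is left alone (the point made in reply #16)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = hsts_cache.get(candidate)
        # exact host always matches; a parent domain only with includeSubDomains
        if policy and policy["max_age"] > 0 and (i == 0 or policy["include_subdomains"]):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


# --- 3. CSP upgrade-insecure-requests: page-wide, host-independent ------------
def csp_upgrade(csp_header: str, subresource_url: str) -> str:
    """The directive gnif had in mind in reply #17: when the page carries
    'upgrade-insecure-requests', the browser fetches every http:// subresource over
    https:// regardless of host. An http-only third-party image host then fails to
    load, which is the breakage described in reply #15."""
    directives = {d.strip().lower() for d in csp_header.split(";")}
    parts = urlsplit(subresource_url)
    if "upgrade-insecure-requests" in directives and parts.scheme == "http":
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return subresource_url


if __name__ == "__main__":
    cache = {"eevblog.com": parse_hsts("max-age=31536000; includeSubDomains")}
    smiley = "http://www.eevblog.com/forum/Smileys/default/smiley.gif"
    hotlink = "http://images.example.net/scope.jpg"  # constructed third-party host
    print(server_response("http", "www.eevblog.com", "/forum/", {"Upgrade-Insecure-Requests": "1"}))
    print("HSTS:", hsts_upgrade(cache, smiley), "|", hsts_upgrade(cache, hotlink))
    print("CSP :", csp_upgrade("upgrade-insecure-requests", smiley), "|",
          csp_upgrade("upgrade-insecure-requests", hotlink))
```

Running it shows the asymmetry in one glance: the HSTS cache upgrades the forum's own smiley but leaves the constructed third-party image on http, while the CSP directive upgrades both, so a hot-linked image whose host has no HTTPS would fail under CSP but not under HSTS.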

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #18 on: April 01, 2017, 07:20:27 am »
You are correct, I was mixed up with the server-side 'Content-Security-Policy: upgrade-insecure-requests' header that causes this behavior. Even still, HSTS is not warranted here, as not everyone cares to use HTTPS with this website, nor should they.
HSTS silently upgrades everyone to HTTPS and makes sure it stays that way. It also catches the odd image that you forgot to upgrade the link to.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #19 on: April 01, 2017, 07:23:05 am »
It isn't silent if people do not want HTTPS. There are many reasons to not use HTTPS, and there is no critical sensitive information on this site that requires forcing HTTPS. This topic has been discussed extensively in the past, and the general consensus is to have it optional. HSTS is of no use here; I just need to fix the website up to serve the correct scheme.
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #20 on: April 01, 2017, 08:03:34 am »
It isn't silent if people do not want HTTPS. There are many reasons to not use HTTPS, and there is no critical sensitive information on this site that requires forcing HTTPS. This topic has been discussed extensively in the past, and the general consensus is to have it optional. HSTS is of no use here; I just need to fix the website up to serve the correct scheme.
Then folks will start seeing Keysight or Bryman ads appearing on all websites they visit.
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8038
  • Country: gb
Re: The site is still not completely TLS exclusive.
« Reply #21 on: April 01, 2017, 09:09:52 am »
It isn't silent if people do not want HTTPS. There are many reasons to not use HTTPS, and there is no critical sensitive information on this site that requires forcing HTTPS. This topic has been discussed extensively in the past, and the general consensus is to have it optional. HSTS is of no use here; I just need to fix the website up to serve the correct scheme.
Then folks will start seeing Keysight or Bryman ads appearing on all websites they visit.

Yes, that's how ads work - what's the problem?
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #22 on: April 01, 2017, 09:56:05 am »
It isn't silent if people do not want HTTPS. There are many reasons to not use HTTPS, and there is no critical sensitive information on this site that requires forcing HTTPS. This topic has been discussed extensively in the past, and the general consensus is to have it optional. HSTS is of no use here; I just need to fix the website up to serve the correct scheme.
Then folks will start seeing Keysight or Bryman ads appearing on all websites they visit.

Yes, that's how ads work - what's the problem?
I mean even with adblock on, advertisers would still know.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1691
  • Country: au
Re: The site is still not completely TLS exclusive.
« Reply #23 on: April 01, 2017, 10:02:22 am »
I mean even with adblock on, advertisers would still know.

Umm, Dave runs ads here to feed his family. Most of us, out of support for Dave, do not block the ads on this website, and the ads he does run are non-intrusive. In short, we are ok with it... it's just the odd person. Remember Dave runs the forum, website and videos out of his own pocket; this is his full-time job, and the least we can do is put up with a few ads.

Edit: Btw the ads are served via HTTPS anyway, so I don't know what your issue is. The few images of concern are the smiley faces in posts....
« Last Edit: April 01, 2017, 10:07:10 am by gnif »
 

Offline technixTopic starter

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: The site is still not completely TLS exclusive.
« Reply #24 on: April 01, 2017, 01:02:32 pm »
Btw the ads are served via HTTPS anyway, so I don't know what your issue is. The few images of concern are the smiley faces in posts....
The problem is that with the latest ruling in the US, the ISP will let advertisers know that you are an electronics engineer, regardless of your willingness to have the ISP track you, and despite you running Adblock, simply because you are frequenting EEVblog, if the advertiser is willing to pay. That is the scary part.

As for me, I have to run my browser with AdBlock and a lot of extra security features. It is widely and publicly known that my ISP, China Telecom, has been doing this since 2014 or thereabouts. And Chinese ISPs are mandated to send all my Internet traffic to the cops for tab-keeping. I definitely have to do something to obscure my traffic to keep Big Brother out.
« Last Edit: April 01, 2017, 01:06:50 pm by technix »
 

