
    Should People Force HTTPS via Redirect?

      DustinB3403

      Let's Encrypt is free, for everyone. No reason to not have https enabled.

        scottalanmiller @DustinB3403

        @DustinB3403 said in Wazo to sponsor Astricon 2019:

        chrome_EEwpc0H1PI.png

        Yeah...

        https://wazo.io/

        Works here.

          scottalanmiller @DustinB3403

          @DustinB3403 said in Wazo to sponsor Astricon 2019:

          Let's Encrypt is free, for everyone. No reason to not have https enabled.

          It is enabled.

            scottalanmiller @DustinB3403

            @DustinB3403 said in Wazo to sponsor Astricon 2019:

            Let's Encrypt is free, for everyone. No reason to not have https enabled.

            That's what they use.

            Screenshot from 2019-10-04 11-32-57.png

              DustinB3403 @scottalanmiller

              @scottalanmiller said in Wazo to sponsor Astricon 2019:

              @DustinB3403 said in Wazo to sponsor Astricon 2019:

              Let's Encrypt is free, for everyone. No reason to not have https enabled.

              It is enabled.

              So why not have http redirect to https? Seems like a major oversight there.

                DustinB3403

                chrome_1vOEEt8sOh.png

                Care to explain?

                  scottalanmiller @DustinB3403

                  @DustinB3403 said in Wazo to sponsor Astricon 2019:

                  @scottalanmiller said in Wazo to sponsor Astricon 2019:

                  @DustinB3403 said in Wazo to sponsor Astricon 2019:

                  Let's Encrypt is free, for everyone. No reason to not have https enabled.

                  It is enabled.

                  So why not have http redirect to https? Seems like a major oversight there.

                  Totally different issue. Having HTTPS is considered a must have. Doing redirects to stop people who don't type in https is not considered a universal thing and is purely opinion as to if it should exist. Most people prefer it, but it's a "that's a nice thing to have in most cases", far from "something is in any way wrong to not force it." Leaving it up to the end user is always okay.

                    wirestyle22 @scottalanmiller

                    @scottalanmiller said in Wazo to sponsor Astricon 2019:

                    @DustinB3403 said in Wazo to sponsor Astricon 2019:

                    @scottalanmiller said in Wazo to sponsor Astricon 2019:

                    @DustinB3403 said in Wazo to sponsor Astricon 2019:

                    Let's Encrypt is free, for everyone. No reason to not have https enabled.

                    It is enabled.

                    So why not have http redirect to https? Seems like a major oversight there.

                    Totally different issue. Having HTTPS is considered a must have. Doing redirects to stop people who don't type in https is not considered a universal thing and is purely opinion as to if it should exist. Most people prefer it, but it's a "that's a nice thing to have in most cases", far from "something is in any way wrong to not force it." Leaving it up to the end user is always okay.

                    It's required in a lot of compliance and IMO should always exist. I'd need more of a reason to not do it than to do it.

                      DustinB3403 @wirestyle22

                      @wirestyle22 said in Wazo to sponsor Astricon 2019:

                      It's required in a lot of compliance and IMO should always exist. I'd need more of a reason to not do it than to do it.

                      I'd agree. Why leave it to the end user to choose to be secure or not when it's maybe 10 additional seconds of effort?

                        DustinB3403

                        The fact that they used the same certificate from phone.wazo.community (which is a login page) for their main site raises even more red flags.

                        An LE cert isn't difficult to implement, so that there adds to the concern.

                          scottalanmiller @wirestyle22

                          @wirestyle22 said in Should People Force HTTPS via Redirect?:

                          @scottalanmiller said in Wazo to sponsor Astricon 2019:

                          @DustinB3403 said in Wazo to sponsor Astricon 2019:

                          @scottalanmiller said in Wazo to sponsor Astricon 2019:

                          @DustinB3403 said in Wazo to sponsor Astricon 2019:

                          Let's Encrypt is free, for everyone. No reason to not have https enabled.

                          It is enabled.

                          So why not have http redirect to https? Seems like a major oversight there.

                          Totally different issue. Having HTTPS is considered a must have. Doing redirects to stop people who don't type in https is not considered a universal thing and is purely opinion as to if it should exist. Most people prefer it, but it's a "that's a nice thing to have in most cases", far from "something is in any way wrong to not force it." Leaving it up to the end user is always okay.

                          It's required in a lot of compliance and IMO should always exist. I'd need more of a reason to not do it than to do it.

                          What compliance requires it? As the end user alone opts which one to use, that would be one bizarre compliance point.

                            JaredBusch @DustinB3403

                            @DustinB3403 said in Should People Force HTTPS via Redirect?:

                            The fact that they used the same certificate from phone.wazo.community (which is a login page) for their main site raises even more red flags.

                            What the fuck are you talking about? There is no security issue with having a single proxy handling all of the inbound connections. There is also no issue at all with only having a single LE cert on the fucking system that handles all of the domains it needs to handle.

                            You are intentionally breaking the wazo-platform.org URL. They are not redirecting you to HTTPS, you are forcing it to break.

                              black3dynamite

                              You're worrying for no reason. All their important links are secured.

                                DustinB3403 @JaredBusch

                                @JaredBusch said in Should People Force HTTPS via Redirect?:

                                @DustinB3403 said in Should People Force HTTPS via Redirect?:

                                The fact that they used the same certificate from phone.wazo.community (which is a login page) for their main site raises even more red flags.

                                What the fuck are you talking about? There is no security issue with having a single proxy handling all of the inbound connections. There is also no issue at all with only having a single LE cert on the fucking system that handles all of the domains it needs to handle.

                                You are intentionally breaking the wazo-platform.org URL. They are not redirecting you to HTTPS, you are forcing it to break.

                                I clicked the links you provided, I did absolutely nothing to force it to break. I then went to their site and the same issue occurred. So you can pound sand.

                                  JaredBusch @DustinB3403

                                  @DustinB3403 said in Should People Force HTTPS via Redirect?:

                                  @JaredBusch said in Should People Force HTTPS via Redirect?:

                                  @DustinB3403 said in Should People Force HTTPS via Redirect?:

                                  The fact that they used the same certificate from phone.wazo.community (which is a login page) for their main site raises even more red flags.

                                  What the fuck are you talking about? There is no security issue with having a single proxy handling all of the inbound connections. There is also no issue at all with only having a single LE cert on the fucking system that handles all of the domains it needs to handle.

                                  You are intentionally breaking the wazo-platform.org URL. They are not redirecting you to HTTPS, you are forcing it to break.

                                  I clicked the links you provided, I did absolutely nothing to force it to break. I then went to their site and the same issue occurred. So you can pound sand.

                                  No, actually you did not. My post is unedited (no pencil icon). There is no https link provided by me.

                                    quintana @DustinB3403

                                    @DustinB3403 Hello, yes, you are right, I haven't set up a certificate for wazo-plaform.org. My mistake, it was on my to-do list, but I didn't have time to set it up. But now it's done.
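
The thread mixes two independent checks: whether the certificate a server presents actually names the host being visited, and whether plain HTTP redirects to HTTPS. The following is an added example, not code from any poster or from Wazo; `san_matches`, `cert_covers`, `redirect_forces_https` and `audit` are hypothetical helper names, and the SAN lists and HTTP responses are constructed, not the real certificates' contents.

```python
from urllib.parse import urlsplit

def san_matches(hostname, san):
    """Simplified RFC 6125 match: exact name, or '*' as the whole leftmost label.
    (No IDN handling and no partial wildcards such as 'f*.example.org'.)"""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # refuse overly broad patterns such as "*.org"
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, sans):
    """One shared certificate is fine as long as it lists every name it serves."""
    return any(san_matches(hostname, s) for s in sans)

def redirect_forces_https(status, location):
    """True if a plain-HTTP response redirects the client to an https:// URL."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    return urlsplit(location).scheme == "https"

def audit(hostname, sans, http_status, http_location):
    """Report the two conditions separately, since they are separate issues."""
    findings = []
    if not cert_covers(hostname, sans):
        findings.append("cert-name-mismatch")
    if not redirect_forces_https(http_status, http_location):
        findings.append("no-https-redirect")
    return findings

# Constructed observations: a proxy serving a certificate that lists only the
# login host, then the same host once the name is on the certificate and
# port 80 answers with a redirect.
BEFORE = audit("wazo-platform.org", ["phone.wazo.community"], 200, None)
AFTER = audit("wazo-platform.org",
              ["phone.wazo.community", "wazo-platform.org"],
              301, "https://wazo-platform.org/")

if __name__ == "__main__":
    print("before:", BEFORE)
    print("after: ", AFTER)
```
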
