Revisit https discussion? November 15, 2017 10:44 AM Subscribe
Can metafilter force https?
It looks like this as discussed a few times, the last being was just over a year ago.
A couple specific things I find troubling:
I understand the arguments about it being detrimental to user experiences and certain widgets won't work, but surely an announcement "Hey, we're switching to HTTPS on July 1, 2018 - this might break your greasemonkey scripts" and maybe include a link to a guide on how to update them, would be an adequate warning?
Note that I only just realized there was an option to "use secure browsing" in the preferences, but in my ideal world, https would be on for everyone, and that option would be "don't use secure browsing"?
- When I navigate to https://ask.metafilter.com, or any other metafilter site, it removes the https and takes me back to http
- Forms (except for login) seem to be submitted via http POST (even anonymous asks)
I understand the arguments about it being detrimental to user experiences and certain widgets won't work, but surely an announcement "Hey, we're switching to HTTPS on July 1, 2018 - this might break your greasemonkey scripts" and maybe include a link to a guide on how to update them, would be an adequate warning?
Note that I only just realized there was an option to "use secure browsing" in the preferences, but in my ideal world, https would be on for everyone, and that option would be "don't use secure browsing"?
What she said. We've gotten most of the plumbing taken care of in a development branch, something frimble dug in on after the last discussion, so rolling it out is looking pretty doable and is more just now about setting aside the time to make it all happen. Which this may be a pretty good time for it!
Like you noted in the post, we've already got a user option for this that we've had for several years now, so the change would so much be adding it as changing the defaults. For non-logged-in readers, that would be a blanket change—everybody would now be getting https, no matter what. Which in theory shouldn't affect much of anything, but we'll only see for sure when we roll it out.
For logged-in members, the move to opt-out rather than opt-in would mean a lot of folks would suddenly have that one specific aspect of their browsing the site change, which again should be close to invisible in theory. In practice, there could be hiccups, but as with previous recent discussions there I'm feeling like the hiccups are a worthwhile tradeoff, and by keeping the Preferences option around in any case folks who have some technical reason to need http instead of https will be able to do that.
So my current thinking is: have frimble kick the tires in the next day or two to make sure everything looks solid, and then we can announce the upcoming change with a week or so window before it goes live. In that announcement I can encourage folks who currently use custom scripts to try enabling the secure browsing early, so if there are any notable script issues we can have a better chance of giving their authors (or where applicable friendly willing forkers) to update code as needed.
posted by cortex (staff) at 11:14 AM on November 15, 2017 [8 favorites]
Like you noted in the post, we've already got a user option for this that we've had for several years now, so the change would so much be adding it as changing the defaults. For non-logged-in readers, that would be a blanket change—everybody would now be getting https, no matter what. Which in theory shouldn't affect much of anything, but we'll only see for sure when we roll it out.
For logged-in members, the move to opt-out rather than opt-in would mean a lot of folks would suddenly have that one specific aspect of their browsing the site change, which again should be close to invisible in theory. In practice, there could be hiccups, but as with previous recent discussions there I'm feeling like the hiccups are a worthwhile tradeoff, and by keeping the Preferences option around in any case folks who have some technical reason to need http instead of https will be able to do that.
So my current thinking is: have frimble kick the tires in the next day or two to make sure everything looks solid, and then we can announce the upcoming change with a week or so window before it goes live. In that announcement I can encourage folks who currently use custom scripts to try enabling the secure browsing early, so if there are any notable script issues we can have a better chance of giving their authors (or where applicable friendly willing forkers) to update code as needed.
posted by cortex (staff) at 11:14 AM on November 15, 2017 [8 favorites]
Seems like the time has come.
Maybe after discussion and a decision to move forward, a sort of “HTTPS Week” warning banner and/or sidebar link to the metatalk announcement would be good.
posted by Celsius1414 at 11:15 AM on November 15, 2017 [1 favorite]
Maybe after discussion and a decision to move forward, a sort of “HTTPS Week” warning banner and/or sidebar link to the metatalk announcement would be good.
posted by Celsius1414 at 11:15 AM on November 15, 2017 [1 favorite]
I support the move to HTTPS, though agree a warning banner could be nice. I was logged out (new machine) earlier this week and surprised to see the site kicking me over to HTTP even when I requested otherwise via the URL.
posted by Nonsteroidal Anti-Inflammatory Drug at 11:28 AM on November 15, 2017
posted by Nonsteroidal Anti-Inflammatory Drug at 11:28 AM on November 15, 2017
Am I correct to assume that any special scripts/plugins people employ would need to be updated by their creators (if they have't already)?
Thanks for investigating this. I really want it implemented too.
posted by terrapin at 11:33 AM on November 15, 2017
Thanks for investigating this. I really want it implemented too.
posted by terrapin at 11:33 AM on November 15, 2017
I've had "use secure browsing" and the "HTTPS Everywhere" extension enabled for quite a while, and I had to modify the Metafilter GreaseMonkey scripts to change http to https. I forget the exact steps, but I don't recall it being very difficult.
posted by Greg_Ace at 12:40 PM on November 15, 2017 [1 favorite]
posted by Greg_Ace at 12:40 PM on November 15, 2017 [1 favorite]
For reference, I believe the main change for greasemonkey scripts would be to duplicate any line in the metadata at the top that lists http://metafilter but change to https, for example, the first listed on the mefi wiki page for Greasemonkey scripts has the following metadata:
So it would need to either duplicate each line to add https, so that it works with both, or just change http to https.
In firefox, you would just:
posted by czytm at 2:07 PM on November 15, 2017 [2 favorites]
// ==UserScript==
// @name Subdue Metafilter Titles
// @namespace http://example.com/SubdueMetafilterTitles
// @description Makes titles on the Metafilter front page smaller, and moves them to the "posted by" line.
// @include http://www.metafilter.com/
// @include http://www.metafilter.com/*?page=*
// @include http://ask.metafilter.com/
// @include http://ask.metafilter.com/*?page=*
// @include http://metatalk.metafilter.com/
// @include http://metatalk.metafilter.com/*?page=*
// @version 1
// ==/UserScript==So it would need to either duplicate each line to add https, so that it works with both, or just change http to https.
In firefox, you would just:
- click the little monkey
- click the script name you want to update
- click edit
- then make the changes
posted by czytm at 2:07 PM on November 15, 2017 [2 favorites]
We could in theory; in practice it's a bit dodgy to mefimail tens of thousands of people when a lot of folks in turn get their mefimail forwarded to their email inbox. Makes it less of a magical wand sort of deal since we're not *just* throwing some bits around in the db itself.
So a MetaTalk/banner/sidebar onslaught's really our best bet, and what I'm aiming for. It's a change that will barring any speedbumps go entirely unnoticed by most folks, and we can get out ahead with an announcement and catch any edge-case stragglers after the fact via the contact form.
posted by cortex (staff) at 2:16 PM on November 15, 2017 [3 favorites]
So a MetaTalk/banner/sidebar onslaught's really our best bet, and what I'm aiming for. It's a change that will barring any speedbumps go entirely unnoticed by most folks, and we can get out ahead with an announcement and catch any edge-case stragglers after the fact via the contact form.
posted by cortex (staff) at 2:16 PM on November 15, 2017 [3 favorites]
We could in theory; in practice it's a bit dodgy to mefimail tens of thousands of people when a lot of folks in turn get their mefimail forwarded to their email inbox
Also, some of us have memail turned off.
posted by zarq at 8:30 PM on November 15, 2017
Also, some of us have memail turned off.
posted by zarq at 8:30 PM on November 15, 2017
The lurkers support me in mefimail.
posted by Chrysostom at 10:59 PM on November 15, 2017 [1 favorite]
posted by Chrysostom at 10:59 PM on November 15, 2017 [1 favorite]
+1 Metafilter should absolutely be using https by default.
Just do it & stick a note at the head of the page to let people know so they can fix their scripts if they’ve broken.
posted by pharm at 1:22 AM on November 16, 2017 [2 favorites]
Just do it & stick a note at the head of the page to let people know so they can fix their scripts if they’ve broken.
posted by pharm at 1:22 AM on November 16, 2017 [2 favorites]
I'm excited you're doing this! As a tech/library person I think it's great for community-minded sites to default to letting readers read in privacy.
I think czytm was suggesting not memailing tens of thousands of people, but the ~20 people listed as authors on the mefi wiki page for Greasemonkey scripts. Seems like maybe they wouldn't mind a heads up, either officially or from one of us?
posted by john hadron collider at 5:31 AM on November 16, 2017 [2 favorites]
I think czytm was suggesting not memailing tens of thousands of people, but the ~20 people listed as authors on the mefi wiki page for Greasemonkey scripts. Seems like maybe they wouldn't mind a heads up, either officially or from one of us?
posted by john hadron collider at 5:31 AM on November 16, 2017 [2 favorites]
Ha! I misread that too. Thanks for the clarification. :)
posted by zarq at 9:01 AM on November 16, 2017
posted by zarq at 9:01 AM on November 16, 2017
Ducks are in a row and this looks good to move forward on, so I've just announced the plan to make the change, which we'll do next Friday.
posted by cortex (staff) at 12:59 PM on November 16, 2017 [4 favorites]
posted by cortex (staff) at 12:59 PM on November 16, 2017 [4 favorites]
There’s a weird typo in the above the fold - spacing after the [more inside] runs it right into the posted by line.
posted by bendy at 7:16 PM on November 16, 2017
posted by bendy at 7:16 PM on November 16, 2017
Be particularly mindful of your advertising. The last time I had a customer switch to https by default it was a never-ending parade of discoveries of how fucked the ad providers were. That's been a while and perhaps it's sorted out somewhat in the time since, but my opinion of ad network competence hasn't improved any.
posted by phearlez at 7:43 PM on November 16, 2017
posted by phearlez at 7:43 PM on November 16, 2017
You are not logged in, either login or create an account to post comments
The main sticking point is making a big change in the default behavior (from opt-in to opt-out), which can catch people unawares and we generally don't want to do that any more than we strictly have to. But more and more, people are expecting https as a default, so that argument is less compelling than it used to be.
If folks have comments about it we're all ears.
posted by LobsterMitten (staff) at 10:47 AM on November 15, 2017 [2 favorites]