MetaFilter is moving to https as a default
November 16, 2017 12:58 PM

A week from now, we'll be updating MetaFilter to always serve https pages instead of http! You most likely don't need to care at all that this is happening, but I'll explain what it means below. Come on in!

Super brief primer, if you're not really clear on what the hell https is about:

It's a more secure way of transferring information on the web.

The web was designed around http, HyperText Transfer Protocol, as a standard method for serving up requested web pages when you're browsing. https is a variant on that (s as in "secure", eyyyy) which incorporates encryption using an SSL certificate to avoid moving page text, form content, etc around in plain text over the internet. Which means that a third party can't snoop on what you're sending and receiving via your web browser.

https has been around for a while and so is common and well-supported; traditionally it had been used specifically for security-sensitive portions of web traffic (stuff like login/password forms, financial transactions, private communications, etc.) where the specific content being moved around was especially sensitive, but in recent years it has become increasingly common for sites to deliver all their content via https as a general good practice.


So what's changing now?

Short version: we're making it so that MetaFilter will be delivered to you in secure https format, unless you personally specifically need it to not do so.

MetaFilter already uses https for the obvious stuff (e.g. the login process, so your password isn't being sent in plain text across the internet when you sign in to the site), and we have for several years now provided logged-in members a Preferences item ("Use secure browsing?") to opt-in to using https on the site.

This change, starting a week from now, will mean two things:

1. For logged-in members of MetaFilter, the opt-in for secure browsing will become an opt-out; everyone will be on https unless they go to their Preferences and switch the preference off. You are very unlikely to need to opt out, but if there arises some specific technical issue with your setup that makes it necessary, that option will still be there.

2. For non-logged-in readers, everything will now be delivered as https instead of http. This shouldn't affect many active MeFites and shouldn't actually affect anyone as the change should be essentially invisible.


Do you need to do anything?

Probably not! My expectation is that this will be pretty painless, and for most MetaFilter users will be an essentially undetectable change. If something does break with the change, you may want to temporarily uncheck "Use secure browsing?" in your Preferences while you/we figure out what's up.

The main case where the difference between http and https could cause hiccups—and this has been a point of concern when we've discussed this possibility in the past—is that users who rely on custom browser extensions or user scripts may find that those scripts weren't written to account for the possibility of https URLs and so will behave incorrectly or not at all after the update.

Changing those scripts is thankfully usually very simple—sometimes as simple as literally changing "http" to "https" in the script or extension's code—but we'd like to identify any common scripts ahead of time so we can try to make sure updated versions are available to users in advance of us throwing the switch on this next week, instead of requiring everybody to individually edit their installed copies.


What you can do to help?

If you use any scripts or extensions, please consider changing your Preferences now to enable the "Use secure browsing?" option early, and keep an eye out for anything that breaks in your normal browsing process. If you run across something wrong, please note it in this thread or drop us a line at the contact form.

If you are a script author, please take a look at the currently available version of your scripts/extensions and check to see that they behave correctly with secure browsing enabled. If you don't have time to review/update yourself but are okay with folks doing so for you or forking your code, please let us know and we'll try to make sure that happens.


That's it!

That's the whole thing. A week from now, next Friday, we'll update the server with https-by-default code; if you spot any https-related issues between now and then, let us know and we'll try to address them ahead of time.
posted by cortex (staff) to Feature Requests at 12:58 PM (96 comments total) 49 users marked this as a favorite

Woot! \o/
posted by Celsius1414 at 1:11 PM on November 16, 2017


Thank you, cortex. Glad y'all are doing this.
posted by zarq at 1:33 PM on November 16, 2017


Tsk. How are you going to monetize if you can't run the lowest level of malware riddled ads*?

* Actual concern I have heard expressed for other sites in the wild.
posted by Artw at 1:37 PM on November 16, 2017 [4 favorites]


Neat! (But the top of page alert link is bringing us to the July ownership transfer announcement instead of this post.)
posted by maudlin at 1:37 PM on November 16, 2017 [1 favorite]


The banner is linking to the wrong MetaTalk post. That was confusing as I was skimming the post...
posted by mbrubeck at 1:37 PM on November 16, 2017 [2 favorites]


ha, goddammit, fixed
posted by cortex (staff) at 1:38 PM on November 16, 2017 [6 favorites]


I thought the extra 's' stood for sauce. As in delicious MetaFilter sauce! That extra ingredient that just made things that much better. You know what, I'm going to keep on pretending that that is what it means.

Carry on.
posted by Fizz at 1:43 PM on November 16, 2017 [7 favorites]


a very long time ago someone asked me what http stood for and i told them "hot tips" so "hot tips sauce" is definitely valid
posted by poffin boffin at 1:48 PM on November 16, 2017 [12 favorites]


Is this what the future is like?
posted by tobascodagama at 1:49 PM on November 16, 2017 [1 favorite]


Rah!
posted by jessamyn (retired) at 1:52 PM on November 16, 2017


Cortex, are you planning on using Let's Encrypt once they offer wildcard certificates?
posted by Foci for Analysis at 1:54 PM on November 16, 2017


[sauce needed]
posted by kindall at 1:54 PM on November 16, 2017 [2 favorites]


[saucing intensifies]
posted by zachlipton at 1:57 PM on November 16, 2017 [5 favorites]


Thatss reallys greats tos hears.
posted by leotrotsky at 1:59 PM on November 16, 2017 [2 favorites]


Thatss reallys greats tos hears.

I just read that in the voice of the blue-collar/trucker dude in Futurama.
posted by Greg_Ace at 2:14 PM on November 16, 2017 [2 favorites]


YAY!
posted by one4themoment at 2:24 PM on November 16, 2017


Just wanted to make sure you realize that you're making the change on Friday of Thanksgiving weekend.
posted by DanSachs at 2:55 PM on November 16, 2017


Yep! frimble's in Austria and I don't have any complicated family plans, so we've got the bandwidth to roll it out and kick the tires and worst case roll back and do some more work on it in the near future if something manages to go spectacularly wrong somehow.
posted by cortex (staff) at 2:57 PM on November 16, 2017 [2 favorites]


glad to hear it
posted by indubitable at 2:58 PM on November 16, 2017


Thatss reallys greats tos hears

What are those extra s's for?
posted by hwyengr at 3:11 PM on November 16, 2017


(s as in "secure", eyyyy)

Is cortex the Fonz?
posted by D.C. at 3:14 PM on November 16, 2017 [1 favorite]


Just wanted to make sure you realize that you're making the change on Friday of Thanksgiving weekend.

It truly would not be Thanksgiving on MetaFilter without some sort of jiggery pokery.
posted by jessamyn (retired) at 3:17 PM on November 16, 2017 [25 favorites]


I'll take the jiggery, thanks, but you can keep the pokery. :)
posted by blurker at 3:18 PM on November 16, 2017 [1 favorite]


I feel more secure already. This is truly a safe space on the web. Thank you.
posted by valkane at 3:56 PM on November 16, 2017


This is good news!

The Markdown for MeFi extension has been working just fine with https. But if folks run into trouble during the changeover, let me know and I’ll have a look.
posted by evand at 4:32 PM on November 16, 2017 [2 favorites]


instead of adding the s and contributing to website bloat, can we get rid of one of the other letters? I never like those slashes, what if we just dd htp:/metafilter.com?
posted by rebent at 4:46 PM on November 16, 2017 [2 favorites]


I never like those slashes

Neither did Tim Berners Lee, it turns out.
posted by cortex (staff) at 4:50 PM on November 16, 2017 [6 favorites]


Neither did Tim Berners Lee, it turns out.

Still better than null references.
posted by shponglespore at 4:54 PM on November 16, 2017 [2 favorites]


For anyone who currently uses Metafilter to hit those dumb, obfuscated wifi login pages, you can rely on http://neverhttps.com/.
posted by The Gaffer at 4:55 PM on November 16, 2017 [16 favorites]


For anyone who currently uses Metafilter to hit those dumb, obfuscated wifi login pages, you can rely on http://neverhttps.com/.

Firefox uses http://detectportal.firefox.com/success.txt, although I doubt they'd notice if you used chrome instead =)
posted by pwnguin at 5:31 PM on November 16, 2017 [3 favorites]


For anyone who currently uses Metafilter to hit those dumb, obfuscated wifi login pages, you can rely on http://neverhttps.com/.

Thanks! My first thought on seeing the announcement link was that I'd have to look for such a site.
posted by spaceman_spiff at 5:41 PM on November 16, 2017 [2 favorites]


if anyone wants to fix the deleted posts script for chrome that would be rad too

pls don't link me to previous fix it posts in meta, none of them work

posted by poffin boffin at 6:36 PM on November 16, 2017


Thanks for doing this! I'm not in Metatalk that often, but every time I come in I'm so impressed with the work being put in quietly and effectively behind the curtain.

Best of the web.
posted by Nancy_LockIsLit_Palmer at 6:39 PM on November 16, 2017


Yay! And we even get an A grade on the TLS implementation on SSLLabs - which can be surprisingly hard to do sometimes....nice one!

(And I know we say SSL above - but looks like we moved to TLS only and don’t support SSL protocols anymore...we are just going to call it SSL forever aren’t we)
posted by inflatablekiwi at 6:43 PM on November 16, 2017 [5 favorites]


Speaking of scripts, is "mefi navigator" still maintained? Honestly, I have no idea where I found it originally as the link has gone.

If it is not, I would be willing to put it on my github and "maintain" it, for maxwelton values of maintain. I started some practical changes (easier "other links" UI, optional live stats vis a vis user/comments, watch for load of new comments, etc.) awhile ago, but like everything I touch, it stalled...I could be inspired to finish those and make sure it continues working.
posted by maxwelton at 7:33 PM on November 16, 2017 [2 favorites]


So sometimes you get on a strange wifi network, and it isn't loading anything, and you're not sure if it's because there's a dumb sign-in portal or the network quality is just abysmal. In these moments, I have historically hit metafilter, since https won't get redirected to the portal, and mefi is low-latency enough that it might actually load if shit's just slow.

So prepare to lose fives of page views from me in the years to come... (minuscule compared with the probably embarrassing number I give on a near-daily basis, though...)

(And yeah, https is good!)
posted by kaibutsu at 7:40 PM on November 16, 2017 [1 favorite]


Does this mean we can have the image tag back?
posted by tzikeh at 7:43 PM on November 16, 2017 [6 favorites]


Yes, but only for ceiling cat GIFs.
posted by Chrysostom at 8:20 PM on November 16, 2017 [1 favorite]


I'm a pretty heavy script user, and I'm very happy to see this change.
I can report success* with the following scripts in Tampermonkey in both Chrome and Firefox (even Quantum), on both Windows 10 and Sierra.
Original authors credited where possible. I have modified some scripts over time solely to add the necessary include line to work over https.
In no particular order:

And 2 that are broken for me, though honestly I'm not sure either of these have worked since the site redesign. Both scripts are originally by plutor.
  • Metafilter mark contact contributions: Does(n't) what it says on the box.
  • Mefiquote (updated for redesign) (originally by plutor, this edit by Rhaomi): automatically quote and link comments, either entire comment or highlighted selection. Issue: "quote" link added to all comments, and clicking "quote" moves to comment input box, but no longer inserts quoted comment or highlighted text.

* I use the classic theme. I haven't tested these against the Modern theme. Themes marked broken for me were tested as the only enabled theme to eliminate possibility of conflicts.
posted by namewithoutwords at 8:28 PM on November 16, 2017 [10 favorites]
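
The "add the necessary include line" fix described in this thread, turned into a check you can run over a script before the switch; this is an added example, not code from any of the scripts mentioned. The sample metadata block is constructed, and the function names (`parseMetadata`, `schemeCoverage`, `findHttpOnlyPatterns`) are made up for the illustration.

```javascript
// Added example (not from the thread): find userscript URL patterns that only cover http.
// SAMPLE_USERSCRIPT is a constructed metadata block, not any real MetaFilter script.
const SAMPLE_USERSCRIPT = `// ==UserScript==
// @name        Constructed sample script
// @include     http://www.metafilter.com/*
// @include     http://ask.metafilter.com/*
// @include     https://ask.metafilter.com/*
// @match       *://metatalk.metafilter.com/*
// @exclude     http://www.metafilter.com/contribute/*
// ==/UserScript==
console.log("script body");
`;

// Metadata keys whose value is a URL pattern.
const URL_KEYS = new Set(["include", "match", "exclude"]);

// Pull "// @key value" pairs out of the ==UserScript== header only.
function parseMetadata(source) {
  const header = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  if (!header) return [];
  const entries = [];
  for (const line of header[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@(\S+)\s+(.*\S)\s*$/.exec(line);
    if (m) entries.push({ key: m[1].toLowerCase(), value: m[2] });
  }
  return entries;
}

// Which schemes can a pattern match? Regex-style values (/.../) and anything
// else unrecognised are reported as "unknown" rather than guessed at.
function schemeCoverage(pattern) {
  if (/^https:\/\//i.test(pattern)) return "https";
  if (/^http:\/\//i.test(pattern)) return "http";
  if (/^(\*|http\*:\/\/)/i.test(pattern)) return "both"; // "*://", "http*://", "*"
  return "unknown";
}

// Report every http-only pattern that has no exact https twin under the same key.
// An http-only @exclude is reported too: on https pages the exclusion stops applying.
function findHttpOnlyPatterns(source) {
  const entries = parseMetadata(source).filter((e) => URL_KEYS.has(e.key));
  const present = new Set(entries.map((e) => `${e.key} ${e.value}`));
  const findings = [];
  for (const { key, value } of entries) {
    if (schemeCoverage(value) !== "http") continue;
    const httpsTwin = value.replace(/^http:/i, "https:");
    if (present.has(`${key} ${httpsTwin}`)) continue;
    findings.push({ key, value, add: `// @${key} ${httpsTwin}` });
  }
  return findings;
}

for (const f of findHttpOnlyPatterns(SAMPLE_USERSCRIPT)) {
  console.log(`http-only @${f.key} ${f.value}  ->  add: ${f.add}`);
}
```

The check only recognises an exact https twin, so a script that already covers the same pages with a broader wildcard line will still be listed and needs a human look.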


I have a version of Mefiquote that works on classic theme fine, if anyone needs it.
posted by Chrysostom at 8:42 PM on November 16, 2017


*as the only enabled script.
posted by namewithoutwords at 8:48 PM on November 16, 2017


Getting an A on the SSL Labs test can be tricky, great jorb! And trying to figure out how to fix it to get a better grade can be fun, too.

I think it's IE8 on WinXP (Maybe? It's been a year or so since I had to do this a lot) that has run out of ciphers that haven't been cracked. Though I suspect those users have become used to the web being slightly broken for them for a while. Also, they should really, really upgrade if they can.
posted by fifteen schnitzengruben is my limit at 10:23 PM on November 16, 2017 [1 favorite]


diediedead j(Firefox only) / Nancy (Chrome only)

diediedead works fine for me in chrome using tampermonkey so i guess ymmv
posted by poffin boffin at 11:09 PM on November 16, 2017


Does this mean we can have the image tag back?
posted by tzikeh at 7:43 PM on November 16 [2 favorites −] Favorite added! [!]

Can we have Blink back too? I can live happily without 'big'; I remember those pages with maybe one giant word on them.
posted by Cranberry at 12:13 AM on November 17, 2017


Cortex, are you planning on using Let's Encrypt once they offer wildcard certificates?

LetsEncrypt do offer multi-site certificates right now, which is not as flexible as a wildcard cert but does mean that it’s possible to get a single cert that covers metafilter.com, fanfare.metafilter.com, metatalk.metafilter.com, etc etc.

But if the current cert is cheap, it may not be worth the effort :)
posted by pharm at 12:26 AM on November 17, 2017 [1 favorite]


Glad to say that the four user scripts I've been maintaining all work with https.

That being said: if your hedgehog / unicorn / narwhal / rainbows stopped working after the latest update to Firefox 57 / Greasemonkey 4, you can get them back by installing the Stylish extension and then installing the user style versions of the scripts. (I'll look into updating the scripts when I can.)

All of the scripts should still work with Chrome / Tampermonkey.

- inline video fishy icon: script*
- unicorn + narwhal buttons + laser kitty (originally by Rhomboid): style* / script
- Recent Activity border o' rainbows: style* / script
- hedgehog comment pointer: style* / script

* works for me in Firefox 57

> (And I know we say SSL above - but looks like we moved to TLS only and don’t support SSL protocols anymore...we are just going to call it SSL forever aren’t we)

After I learned about SSL being outdated in a long-ago MeFi thread, I've always referred to it as TLS or TLS/SSL -- I've noticed that if I refer to it as just TLS, more often than not, people don't seem to get it. It doesn't help that most vendors still market certificates as SSL certs.
posted by rangefinder 1.4 at 2:20 AM on November 17, 2017 [2 favorites]


Bat signal to frimble:

I have https browsing enabled in my preferences -- just noticed that when previewing my comment before posting (https://metatalk.metafilter.com/contribute/post_comment_preview.mefi#commentpreview), I get a mixed content warning. Looks like the icon src used for the RSS feed link at the top (line 258 in the source for this thread) uses http:
src="http://mefi.us/images/mefi/feed10.gif"
Did a quick check on previewing a comment on other subsites - IRL (https://irl.metafilter.com/contribute/post_comment_preview.cfm#commentpreview) has three src attributes pointing to http. One is the same RSS feed icon, and two are these scripts:
src="http://www.metafilter.com/scripts/comments.js"
src="http://www.metafilter.com/scripts/activespell.js"
The other subsites' comment previews seemed okay.
posted by rangefinder 1.4 at 2:40 AM on November 17, 2017


This is a good post and y'all should feel good.
posted by Too-Ticky at 3:34 AM on November 17, 2017


For anyone who currently uses Metafilter to hit those dumb, obfuscated wifi login pages, you can rely on http://neverhttps.com/.

Thank you for this. I have recently been mourning the loss of purple.com which was my previous go-to for this until it got sold to an actual company that used it for a purpose in the past couple of weeks.
posted by eykal at 4:18 AM on November 17, 2017


Great news, are you enabling HSTS too? (n.b. not a reversible decision)
posted by Lanark at 5:47 AM on November 17, 2017 [2 favorites]


So sometimes you get on a strange wifi network, and it isn't loading anything, and you're not sure if it's because there's a dumb sign-in portal or the network quality is just abysmal. In these moments, I have historically hit metafilter, since https won't get redirected to the portal, and mefi is low-latency enough that it might actually load if shit's just slow.

Today I have learned a thing!
posted by jessamyn (retired) at 6:56 AM on November 17, 2017 [3 favorites]


Speaking for those of us who care about such things theoretically but are also too ignorant/lazy/distracted to do it right, I appreciate this change. (Until checking my preferences 30 seconds ago, I would have told you with absolute certainty that I'd checked "Use secure browsing?" as soon as it was an option.)
posted by MCMikeNamara at 7:00 AM on November 17, 2017


But if the current cert is cheap, it may not be worth the effort

More to the point, the current cert is paid for for a while, but it's something we can revisit next time we get within a few months of expiration.

Great news, are you enabling HSTS too?

This is the part where I glance at frimble and wait for subtle hand signals, which is to say "I don't think so but also there's a reason I hired someone else to implement this stuff".
posted by cortex (staff) at 7:16 AM on November 17, 2017 [4 favorites]


Oh hey, I just started helping out with HTTPS Everywhere and just checked and saw there is not yet a rule for MetaFilter. Perhaps I, or someone else, could/should add one in December? Of course it would be awesome to have MetaFilter implement HSTS and get on the browser preload list but I understand you probably want to ramp up to that.
posted by brainwane at 7:45 AM on November 17, 2017 [2 favorites]


Does this mean we can have the Markov comment generator back?
posted by languagehat at 8:56 AM on November 17, 2017 [2 favorites]


I updated the script I use, called "Metafilter MultiFavorited Multiwidth", which indents and highlights comments based on number of favorites (super useful for long threads). Original is over here. I changed it to https and cleaned up some code lint warnings. Updated version over here.
posted by Is It Over Yet? at 9:19 AM on November 17, 2017


Does this mean we can have the Markov comment generator back?

We need a Markov Post Generator.
posted by zarq at 9:21 AM on November 17, 2017 [5 favorites]


Favorited because I think Zarq just made a Night Court joke.
posted by ActingTheGoat at 9:35 AM on November 17, 2017 [8 favorites]


If you need a guaranteed-to-work page to trick your browser into redirecting you to a WiFi login page, http://www.example.com is an excellent choice.

The existence and purpose of example.com is baked into the internet at a fairly low level, so the site is unlikely to go away anytime soon. You can safely use it as an example in documentation and published materials. It's pretty much guaranteed to always work, and won't fall into the wrong hands. (It's possible that the site may someday switch to https-by-default, but there'd be very little reason for that)
posted by schmod at 10:05 AM on November 17, 2017 [6 favorites]


Favorited because I think Zarq just made a Night Court joke.

But I'm feeling MUCH BETTER now...
posted by fifteen schnitzengruben is my limit at 10:12 AM on November 17, 2017

The Markdown for MeFi extension
OHMYGOD where has this been for all my life since 2004?
posted by kindall at 10:40 AM on November 17, 2017 [3 favorites]


if anyone wants to fix the deleted posts script for chrome that would be rad too
pls don't link me to previous fix it posts in meta, none of them work


What would people think of having a shared Github organization where we can collaborate on keeping userscripts, styles, and bookmarklets up to date? This would be sort of like the wiki userscripts page, but let those of us who are programmers actually contribute fixes in one centralized place, instead of having a bunch of half-fixed scripts floating around.

To see how that would look, I put together a demonstration repo for comment over at github.com/mefiscripts/mefiscripts. The proposal is pretty wikilike: (1) scripts are added to the repo only with permission from the author, but (2) once they're added, any active Mefite can join and help keep things up to date.

Floating this here to see if it already exists or is otherwise a bad idea. If there's interest, I can post a separate meta.
posted by john hadron collider at 11:01 AM on November 17, 2017 [6 favorites]


I really like the github repo idea. I would gladly help move scripts over (with appropriate author attribution and permission, of course!)
posted by Is It Over Yet? at 11:23 AM on November 17, 2017 [1 favorite]


I love that idea and you can have all my scripts (or I can probably figure out how to move them)
posted by jessamyn (retired) at 11:28 AM on November 17, 2017


count me in for sure on the github idea for scripts. As you can tell from the scripts I linked, the sources are all over the place, and one location would be ideal.
posted by namewithoutwords at 1:32 PM on November 17, 2017


namewithoutwords: "but no longer inserts quoted comment or highlighted text."

...I use MefiQuote, and it works to insert the selected text (Firefox Quantum, script edited to add HTTPS sites)
posted by caution live frogs at 2:20 PM on November 17, 2017


I also rewrote the navigator, multiband favourites, and the mouseover favourites scripts a while back - standalone, no Greasemonkey required. You can find them on the project site.
posted by urbanwhaleshark at 5:52 PM on November 17, 2017 [1 favorite]


Cranberry: "Can we have Blink back too?"

If I recall correctly, MF still supports blink, but browsers mostly don't? Or maybe I'm thinking of marquee.
posted by Chrysostom at 7:49 PM on November 17, 2017


Incidentally, I went to school with Markie Blink.
posted by Greg_Ace at 8:13 PM on November 17, 2017


Chrysostom has it. The world has betrayed the blink tag, but MetaFilter keeps the faith.
posted by cortex (staff) at 7:53 AM on November 18, 2017


Does this mean we can have the Markov comment generator back?

languagehat, MarkovFilter has been running again for...? a while? Maybe not on purpose?

posted by carsonb at 8:31 AM on November 18, 2017 [2 favorites]


And the marquee tag is pretty much just as broken. This link probably works for nobody.
posted by carsonb at 8:35 AM on November 18, 2017


I have no idea what you people are talking about. Will I need to ask my kid to set up new WiFi’s on my internets?
posted by Slarty Bartfast at 9:07 AM on November 18, 2017


> languagehat, MarkovFilter has been running again for...? a while? Maybe not on purpose?

Yay! Thank you for that, and thank the internet deities who have restored it. (If you don't remember it: try it, you'll like it!)
posted by languagehat at 9:26 AM on November 18, 2017 [1 favorite]


It has been quietly unofficially lurking for a while, yeah. It really needs more attention at some point before I want to throw any real attention at it again because it's a computational humdinger relatively speaking, but quietly playing with it a bit is okay.
posted by cortex (staff) at 10:07 AM on November 18, 2017


Great news! 🔐
posted by So You're Saying These Are Pants? at 10:20 AM on November 18, 2017


Markov bot on my comments has just given me this:
yeah, unleashing ones inner outrage on ask does seem to be *completely* unhelpful.
Can’t say I disagree :)
posted by pharm at 1:36 PM on November 18, 2017 [1 favorite]


I’ve set a calendar alert so I can be ready pressing refresh repeatedly to see that sweet padlock finally appear.
posted by Segundus at 2:48 PM on November 18, 2017


I just wanted to say, thank you and good luck. We're all counting on you.
posted by petebest at 7:33 PM on November 18, 2017


cortex: "Chrysostom has it. "

For future reference, if you ever disagree with something I am saying, please note that the official corporate stance of MetaFilter Network Inc. is, "Chrysostom has it."
posted by Chrysostom at 7:08 PM on November 19, 2017 [4 favorites]


Happy American Thanksgiving. I'm going to pull the switch on this now. What you can expect:
  • The site may flake out for a few minutes, because changes will be made to both Apache (webserver) files and ColdFusion (website) files at the same time. The Apache changes should take effect immediately, but I then have to manually tell ColdFusion to reload its files. The lag between files changing and me saying that they've been changed may cause pages to load badly.
  • Everyone's "use secure browsing" preference will be set to true. That's not my first choice, but I'm disinclined to have years of telling people to update that easily-overlooked preference.
  • Users who aren't logged in will always be redirected from http to https.
  • People who are logged in will be redirected by default from http to https.
  • People who are logged in, and who unset the preference for "use secure browsing" will not be redirected. If they visit the site over http, the site will load over http, and if they visit it via https, it will load via https.
  • New user accounts will have "use secure browsing" turned on by default.
posted by frimble (staff) at 7:06 AM on November 24, 2017 [2 favorites]


And looks like we're good. Of course, if something is going wrong, please tell me, either here or via the contact form, and I'll look at it ASAP.
posted by frimble (staff) at 7:29 AM on November 24, 2017 [2 favorites]


https://www.metafilter.com/170749/Someone-left-the-cake-out-in-the-rain works for me if logged in, but gets into a redirect loop if logged out or in incognito.
posted by twooster at 9:19 AM on November 24, 2017 [1 favorite]


Really sorry. I think I've got it now, but please tell me if it's still breaking.
posted by frimble (staff) at 10:16 AM on November 24, 2017


i forgot about this happening and had a brief tragic incident wherein my comment dividers script failed to load and i became awash in despair
posted by poffin boffin at 10:22 AM on November 24, 2017


What happens for me:

I have unchecked secure browsing in my profile.

Visiting the homepage works, but after that the site keeps trying to redirect me to https.

I notice that the site has set a cookie with name SSL and contents 1. Deleting the cookie enables me to visit the http page.

With each page that I visit the cookie is set again, so rinse, repeat.

(This is happening on an ancient Mac that I only use to play DVDs and occasionally visit MeFi, so this may just be something I'll have to live with.)
posted by rjs at 11:34 PM on November 24, 2017


Could you try the following for me please:

Go to your preferences and uncheck the “Use secure browsing” preference.

Save your preferences.

At this point, the cookie should be SSL and set to a value of 0.

If that cookie has a value of 0, then the site should not redirect you to https from http pages. If it still does, then likely my quick fixing of the infinite redirect bug broke something for you.
posted by frimble (staff) at 1:51 AM on November 25, 2017


Yes, that does the trick, thanks!

(I had used my mobile phone to uncheck the 'use secure browsing' preference, and going to my preferences and saving them on the ancient Mac solved the problem. It looks like you can set your preference per device, which is actually kind of neat.)
posted by rjs at 2:23 AM on November 25, 2017


Hey frimble... I'm getting "redirected you too many times." on the "My Ask MeFi" RSS feed, e.g. http://ask.metafilter.com/myask/297CAD46DD585217/rss. It seems to be busted with/without the s in https.

Also, the regional RSS feed, previously accessed from here, now 404s instead of too many redirecting.

It's probably for the best since I have too many damn unread RSS feeds, and I just now noticed, but it'd be nice if they were fixed.
posted by togdon at 11:37 AM on November 26, 2017


I think this is related to https as default, so I'm posting it here.

Following the previously link (https://metafilter.com/tags/chartparty) in this post while secure browsing is enabled brings me to an error page:
Not Found
The requested URL /tags/chartparty was not found on this server.
It works fine when secure browsing is disabled.

The https URL with 'www' (i.e., https://www.metafilter.com/tags/chartparty) seems to work fine.
posted by invokeuse at 3:29 PM on December 1, 2017


When trying to load the Recent Activity page on my Windows 10 laptop, AVG AntiVirus popped up to tell me that the page is infected with "JS:Phishing-BW [Phish]".

Now Recent Activity won't load for me at all, and Firefox just gives me a "your connection is not secure" error, which according to Firefox happens when:
When Firefox connects to a secure website (the URL begins with "https://"), it must verify that the certificate presented by the website is valid and that the encryption is strong enough to adequately protect your privacy. If the certificate cannot be validated or if the encryption is not strong enough, Firefox will stop the connection to the website and instead show an error page
I can load the Recent Activity page on my iPad just fine, but I also get an error message when I try to open Recent Activity on Microsoft Edge, on the same laptop. That error message says: "The connection to the website was reset. Error Code: INET_E_DOWNLOAD_FAILURE"

I sent a message to the mods through the contact form, and they couldn't see anything, so I'm dropping this in here to see if anyone else has had the same problem.
posted by Kattullus at 3:24 PM on December 2, 2017


To clarify, I also got the AVG popup about JS:Phishing-BW [Phish] when I used Microsoft Edge on my laptop.
posted by Kattullus at 4:02 PM on December 2, 2017


Some forms still appear to be hard-coded as http: in their URL instead of https: when secure browsing is on.

For example, the New Question page for Ask MetaFilter has a form field for "Search[ing] Previous Questions", and the page source reads:
<form method="get" action="http://www.metafilter.com/contribute/search.mefi" target="_self" style="display:inline;margin:0;padding:0;">
Firefox gives the following security warning message when one attempts to use the form:
The information you have entered on this page will be sent over an insecure connection and could be read by a third party.

Are you sure you want to send this information?
posted by runcifex at 10:36 PM on December 4, 2017


Such form actions should be coded to go to //www.metafilter.com/etc so the protocol is preserved automatically by the browser.
posted by kindall at 8:39 AM on December 5, 2017


Even the blogger who popularized protocol-relative URLs has unendorsed them. I seem to recall another argument being email -- if your templates generate HTML for both web and email, what's the protocol relative url used by Outlook? smtp://?

If you're going to TLS everywhere, then just grep the codebase for http://.
posted by pwnguin at 12:26 PM on December 5, 2017
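
The mixed content warning and the insecure form action reported earlier in this thread can both be found mechanically; the following is an added example, not MetaFilter's code, of a scan that is narrower than a bare grep for http:// because it looks only at subresources and form targets, not ordinary links. The sample page is constructed around the four http:// URLs quoted in the thread, and `findMixedContent` and the rule table are assumptions made for the illustration.

```javascript
// Added example (not site code): list http:// subresources and form targets in a page.
// SAMPLE_PAGE is constructed; the four http:// URLs on lines 2-5 are the ones quoted
// in the thread, everything else is made up for contrast.
const SAMPLE_PAGE = `<html><body>
<img src="http://mefi.us/images/mefi/feed10.gif" alt="RSS">
<script src="http://www.metafilter.com/scripts/comments.js"></script>
<script src='http://www.metafilter.com/scripts/activespell.js'></script>
<form method="get" action="http://www.metafilter.com/contribute/search.mefi" target="_self">
<input type="text" name="q"></form>
<a href="http://www.example.com/">an ordinary link</a>
<script src="//static.example.com/app.js"></script>
<img src="https://static.example.com/ok.png">
</body></html>`;

// Which attribute to inspect per tag, and how it is treated on an https page:
// "active" loads (scripts, frames, stylesheets) are blocked, "passive" loads
// (images, media) produce a warning, "form" is an insecure submission target.
const RULES = new Map([
  ["script", { attr: "src", kind: "active" }],
  ["iframe", { attr: "src", kind: "active" }],
  ["link", { attr: "href", kind: "active", only: (a) => /\bstylesheet\b/i.test(a.rel || "") }],
  ["img", { attr: "src", kind: "passive" }],
  ["audio", { attr: "src", kind: "passive" }],
  ["video", { attr: "src", kind: "passive" }],
  ["source", { attr: "src", kind: "passive" }],
  ["form", { attr: "action", kind: "form" }],
]);

// Simple tokenizer: good enough for template output, but it does not handle
// a literal ">" inside an attribute value.
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttributes(text) {
  const attrs = Object.create(null);
  for (const m of text.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// Returns one finding per http:// reference, in document order, with the
// 1-based source line so it can be matched against "view source".
function findMixedContent(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const rule = RULES.get(tag);
    if (!rule) continue; // <a href> and other navigation is not mixed content
    const attrs = parseAttributes(m[2]);
    if (rule.only && !rule.only(attrs)) continue;
    const url = (attrs[rule.attr] || "").trim();
    if (!/^http:\/\//i.test(url)) continue; // https:// and //host/ URLs are fine
    const line = html.slice(0, m.index).split("\n").length;
    findings.push({ line, tag, attr: rule.attr, url, kind: rule.kind });
  }
  return findings;
}

for (const f of findMixedContent(SAMPLE_PAGE)) {
  console.log(`line ${f.line}: [${f.kind}] <${f.tag} ${f.attr}="${f.url}">`);
}
```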


Still getting the same error on Recent Activity, with same warning from AVG, when using my laptop. I've scoured the computer with spyware removers and antivirus programs but nothing's changed. I won't be able to check anything for a few days because I need to have the laptop repaired (for an unrelated hardware problem).
posted by Kattullus at 1:45 AM on December 6, 2017

