To clarify @The_Doctors_Life : Bump! Because things are not fixed yet! Because we are currently hanging in the air between the two trapezes, and without some effort we will fall! Because someone out there has taken only a half measure!
We have mixed content, we are not yet using “Full SSL (Strict)”, we are not being redirected to the secure page, all links lead to the insecure version of the page, there are no 301 redirects, and no Strict Transport Security! You can consider this line compromised and yet nothing is being done.
This was pending the server move, which has just taken place. I’ve been quite busy as of late (uni term just started and I had some redevelopment works that required equipment installation at uni), and there are a few things I want to get done before just “flipping the switch” on CloudFlare’s end for Full SSL.
tl;dr: just wait. Patience. I’ve just gone ahead and removed two of the pieces of mixed content that were being rendered, but I still have to do a quick sweep to make sure I haven’t missed anything else.
The video thumbnail in YouTube videos using the one-line link embed thing is loading over http. This may be deep inside the embedding code, or even on YouTube’s end, but just ICYDK. If you are digging around in the embed code/link code, could you make it rewrite YouTube and Imgur links to be protocol-relative?
This seems to be link dependent: if you onebox a forum link to http, its content is loaded over http. I edited all my posts with embeds to fix this, but it does not automatically do it. This seems to be common, as it is true for Wikipedia too.
In contrast, the YouTube onebox is still loading the thumbnail image over http regardless of link type; even an https link will load an insecure image. This is also true of Imgur: it will also load the insecure image independently of the link.
I do understand your point, but Sponge may not have the funds to get issued an SSL certificate.
You cannot see Sponge getting an SSL certificate unless Sponge gets donated an SSL certificate or there are free ones available (which I am sure I have seen).
Cloudflare handles the publicly viewable cert; the self-signed one would only be between Cloudflare and the real server. Above this they have a proper cert, a wildcard one at that:
If you all actually read up a ways before commenting, they have things to do before putting the cert up, but they do have a wildcard cert, and even if they did not, Cloudflare would have taken care of that.
Not SSL related, but I found a security … not hole …, but concern. Apparently big brother is watching: we are being watched by Google Analytics. This script is being loaded: https://www.google-analytics.com/analytics.js
Google Analytics is OK and more legit than other “analytics”, but I would like to be able to opt out in the preferences.