[SSL added Sep 29 2014] Spongepowered.org; why no SSL? (now discussing its implementation and other security related things)

If on your server side you have a verified cert and you enable “Full SSL (Strict)” on Cloudflare, the message will go away.

I was referring to Sponge.

I was looking around and found that, on top of having “301 Moved Permanently”, we also need “Strict Transport Security” to force HTTPS-only connections from the browser side.

See here: Security/Server Side TLS - MozillaWiki

and watch this:

The reason for the invalid certs is that Cloudflare has been rolling out a catch-all cert, and is slowly going through every Cloudflare site rolling out a valid cert.


That’s what I thought, but @RME said otherwise.

@The_Doctors_Life @RME All sites received a catch-all cert, and individual certs are being issued currently. Source: Universal SSL: Be just a bit more patient

The thing is that in less than approximately 48h, all will be working fine.

So do we know that the back end (Cloudflare ↔ Spongepowered) is set up correctly? I only ask because we cannot see that portion, and I don’t want to project a false sense of security. I must also ask if, after this error is gone, they intend to implement 301 redirects to the HTTPS site and Strict Transport Security, so that even those ignorant of security altogether can have it without knowing? I would very much like to see this happen. 🙂

Right now, as long as the warning you get for this site when connecting by HTTPS is for ssl2000.cloudflare.com, you’re good as far as between you and Cloudflare.

I am not in charge of the website. Right now that half is not protected; the webmaster has to upload a self-signed cert and enable Full SSL in the Cloudflare panel.

SERVER ---self-signed---> CLOUDFLARE ---valid SSL---> BROWSER

They do have a wildcard cert; it’s a matter of Cloudflare putting up a valid cert for this website and someone from the Sponge team putting the wildcard cert up and enabling Full SSL (Strict) if it is valid, or just Full SSL if it is self-signed.

They do have a valid signed cert; IDK if it’s a wildcard or just a multi-subdomain cert. So I do expect that Full SSL (Strict) will be enabled soon.

See wildcard cert

Now it’s fully working (except it’s in Flexible mode).

Still better than nothing.

Any update on when the site is going full SSL? @lukegb @DarkArcana @sk89q


Mixed content alert in Chrome and HTTPS Everywhere:

The page at ‘https://forums.spongepowered.org/’ was loaded over HTTPS, but displayed insecure content from ‘http://forums.spongepowered.org/uploads/default/772/40d509b647c77817.png’: this content should also be loaded over HTTPS.

And yet https://forums.spongepowered.org/uploads/default/772/40d509b647c77817.png is valid. This is the only mixed content, so it needs to be changed in the code, either hard-coded to the HTTPS version or using protocol-relative addresses. This is a quick fix to correct browser mixed content errors.

(And any update on using Cloudflare’s “Full SSL (Strict)” as opposed to “Flexible”?)

Edit 1:
http://forums.spongepowered.org/uploads/default/68/6a919b2708767919.png does this too; change to https://forums.spongepowered.org/uploads/default/68/6a919b2708767919.png

Edit 2:
YouTube embedding does this too:
http://img.youtube.com/vi/cBhZ6S0PFCY/hqdefault.jpg vs
https://img.youtube.com/vi/cBhZ6S0PFCY/hqdefault.jpg

Edit 3:
Instead of me going around looking for errors, I’d like to recruit some help:

In Chrome press “Ctrl+Shift+J” to open the script console and look for “The page at <Page> was loaded over HTTPS, but displayed insecure content from '<Insecure content>': this content should also be loaded over HTTPS.” messages.

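The manual console hunt described in the post above can be automated: the script below is an added example (not code from the thread or the Sponge project) that parses a page's HTML and reports every sub-resource a browser would fetch over plain http:// when the page itself was served over https://, then shows the http-to-https rewrite the post suggests. The sample HTML is constructed here and uses the image URLs quoted in the thread; protocol-relative and path-relative references are resolved against the page URL so they are correctly treated as secure.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a sub-resource.
RESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("link", "href"),
                  ("iframe", "src"), ("source", "src"), ("video", "src"),
                  ("audio", "src")}


class MixedContentFinder(HTMLParser):
    """Collects sub-resource URLs that resolve to http:// on an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, attribute, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        # <link rel="canonical"> etc. are not fetched; only stylesheets count.
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return
        for name, value in attrs:
            if (tag, name) in RESOURCE_ATTRS and value:
                # urljoin resolves "//host/x" and "/x" relative to the page scheme.
                absolute = urljoin(self.page_url, value)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    """Return the insecure sub-resources of an https page; [] for an http page."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    return parser.findings


def upgrade_url(url):
    """Rewrite an absolute http:// URL to https:// (the hard-coded fix from the thread)."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url


# Constructed sample page: one insecure image, one https image, one
# protocol-relative image, one path-relative image, and a plain link.
SAMPLE_HTML = """<html><body>
<img src="http://forums.spongepowered.org/uploads/default/772/40d509b647c77817.png">
<img src="https://forums.spongepowered.org/uploads/default/68/6a919b2708767919.png">
<img src="//img.youtube.com/vi/cBhZ6S0PFCY/hqdefault.jpg">
<img src="/uploads/default/example.png">
<a href="http://forums.spongepowered.org/">home</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://forums.spongepowered.org/", SAMPLE_HTML):
        print(f"<{tag} {attr}> insecure: {url} -> {upgrade_url(url)}")
```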

I can help later on once I get the chance.

So we are not going to get SSL with Sponge. I am glad to see everything is written in text for whoever wants to see it.

To clarify @The_Doctors_Life : Bump! Because things are not fixed yet! Because we are currently hanging in the air between the two trapezes, and without some effort we will fall! Because someone out there has taken only a half measure!

We have mixed content, we are not yet using “Full SSL (Strict)”, we are not being redirected to the secure page, all links lead to the insecure version of the page, there are no 301 redirects, and no Strict Transport Security! You can consider this line compromised, and yet nothing is being done.

Please fix the things.
