A community member has requested secure access to Discourse via TLS:
Would this be possible to implement and if not could we explain to them why?
Thanks very much!
Jenny
Well, I have decided to go with the insecure, plain text password, but would be willing to help out or assist in setting up Twitter and GitHub log in, at least.
A ticket requesting this is in the sysadmin queue so it’s just a matter of time - hopefully soon! Of course, if anyone on the forum has that kind of access and could help out, it would be much appreciated…
There seem to be some severe TLS/HTTPS issues with the cert on this instance. I’ve gotten some feedback from security-aware community members.
With e.g. Firefox, users get “Connection is not secure” because there are too many insecure 3rd party connections. Through the Request Policy Continued addon I figured out there are three+ 3rd party connections:
=> CloudFront CDN
=> raw.githubusercontent
=> Discourse.org
Can you convert to TLS/HTTPS connections with these so one doesn’t load a semi-secure experience?
Could someone fix this? A free cert through https://letsencrypt.org with proper config does the job really well.
ping @sam.saffron (presuming sysadmin capabilities)
Just wanna create a safe space for everyone by posting this
@mattias this isn’t really our fault, a bunch of assets on the page are pointing at HTTP sources. I will get them all uploaded now and served via our CDN.
OK lock looks green to me…
@jcmolloy I had to remove a few assets that were 404 here, can you dig up your mobile logo and favicon, once you do upload them to https://discuss.okfn.org/t/assets-for-the-site-design/7/2 and use the CDN link in the site settings.
I am not intending to blame anyone for any fault, just forwarding feedback. That sounds great, thank you!
Update 13/5: Green lock for me! Thanks!
What assets, can you look in the developer toolbar?
It seems fixed, noticed last night. Might have been browser cache or temporary cookie.
Edit: There’s still remote content loaded from Discourse.org? Why?
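
Added example, not part of the thread: a small audit that reproduces the check discussed above, listing subresources an HTTPS page would fetch over plain HTTP and the third-party hosts it contacts. The page URL, hostnames and sample HTML are constructed placeholders, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def classify(tag, attrs):
    """Return (kind, url) if the tag fetches a subresource, else None."""
    if tag in ("script", "iframe") and attrs.get("src"):
        return "active", attrs["src"]        # can alter the page
    if tag in ("img", "audio", "video", "source") and attrs.get("src"):
        return "passive", attrs["src"]       # display-only content
    if tag == "link" and attrs.get("href"):
        rel = set((attrs.get("rel") or "").lower().split())
        if "stylesheet" in rel:
            return "active", attrs["href"]
        if "icon" in rel:                    # favicon counts as an image
            return "passive", attrs["href"]
    return None                              # e.g. rel="canonical": no fetch

class SubresourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.mixed = []           # (kind, tag, url) fetched over plain HTTP
        self.third_party = set()  # hosts other than the page's own
    def handle_starttag(self, tag, attrs):
        hit = classify(tag, dict(attrs))
        if hit is None:
            return
        kind, raw = hit
        # urljoin resolves relative and protocol-relative (//host/x) URLs
        url = urlsplit(urljoin(self.page_url, raw.strip()))
        if url.scheme not in ("http", "https"):
            return                # data:, blob: etc. are not network fetches
        if url.hostname != self.page_host:
            self.third_party.add(url.hostname)
        if url.scheme == "http":
            self.mixed.append((kind, tag, url.geturl()))

def audit(page_url, html):
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    return parser.mixed, sorted(parser.third_party)

# Constructed sample page; all hostnames are placeholders.
SAMPLE = """<link rel="stylesheet" href="https://cdn.example.net/site.css">
<link rel="icon" href="http://assets.example.com/favicon.ico">
<link rel="canonical" href="http://forum.example.org/">
<script src="//cdn.example.net/app.js"></script>
<script src="http://assets.example.com/widget.js"></script>
<img src="/uploads/logo.png"><img src="http://assets.example.com/mobile-logo.png">"""
```

Calling `audit("https://forum.example.org/", SAMPLE)` returns the plain-HTTP fetches (the favicon, one script and the mobile logo in this sample) together with the sorted list of third-party hosts.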