06-15-2022, 08:21 AM
HTTPS
Hi. I'm a new forum user. I created an account intending on getting help with my sleep issues; however, I quickly noticed that your site does not work properly when accessed using HTTPS/TLS. I read your sticky thread on the topic, but as an experienced software developer of over 20 years and an IT security expert, you are not fully appreciating why browsers give "scary" warnings and why the need for HTTPS exists.
HTTPS is not used only to protect login credentials. Using HTTPS for all resources delivered by the server to the user agent (browser) ensures that no tampering has occurred by any man-in-the-middle software or network appliances. To demonstrate the security vulnerability, imagine you are at a Starbucks with your laptop but you unknowingly connect to a fake Starbucks access point. Any HTTP requests/responses that are unencrypted are vulnerable to being changed midstream by the attacker. For example, the attacker can inject malicious JavaScript into the response. To the browser, the JavaScript is simply part of the website; it has no way to detect what is malicious and what isn't. This is a very common class of attack against HTTP, although it can be mitigated by using only known-safe access points.
When I access your site using HTTPS, the HTML delivered by the server contains numerous insecure URLs (i.e., URLs that begin with http://). Modern browsers consider this a "mixed content" scenario and will often block access to those resources. With your site, this means nearly nothing works because nearly every resource including CSS style sheets and JavaScript files are insecure and are thus blocked. The reason browser vendors do this is because most users do not have the awareness that the address bar URL, despite being HTTPS, does not itself guarantee that all resources loaded by the browser are secure. In other words, users will be fooled into thinking the page is secure when it is not. Browsers used to allow this and merely warn the user about the condition, but now most browsers will simply block these requests as insecure.
There is lots of information about this attack vector on the internet if you'd like to research further. However, my free expert advice is you should correct the deployment of your website to use only TLS 1.2+ (SSL is a deprecated protocol) and ensure that all URLs rendered in HTML are using the https:// scheme. This will ensure that all traffic, not just login credentials, is secure and immune to tampering by malicious actors.
Feel free to contact me privately if you'd like more information or advice.
HTTPS is not used only to protect login credentials. Using HTTPS for all resources delivered by the server to the user agent (browser) ensures that no tampering has occurred by any man-in-the-middle software or network appliances. To demonstrate the security vulnerability, imagine you are at a Starbucks with your laptop but you unknowingly connect to a fake Starbucks access point. Any HTTP requests/responses that are unencrypted are vulnerable to being changed midstream by the attacker. For example, the attacker can inject malicious JavaScript into the response. To the browser, the JavaScript is simply part of the website; it has no way to detect what is malicious and what isn't. This is a very common class of attack against HTTP, although it can be mitigated by using only known-safe access points.
When I access your site using HTTPS, the HTML delivered by the server contains numerous insecure URLs (i.e., URLs that begin with http://). Modern browsers consider this a "mixed content" scenario and will often block access to those resources. With your site, this means nearly nothing works because nearly every resource including CSS style sheets and JavaScript files are insecure and are thus blocked. The reason browser vendors do this is because most users do not have the awareness that the address bar URL, despite being HTTPS, does not itself guarantee that all resources loaded by the browser are secure. In other words, users will be fooled into thinking the page is secure when it is not. Browsers used to allow this and merely warn the user about the condition, but now most browsers will simply block these requests as insecure.
There is lots of information about this attack vector on the internet if you'd like to research further. However, my free expert advice is you should correct the deployment of your website to use only TLS 1.2+ (SSL is a deprecated protocol) and ensure that all URLs rendered in HTML are using the https:// scheme. This will ensure that all traffic, not just login credentials, is secure and immune to tampering by malicious actors.
Feel free to contact me privately if you'd like more information or advice.
