Why do popular websites don't serve on ssl

RelatedTitle

I've been seeing a lot of popular websites without ssl including flarum's main website

jordanjay29

RelatedTitle well, to assure you, Flarum's main site doesn't collect data or have any access to the forum. So SSL there is merely for convention, and it will be in place once the website is revamped.

As for others, sometimes it's a case of ignorance. Sometimes nonchalance. And sometimes pure irresponsibility.

RelatedTitle

jordanjay29 On the main flarum site I see why you don't actually need it. But with ssl being basically free I don't see why popular websites aren't aware of this in my opinion I think all websites must use ssl. It's a must for security

clarkwinkelmann

RelatedTitle Flarum's homepage uses GitHub pages, which sadly doesn't offer an easy way of using HTTPS on custom domains... I know they are using a CDN to serve all GitHub Pages websites, and it would probably cost them too much to upload custom certs for every domain there. I hope they will offer a solution to this as it's getting the norm to serve on HTTPS.

I believe GitLab has Let'sEncrypt integrated with their static hosting, but they aren't using a CDN like GitHub.

Flarum could use Cloudflare to have a certificate for the main domain (that's what I use for all my GitHub Pages websites) but I guess they decided not to use it. Using Cloudflare for that does not completely solves the issue as Cloudflare won't validate the certificate between Cloudflare and GitHub.

Safest method would be to setup an Apache/Nginx proxy (with Let'sEncrypt or Cloudflare HTTPS for example) which answers for the main domain and validates GitHub shared certificate to the origin.

luceos

There has been rumors of a test on github pages with ssl. When it's available is another question al together.

Frink

luceos You can use cloudflare DNS and proxy it through their service to get HTTPS

luceos

Frink I'm referring to something github is working on.

Frink

luceos Yup, but for right now, that is a possible workaround ?

gozen

As an addition to the original question, since Apr 30 all websites not using an SSL will be considered as non secure by almost all major browsers including but not limited to Chrome, FireFox, Edge, Opera.

Most of them already applied the following rule.

clarkwinkelmann

Well good news https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

@Toby please switch to the new GitHub IPs and make flarum.org HTTPS ? ?

luceos

@Toby repository is ready for it, just needs an update on DNS:

185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

https://help.github.com/articles/troubleshooting-custom-domains/#https-errors

Prosperous

And it seems to be working now. ?

At least my address bar in Chrome is showing it.