So I finally changed one of my sites to HTTPS...
 

Everything's going peachy as I set up my Let's Encrypt certificate, set up Apache on port 443, and start progressively changing references...

Then I discover that one of the affiliate programs I use only supports HTTP. :(

It's inlined content (IFRAME) so there's really no option but to accept that it's going result in a broken padlock on most browsers.

http://thsrv.com/p/firefox_broken_inline_http.png

Anyone else had the same problem when switching to HTTPS?

Well this is fun.

Program 1 - doesn't support HTTPS at all.
Program 2 - server running on port 443, but certificate is for a different domain. :helpme

I've not had much luck with contacting either program in the past but I've given it a go anyway.

PHP redirects link to your site and redirect

Eh?.....

Site.com/go/affiliate/

In the affiliate folder, create index.php that redirects a header to your sponsor.

Won't work. It's necessary to IFRAME HTML or inline images from the program's site. That's what is breaking things.

Got the same issue with a VR video embed from one of the sponsors, they offer only HTTP.

I'm so so sorry. I totally misread some of your question!

html - How to allow http content within an iframe on a https site - Stack Overflow

The best solution I created is to simply use google as the ssl proxy... Tested and works in firefox.

Other Methods:

Use a Third party such as embed.ly (but it it really only good for well known http APIs).
Create your own redirect script on an https page you control (a simple javascript redirect on a relative linked page should do the trick. Something like: (you can use any langauge/method)

https://mysite.com That has a iframe linking to...

https://mysite.com/utilities/redirect.html Which has a simple js redirect script like...

document.location.href ="http://thenonsslsite.com";
Alternatively, you could add an RSS feed or write some reader/parser to read the http site and display it within your https site.
You could/should also recommend to the http site owner that they create an ssl connection. If for no other reason than it increases seo.
Unless you can get the http site owner to create an ssl certificate, the most secure and permanent solution would be to create an RSS feed grabing the content you need (presumably you are not actually 'doing' anything on the http site -that is to say not logging in to any system).

The real issue is that having http elements inside a https site represents a security issue. There are no completely kosher ways around this security risk so the above are just current work arounds.

Note, that you can disable this security measure in most browsers (yourself, not for others). Also note that these 'hacks' may become obsolete over time.

LOL. Thanks Google for forcing everyone to waste time with https even when we aren't transmitting anything that requires security.

That's the stupidest boneheaded fucking statement I've ever fucking read in my entire fucking life. Congratulations on being a dip shit.

this is EXACTLY what i mentioned in the other thread about https.
you will have a problem with all links and includes what are NOT on https.

so if you have NO FORM on your page where users have to send data (like email or personal information) i would not recommend to use https and i have NOT seen yet a site what suffers on that as long there are no forms in the page.

and i can tell you that i have analytics access to many sites what are receiving a few 100 thsd users per day from google.

No matter what you claim, a Secure site (using https) would always rank better than an unsecure site.

So if you want the extra edge in the race to page1, then you need to use all elements possible.

If you cant figure out how to run the site from HTTPS only, you are in for some trouble in the future.

That said, I still run many sites with no encryption, if its just for contact info or refference.

There's more important reasons to secure your site than having forms where users data is sent.

Educate yourself, and stop being a dipshit like shit for brains above.

so than tell me one or 2 of this reasons.

btw - i do not have to educate myself i do this for 20 years you twip and i have for sure more sites in the top position as you have ever seen.

so do what you want - i just tell you my experience but if you have a method to reach a position higher than no. 1 than you obviously know more then me.

Don't waste your time & energy Kittens is a new fake troll account.

Oh okay, you've been doing this for 20 years, so clearly you know what's good.

First and foremost, HTTPS protects your users. Posting a news update on a user forum may cost a dissident his life in an oppressive regime; A strict workplace may terminate employment based on an employee?s browsing activity; And of course, the Snowden affairs have clearly shown governments simply can?t get enough of this data. Using HTTPS makes it dramatically harder for these players to know what users are doing, and helps you maintain your most important responsibility ? your users trust.

Unencrypted content can easily be tampered. In addition, unencrypted pages are often in the path to secure ones. For instance, consider a shopping site where a product page is unencrypted, but the actual purchase flow uses HTTPS. A man-in-the-middle can change the unprotected product page, making the ?Add to Cart? button go to their evil copy of the website, and the browser (and user) will see no difference. If you only want your users to see the content you actually posted, and want their actions to always reach you, use HTTPS.

Roughly 18 years after its inception, HTTP/1.1 is finally getting refreshed. It?s successor, HTTP/2, has been officially completed in May (2015). HTTP/2 further evolves Google?s SPDY, and includes many significant improvements over HTTP/1.1, ranging from request multiplexing to header compression to server-side push. For compatibility reasons, as well as a desire to make the web secure, browsers will only support HTTP/2 over HTTPS (the spec states encryption is optional). If you want to benefit from this evolution of the web ? you need to switch to HTTPS.

Criminals are not the only ones looking to make money of your site ? Internet and WiFi providers want in on it too. As many as 38% of WiFi proxies, ranging from giants like Comcast to smaller providers, inject their own ads on unencrypted pages. If ads are how you make money, know those ads may be hijacked, and your users will be none the wiser. If your website is not using ads? Your users may see some anyway, and blame you for it. Use HTTPS to prevent such tampering and protect your revenue & brand.

HTTPS aims to protect your privacy, including not sharing with others what you?re browsing. Imagine you browse https://secret.com/HelloKitty/ and click a link to the unencrypted http://other.com/. If the request to other.com included the URL in a Referer (sic) header, anyone listening (as well as other.com) would know of your love for the little not-a-cat. To avoid such a violation, browsers do not send a Referer header when navigating from HTTPS to HTTP (unless explicitly overridden using a Referrer Policy). As more websites switch to HTTPS, staying on HTTP would hurt your insight into where your visitors are coming from.

Just to name a few.

did you really read what i wrote ????

you really do not have to explain me the advantages of https but you hopefully do not want to explain me also that EVERY link or include in a website is already on https ?

how many trafficexchanges you have seen i.e. WITH https ?
how many adservers are NOT using https?
how many counters?
how many dynamic advertisements from sponsors?

it can be easy to change yourself to https but it is a mess if you want to change ALL what might be included. so IT DEPENDS on the website if that makes sense now or not.

practically it WILL BE an issue in a not so far future but til THAN a website on http what does not have any 2way communication where personal data can be spied will not have a problem NOW.

ipv6 was possible already 10 years ago and WHY isn´t it standard til today?
its the SAME issue !!! you can not change the circumstances around you and THAT is my point.

but anyway - you brought me on a HUGE idea with another issue i need to resolve and that little kinky conversation helped me to find it.

thanks to you for that ;-)

XloveCam.com affiliate tools are 100% HTTPS
Lots of other sponsors have had to do the same.

Use sponsors that can support your change to HTTPS.

Clearly you didn't read anything I wrote.

Edit: idk

Hasn't been a totally clean switch either. I expected some odd behaviour here and there, but I've noticed quite a bit, even from browsers with common user agents that should support HTTPS 100%.

Here's some log entries. The last value is the port (HTTP=80, HTTPS=443).

There's browsers which switch without fuss, going from port 80 to 443 within a second:


There's browsers which are delayed for some reason, perhaps because of a user confirmation dialog? This IP had 22 seconds between the redirect (HTTP) and the content fetch (HTTPS) :


Then there's these browsers, which don't redirect to HTTPS, and they continue connecting to port 80, even though the referer suggests they're HTTPS capable:

Note he gave up for an hour, then tried again...

It's the latter case that concerns me, because it looks like they're no longer able to access the site at all. I ended up writing some extra scripting that only sends the 302 HTTP->HTTPS redirect once; if the browser continues to connect to port 80, it will fall back to permitting normal site access via HTTP.

So far around 19% of IPs have hit that fallback exception, which seems a very high number. :helpme

You got root on the server?

this is the way it is done

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
https://httpd.apache.org/docs/2.4/mod/mpm_common.html
Multiple Listen directives may be used to specify a number of addresses and ports to listen to. The server will respond to requests from any of the listed addresses and ports.

For example, to make the server accept connections on both port 80 and port 8000, use:
I added the Listen 443

that should* solve some of the problem -- I don't think that would redirect ALL requests to HTTPS/TLS 443
You don't want to use 301 redirection in a php script
or are you using an Apache .htaccess directive like Rewrite of Redirect Match

This is much simpler to do with Nginx


Configuring HTTPS servers


Code:

2 ways to do it in Nginx

? As per my above post I already have Apache listening on both port 80 and port 443. Exact same config, except the latter has the SSL directives.

I've also shown that unconditional HTTP->HTTPS redirection doesn't seem to work for a lot of people, which is why I added in the conditional redirect.

What's wrong with doing a redirection in a PHP script?

PHP is way too slow


Try this in the DocumentRoot .htaccess file

htaccess HTTPS / SSL Tips, Tricks, and Hacks

very good site and usually dead nuts right.

HTTPS is crap.

Have you actually used it at any time in the past 15 years? :winkwink:

The site is PHP based, so adding an extra few statements makes near zero difference to load time. HTTPS negotiation is the bottleneck here...

This is an unconditional redirect. As I've already mentioned above this does not seem to work for many browsers. I started with an unconditional redirect and noted that browsers were getting stuck on port 80, which is why I changed it to a "try once" HTTPS redirect, with fallback to plain HTTP if they continue to connect to port 80. Try doing that with htaccess :)

Server daemons are a lot faster than ALL interpreter languages -- good luck

What are the user-agents that are not accepting the redirects.
It is also possible that ad blockers may be a factor.
What percentage of browsers are a problem -- and do they matter?

If its 5% -- and obsolete --fuck em some people still tweak CSS3 for IE7 :laughing-
You post log entries that are incomplete and useless
How the fuck can I tell -- there are no user agents?

The only problem we have had with HTTPS/TLS is with the googlebot and ITS indexing -- Google is so full of shit.

Did you first try in .htaccess <= the fastest way or not?

Outgoing links don't have to be https, the only thing that will trigger a warning is when you include a non secure item (such as a js file or iframe/ad code or image). Any reputable ad network, counter, third party plugins, etc. offer https. If you use any sponsor, ad network, counter, js, etc. that doesn't in 2017 I would leave them asap, because they obviously don't take security seriously, so I wouldn't trust them with anything.

Just drop them. I would not trust my data with an affiliate program that doesn't even bother to set up https...

I fixed that for you :upsidedow

https://gist.github.com/medhi/25368643e33d650630cb

Maybe this will help -- it is 1 year old.

Looks like the redirect issue is mostly moot now - Google has picked up the 301, and is now referring people directly to the HTTPS URL.

No chance now of an automated fallback to HTTP, if a browser referred by Google decides (for whatever reason) that it doesn't like my Let's Encrypt certificate. :(

Guess I now need to be looking for port 443 connections that don't fully load the page...

A month later, and it's apparent that inlining a program's HTTP content on my HTTPS site is a serious problem.

Daily referrals to the webcam affiliate program dropped from 90-100, down to around 10. The drop happened immediately after I switched to HTTPS.

This is a massive decrease in leads, and potentially, my long term income from that program.

I'm going to have to set up some kind of HTTP->HTTPS proxy so that I can serve the content myself, because the program is too damn lazy/apathetic to spend a couple of hundred bucks on a certificate and set up HTTPS.

So think twice about switching to HTTPS "because Google told you to" :2 cents:

http://thsrv.com/p/leads_after_https.png

Graph showing the clear drop in leads right after switching to HTTPS.

Daily traffic on my own site has changed very little since the switch, but leads to the HTTP-only program have. :2 cents:

XloveCam/XloveCash affiliate tools are 100% HTTPS for some months now ...

Unfortunately, you may experience a SERPs problem while your website is being reindexed in HTTPS.

Barry uses the new "snowflake" https protocol. It's superior.
Na Barry I'm just busting. I hear you run a great program man. And you always have great tech input.
Duke

We went https by our old tech and he fucked us out of seo results, downtime, you name it. Had to have woj fix everything.
Ds

i don´t think so because the fall down was already before.
can be a victim of the last google update or someone who have copied the page.

@ rowan:

if you pm me the url i will have a look on it.

If there is anything in your site coding that relies on http header data you will have serious issues switching an http site to https. When you redirect incoming http traffic to the https site via .htaccess, the http header data is not retained.

Do you mean POST data? I log all HTTP headers, and I just looked at a couple of HTTP 301->HTTPS 200 sequences - all headers are preserved over the redirect, including the referer.

Google really sucketh dicketh. :2 cents:

i siwtched my site to https and traffic dropped 90% .
becuase google is stupid and treats http and https as 2 separate sites/entities. it takes time to get back to old position/rankings ...

lesson learned., https is not that important if you are not having members area or billing members.

majority top 10k alexa sites are still using http as preferred its not that they dont support https, but at least they are not doing 301 from http to https..

2 cents.

Problem for us is some sites we submit to, like the Hun have announced if you have not switched it may be a problem soon. If I understand their message correctly.

I submit to the HUN a lot and never received any notice from them on the https issue..Just went and check there rules again and I do not see anywhere in there about switching to https. Unless I'm not looking in the right place.

imho just enabling https doesnt hurt, but force redirecting one protocol to another does . i am talking about serp here and not direct traffic.

You realize HTTPS is now a form of SEO, right? Google favors HTTPS over non-HTTPS.

Has anyone made the transition from http to https: on Wordpress without any ranking drop? If so what plugin if any?

Thanks

The rankings for me go down, then come back up after re-indexing.

So I got the HTTPS proxy set up, which rewrites http:// references to go via the script (which is fetched via HTTPS) rather than the affiliate site (which is HTTP). The intent is to prevent the browser warning of insecure content, because my HTTPS page includes content from a HTTP URL.

Then I find that the affiliate program drops my refid from the HTML when my server fetches the content on behalf of the visitor, instead of the visitor's browser fetching it directly. My workaround does NOT work.

I've sent them 3 messages in the past 6 weeks and there's been no response.

Don't know whether to laugh, or cry. :Oh crap