The website uses HTTP instead of HTTPS by default
Closed this issue · 6 comments
When I click on the site on Google it uses HTTP by default even though replacing it with HTTPS manually works. I'm on the latest version of Firefox if that matters.
This results in a large 'This site isn't secure' pop-up on other browsers, which isn't a good look for something as low-level as a terminal emulator.
Context is often very important, esp. if you want others to understand your issue:
- What are you talking about?
- Which site are you referring to?
- What does this site have to do with a terminal emulator?
- How does not using HTTPS make it look bad?
And if you are interested, I also have a few random remarks on common HTTPS misconceptions:
- Not using HTTPS does not make a website insecure per se. If a browser states it like that, it is wrong.
- Not every website needs HTTPS, esp. smaller pure informational sites don't need it.
- HTTPS does not come for free, its encryption is a major cost factor for servers and creates high power consumption.
I know that Google has lobbied for HTTPS for years now, but plz don't follow it blindly. Use encryption where it is useful and actually secures something. For everything else it is a waste of resources.
(Mind you - the fact that Google lobbies for HTTPS that much, while also preventing proper end-to-end email encryption, speaks for itself...)
I'm referring to the site of the repo the issue is in, aka xtermjs.org and the fact that it doesn't redirect to HTTPS by default. I think it's pretty obvious what the site has to do with the repo given that it's literally linked at the top. Not using HTTPS makes it look bad because browsers make it seem that way. I know that HTTP isn't inherently insecure, especially since there's no real data transfer, but it's still not a good look for people who don't know as much. HTTPS is free if you use Let's Encrypt (and you would know if you read my issue that xterm already has SSL certs) and I highly doubt the claim that it consumes power, source on that please.
Sorry, we get all sorts of weird issue reports from peeps, so it was not obvious to me that you are referring to xtermjs.org.
For me it opens the HTTPS version automatically in chrome and firefox, but I can force it to use HTTP only by removing the "s", thus HSTS is prolly not set. The website is on github.io, idk if it allows us to change that setting.
Well, xtermjs.org is one of those sites which does not win anything with HTTPS; it does not deal with sensitive data by any means, as it is just a nicer way to present API docs. Don't get me wrong, we actually take security very seriously (see https://xtermjs.org/docs/guides/security/), but a false flag is still a false flag. And ppl scared away by that are prolly not the right audience to tamper with a terminal in HTML, if they cannot differentiate basic security aspects.
> ... I highly doubt the claim that it consumes power...
What? Ofc it drains power, nothing comes for free in computing, esp. if it involves complex math equations. You can test that yourself - do a load test in HTTP and HTTPS on an otherwise resting machine and you will see differences in latency, throughput (or requests/s) and overall system load. Which means admins have to scale to more or bigger machines earlier. Since AES-NI it is not as bad as it used to be, but that trades an almost restored throughput with higher power consumption of the additional silicon. On mobile devices/IoT the encryption stack is a major reason for battery drain.
> source on that please.

Dude this is not twitter, if you don't know about it, it is not my responsibility to educate you. Ah whatever:
huh that's weird, it does use HTTPS by default on Chromium but not FF. Maybe I messed something up
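
The HSTS point raised in the thread (plain HTTP keeps loading when the "s" is removed, so no HSTS policy is in effect) can be checked mechanically from a captured redirect chain. The following is an added example, not part of the original issue or the xterm.js project; the `docs.example` host and both response chains are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return the parsed policy, or None when no valid max-age is present."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def audit_chain(hops):
    """hops: list of (url, status, headers) in the order the client saw them."""
    first, last = urlsplit(hops[0][0]), urlsplit(hops[-1][0])
    result = {"upgrades_to_https": False, "hsts": None, "notes": []}
    result["upgrades_to_https"] = first.scheme == "http" and last.scheme == "https"
    for url, _status, headers in hops:
        sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if sts is None:
            continue
        if urlsplit(url).scheme != "https":
            # RFC 6797 section 8.1: HSTS received over plain HTTP must be ignored.
            result["notes"].append("HSTS header on http:// response is ignored")
            continue
        policy = parse_hsts(sts)
        # max-age=0 tells the client to delete any stored policy.
        result["hsts"] = policy if policy and policy["max_age"] > 0 else None
    if first.scheme == "http" and not result["upgrades_to_https"]:
        result["notes"].append("plain HTTP is served without a redirect")
    if result["hsts"] is None:
        result["notes"].append("no effective HSTS policy: http:// stays reachable")
    return result

# Constructed sample chains (not captured from any real site).
NO_REDIRECT = [("http://docs.example/", 200, {"Content-Type": "text/html"})]
HARDENED = [
    ("http://docs.example/", 301, {"Location": "https://docs.example/",
                                   "Strict-Transport-Security": "max-age=31536000"}),
    ("https://docs.example/", 200,
     {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
if __name__ == "__main__":
    for chain in (NO_REDIRECT, HARDENED):
        print(audit_chain(chain))
```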