12

Shouldn't there be an HTTP -> HTTPS redirect on all Stack Exchange sites?

I am using the HTTPS Everywhere add-on in Chromium, so I am unaffected, but I don't get it.

I see we have a certificate issued from DigiCert SHA2 High Assurance Server CA, which must have cost something.

Moreover, we use a good configuration, which someone must have taken care of; why not use the effort that has been put into it?

I am curious as to what exactly the problem is here.

7
  • 2
    There is still some mixed content left, like images that users embedded using http:// links. SE developers have been converting these, and this work is ongoing, as Nick Craver tweeted several hours ago. Commented Nov 24, 2016 at 7:01
  • @zaq Mixed content is usually no problem if a strict Content-Security-Policy has not been set. Commented Nov 24, 2016 at 7:36
  • @VlastimilBurian incorrect - I don't know offhand about Safari/Opera (although Safari at least lags behind everything else in terms of standards support... sigh) but Chrome, Firefox and I think IE all block mixed passive content and will probably eventually block mixed active content too. Commented Nov 28, 2016 at 7:14
  • Wildcard certificates don't support `*.*.stackexchange.com`, needed for meta.unix.stackexchange.com. Commented Dec 3, 2016 at 23:08
  • 1
    @strugee It's the other way around, mixed active content from HTTPS to HTTP is blocked by default (at least in Firefox) and blocking mixed passive content is an option. Commented Dec 5, 2016 at 16:16
  • @MichaelKjörling whoops! must've gotten the two mixed up somehow. nice catch. Commented Dec 8, 2016 at 0:22
  • Actually, when a subdomain of a subdomain needs SSL, like meta.unix.stackexchange.com, this is a big topic: security.stackexchange.com/a/10544/82570 Commented Dec 9, 2016 at 10:06

1 Answer

12

Stack Exchange has a lot of mixed content which is blocked by modern browsers' Mixed Content Blocker implementations. Ref Firefox, Chrome, IE/Edge, W3C editor's draft.

As pointed out in question comments, Nick Craver tweeted recently that the conversion work is close to being done. He also has a much older post detailing why turning on HTTPS is so complicated (and thus has taken so long) for Stack Exchange.
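An added example, not part of the original answer or Stack Exchange's own tooling: a small Python auditor that finds the `http://` subresources discussed above in an HTML fragment and labels each as passive or active mixed content. The element lists, the `SAMPLE` markup and the example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# Element/attribute pairs that load subresources. Passive content cannot
# alter the rest of the page; active content can script or restyle it.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}

# Constructed sample: user-embedded markup as it might appear in a post.
SAMPLE = """
<p>See <a href="http://example.com/post">this post</a></p>
<img src="http://i.example.com/chart.png" alt="chart">
<img src="https://i.example.com/ok.png">
<script src="http://cdn.example.com/lib.js"></script>
<link rel="stylesheet" href="HTTP://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/post">
"""


class MixedContentAuditor(HTMLParser):
    """Collect http:// subresources referenced by a page served over HTTPS."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if not value or not value.strip().lower().startswith("http://"):
                continue  # https://, relative and empty URLs are fine
            if (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, value.strip()))
            elif (tag, name) in ACTIVE:
                # Simplification: only rel=stylesheet links are counted.
                if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    continue
                self.findings.append(("active", tag, value.strip()))
        # Plain <a href> navigation is not a subresource, so it is ignored.


def audit(html):
    parser = MixedContentAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```
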
