download updates via HTTPS

darix · May 14, 2018, 10:12am

With the rise of Letsencrypt there is no excuse not to anymore. given that this is basically downloading code that will be executed on the users computer, this should really come over a secure connection.

@patdavid and me an help you with LE questions. (others probably too)

David_Tschumperle · May 14, 2018, 11:02am

Sounds like a good idea.
I’m totally unfamiliar with how these things work actually. What would it imply ? How do you see the thing working ?

andabata · May 14, 2018, 11:06am

As you are running apache on gmic.eu. Just use certbot to setup https + letsencrypt. Certbot is included in most distributions.

It should be relative painless to switch to https.

David_Tschumperle · May 14, 2018, 11:09am

I admit I’m using a not-so-expensive external hosting service for gmic.eu, so I cannot tweak the web server as I want.
I’ll see what they offer, and if this service is available in my hosting contract.

darix · May 14, 2018, 11:16am

We use dehydrated for discuss.pixls.us.

darix · May 14, 2018, 11:19am

Maybe your webhoster offers LetsEncrypt integration already. I mean it doesn’t cost them much to add that.

Also how does an user verify that the file on that webhoster is unmodified and really still what you uploaded?

David_Tschumperle · May 14, 2018, 1:05pm

OK, so finally, it seems the web server is already configured for https connexions.
I’ll simply force the update file to use a https:// address instead of a http:// one.

andabata · May 14, 2018, 1:23pm

Maybe just redirect the whole http://gmic.eu to https://gmic.eu

darix · May 14, 2018, 1:24pm

+1

and if you can HSTS header.

David_Tschumperle · May 14, 2018, 1:25pm

Yes, that is what I’m doing right now.
And it seems to work so far.

Don’t know what this thing is, so please elaborate

darix · May 14, 2018, 1:28pm

For apache:

# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"

For nginx:

add_header Strict-Transport-Security max-age=15768000;

With this header in the SSL vhost … the client will go directly to the https site for the configured time, if it has been there once.

So even if you type http://gmic.eu/ it will load the https site.

David_Tschumperle · May 14, 2018, 1:29pm

Ah ok ok.
Don’t know how I can do this with my hosting service, but I will check.

darix · May 14, 2018, 1:31pm

One important bit to check when you force the site to https:

links to local and 3rd party resources have to use https as well.

so either always use

https://somehost/somepath

or

//somehost/somepath

The 2nd syntax will reuse the same protocol type as the current page.

David_Tschumperle · May 14, 2018, 1:43pm

Looks like this thing is working too Thanks !