Bug #7235
closedCan't access sites
0%
Description
I am getting an SSL error when trying to access any site on the commons, e.g., http://dev.commons.gc.cuny.edu. My browser says that the certificate is invalid. If I add a security exception and proceed, no matter from which site I am trying to access, the contents of the page seems to be something to the extent of "The Barry S. Brook Center For Music Research And Documentation."
Updated by Matt Gold over 7 years ago
Hi Raffi,
Sorry for the late response. This issue (a server configuration error) should be fixed now; please let us know whether the issue is solved for you.
Updated by Raffi Khatchadourian over 7 years ago
Matt Gold wrote:
Hi Raffi,
Sorry for the late response. This issue (a server configuration error) should be fixed now; please let us know whether the issue is solved for you.
No problem, Matt. But, why are these sites being served over HTTPS? What is the sensitive information that is being transferred? Of course, I understand that forms asking for passwords need to be posted via HTTPS but why the entire site in general?
Using HTTPS unnecessarily not only wastes computational resources on the server but also negatively affects SEO.
Updated by Matt Gold over 7 years ago
- Status changed from New to Assigned
Hi Raffi. Central IT now requires that any CUNY website containing a login form be served over https. Since the sitewide header (the black band at the top of the CAC) includes a log-in mechanism, we are required to server over https.
Updated by Raffi Khatchadourian over 7 years ago
Matt Gold wrote:
Hi Raffi. Central IT now requires that any CUNY website containing a login form be served over https. Since the sitewide header (the black band at the top of the CAC) includes a log-in mechanism, we are required to server over https.
Thanka, Matt. But, shouldn't only the POST sent when the login form is submitted be over HTTPS? Why would the form itself (i.e., the text boxes) need to be secured?
Updated by Boone Gorges over 7 years ago
Using HTTPS unnecessarily not only wastes computational resources on the server but also negatively affects SEO.
Our eventual goal is to serve all content over SSL/TLS. Browsers will increasingly enforce this policy, by disabling various features and showing scary notices for non-secure pages. See https://https.cio.gov/everything/ for a helpful overview of why HTTPS everywhere is a good policy.
Updated by Raffi Khatchadourian over 7 years ago
Boone Gorges wrote:
Using HTTPS unnecessarily not only wastes computational resources on the server but also negatively affects SEO.
Our eventual goal is to serve all content over SSL/TLS. Browsers will increasingly enforce this policy, by disabling various features and showing scary notices for non-secure pages. See https://https.cio.gov/everything/ for a helpful overview of why HTTPS everywhere is a good policy.
Ah, okay. Thanks for the clarification, Boone.
Updated by Boone Gorges over 7 years ago
- Status changed from Assigned to Resolved
- Target version set to Not tracked