Bug #7235
closed
Added by Raffi Khatchadourian almost 8 years ago.
Updated almost 8 years ago.
Description
I am getting an SSL error when trying to access any site on the commons, e.g., http://dev.commons.gc.cuny.edu. My browser says that the certificate is invalid. If I add a security exception and proceed, no matter which site I am trying to access, the contents of the page seem to be something to the extent of "The Barry S. Brook Center For Music Research And Documentation."
Hi Raffi,
Sorry for the late response. This issue (a server configuration error) should be fixed now; please let us know whether the issue is solved for you.
Matt Gold wrote:
Hi Raffi,
Sorry for the late response. This issue (a server configuration error) should be fixed now; please let us know whether the issue is solved for you.
No problem, Matt. But, why are these sites being served over HTTPS? What is the sensitive information that is being transferred? Of course, I understand that forms asking for passwords need to be posted via HTTPS but why the entire site in general?
Using HTTPS unnecessarily not only wastes computational resources on the server but also negatively affects SEO.
- Status changed from New to Assigned
Hi Raffi. Central IT now requires that any CUNY website containing a login form be served over https. Since the sitewide header (the black band at the top of the CAC) includes a log-in mechanism, we are required to serve over https.
Matt Gold wrote:
Hi Raffi. Central IT now requires that any CUNY website containing a login form be served over https. Since the sitewide header (the black band at the top of the CAC) includes a log-in mechanism, we are required to serve over https.
Thanks, Matt. But, shouldn't only the POST sent when the login form is submitted be over HTTPS? Why would the form itself (i.e., the text boxes) need to be secured?
Using HTTPS unnecessarily not only wastes computational resources on the server but also negatively affects SEO.
Our eventual goal is to serve all content over SSL/TLS. Browsers will increasingly enforce this policy, by disabling various features and showing scary notices for non-secure pages. See https://https.cio.gov/everything/ for a helpful overview of why HTTPS everywhere is a good policy.
Boone Gorges wrote:
Using HTTPS unnecessarily not only wastes computational resources on the server but also negatively affects SEO.
Our eventual goal is to serve all content over SSL/TLS. Browsers will increasingly enforce this policy, by disabling various features and showing scary notices for non-secure pages. See https://https.cio.gov/everything/ for a helpful overview of why HTTPS everywhere is a good policy.
Ah, okay. Thanks for the clarification, Boone.
- Status changed from Assigned to Resolved
- Target version set to Not tracked