Site doesn't allow https on all pages

This topic is locked from further discussion.

#1 life359
Member since 2013 • 36 Posts

Seriously, this is not 1995. Why are we forced to http? Relative to bandwidth, https is practically no performance overhead now. Why are you not only not defaulting to https but actually forcing https back to http? You must be the only site left on the Internet that I know of that does this. I can think of no other site I visit that actually forces back to http.

#2 Macutchi
Member since 2007 • 11217 Posts

@life359 said:

Seriously, this is not 1995. Why are we forced to http? Relative to bandwidth, https is practically no performance overhead now. Why are you not only not defaulting to https but actually forcing https back to http? You must be the only site left on the Internet that I know of that does this. I can think of no other site I visit that actually forces back to http.

they have it enabled on their auth.gamespot sub domain for registering and logging in. it's just not been implemented across the gamespot domain, it's not an explicit redirect back to http. if you open up your dev console you can see a ton of hard coded http resources which shows this to be the case.

i don't know why exactly they haven't enabled it site wide but two questions / observations -

1. why is it so important to you? i.e. what sensitive data are you worried about submitting that needs encrypting?

2. you may not realise the difficulty in implementing it across a site as large as gamespot, which requires every single link to external files, either their own files or from third party sites they use (and that will be a ton), updated to be protocol agnostic i.e. remove the protocol. if there's a single third party site that doesn't support https or one rogue link that's hardcoded with http their certificate is invalidated. there's other complications beyond that too

#3 wemmick
Member since 2013 • 372 Posts

What he said. : )

@Macutchi said:
@life359 said:

Seriously, this is not 1995. Why are we forced to http? Relative to bandwidth, https is practically no performance overhead now. Why are you not only not defaulting to https but actually forcing https back to http? You must be the only site left on the Internet that I know of that does this. I can think of no other site I visit that actually forces back to http.

they have it enabled on their auth.gamespot sub domain for registering and logging in. it's just not been implemented across the gamespot domain, it's not an explicit redirect back to http. if you open up your dev console you can see a ton of hard coded http resources which shows this to be the case.

i don't know why exactly they haven't enabled it site wide but two questions / observations -

1. why is it so important to you? i.e. what sensitive data are you worried about submitting that needs encrypting?

2. you may not realise the difficulty in implementing it across a site as large as gamespot, which requires every single link to external files, either their own files or from third party sites they use (and that will be a ton), updated to be protocol agnostic i.e. remove the protocol. if there's a single third party site that doesn't support https or one rogue link that's hardcoded with http their certificate is invalidated. there's other complications beyond that too

#4  Edited By life359
Member since 2013 • 36 Posts

@Macutchi said:
@life359 said:

Seriously, this is not 1995. Why are we forced to http? Relative to bandwidth, https is practically no performance overhead now. Why are you not only not defaulting to https but actually forcing https back to http? You must be the only site left on the Internet that I know of that does this. I can think of no other site I visit that actually forces back to http.

they have it enabled on their auth.gamespot sub domain for registering and logging in. it's just not been implemented across the gamespot domain, it's not an explicit redirect back to http. if you open up your dev console you can see a ton of hard coded http resources which shows this to be the case.

i don't know why exactly they haven't enabled it site wide but two questions / observations -

1. why is it so important to you? i.e. what sensitive data are you worried about submitting that needs encrypting?

2. you may not realise the difficulty in implementing it across a site as large as gamespot, which requires every single link to external files, either their own files or from third party sites they use (and that will be a ton), updated to be protocol agnostic i.e. remove the protocol. if there's a single third party site that doesn't support https or one rogue link that's hardcoded with http their certificate is invalidated. there's other complications beyond that too

It is an explicit redirect back to http. I try to force https on any link and their site forces me back to https. So they're intentionally capturing https and redirecting back to http. Take this forum post. Try to go here:

https://www.gamespot.com/forums/bug-reporting-feedback-1000006/site-doesnt-allow-https-on-all-pages-33341345/

It's a 301 (redirect permanent) back to http. WHO DOES THAT? So they have https and disable it on purpose? What?

It doesn't matter why it's important to me. Your argument is analogous to "if you have nothing to hide then why do you care about privacy?"

Fixing hard coded http links is a search and replace in your code. http:// -> // (protocol relative links). If you're using a CMS where the links are in your database, well then s**t. I highly doubt GameSpot was written in Drupal.

If you are including content from a CDN that doesn't support https you don't use that CDN. Period.

What other complications are there? Serious question. Please enlighten me. I do this for a living. I've never come across any other issues enabling https other than bad developers including from CDNs using hard coded http:// links.
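Added example, not part of the original post and not GameSpot's code: before any search and replace of `http://` links, this sketch audits markup and separates subresource loads (which become mixed content on an HTTPS page) from plain navigation links and protocol-relative URLs. The sample markup, the `example.test` hostnames and the function name are constructed for illustration.

```javascript
// Constructed sample page; hostnames are placeholders, not real GameSpot assets.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="http://cdn.example.test/player.js"></script>
<img src="http://img.example.test/cover.jpg">
<iframe src="//ads.example.test/frame.html"></iframe>
<a href="http://www.example.test/forums/">Forums</a>
<video src="https://video.example.test/clip.mp4"></video>
`;

// Tags that fetch a subresource, with the W3C Mixed Content category an
// http:// load falls into when the embedding page is served over https.
const SUBRESOURCE = {
  script: { attr: 'src', kind: 'blockable' },
  iframe: { attr: 'src', kind: 'blockable' },
  link:   { attr: 'href', kind: 'blockable' },          // stylesheets only, see below
  img:    { attr: 'src', kind: 'optionally-blockable' },
  audio:  { attr: 'src', kind: 'optionally-blockable' },
  video:  { attr: 'src', kind: 'optionally-blockable' },
};

function auditMixedContent(html) {
  const findings = [];
  // Opening tags only: "</script>" does not match because "/" is not \w.
  for (const [, rawTag, attrs] of html.matchAll(/<(\w+)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const rule = SUBRESOURCE[tag];
    if (!rule) continue; // e.g. <a href> is navigation, not a subresource load
    if (tag === 'link' && !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(attrs)) continue;
    const m = new RegExp(`(?:^|\\s)${rule.attr}\\s*=\\s*["']([^"']+)["']`, 'i').exec(attrs);
    if (!m) continue;
    const url = m[1];
    // Only an explicit http:// scheme is flagged; "//host/path" inherits the
    // page's scheme and https:// is already fine.
    if (/^http:\/\//i.test(url)) {
      // Suggested rewrite; it only works if that host actually serves HTTPS.
      findings.push({ tag, url, kind: rule.kind, fix: url.replace(/^http:/i, 'https:') });
    }
  }
  return findings;
}

console.log(auditMixedContent(SAMPLE_HTML));
```

Regex matching is enough for an inventory pass over templates; URLs assembled in JavaScript or stored in a database need a crawl with a real browser and its console output.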

#5 wemmick
Member since 2013 • 372 Posts

@life359: There are a variety of reasons this is challenging, but one of the biggest for us is that when you deal with the volume of bandwidth that we do (particularly for video), there is a significant difference in serving costs via CDN for https vs http. We have been working on re-negotiating our contract, and do hope to go to https in the future, but currently it's cost-prohibitive.

#6 Macutchi
Member since 2007 • 11217 Posts

@life359 said:

It is an explicit redirect back to http. I try to force https on any link and their site forces me back to https. So they're intentionally capturing https and redirecting back to http. Take this forum post. Try to go here:

https://www.gamespot.com/forums/bug-reporting-feedback-1000006/site-doesnt-allow-https-on-all-pages-33341345/

It's a 301 (redirect permanent) back to http. WHO DOES THAT? So they have https and disable it on purpose? What?

sorry, what i meant was that it's not that they have https enabled and are purposely redirecting you back to http, they obviously don't have it enabled as you can see all the hard coded http links. to answer your question about "WHO DOES THAT" then the answer is tons of websites that don't have https enabled. it's not uncommon at all. and there's loads of substantially sized sites that don't even have those kind of precautions in place. try

https://uk.ign.com/ - security warning

https://www.giantbomb.com/ - kaboom

https://www.polygon.com - redirects back to http, like gamespot

you should know this if you're an experienced developer. i don't see why the need for all this surprise and hyperbole.

@life359 said:

It doesn't matter why it's important to me. Your argument is analogous to "if you have nothing to hide then why do you care about privacy?"

it really isn't.

@life359 said:

Fixing hard coded http links is a search and replace in your code. http:// -> // (protocol relative links). If you're using a CMS where the links are in your database, well then s**t. I highly doubt GameSpot was written in Drupal.

If you are including content from a CDN that doesn't support https you don't use that CDN. Period.

What other complications are there? Serious question. Please enlighten me. I do this for a living. I've never come across any other issues enabling https other than bad developers including from CDNs using hard coded http:// links.

if you do this for a living you should at least be a bit more empathetic and less condescending / outraged. you should know all the complications and caveats of introducing https to a site of this size. thanks for the pro-tips of doing a quick find and replace in the codebase or not using CDNs that don't support it though, i'll have to try and remember those

#7  Edited By life359
Member since 2013 • 36 Posts

there is a significant difference in serving costs via CDN for https vs http. We have been working on re-negotiating our contract, and do hope to go to https in the future, but currently it's cost-prohibitive.

If CDNs are charging more to serve content over https that's just ridiculous. That's gouging, plain and simple. Take your business elsewhere. I'm saddened to hear that slimy companies are doing this in an age where https is negligible overhead and SSL certs are free (Amazon ACM, Let's Encrypt for example).

@Macutchi

I originally wrote out a big long winded post but I've since edited it to delete.

Since you've started to be sarcastic (with your ending comment), I'm not going to continue a discourse with you.

#8  Edited By Macutchi
Member since 2007 • 11217 Posts

@life359: thanks.

you've spared me from more great insight like

@life359 said:

If CDNs are charging more to serve content over https that's just ridiculous. That's gouging, plain and simple. Take your business elsewhere.

i'm sure the gamespot team will never have considered that and after reading it they'll all be like "oh yeah... we never thought about using a different CDN before, this guy's a genius."

so all they need to do is switch CDNs, which is obviously child's play for a site the size of this with as much content as they have, do a quick find and replace for hard coded http links and hey presto they'll be ssl compliant before you know it. it's as simple as that.

looking forward to more pearls of development wisdom from you

edit:

just seen your original response:

"So you've went out of your way to find other websites that have refused to get on board with proper https support?"

not at all. i literally chose the first three gaming websites i could think of that are similar to gs. two didn't have any preventative measures in place and the third does exactly what gamespot does. just to demonstrate why your original statement of "Why are you... forcing https back to http? You must be the only site left on the Internet that I know of that does this. I can think of no other site I visit that actually forces back to http" was a ridiculous thing to say.

at least gs actually have preventative measures in place because there are countless large scale sites that don't. if you'd been a bit more rational and simply asked why they don't have https enabled, instead of all the incredulity, condescension and hyperbole i wouldn't have resorted to sarcasm