OzBargain going for HTTPS-only

Just pushed up an update to our backend. One of the key changes in this update is to make the whole site HTTPS-only, which means:

  • OzBargain is now on URL https://www.ozbargain.com.au
  • All the http:// links will be redirected to https://

While we do try to keep all the resources on the site HTTPS, including images, JavaScript, etc., there still exist some issues that might not always give you a nice green padlock on your browser's address bar:

  • Some embedded images in the post might not be on HTTPS.
  • Some ads served via Google's DFP might not be on HTTPS.

Please report here if you encounter other related issues.


Edit: Just in case someone is wondering why we moved to HTTPS-only

  • With HTTPS, your web browser negotiates a session key with the OzBargain web server, and all the packets transmitted (HTML page, images, your username / password, etc.) are encrypted with that session key. Men-In-The-Middle that capture those packets would not be able to easily decrypt them to get the clear-text information. For example, if you are on an open WiFi hotspot, other people on the same AP won't be able to capture your OzBargain password and session token.

  • With HTTPS, you can also identify whether OzBargain web-server is presenting a certificate that has been signed by a trusted authority. So if your DNS has been spoofed and someone sent you to a different website claiming to be OzBargain, it would not be able to provide the same signed certificate. So now you know OzBargain is HTTPS-only, and if you do happen to come to www.ozbargain.com.au that does not happen to have a padlock in the location bar — something fishy might be going on.

  • The Internet is progressively moving to an HTTPS-only world. Google, Facebook and many other services are all on HTTPS, and the SPDY / HTTP2.0 protocol would always require HTTPS.

No. It has nothing to do with "tracking".

Comments

  • Just for a beginner here, what are the benefits of going https?

    I found this: http://stackoverflow.com/questions/6498419/is-there-any-advantages-to-using-http-over-https
    but it didn't really help me

    • +3

      It's for security. If you are in http (non https), anything you send within the browser is sent as clear text, and someone who can sniff your network will be able to see the values that you sent.
      For example, if you log in to OzB, your username and password will be in clear text on the wire (or network).
      Using https, it will encrypt those values.
      Hope it helps

      • Thanks most appreciated!

  • -7

    SSL only?
    Well that's it for me. I won't be back again!
    PhD & undergrad in CompScience (Murdoch). IT certs. Etc. Can't go into pages of detail on this subject but…

    SSL means guaranteed (highest-paid) tracking. Impossible for visitor to stay anonymous etc.
    Don't know your precise motives but this may risk your continued success.
    I believe a terrible move from a popular website, should have researched more / consulted. Or it's just malignant greed.

    Anyway all links to this website will be removed permanently. Bye.

    • +4

      My sarcasm detector is broken on this one…

    • +4

      Can't go into pages of detail on this subject but

      Because the tin foil hat police will take you away? Really crazy part is you seem to think that HTTP is in any way better.

    • Get the NoScript plugin. Problem solved.

    • Toodles! :)

  • I've been using HTTPS for quite some time now and the only thing I've noticed not working is productreview related, which I reported a while ago. Moocher looked into it and it turned out that productreview's cert had expired, meaning it was out of your control anyway.

    Other than that, as far as I can see, it's all working fine.

  • Great move, thank you very much.

  • Newsletter subscribers for the AM slot may be wondering where this morning's newsletter is. Due to a configuration setting being left at HTTP (my bad), the newsletter notification batch for this morning failed to run. Unfortunately it may affect site performance to run it this late. The setting has been updated and things and the midday slot should be working.

  • Would this possibly kill the new deals RSS for some as well? (Another thread started on this - wondering if this might be the cause)
