HTTPS for login only

HTTPS for login only

Postby mbazdell » 23 Mar 2015, 16:57

Hi All,

Has anybody here set up HTTPS for login only? Most of my feeds call content that isn't over HTTPS and that obviously causes issues. I'm just wondering if anybody has set up a way to log in using HTTPS and then drop back to HTTP without any issues.

Re: HTTPS for login only

Postby m0zes » 23 Mar 2015, 17:34

If you are worried about people sniffing your password from a non-ssl connection, you should be just as worried about people sniffing the auth-token from an existing connection. Either disable ssl, or tell the site ops to fix their problems.

Loading *content* into an ssl session from a non-ssl feed shouldn't be a problem, unless the operation isn't safe to begin with. No, you shouldn't be loading js from non-ssl sites in an ssl session.

Re: HTTPS for login only

Postby JustAMacUser » 23 Mar 2015, 17:41

As m0zes said. Mixed content shouldn't be too much of a problem. I wouldn't want it on a bank's web site, but if you're willing to go without SSL completely then mixed content is a step up as it will keep your auth cookies secure (which is nice if you're on public wifi, for example). If you want a completely secure connection, enable "cache images" for all your feeds then images will be served from your TT-RSS instance.

e: Oh, and you're from Canada. Cool, me too.

Re: HTTPS for login only

Postby fox » 23 Mar 2015, 18:01

>Most of my feeds call content that isn't over HTTPS and that obviously causes issues.

uhh no it doesn't? unless your browser is hilariously terrible and/or misconfigured

Re: HTTPS for login only

Postby mbazdell » 23 Mar 2015, 18:49

fox wrote:
> >Most of my feeds call content that isn't over HTTPS and that obviously causes issues.
>
> uhh no it doesn't? unless your browser is hilariously terrible and/or misconfigured

Perhaps you're right. Last time I tried was a bit more than a year ago so I'll give it another swing. I remember last time though that it caused issues with iframes and other embedded content.

Re: HTTPS for login only

Postby dariottolo » 17 Apr 2015, 18:50

JustAMacUser wrote:
> As m0zes said. Mixed content shouldn't be too much of a problem. I wouldn't want it on a bank's web site, but if you're willing to go without SSL completely then mixed content is a step up as it will keep your auth cookies secure (which is nice if you're on public wifi, for example). If you want a completely secure connection, enable "cache images" for all your feeds then images will be served from your TT-RSS instance.
>
> e: Oh, and you're from Canada. Cool, me too.

I had the "mixed content" issue, even if I cached all images.

I was able to solve the problem by unchecking "Always display image attachments" and "Do not embed images" for all the feeds.

Hope it helps

Regards

Re: HTTPS for login only

Postby JustAMacUser » 17 Apr 2015, 20:50

Ahh.. You're right. Enclosures aren't cached. I forgot about that because I have a custom plugin that overrides how enclosures are handled.
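
As an added example (not written by any poster in this thread and not TT-RSS code), this Python scanner checks one article's HTML for `http://` subresources and sorts them into the two mixed-content classes the thread touches on: passive (images, audio, video), which browsers have generally displayed with a warning, and active (scripts, iframes, stylesheets, plugins), which they block on an HTTPS page. The sample HTML and its hostnames are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource. Per the W3C Mixed Content
# categories, images/audio/video are "optionally blockable" (passive);
# scripts, frames, stylesheets and plugins are "blockable" (active).
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"),
          ("object", "data"), ("link", "href")}


class MixedContentScanner(HTMLParser):
    """Collects http:// subresources found in one article's HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (category, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return  # only stylesheet links load a subresource
        for name, value in attrs.items():
            url = value.strip()
            if not url.lower().startswith("http://"):
                continue  # https://, data: and relative URLs are not mixed content
            if (tag, name) in ACTIVE:
                self.findings.append(("active", tag, url))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, url))


def scan(article_html):
    """Return the mixed-content findings for one article body."""
    scanner = MixedContentScanner()
    scanner.feed(article_html)
    scanner.close()
    return scanner.findings


# Constructed sample: an article body as a reader served over HTTPS would embed it.
SAMPLE = """
<p>Read <a href="http://blog.example/post">the post</a></p>
<img src="http://cdn.example/photo.jpg">
<img src="https://cdn.example/ok.png">
<iframe src="http://video.example/embed/1"></iframe>
<script src="http://ads.example/t.js"></script>
"""

if __name__ == "__main__":
    for category, tag, url in scan(SAMPLE):
        print(f"{category:8} <{tag}> {url}")
```

Plain `<a href>` links are navigation, not subresource loads, so the scanner does not flag them.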

