The Tech Report now uses HTTPS across the board

This was a triumph!
I'm making a note here: Huge success!
It's hard to overstate my satisfaction.

… And if you have no idea where that's from, you should be ashamed of yourself. It is with utmost pleasure that we report that after today's downtime, The Tech Report supports HTTPS connections across the entire site. If you have no idea what that means, then take notice of the green padlock icon in your address bar and know that that's a Good Thing.

Although a simple icon isn't much to talk about, this was quite a big production behind the scenes. As it turns out, "just changing the links" isn't something that is as quickly accomplished as it is described, and doing HTTPS like we wanted required some meaty server software upgrades, something that complicated matters further. At least we got performance improvements and serious RAM savings out of this work—all so we can serve you gerbils better, of course.

We also tried our best to avoid mixed content warnings in the main site. That is, if you're visiting a secure page that contains images or other elements that aren't secure, browsers will let you know about it, or at least not show the padlock icon indicating full security. Seeing as we have articles dating back the better part of two decades, we took some measures to make sure that at least the vast majority will show up as fully secure in the browser.
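
An added example (not The Tech Report's own tooling) of how a site operator could sweep archived article HTML for the mixed content described above: it reports subresources that carry an explicit http:// scheme and separates blockable (active) loads, which browsers refuse, from display-only (passive) ones, which cost the page its padlock. The sample page and its hostnames are constructed.

```python
from html.parser import HTMLParser

# Blockable ("active") vs display-only ("passive") subresource attributes.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for each subresource requested over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, kind, tag, url):
        # Only explicit http:// counts; relative and //host/path URLs inherit https.
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if (tag, name) in ACTIVE:
                self._check("active", tag, value)
            elif (tag, name) in PASSIVE:
                self._check("passive", tag, value)
        # <link> is treated as active content when it pulls in a stylesheet.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            self._check("active", tag, attrs.get("href"))
        # srcset holds comma-separated "url descriptor" candidates.
        for candidate in (attrs.get("srcset") or "").split(","):
            if candidate.split():
                self._check("passive", tag, candidate.split()[0])


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample of a legacy article page (hostnames are placeholders).
SAMPLE = """<link rel="stylesheet" href="http://static.example.com/old.css">
<script src="//cdn.example.com/lib.js"></script>
<a href="http://example.org/review">outbound link, not a subresource</a>
<img src="http://img.example.com/chart.png" srcset="https://img.example.com/chart-2x.png 2x">
<iframe src="HTTP://video.example.com/embed/1"></iframe>"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Plain `<a href>` links are navigation rather than subresources, so they are deliberately not reported.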

By the way, you may be thinking something along the lines of "gosh, but people have been logging in insecurely, and what about the subscriptions?" Let it be known that our forums, user logins, and subscriptions pages were already secured with HTTPS—that protection simply didn't extend to the main site until now.

Everything is looking okay for now, but there might be a gremlin or two somewhere. If you spot a mixed-content page in the main site, or if you come across any oddities, let us know. We're also interested to know how the site speed feels—same, better, or (hopefully not) worse. Let us know in the comments section, and enjoy your green padlocks.

Comments closed
    • strangerguy
    • 2 years ago

    Dat S.

    • JDZZL
    • 2 years ago

    Hooray for security, lots of work and not much visible payoff but thanks for getting it done!

    • tanker27
    • 2 years ago

    GAH FINALLY!

    /snark 😛

    • mongoosesRawesome
    • 2 years ago

    Nice work! Any chance for a full write up of what went into making this happen?

      • usernam3
      • 2 years ago

      + why you didn’t go with free (and just fine for the site) letsencrypt CA but rather opted for godaddy?

        • Jigar
        • 2 years ago

        I agree, I am confused with Techreport’s decision here, they went with a Domain validated certificate and for that letsencrypt would have been the same (it's free compared to Godaddy). Yes it would make more sense for them to go with Godaddy if they went with an Organisation validated certificate, but that's not the case here.

          • UberGerbil
          • 2 years ago

          Does GoDaddy support Let’sEncrypt? The website I do for a charity had to change hosting plans (same host, different plan) to get that support, so it’s also possible their hosting didn’t allow it?

            • Jigar
            • 2 years ago

            Any hosting provider can support any CA authority’s SSL certificate.

          • morphine
          • 2 years ago

          Guys, I don’t get why you’re all hung up on the Godaddy certificate heh. A cert is a cert, unless the CA has some sort of issue, which is not the case here.

          And I wouldn’t use Letsencrypt for the main site (we use them on the dev instances) because the certs last 90 days and need to be periodically renewed. Or, at least, not when regular SSL certs are affordable.

            • DancinJack
            • 2 years ago

            +1

            • chuckula
            • 2 years ago

            I have some big problems with Letsencrypt because they push the incorrect agenda that merely because a certain data connection is “encrypted” in-flight that means that the data connection is “secure”.

            By handing out certificates like candy they basically let anybody* produce an encrypted connection that fools people into thinking it's "secure" merely because when you try to snoop on the data in flight it looks encrypted. Once again repeating the age-old fallacy that "OMG ENCRYPTED" is the same thing as "magically secure".

            * Where "anybody" pretty much includes criminals or even the OMG EVIL NSA WHO SPIES ON YOU NIGHT AND DAY BECAUSE THEY DON'T HAVE ANYTHING BETTER TO DO! Because encrypting data in-flight buys you very little real "security" when the certificate system is so loosy goosy that damn near anybody could be on the other end of the connection and you really don't know that they are legit.

      • morphine
      • 2 years ago

      We probably won’t post a full writeup, but let’s just say that this move involved updating some server software, which led us fairly deep into Linux dependency hell. And as anyone that’s ever managed a web server will tell you, *any* software change will cause issues, no matter how "backwards compatible" everything claims to be.

        • chuckula
        • 2 years ago

        Are you using Centos or another major commercial distro?
        Did you need to deal with non-standard package versions that aren’t just a part of the default distro?

          • morphine
          • 2 years ago

          Yes and yes, though we’re not using just any random repo.

            • chuckula
            • 2 years ago

            I feel your pain. I try to stick to the vanilla packages whenever possible but I have had situations where I’ve had to manually compile servers + associated libraries to do some non-standard operations and it’s often a giant PITA.

        • MOSFET
        • 2 years ago

        With all the questions and curiosity on the topic, a sanitized write-up sounds like a good idea. Of course, I would be on the reading end of it, and I realize that well-written articles don’t write themselves.

          • Ummagumma
          • 2 years ago

          It would be interesting to hear how the TR staff are dealing with the added load of SSL encryption/decryption on any web server /web site implementation.

          There are many ways to handle that task and I would be interested in reading which approach TR selected and why.

            • chuckula
            • 2 years ago

            Step 1: Upgrade to EPYC!

            Step 2: THERE IS NO STEP 2!

        • Jigar
        • 2 years ago

        Generating a CSR and updating server settings including new cipher suites setup is a tough job for a first timer. I agree.

        EDIT: BUT BUT scoring an “A” in Qualys Lab test – Awesome.

    • Sahrin
    • 2 years ago

    Good because a few months ago I got the web clap while reading a particularly steamy CPU review on TR.

    • JoeKiller
    • 2 years ago

    Thank you for supporting our privacy.

      • Jigar
      • 2 years ago

      Thank you for using SSL *wink* / NSA

    • derFunkenstein
    • 2 years ago

    Great work. I haven’t found anything broken over the last day or so, and using HTTPS is always a good thing.

    • UberGerbil
    • 2 years ago

    It’s too bad that protocol-relative URLs (ie //foo/bar rather than http://foo/bar or https://foo/bar) didn't get more strongly promoted and better supported in page-building software back in the day; it would've made this whole transition much easier.

      • morphine
      • 2 years ago

      True, and legacy code is a PITA.

    • dragmor
    • 2 years ago

    https://jobs.techreport.com/ has a bad certificate. Wrong domain.

      • DancinJack
      • 2 years ago

      The cert is for jobthread.com it appears. Get on it, Bruno! (kidding)

      • derFunkenstein
      • 2 years ago

      bump – Chrome doesn’t want me to go to that site, so it’s probably not seeing the traffic it should otherwise.

        • morphine
        • 2 years ago

        *Ackshually*, we were about to remove that link in the menu bar, as the partnership is no longer in place. This is as good a time as any. Poof, it's gone.

          • derFunkenstein
          • 2 years ago

          I stand corrected – it was seeing *more* traffic than it should. LOL

    • Chrispy_
    • 2 years ago

    Sweet.

    I run a WordPress intranet; It’s useful, large and pretty but it’s also effortlessly awful and I know it. Here’s the worst part – I couldn’t be bothered to make a new VM so it’s on IIS and MySQL.

    Staying on top of how to keep a public-facing external website secure is a lot of work, so I’m glad you guys are looking out for us.

    • zzing123
    • 2 years ago

    Well done!

    A couple of other things just to fine tune the HTTPS though, according to your SSL Labs report: https://www.ssllabs.com/ssltest/analyze.html?d=techreport.com&s=96.126.115.201

    1. Seriously, GoDaddy 4 TR?! We'll just rib you for that.
    2. Add support for TLS 1.3, even though it's still a beta spec. Well done for choosing TLS-only connections though.
    3. Remove the 3 cipher options using DES/3DES, because they're not going to break compatibility with old browsers and help no one: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA
    4. Add HTTP/2 functionality in Apache (https://httpd.apache.org/docs/2.4/howto/http2.html), so we can get techpr0n down more efficiently.
    5. Your HSTS config is 30 days – this is best removed until you are *very* confident about all your links being modified to HTTPS, then add the cookie for 180 days.

      • DancinJack
      • 2 years ago

      So, you wanna pay for it? 🙂

      • dragosmp
      • 2 years ago

      +1

      I have to add, godaddy, dang what a missed opportunity. Luckily there are ways to migrate from them quite painlessly, so I can only hope as little of your cash as possible would flow to their accounts.

      • morphine
      • 2 years ago

      1) As I posted in another comment, a certificate is a certificate 🙂
      2) It’s not time for that yet. It’s tricky enough to get negotiation and ciphers right as it is.
      3) Under review for some point in the future.
      4) We do have HTTP/2 support, but the protocol negotiation depends on OpenSSL, and the distro we’re using is stuck on an older (but patched) version. It’ll change at some point in the future, again.
      5) You mean 30 *seconds* 🙂

    • Klimax
    • 2 years ago

    Reminder for RSS users: Don’t forget to switch from Feedburner to Techreport’s own RSS service. (Otherwise initial URL is without HTTPS)

    • mcarson09
    • 2 years ago

    I’m glad you got it done, but I’m saddened that it took so long. You guys also picked a good time to do it though.

      • just brew it!
      • 2 years ago

      At least the login page and forums have been secure for a good while. As noted in the article, this just extends it to the rest of the site.

      If I had to guess, it was probably starting to hurt traffic (and ad revenue). Google has been de-prioritizing non-HTTPS pages in their search results for a while.

    • jackbomb
    • 2 years ago

    Welp, time to get off of IE 5.5.

      • dragosmp
      • 2 years ago

      I advise FF 52esr

      /s or not – XP is still a perfectly good OS

        • bthylafh
        • 2 years ago

        No, no it is not. The only exception is if your XP machine is completely cut off from any network.

      • Jigar
      • 2 years ago

      What ? That’s the most secure Browser ever. Hackers get confused when they face old school browsers. /s

    • tsk
    • 2 years ago

    Any plans to update the site and clean up the interface a bit?
    All the tabs you really need are ‘Reviews’ ‘News’ ‘Forum’ ‘About Us’ (This particular tab is in special need of an update)

      • mcarson09
      • 2 years ago

      You sound like you are volunteering. I like the layout as it is really. Did you ever see that train wreck of a site called Engadget after the latest redesign? Don’t mistake functional with out of date.

        • just brew it!
        • 2 years ago

        Yeah, the Ars redesign really sucked too. It sucked less after they re-designed the re-design.

        • derFunkenstein
        • 2 years ago

        I also like the layout as it is. I’m hardly a designer or even have much of an eye for design, but I’d go for more straight edges and less rounded-ness. Probably nothing more than a couple CSS tweaks. But at that point, why bother?

        • EzioAs
        • 2 years ago

        THG totally put me off when they redesigned 5-6 years ago. The guys at TPU are pretty good with their updates though because they did it incrementally.

    • Scolasticus
    • 2 years ago

    Enjoying the green padlocks. Accessing from New Zealand, possibly the site is a bit snappier in loading. Yes, testing with a few more pages I think it is faster. The banner ads on the right are usually the last to open, but that is only about 1 sec after the rest of the page.

      • just brew it!
      • 2 years ago

      At least some (if not all) of those are likely being served by a 3rd party ad network.

    • The Dark One
    • 2 years ago

    Thank you, TR!

    • DragonDaddyBear
    • 2 years ago

    Wonderful job. We put all of our business partners through ssl tests before we do contracts and what not as part of our rush assessment. Rarely do they earn a top score as you have. Well done! Here is the proof. https://www.ssllabs.com/ssltest/analyze.html?d=techreport.com

      • morphine
      • 2 years ago

      We’d earn a higher score if we didn’t “have” to support older browsers. But c’est la vie.

        • mcarson09
        • 2 years ago

        Well nobody should be using internet explorer.

          • K-L-Waster
          • 2 years ago

          True… but nobody should be smoking, crashing into telephone poles, or listening to Justin Bieber either…

            • Redocbew
            • 2 years ago

            Listening to Justin Bieber is way worse than using IE.

          • dragosmp
          • 2 years ago

          And yet, after 20 years of avoiding it, I am now – yes corporate policy. IE with no privacy options, just endlessly freezing to load trackers is a horrible experience on most sites, TR is okay; still, if you expose yourself to downgrade attacks just to allow for IE, maybe it’s not the best idea.

    • ronch
    • 2 years ago

    The Next Big Thing™ is here.

    • bthylafh
    • 2 years ago

    Well done, bravo zulu.

    • chuckula
    • 2 years ago

    Here’s the last message from the old website: "Daisy, Daisy, give me your answer do. I'm half crazy all for the love of you. It won't be a stylish marriage, I can't afford a carriage. But you'll look sweet upon the seat of a bicycle built for two."

      • Ummagumma
      • 2 years ago

      Where is David Bowman when you need him?

    • TwoEars
    • 2 years ago

    Seems alright: https://www.sslshopper.com/ssl-checker.html#hostname=https://techreport.com/news/32878/the-tech-report-now-uses-https-across-the-board Have some cake.

      • tacitust
      • 2 years ago

      The cake is a lie.

    • nanoflower
    • 2 years ago

    I didn’t recognize the opening phrase without the music behind it. Also not said with the robotic voice. 😉 Finally there was no mention of cake. 🙁

    Congratulations on the switch over. I’m quite aware of how much work can be involved.

      • Neutronbeam
      • 2 years ago

      Phffffffffft! And you call yourself a gamer! I bet your Zelda tattoo completely washes off!

        • nanoflower
        • 2 years ago

        Zelda? What pray tell is that? An old girl friend’s name? 😉

    • Forge
    • 2 years ago

    All humans report to the testing station for debugging and washing.

      • LostCat
      • 2 years ago

      Maybe I want to bug and dewash instead.

      Awesome work on that note, whoever’s to blame!

      • mcarson09
      • 2 years ago

      Pull my finger!
