topic Re: I hate dynamic avatars in Community Site Feedback

Dynamic avatars HTTP vs HTTPS

Anonymous — Wed, 01 Jun 2016 11:28:31 GMT

Can @jaread83 now move the community avatars to use HTTP instead of HTTPS, so that @Chris's uncached avatar doesn't take 3.7 seconds to download ?

[10:37:29.272] GET https://community.plus.net/t5/image/serverpage/image-id/27i739A9B9D4F4E96C3/image-dimensions/64x64?v=v2 [HTTP/1.1 304 Not Modified 3705ms]

Or is the method of serving files another inaccessible feature of the Lithium platform ?

Why on earth are avatars encrypted ?

Re: I hate dynamic avatars

Oldjim — Wed, 01 Jun 2016 10:11:42 GMT

perhaps because some browsers gripe about mixed http and https

Re: I hate dynamic avatars

Anonymous — Wed, 01 Jun 2016 10:15:16 GMT

If that is the case, then make this entire forum HTTP only, and use HTTPS for the login page.

There is no need for a fully public forum to be entirely encrypted.

Re: I hate dynamic avatars

jaread83 — Wed, 01 Jun 2016 10:46:49 GMT

Going OT here @Anonymous but changing the protocol isn't something that I can do. I looked into it on the Lithium community and they give an explanation as to why content is served over with SSL:

One thing to keep in mind is that every browser reacts differently when a secured page contains non-secured content, which is known as a mixed content warning. Internet Explorer will block the non-secured content on the page and display a message giving the user the option to continue blocking the non-secured content or allow it. Firefox 22 and under display non-secured content and display no error or options, but Firefox 23+ now block all non-secured content on the page. Chrome, like Firefox 23+, completely blocks all non-secured content and provides the user with no option to unblock it.

How bad this is really depends on what you have on your community that isn't secured. If your login page has styling or content that's non-secured, that could present a problem that prevents users from being able to authenticate. In order to avoid these issues you'll want to ensure all of your hard-coded links in the admin and studio are either using relative paths or are hard-coded to use HTTPS. If you have external references, you'll need to ensure wherever they're hosted has SSL so you can use a secured link (e.g.: if you're referencing external assets from http://www.google.com/ you need to use https://www.google.com/, which will only work if the external site itself has SSL).

So what is your reasoning for wanting the site to be served up over unsecure HTTP protocol? If its the speed, I have tested with a throttled connection and I can get the homepage in 4 seconds, after caching it loads in under 2 seconds and this is with a throttled connection to 2mb DSL.

Re: I hate dynamic avatars

Anonymous — Wed, 01 Jun 2016 11:19:47 GMT

Several reasons -

It seems to take an awful amount of CPU time to render these web pages on my relatively old and low powered machines, presumably because the browser has to unnecessarily decrypt EVERYTHING. This must be a very compute intensive task - especially with dozens of page elements to process.

If the page elements were HTTP then the decryption processing would be eliminated.

I use multiple and varied machines on my network, so use a network level HTTP caching proxy to dramatically improve the apparent performance of my slow rural ADSL connection.

Using HTTPS only means that network level caching in rendered useless.

Using HTTPS bypasses some anti-virus and anti-malware tools.

Using HTTPS effectively means that your browser is connecting with a 'trusted' network and by definition the content can be trusted to be safe. However the Plusnet forum contains user provided content such as images, which could be maliciously infected by the user, uploaded to the forum, then served as 'trusted' as part of a forum webpage.

By using HTTP for forum pages would mean that ALL content on those pages CAN be checked by local anti-virus and anti-malware tools - because the content is exposed and not hidden in encryption (which makes the file content invisible).

My benchmark is eBay, which is mostly HTTP, is much more complex than this forum to render, and takes about a fifth of the time to build a page, works with my HTTP caching, and doesn't have issues with mixed HTTP/HTTPS content.

Re: I hate dynamic avatars

jaread83 — Wed, 01 Jun 2016 11:24:36 GMT

I have requested that these posts are moved over to a new thread as we are going way OT here.

Re: I hate dynamic avatars

Chris — Wed, 01 Jun 2016 11:27:17 GMT

I use multiple and varied machines on my network, so use a network level HTTP caching proxy to dramatically improve the apparent performance of my slow rural ADSL connection.

As the posts about the slowness aren't commonplace, are you at all able to test with a direct connection to the router excluding any other network devices such as the proxy?

Re: I hate dynamic avatars

Anonymous — Wed, 01 Jun 2016 11:37:51 GMT

A month ago I did try a connection which bypassed my non-typical network features (such as the HTTP caching proxy, firewall, DNS server, etc), the result was at best the same and was typically two seconds slower.

I will also re-iterate, that it is ONLY this forum website that has caused me ANY issues like this, in the three or four years that I have been using my current network configuration.

Re: I hate dynamic avatars

30FTTC06 — Wed, 01 Jun 2016 12:41:04 GMT

I dont cache anything on this test machine. but I do use host file blocking network wide.

I think you will find ebay takes 11 odd seconds to load and connect/wait times are longer too!

Re: I hate dynamic avatars

Strat — Wed, 01 Jun 2016 12:55:10 GMT

Moderators Note

Off topic posts split to their own thread.

Re: I hate dynamic avatars

Anonymous — Fri, 03 Jun 2016 15:09:19 GMT

jaread83 wrote:

There are reasons why HTTPS is being used and all plus.net websites have moved (or are in the process of moving) over to that protocol. I could get an official statement from our IT security team or the community team to get a proper explanation as to why this is but as it stands we will not be moving back over to HTTP.

I would be interested to hear the official reasoning for making this forum and main Plusnet website unnecessarily take in the order of FIVE times longer to load, than it used to with HTTP.

The now noticeable sluggishness of the main Plusnet website is disappointing (when it used to be perfectly fine) but at least it isn't really much of an interactive website compared to this forum where the HTTPS latency is near unbearable on slow high latency rural 20CN ADSL.

Re: I hate dynamic avatars

VileReynard — Fri, 03 Jun 2016 18:35:23 GMT

Why does a public forum require https security?

Re: I hate dynamic avatars

Anonymous — Fri, 03 Jun 2016 20:02:10 GMT

So you can't be subjected to a man in middle attack and have your password stolen.

Re: I hate dynamic avatars

Anonymous — Fri, 03 Jun 2016 20:04:47 GMT

which is fine on the LOGIN page, but unnecessary on ALL the rest of the website !

Re: I hate dynamic avatars

Anonymous — Mon, 06 Jun 2016 08:31:41 GMT

@Anonymous - Nope, sorry I would have to disagree there. A secure login is reassuring but if the HTTPS were removed from that point forward while you were doing your online banking how confident would you be in using it?

Yes I know what you're thinking, that's a bank totally different, but is it? A lot of sites use hidden form fields and cookies that contain sensitive data in order to maintain session state with the user and the server and it is in the users interest that this data be transferred in an encrypted manner (HTTPS).

P.S. Have a look at the source of this page.

Re: I hate dynamic avatars

Anonymous — Mon, 06 Jun 2016 09:49:20 GMT

I don't disagree that there is a time and a place for using HTTPS, what I do have an issue with is that HTTPS handshaking takes 4 to 10 times longer to transfer than normal HTTP. Therefore if you are unfortunate enough to be stuck on a slow and high latency 20CN ADSL connection (like me), then navigating an entirely HTTPS website is like browsing in treacle.

It is possible to make entirely HTTPS website performance faster, by doing clever ticks keeping sessions open, etc, but those tricks work better with more static websites, and are much more difficult to achieve on webpages which contain high percentages of dynamic content. Where it becomes an issue, is where there are a succession of HTTPS fetches, each taking a long time to transfer (because of multiple HTTPS handshakes * latency) so the overall effect is that the page takes a long time to build.

If it "is in the users interest that this data be transferred in an encrypted manner (HTTPS)", then what is there on this public forum (other than logging in, and possibly the user settings) which need to be hidden (during browsing) which doesn't appear in the public domain that any old Tom, Dick, Harry, or NSA can see by simply using their web browser ?. If you look at eBay for example, that is a much more complex website than this, they only use HTTPS for pages which need to be secure, but for most of the time such as looking for items or viewing your private watch list, those pages are HTTP and page loading or refreshing is very fast. Our previous forum was HTTP with a secure login, that was also fast, and there were no issues with user privacy back then.

If all entirely HTTPS websites had such dire page loading times as this, then I would accept that nothing could be done. But the fact is that I visit such pages all the time, and while they are slightly slower to load, they are not so slow as to cause the slightest frustration, after all that is the nature of using the internet - some sites are blazing fast and others take a little while to load. With this forum though, there are frequent times when I have to remember to count to twenty before pressing the next button, because the page load hasn't completed in the background, and the page suddenly reformats and the buttons move or the cursor is no longer in the box where I had started typing. It is ONLY this website which causes me these issues, so what can Plusnet do to make this forum usable to all their customers ?.

Re: I hate dynamic avatars

VileReynard — Mon, 06 Jun 2016 13:09:15 GMT

I wonder what the performance is like for the very few people who actually use the site over a mobile 3G connection?

(I don't actually know what 3G means as I don't have a mobile).

Re: I hate dynamic avatars

Anonymous — Mon, 06 Jun 2016 13:12:00 GMT

@VileReynard - 3G simply means 3rd Generation of the protocol used on the phones, so as it gets better we've now moved to 4G.

Re: I hate dynamic avatars

jaread83 — Mon, 06 Jun 2016 13:32:36 GMT

I use my mobile 3G and 4G connection on this community with no problems at all. 3G connection is a bit slow and I get 1 bar of connection when I am at home (thanks Three /s) but the community still loads quite quickly even under those circumstances.

Re: I hate dynamic avatars

Anonymous — Mon, 06 Jun 2016 13:53:54 GMT

@jaread83 - I think you and I both know that you can take what a mobile phone's 'signal meter' says with a bit more than a pinch of salt.