Dynamic avatars HTTP vs HTTPS

Anonymous
Not applicable

Can @jaread83 now move the community avatars to use HTTP instead of HTTPS, so that @Chris's uncached avatar doesn't take 3.7 seconds to download?

[10:37:29.272] GET https://community.plus.net/t5/image/serverpage/image-id/27i739A9B9D4F4E96C3/image-dimensions/64x64?v=v2 [HTTP/1.1 304 Not Modified 3705ms]

Or is the method of serving files another inaccessible feature of the Lithium platform?

Why on earth are avatars encrypted?

Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: I hate dynamic avatars

Perhaps because some browsers gripe about mixed HTTP and HTTPS.

Anonymous
Not applicable

Re: I hate dynamic avatars

If that is the case, then make this entire forum HTTP only, and use HTTPS for the login page.

There is no need for a fully public forum to be entirely encrypted.

jaread83
Community Gaffer
Posts: 3,438
Thanks: 2,336
Fixes: 81
Registered: ‎22-02-2016

Re: I hate dynamic avatars

Going OT here @Anonymous but changing the protocol isn't something that I can do. I looked into it on the Lithium community and they give an explanation as to why content is served over SSL:

One thing to keep in mind is that every browser reacts differently when a secured page contains non-secured content, which is known as a mixed content warning. Internet Explorer will block the non-secured content on the page and display a message giving the user the option to continue blocking the non-secured content or allow it. Firefox 22 and under display non-secured content and display no error or options, but Firefox 23+ now block all non-secured content on the page. Chrome, like Firefox 23+, completely blocks all non-secured content and provides the user with no option to unblock it.

How bad this is really depends on what you have on your community that isn't secured. If your login page has styling or content that's non-secured, that could present a problem that prevents users from being able to authenticate. In order to avoid these issues you'll want to ensure all of your hard-coded links in the admin and studio are either using relative paths or are hard-coded to use HTTPS. If you have external references, you'll need to ensure wherever they're hosted has SSL so you can use a secured link (e.g.: if you're referencing external assets from http://www.google.com/ you need to use https://www.google.com/, which will only work if the external site itself has SSL).

So what is your reasoning for wanting the site to be served up over the unsecure HTTP protocol? If it's the speed, I have tested with a throttled connection and I can get the homepage in 4 seconds; after caching it loads in under 2 seconds, and this is with a throttled connection to 2mb DSL.

Frontend Web Developer | www.plus.net

If you have an idea to improve the community, create a new topic on our Community Feedback board to start a discussion about your idea.
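The advice quoted above (keep hard-coded links relative or on HTTPS) can be checked mechanically. This is an added example, not code from the thread or from Lithium; the host names and the sample page are constructed, and the active/passive labels follow the usual browser distinction between content that can alter the page and content that is only displayed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# "Active" content can change the whole page; "passive" content is only displayed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page (hypothetical hosts under example.test).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/skin.css">
<link rel="stylesheet" href="/skins/base.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://forum.example.test/avatars/64x64.png">
<img src="/t5/image/avatar.png">
<a href="http://www.example.test/">plain link, not a subresource</a>
</body></html>"""


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as page content here
        for attr, value in attrs.items():
            if value is None or (tag, attr) not in ACTIVE | PASSIVE:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            resolved = urljoin(self.page_url, value)
            if urlsplit(resolved).scheme == "http":
                kind = "active" if (tag, attr) in ACTIVE else "passive"
                self.findings.append((kind, tag, resolved))


def audit(page_url, html):
    """List http:// subresources on an https:// page; empty for an http page."""
    if urlsplit(page_url).scheme != "https":
        return []
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for finding in audit("https://forum.example.test/t5/board", SAMPLE):
        print(finding)
```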

Anonymous
Not applicable

Re: I hate dynamic avatars

Several reasons -

It seems to take an awful amount of CPU time to render these web pages on my relatively old and low powered machines, presumably because the browser has to unnecessarily decrypt EVERYTHING.  This must be a very compute intensive task - especially with dozens of page elements to process.

If the page elements were HTTP then the decryption processing would be eliminated.

I use multiple and varied machines on my network, so use a network level HTTP caching proxy to dramatically improve the apparent performance of my slow rural ADSL connection.

Using HTTPS only means that network level caching is rendered useless.

Using HTTPS bypasses some anti-virus and anti-malware tools.

Using HTTPS effectively means that your browser is connecting with a 'trusted' network and by definition the content can be trusted to be safe.  However the Plusnet forum contains user provided content such as images, which could be maliciously infected by the user, uploaded to the forum, then served as 'trusted' as part of a forum webpage.

Using HTTP for forum pages would mean that ALL content on those pages CAN be checked by local anti-virus and anti-malware tools - because the content is exposed and not hidden in encryption (which makes the file content invisible).

My benchmark is eBay, which is mostly HTTP, is much more complex than this forum to render, and takes about a fifth of the time to build a page, works with my HTTP caching, and doesn't have issues with mixed HTTP/HTTPS content.

jaread83
Community Gaffer
Posts: 3,438
Thanks: 2,336
Fixes: 81
Registered: ‎22-02-2016

Re: I hate dynamic avatars

I have requested that these posts are moved over to a new thread as we are going way OT here.

Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: I hate dynamic avatars

Anonymous wrote:

I use multiple and varied machines on my network, so use a network level HTTP caching proxy to dramatically improve the apparent performance of my slow rural ADSL connection.

As the posts about the slowness aren't commonplace, are you at all able to test with a direct connection to the router excluding any other network devices such as the proxy?

Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
Anonymous
Not applicable

Re: I hate dynamic avatars

A month ago I did try a connection which bypassed my non-typical network features (such as the HTTP caching proxy, firewall, DNS server, etc), the result was at best the same and was typically two seconds slower.

I will also re-iterate, that it is ONLY this forum website that has caused me ANY issues like this, in the three or four years that I have been using my current network configuration.

30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: ‎18-02-2013

Re: I hate dynamic avatars

I don't cache anything on this test machine, but I do use host file blocking network wide.

I think you will find eBay takes 11 odd seconds to load and connect/wait times are longer too!

Strat
Community Veteran
Posts: 31,320
Thanks: 1,609
Fixes: 565
Registered: ‎14-04-2007

Re: I hate dynamic avatars

Moderator's Note

Off topic posts split to their own thread.

Windows 10 Firefox 109.0 (64-bit)
To argue with someone who has renounced the use of reason is like administering medicine to the dead - Thomas Paine
Anonymous
Not applicable

Re: I hate dynamic avatars

jaread83 wrote:

There are reasons why HTTPS is being used and all plus.net websites have moved (or are in the process of moving) over to that protocol. I could get an official statement from our IT security team or the community team to get a proper explanation as to why this is but as it stands we will not be moving back over to HTTP.

I would be interested to hear the official reasoning for making this forum and main Plusnet website unnecessarily take in the order of FIVE times longer to load, than it used to with HTTP.

The now noticeable sluggishness of the main Plusnet website is disappointing (when it used to be perfectly fine) but at least it isn't really much of an interactive website compared to this forum where the HTTPS latency is near unbearable on slow high latency rural 20CN ADSL.

VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: I hate dynamic avatars

Why does a public forum require https security?

"In The Beginning Was The Word, And The Word Was Aardvark."

Anonymous
Not applicable

Re: I hate dynamic avatars

So you can't be subjected to a man-in-the-middle attack and have your password stolen.

Anonymous
Not applicable

Re: I hate dynamic avatars

Which is fine on the LOGIN page, but unnecessary on ALL the rest of the website!

Anonymous
Not applicable

Re: I hate dynamic avatars

@Anonymous - Nope, sorry I would have to disagree there. A secure login is reassuring but if the HTTPS were removed from that point forward while you were doing your online banking how confident would you be in using it?

Yes, I know what you're thinking: that's a bank, totally different, but is it? A lot of sites use hidden form fields and cookies that contain sensitive data in order to maintain session state with the user and the server, and it is in the user's interest that this data be transferred in an encrypted manner (HTTPS).

P.S. Have a look at the source of this page.
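The point about session cookies in the post above can be made concrete by modelling which cookies a browser attaches once pages after login are served over plain HTTP. This is an added example, not code from the thread or from this forum's platform; the cookie names, values and host are constructed, and only the Secure attribute is modelled (same host, path "/").

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers from a hypothetical HTTPS login response.
LOGIN_RESPONSE_COOKIES = [
    "SESSION_A=4f1c9e; Path=/; HttpOnly",          # no Secure flag
    "SESSION_B=a07d22; Path=/; Secure; HttpOnly",  # Secure flag set
]


def parse_cookies(set_cookie_headers):
    """Parse Set-Cookie header values into {name: Morsel}."""
    parsed = {}
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        parsed.update(jar.items())
    return parsed


def cookies_for_request(url, set_cookie_headers):
    """Cookies a browser would attach to a later same-host request to `url`.

    Only the Secure attribute is modelled: a Secure cookie is withheld
    from http:// requests, every other cookie goes out on both schemes.
    """
    is_https = urlsplit(url).scheme == "https"
    return {
        name: morsel.value
        for name, morsel in parse_cookies(set_cookie_headers).items()
        if is_https or not morsel["secure"]
    }


def cleartext_exposed(set_cookie_headers):
    """Names of cookies that would cross the network unencrypted on HTTP pages."""
    return sorted(cookies_for_request("http://forum.example.test/", set_cookie_headers))


if __name__ == "__main__":
    print("sent over HTTPS:", cookies_for_request(
        "https://forum.example.test/board", LOGIN_RESPONSE_COOKIES))
    print("sent in cleartext on HTTP pages:", cleartext_exposed(LOGIN_RESPONSE_COOKIES))
```

A login-only HTTPS design has to leave the session cookie without Secure so that the HTTP pages can still identify the user, which is exactly the cookie this reports as exposed.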