Please enable HTTPS on osv.io

[hexagonrecursion]

Hello. Your website osv.io is unfortunately currently only available over an old insecure protocol (HTTP). Please make it available over a modern secure HTTPS protocol (HTTP over TLS).

Since 2016 anyone can get a free TLS certificate with automated renewals and no strings attached from a non-profit certificate authority Let's_Encrypt.

I know HTTPS is not perfect, but it is (to my knowledge) the best tool to protect the integrity of your website and the security of your users that is widely deployed today.

[nyh]

It turns out that http://osv.io/ is published by "github pages" from https://github.com/osv-io/osv-io.github.io and github does support https (see https://docs.github.com/en/pages/getting-started-with-github-pages/securing-your-github-pages-site-with-https).
With the current setup it does server HTTPS - see https://osv.io/ - but with a wrong certificate belonging to *.github.com instead of "osv.io".

I don't know why we have this problem - https://github.blog/2018-05-01-github-pages-custom-domains-https/ suggests that custom domains should automatically get the correct SSL certficiate. What could we have done wrong there?

By the way,

1. I don't seem to have write access to https://github.com/osv-io/osv-io.github.io or its configuration - @wkozaczuk do you have it? Can you please add me?
2. I don't have control over the osv.io DNS entries - to prove to "Let's Encrypt" that I own the domain. I don't know if I need it (the github documentation suggests I don't, if the IP address is already correctly set), but if I do, I wonder who has it. Maybe @wkozaczuk @tzach @dorlaor know.

[nyh]

Thanks to @dorlaor I now have write access to the osv-io project.

The settings page that I can now finally access told me that "your domain is not properly configured to support HTTPS", but didn't explain what the problem is. https://nikhilshares.medium.com/publishing-github-page-website-on-a-custom-domain-with-https-enforcement-c034e1e53415 solved the mystery:

If you have published site before June 2016 and you’re using an A record that points to 192.30.252.153 or 192.30.252.154, you’ll need to update your DNS settings for your site to be available over HTTPS or served with a Content Delivery Network.

And sure enough, this is exactly what our osv.io DNS entries point to :-)

I think what we need to do is to remove these A entries, and instead have a single CNAME entry, to osv-io.github.io

@dorlaor, who can modify the DNS of osv.io?

[wkozaczuk]

Based on the search ( https://www.domain.com/whois/whois/?utm_source=google&utm_medium=genericsearch&gclsrc=aw.ds&gclid=EAIaIQobChMI5rmHmKHm9AIV9AaICR0LUQFbEAAYBSAAEgL6XPD_BwE&search=osv.io) the provider is https://www.101domain.com/.

…

On Wed, Dec 15, 2021 at 3:56 AM nyh ***@***.***> wrote: Thanks to @dorlaor <https://github.com/dorlaor> I now have write access to the osv-io project. The settings page that I can now finally access told me that "your domain is not properly configured to support HTTPS", but didn't explain what the problem is. https://nikhilshares.medium.com/publishing-github-page-website-on-a-custom-domain-with-https-enforcement-c034e1e53415 solved the mystery: If you have published site before June 2016 and you’re using an A record that points to 192.30.252.153 or 192.30.252.154, you’ll need to update your DNS settings for your site to be available over HTTPS or served with a Content Delivery Network. And sure enough, this is exactly what our osv.io DNS entries point to :-) I think what we need to do is to remove these A entries, and instead have a single CNAME entry, to osv-io.github.io @dorlaor <https://github.com/dorlaor>, who can modify the DNS of osv.io? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1181 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABINEIJK6ZSEP2FVWSM4Y23URBJ23ANCNFSM5KCX5X7A> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[nyh]

Ok, https://osv.io/ now works.

To fix it I needed to set the A records of osv.io to the same ones as osv-io.github.com (unfortunately it's not possible to set a CNAME on apex domain, and our DNS provider doesn't support ANAME or ALIAS), and then it was necessary to remove in github page's setting the "osv.io" domain name and re-create it, which caused (about an hour later) the SSL certificate to be created. It now works.

There's one problem remaining: https://osv.io/ looks bad. At first glance, it looks like the CSS comes from http://, and this is not allowed. We need to use relative paths, or alternatively always pick up the CSS from https://, not http://.

[nyh]

Ok, after I removed a silly and unnecessary <base href="..."> from the header, https://osv.io/ now looks completely normal, so I'm closing this issue.

There's still room for improvement - my browser still tells me some of the images on the page are not retrieved with HTTPS. We can fix this later. I can't make heads or tails from the "Jekyl" system used to build this site, or even understand who runs it (github?)...

[nyh]

Ok, I fixed the last remaining HTTP request on the main page (a dead image from the Mikelangelo project), and now https://osv.io/ fully works, without warnings.

Here's one remaining problem: The _config.yml lists url: http://osv.io and most of the links of the site use this and absolute URLs - instead of relative links as they should. I think the fix should be to use relative links, not changing this "url". Anyway, I don't know enough Jekyll to start fixing it and in particular, I don't know how to test my changes before making them live on the site. In any case, this site probably needs a much bigger overhaul than just making the links better, so I'l leaving this for now.

[wkozaczuk]

@nyh I will try to fix some of these issues.