(RESOLVED) Will it ever be implemented? HTTPS

All that jazz

7,632 posts

146 months

Tuesday 24th January 2017
James Drake said:
Regarding how straightforward the implementation is, I have absolutely no idea. Also, I'd suggest that gathering information on Web Development from a motoring forum is perhaps an inefficient way to educate yourself on the subject to a degree that you feel that you can draw conclusions like this.
One does not need to possess a degree in web development to know that it doesn't take 12+ months to implement https on a website.

I notice you avoided my question about who is the current Head Developer. Rather than continually referring to the generic "development team" wouldn't it be better to have the Head Developer respond to the members' concerns right here in this thread and explain to us why 11 months on since the move to https was started (see RacingPete's post from 24 February 2016 in this thread : "We are currently, and have been, working on a project to move the whole site to HTTPS") it still has not been implemented.

Why is no-one being held accountable and why are no heads rolling?

bitchstewie

51,264 posts

210 months

Tuesday 24th January 2017
James FWIW I don't really care about the HTTPS issue simply because I'm savvy enough not to entrust you with any sensitive info.

The fascinating bit here is the communication which seems to be either non-existent or "defensive" to be charitable when it does come.

Honestly, the replies don't reflect especially well on Haymarket.

dmsims

6,527 posts

267 months

Tuesday 24th January 2017
James why can't you get this done?

Who is "stopping" it from being done?

Why won't they do it?

You can waste loads of development on a badly designed and frankly crap new "test" home page - it's bizarre beyond belief

0000

13,812 posts

191 months

Tuesday 24th January 2017
All that jazz said:
11 months on since the move to https was started (see RacingPete's post from 24 February 2016 ...
Even March 2015 or before - see the "not before" date on the wildcard certificate the PH server is currently offering (somewhat uselessly though as it redirects to http in curiously ad hoc places and suffers mixed content warnings).

James Drake

2,670 posts

117 months

PH TEAM

Tuesday 24th January 2017
SonicShadow said:
Fair enough, I mean it's not like you've had years to sort this out or anything!
No arguments from me on this. As I've already said:

James Drake said:
.....we can agree on the fact that HTTPS should have been prioritised and should have been implemented ages and ages ago.....
Not sure what else I can say as we're going around in circles.

All that jazz said:
I notice you avoided my question about who is the current Head Developer. Rather than continually referring to the generic "development team" wouldn't it be better to have the Head Developer respond to the members' concerns right here in this thread and explain to us why 11 months on since the move to https was started (see RacingPete's post from 24 February 2016 in this thread : "We are currently, and have been, working on a project to move the whole site to HTTPS") it still has not been implemented.
I just didn't answer as I don't see how it will resolve the situation any further. I'd really like the development team to be more involved in the forums and have requested it several times as I believe it was better when we had Pete to respond to technical questions. Sadly they're not all that keen.

All that jazz said:
Why is no-one being held accountable and why are no heads rolling?
Are they not?

bhstewie said:
the communication which seems to be either non-existent or "defensive" to be charitable when it does come.
I'm not quite sure how you can say the communication is either non-existent or defensive. Whilst we've been inconsistent with replying, we've been involved in this thread since it started. Any lack of replies is - as I've already said - purely down to a lack of information to share. And as for being defensive, you can't have read what I've said.

You want answers but then are annoyed when we have no answers to give you. You want honesty but you do not recognise candour. I'm not sure how we can really move forwards to be honest as we're clearly damned if we do and damned if we don't.

Dan_1981

17,396 posts

199 months

Tuesday 24th January 2017
I think the issue is James that people want to see a resolution.

This thread & the phonesafe thread are both issues which should be addressed, but the impression people get is that no-one is bothered about them.

"You know if it was advertising revenues it'd be fixed overnight" - Is probably not too far from the truth.

That may not be your fault - this issue due to the developers & the other no doubt down to the advertising team - neither of whom you have direct control over.

Unfortunately you are the corporate face of PH - the person the users can talk to, shout at or blame.

The responses & admissions seem to amount to "yes I agree with you all, but there's nothing I can do about it" the users have no-one else to complain to so we keep coming back at you.


As an aside - I do think communication & responses have been much better in the past - without mentioning names, there was always a corporate rep on the forums & also a community manager who seemed to provide more complete updates & progress reports. (They may or may not have been accurate but people felt they were getting the detail?) maybe?

James Drake

2,670 posts

117 months

PH TEAM

Tuesday 24th January 2017
dmsims said:
James why can't you get this done?
If you mean me personally, I'm not a web developer. If you mean PH generally, it is being done.

dmsims said:
Who is "stopping" it from being done?
I don't believe there is any one person physically "stopping it" from being done, unless there is something you know that I don't?

dmsims said:
Why won't they do it?
I think they will, but just not when we'd have liked it to be done.

dmsims said:
You can waste loads of development on a badly designed and frankly crap new "test" home page - it's bizarre beyond belief
I have no idea if the homepage was prioritised over the HTTPS implementation or if there was another factor involved.

Prizam

2,337 posts

141 months

Tuesday 24th January 2017
James Drake said:
Not sure what else I can say as we're going around in circles.
Yes we are going round in circles, because your answer to the problem is "yes, I gave the developers a kick and they are working on it".... Simply isn't good enough. Especially over the length of time that this glaring security hole has been an issue.

Either commit to fixing it or commit to failure.

dudleybloke

19,837 posts

186 months

Tuesday 24th January 2017
Use a bigger whip and increase the frequency of beatings 'till they sort it out.

Dan_1981

17,396 posts

199 months

Tuesday 24th January 2017
I get the impression they probably don't work for him....

Tonsko

6,299 posts

215 months

Tuesday 24th January 2017
Ok, Priz, I'm sure you're aware that passive info gathering is all cool. As soon as you turn it into actively using tools and skills, that is 'A person is guilty of an offence if he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised' you're basically breaking the CMA 1990. I'm sure you know this though.

One can do it of course, and I imagine it has already been done, but telegraphing it is not wise.

Unless, of course, you've been officially engaged by Haymarket to do such a thing. *hint hint*

Edited by Jack Mansfield on Wednesday 25th January 12:02

feef

5,206 posts

183 months

Tuesday 24th January 2017
They DO make it quite easy to deploy HTTPS when you stick the whole lot behind an ELB tho. They even generate the SSL cert for free. I can only imagine that it must be related to the adverts. (That being said, I don't use the ELB as I am 99% sure it caches content despite it being stated that it doesn't. So for me, deploying SSL certs was a bit more involved as I had to do it the 'old fashioned way' and manually install a cert on each instance)

Edited by Jack Mansfield on Wednesday 25th January 12:02

Prizam

2,337 posts

141 months

Tuesday 24th January 2017
Tonsko said:
Ok, Priz, I'm sure you're aware that passive info gathering is all cool. As soon as you turn it into actively using tools and skills, that is 'A person is guilty of an offence if he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised' you're basically breaking the CMA 1990. I'm sure you know this though.

One can do it of course, and I imagine it has already been done, but telegraphing it is not wise.

Unless, of course, you've been officially engaged by Haymarket to do such a thing. *hint hint*
Indeed - I won't be doing anything to jeopardise my freedom. But Haymarket did ask me to look into just how feasible such an "attack" would be... didn't they?

feef said:
They DO make it quite easy to deploy HTTPS when you stick the whole lot behind an ELB tho. They even generate the SSL cert for free. I can only imagine that it must be related to the adverts. (That being said, I don't use the ELB as I am 99% sure it caches content despite it being stated that it doesn't. So for me, deploying SSL certs was a bit more involved as I had to do it the 'old fashioned way' and manually install a cert on each instance)
I don't think they are even using ELB. Everything points to EC2... I just hope they have RDS in the background.

Adverts are not linked to the logins, I think their issues are around the inability to split out the logins from the adverts. A poorly coded site will only provision for an "all or nothing" approach to https.

Dirty solution: Layer 7 load balancer.

rscott

14,761 posts

191 months

Tuesday 24th January 2017
0000 said:
If there's something the development team are struggling with, perhaps they could ask for help here?

rscott said:
Without knowing the inner details of how current content is created (hardcoded urls, etc) it's not possible for someone to definitively state what's involved in changing the entire site to use https.
It doesn't really matter what the detail is. Even if they're hardcoded URLs everywhere that's trivial to fix. They could even just do the login page first.
Not saying it can't be done only that, from the outside, none of us know how complex changing it might be. Who knows, it could be done with a couple of sed scripts, or it could need many pages reviewing individually (as I've been doing for what seems like forever with the systems I've been working on).

I even suggested they should have done just the login page..
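
An added example, not part of any post in this thread and not the site's own code: the page-by-page review of hardcoded URLs discussed above can be partly automated by listing every `http://` reference in a page and separating those a browser blocks on an HTTPS page from those that only produce a mixed content warning. The sample HTML and its host names are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs whose http:// targets count as mixed content on an
# HTTPS page: "active" content is blocked, "passive" content loads with a warning.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect hardcoded http:// references that would break an HTTPS page."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        for attr, value in attrs.items():
            if not (value or "").lower().startswith("http://"):
                continue  # https://, protocol-relative and relative URLs are fine
            key = (tag, attr)
            rel = (attrs.get("rel") or "").lower()
            if key == ("link", "href") and "stylesheet" not in rel:
                continue  # canonical/alternate links are not fetched as subresources
            if key == ("form", "action"):
                severity = "insecure-form"  # form data (e.g. a login) sent in clear
            elif key in ACTIVE:
                severity = "active"
            elif key in PASSIVE:
                severity = "passive"
            else:
                continue  # e.g. <a href>: navigation, not mixed content
            self.findings.append((line, severity, tag, value))


def scan(html):
    """Return the mixed content findings for one HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the host names are placeholders.
SAMPLE = """<html><head>
<link rel="canonical" href="http://forum.example/topic/1">
<link rel="stylesheet" href="http://static.example/site.css">
<script src="//static.example/app.js"></script>
<script src="http://ads.example/tag.js"></script>
</head><body>
<img src="http://static.example/logo.png">
<a href="http://forum.example/other">other thread</a>
<form action="http://forum.example/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, severity, tag, url in scan(SAMPLE):
        print(f"line {line}: {severity:13} <{tag}> {url}")
```
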

All that jazz

7,632 posts

146 months

Tuesday 24th January 2017
James Drake said:
SonicShadow said:
Fair enough, I mean it's not like you've had years to sort this out or anything!
No arguments from me on this. As I've already said:

James Drake said:
.....we can agree on the fact that HTTPS should have been prioritised and should have been implemented ages and ages ago.....
Not sure what else I can say as we're going around in circles.

All that jazz said:
I notice you avoided my question about who is the current Head Developer. Rather than continually referring to the generic "development team" wouldn't it be better to have the Head Developer respond to the members' concerns right here in this thread and explain to us why 11 months on since the move to https was started (see RacingPete's post from 24 February 2016 in this thread : "We are currently, and have been, working on a project to move the whole site to HTTPS") it still has not been implemented.
I just didn't answer as I don't see how it will resolve the situation any further. I'd really like the development team to be more involved in the forums and have requested it several times as I believe it was better when we had Pete to respond to technical questions. Sadly they're not all that keen.
Well there's a surprise. Their unwillingness to engage with the community coupled with their inability to do the job they're paid to do is surely sufficient grounds for management to suggest they either buck up their ideas or seek employment elsewhere. You know, like what would happen at 99.9% of other companies.

James Drake said:
All that jazz said:
Why is no-one being held accountable and why are no heads rolling?
Are they not?
Evidently not, as we'd have had https up and running by now by whoever their replacements were.


James Drake said:
I'm not quite sure how you can say the communication is either non-existent or defensive. Whilst we've been inconsistent with replying, we've been involved in this thread since it started. Any lack of replies is - as I've already said - purely down to a lack of information to share. And as for being defensive, you can't have read what I've said.

You want answers but then are annoyed when we have no answers to give you. You want honesty but you do not recognise candour. I'm not sure how we can really move forwards to be honest as we're clearly damned if we do and damned if we don't.
You're the Head of the Community so it's up to you to get the info requested and pass it on. Saying that you can't pass it on to the community because the devs are being evasive and fobbing you off with "soon" is not something you should accept. You should be going to whoever the top gaffer is for both departments and saying "hey, I'm sick of getting a st ton of grief over this, when aren't you putting a rocket up the arse of the Head Dev to get answers on when this is going to be complete, or better still get him to answer the members directly in the thread so he can take the heat instead of me". If that ruffles some feathers then so be it.

Your LinkedIn profile says "I'm a results motivated individual" so let's see some results, James! :)

0000

13,812 posts

191 months

Tuesday 24th January 2017
James Drake said:
If you mean me personally, I'm not a web developer. If you mean PH generally, it is being done.
To misquote a little old man from a galaxy far, far away, there is no doing, only done or not done.

Thanks for the updates James, go and pester the devs' boss.

plasticpig

12,932 posts

225 months

Tuesday 24th January 2017
rscott said:
Not saying it can't be done only that, from the outside, none of us know how complex changing it might be. Who knows, it could be done with a couple of sed scripts, or it could need many pages reviewing individually (as I've been doing for what seems like forever with the systems I've been working on).

I even suggested they should have done just the login page..

The other possibility is that the current crop of developers aren't actually capable of doing it...

Anyway I suggest everyone with a concern emails data.protection@haymarket.com

Haymarket said:
11 REPORTING OF SECURITY VULNERABILITIES
Haymarket Media Group Ltd is committed to the privacy, safety and security of our customers. If you discover a potential security vulnerability, we would appreciate it if you could report it just to us in a responsible manner. Please email us at data.protection@haymarket.com and we will respond to you as soon as possible. This provides us with an opportunity to work with you and quickly address and resolve any issue. Publicly disclosing a potential vulnerability could put the wider community at risk, and therefore we encourage you to come to us first. We’ll keep you informed as we move forward with our investigations.
Lack of SSL is definitely a potential security vulnerability.

Tonsko

6,299 posts

215 months

Tuesday 24th January 2017
Probably already been posted, but PH has a week before Chrome starts wailing at you.

All that jazz

7,632 posts

146 months

Tuesday 24th January 2017
Tonsko said:
Probably already been posted, but PH has a week before Chrome starts wailing at you.
Even more reason to get it sorted this week then as the aggro in this thread will increase tenfold once Chrome starts doing that.

I bet James will be soon wishing he hadn't volunteered for the Head of Community role, if not already hehe.

PoleDriver

28,640 posts

194 months

Tuesday 24th January 2017
In the basement of Haymarket towers (where I assume PH is run from) next week.


Management to website developers... "OK guys, this has gone beyond a joke! It's taken almost a year since this HTTPS situation was highlighted and there's an angry mob out there messaging management in the website feedback forum hourly, we don't have time to keep trying to pacify them! Do something about it and do it now!"

1/2 hour later, Website developers' response... "It's OK chief, we've implemented a solution to the problem!"

Management.. "Really? Well done! In layman's terms, how did you fix it?"

Website developers... "We closed down the Website feedback forum!"

Management...