86 Comments

  • osteopathic1 - Monday, September 18, 2017 - link

    Great news.
    Also I earned $3,000 just by clicking on banners.....
    Just kidding, I guess even HTTPS cannot get rid of those people.
  • StormyParis - Monday, September 18, 2017 - link

    Hey! I *want* my employer to know I'm reading AT, jigs up my tech cred!
  • DanNeely - Monday, September 18, 2017 - link

    They still do. The DNS lookup and Anandtech's IP are still done in the clear. They just can't see the contents of the page themselves unless their Big Brotherware setup includes installing a MITM certificate on your computer so they can scan all HTTPS traffic before it reaches your computer.
  • prophet001 - Monday, September 18, 2017 - link

    Your employer is already breaking the encryption at the firewall.
  • schizoide - Monday, September 18, 2017 - link

    That isn't possible, unless they installed a cert on his desktop of course.
  • DigitalFreak - Monday, September 18, 2017 - link

    It's called a proxy
  • Billy Tallis - Monday, September 18, 2017 - link

    A corporate proxy doesn't have the private keys necessary to third-party outside websites. They can only intercept if the client devices within the corporate network are configured to unconditionally trust the corporate proxy, which is accomplished by installing a certificate on those desktops. If you connect your personal machine through such a corporate network, the proxy's attempts to interfere will trigger scary warnings from your browser about the server presenting an invalid or untrusted certificate.
  • bcronce - Tuesday, September 19, 2017 - link

    You can't transparently proxy without installing a cert on the client; otherwise your ISP/Government/whatever could trivially intercept HTTPS via a proxy.
  • jordanclock - Tuesday, September 19, 2017 - link

    As someone who manages firewalls with web filtering, I can tell you that unless you have a matching cert on both the proxy and the host, any attempts at deep packet inspection will result in every page giving a cert warning and breaking apps that use HTTPS.
  • prophet001 - Tuesday, September 19, 2017 - link

    Why would you think an employer wouldn't install a certificate on their own machines?

    Also, why would you expect an employer to allow unfettered access from anyone's random personal "questionable subject material consumption" machine?
  • ZeDestructor - Wednesday, September 20, 2017 - link

    Because my employer has a modicum of trust in their employees perhaps?
  • prophet001 - Wednesday, September 20, 2017 - link

    Bad idea.

    On average employees are far too ignorant of the hazards involved in the internet.
  • prophet001 - Wednesday, September 20, 2017 - link

    Not to mention that when they want you to think they're "suuuuper busieee!! and can't get to nuffinnn rn!!" they're really wasting time on facebook.

    -_-
  • ZeDestructor - Wednesday, September 20, 2017 - link

    Doesn't matter what the employee is doing as long as it's 1. not illegal and 2. gets the work done on time. I feel sorry that all your employers have been micromanaging asshats and that all your employees/colleagues can't be trusted to do the work they're paid to do within expected timeframes.
  • Azethoth - Tuesday, September 19, 2017 - link

    Even then, most browsers are starting to do certificate pinning, so good luck with that shitty MITM cert.

    At best the official corporate browser, hacked for surveillance, will work.
  • prophet001 - Tuesday, September 19, 2017 - link

    Is there something you don't want your employer to see?
  • nowayandnohow - Monday, September 25, 2017 - link

    We have.

    - Tech department
  • darwinosx - Monday, September 18, 2017 - link

    Those people are their because they pay Anandtech to be there.
  • damianrobertjones - Tuesday, September 19, 2017 - link

    Are they 'there', or they are somewhere else? After all their knowledge of the situation is vital.
  • schizoide - Monday, September 18, 2017 - link

    Question, if Google hadn't announced that they will negatively rank all unsecured sites, would you have gone to the effort to do this?
  • Ryan Smith - Monday, September 18, 2017 - link

    Yes. It's something I've wanted to do for a while now - and something we needed to do because of the user comment system. We actually planned to do this earlier in the year, but prototyping and some other factors changed our approach (and our timeline).
  • Threska - Monday, September 18, 2017 - link

    Not sure what the comment system has to do with HTTPS; maybe keeping ISPs from spying on our comments.
  • Ryan Smith - Monday, September 18, 2017 - link

    Because the comment system requires login credentials, which need to be passed over an encrypted connection.
  • schizoide - Monday, September 18, 2017 - link

    Well, I worked on sites with non-encrypted frontends and embedded secure comments, it isn't a problem. There's that wordpress comment plugin everybody hates, and Discourse will do it also.

    Not to detract from the importance of encrypting _everything_ for privacy's sake of course. And Google pagerank!
  • Gothmoth - Monday, September 18, 2017 - link

    hope some day you will make a decent comment system too.. because this one is a shame..
  • peevee - Tuesday, September 19, 2017 - link

    Or just switch to Disqus instead of reinventing the wheel. Not that a decent comment system is terribly hard to make (or hard at all), but this one and many others, even at large organizations, are so ridiculously poor... I don't know where they hire product managers for such features... day laborers' sites?
  • jimbo2779 - Tuesday, September 19, 2017 - link

    I understand the thinking that it would be good to have more controls over the comment section; I actually don't care if these features aren't there. When you add media support you end up with a bunch of meme posting as opposed to the, generally, meaningful conversations that go on in this comment section.
  • Shlong - Wednesday, September 20, 2017 - link

    I had a friend who ran a fairly large site around 3-4 years ago. When he ran Disqus, for decent controls they wanted him to pay $3,000 a month for enterprise software; with the free version you get basic admin controls, but he needed the ones in the payment plan. He got rid of it with a quickness.
  • darwinosx - Monday, September 18, 2017 - link

    It's kind of funny anandtech thinks this is a thing when many sites did it a long time ago.
  • schizoide - Monday, September 18, 2017 - link

    Probably took them a ton of work, and they aren't making a huge deal out of it, just telling their community.
  • shabby - Monday, September 18, 2017 - link

    It's not just a check box feature you turn on and off?
  • Ian Cutress - Monday, September 18, 2017 - link

    "While today’s update is transparent at the user level, a lot of work was necessary on the backend to make this as seamless as possible and to make it work with third-party content (ads, JS libraries, etc)."
  • willis936 - Monday, September 18, 2017 - link

    I would love to know why it would take a ton of work. I know extremely little about site hosting and was able to get an autorenewing cert through acme easier than I got a php server running.
  • T.Duncan - Monday, September 18, 2017 - link

    For a simple site, https is easy. If you have ads or other content coming from other providers or from domains you don't control, then not so much. For a very detailed explanation of the fun that can be had, see https://nickcraver.com/blog/2017/05/22/https-on-st...
  • Ryan Smith - Monday, September 18, 2017 - link

    This is the first time I've seen that specific writeup, but yes, that's a rather apt summary of many of the things we had to account for. Local content wasn't too bad; it's the third-party content that made things interesting.
  • Threska - Monday, September 18, 2017 - link

    That was the same reason Arstechnica gave for not having HTTPS for non-paying customers.
  • Notmyusualid - Tuesday, September 19, 2017 - link

    +47,000.

    Good link / story.
  • Samus - Monday, September 18, 2017 - link

    Give credit where credit is due, AT is a small operation, even when considering their corporate arm. Most small business websites, especially those with less than 50 employees, and even those running complex databases, are still on HTTP. Most people only switch to HTTPS when implementing eCommerce.
  • FreckledTrout - Monday, September 18, 2017 - link

    TomsHardware still hasn't switched to HTTPS, which I find rather ironic since they advocate its use and are a pretty large tech site. Thanks for switching, AT.
  • Wolfpup - Monday, September 18, 2017 - link

    Nice! Hey, doesn't hurt.
  • jjj - Monday, September 18, 2017 - link

    VigLink has an expired certificate, not sure it's not a time zone thing though.
  • meacupla - Monday, September 18, 2017 - link

    It's a nice upgrade, but the commenting on Anandtech is still very far behind other sites.

    Can I edit my comments? nope
    Can I quote/refer to specific comments? not really
    Do lengthy threads become split over multiple pages and also become difficult to decipher where it starts and ends? yep
  • Ryan Smith - Monday, September 18, 2017 - link

    "Can I edit my comments? nope"

    The inability to edit comments is intentional.
  • Threska - Monday, September 18, 2017 - link

    Hackaday does the same thing.
  • DanNeely - Monday, September 18, 2017 - link

    I understand that letting people edit comments well after the fact opens up a lot of potential abuse cases; but every second or third significant comment thread here has at least one person making followup replies to themselves a minute or two after first posting because they typoed or posted before completing, or etc. A limited window for editing would fix most of the problems with not having it at all, but still prevent people from editing in abusive content into comments after they've aged out of human inspection.
  • mkaibear - Tuesday, September 19, 2017 - link

    ...or, for example, a "show original" button which displays if the comment has been edited, or an automatic edit moderation policy (I mean how many comments does AT have on their articles - I think the max I've seen is 400 a day when we had a confluence of articles a few weeks ago), or any one of a number of different ways you can allow edits yet retain accountability for original content.

    ...or, y'know, just make sure you get it right first time. ;)
  • Chugworth - Monday, September 18, 2017 - link

    Excellent! We wouldn't want anyone to be eavesdropping on which tech news articles we're reading.
  • Threska - Monday, September 18, 2017 - link

    It's all that tech porn we all watch. ;-p
  • peevee - Monday, September 18, 2017 - link

    Mandatory HTTPS is a huge waste of computing resources, including battery life. You are not a bank.
  • extide - Monday, September 18, 2017 - link

    Ehh, pretty much all mobile SoCs do hardware encryption offload these days so it's really negligible.
  • schizoide - Monday, September 18, 2017 - link

    Yes, HTTPS is essentially free these days. It isn't 2004.
  • SteelRing - Monday, September 18, 2017 - link

    Gee, glad my comments are now protected and encrypted.... lol.... what's left for all those hackers out there now that anandtech is gone secure.... :P
  • kirsch - Monday, September 18, 2017 - link

    Finally!
    Now how about an EV certificate?
    https://en.wikipedia.org/wiki/Extended_Validation_...
  • erple2 - Tuesday, September 19, 2017 - link

    EV? This isn't a bank, the cost isn't worth it.
  • Arbie - Monday, September 18, 2017 - link

    Now if we can only get rid of the idiotic "pander panel" at the bottom. You know... titillating trash from around the web... The kind of thing Anandtech viewers are likely to want.
  • Ryan Smith - Monday, September 18, 2017 - link

    So it's a bit of a mixed blessing in the long run.

    AnandTech's philosophy for a long time has been that if we take, we must also give. So if the ads are made any "worse", then you guys need to get something out of it. It's what's allowed us to offer features such as print view, which has far fewer ads attached to it since it's a single page.

    Overall I would prefer not to have RevContent there. However it's what paid for this project, along with other projects to come. So I hope you guys feel like you're getting something from it.
  • Threska - Monday, September 18, 2017 - link

    Maybe Piratebay's bit-mining might be an alternative.
  • jospoortvliet - Tuesday, September 19, 2017 - link

    I find the revcontent stuff not too annoying. I do wonder, considering the stupidity of most ads, how they make money... ;-)
  • mapesdhs - Tuesday, September 19, 2017 - link

    Just please don't ever do what toms has done, their home page is now terrible, endless popup notifications, broken post voting, forum link busted, login is weird, etc.
  • ZeDestructor - Wednesday, September 20, 2017 - link

    I'd happily fork over a bit for a subscription instead of ads, FWIW.
  • WatcherCK - Monday, September 18, 2017 - link

    Like Hudson says " I feel safer already..."
  • HardwareDufus - Friday, September 22, 2017 - link

    Weird,
    WindowsCentral and TomsHardware launch complete Website redos this week... and AnandTech launches all encrypted all the time.

    The Connection? Purch! Handles Ad Revenue for all 3 sites. Folks, we've reached the end.
  • Gothmoth - Monday, September 18, 2017 - link

    wow and maybe in 3 years you are able to get a decent comment system.. you know one with editing function.....
  • mapesdhs - Tuesday, September 19, 2017 - link

    Ryan said this was intentional, but not why. Ryan, what's the rationale here? Is there evidence that whatever it is you want to prevent happens on other sites that do have editing? If so, can you cite some examples? I just hate posting stuff with typos. :D
  • NuclearMusic - Monday, September 18, 2017 - link

    This is great! Thanks Anandtech!
  • olivaw - Monday, September 18, 2017 - link

    Interesting that the certificate has many alternate subject names (below). Is it the provider or CDN that holds the private key?
    *.toptenreviews.com
    *.dignifyed.com
    *.laptopmag.com
    *.tomshardware.fr
    *.newsarama.com
    *.tomsguide.com
    *.tomshardware.de
    *.space.com
    *.buyerzone.com
    *.shopsavvy.com
    *.business.com
    *.tomsguide.fr
    *.businessnewsdaily.com
    *.livescience.com
    *.activejunky.com
    *.anandtech.com
    *.tomshardware.com
    *.tomsitpro.com
    *.tomshardware.co.uk
    *.purchxapp.com
    *.purch.com
    *.assets.purch.com
    purch.com
    www.purch.com
  • Olafgarten212 - Monday, September 18, 2017 - link

    These are all sites owned by Purch (Anandtech's Parent Company) so they are most likely using the same certificate for all of their sites.
  • Ryan Smith - Monday, September 18, 2017 - link

    Bingo.
  • FreckledTrout - Tuesday, September 19, 2017 - link

    Hopefully your sister site TH follows suit not only on HTTPS but some basic design decisions (should see what they switched to last week, ugh it's fugly).
  • DanNeely - Monday, September 18, 2017 - link

    Probably not. EV certificates are - intentionally - a PITA to get. A normal cert just requires a basic automated check that you control the website. EV certs require extensive human in the loop checking to make sure that you work for/own the company that controls the web site and aren't a criminal gang impersonating the actual owners/administrators.
  • Threska - Monday, September 18, 2017 - link

    Maybe something CCleaner could have used?
  • IndianaKrom - Monday, September 18, 2017 - link

    Please tell us you aren't using the same Symantec root certificate that Google is going to stop trusting in Chrome 66 around April 2018...
  • Ryan Smith - Monday, September 18, 2017 - link

    We are not using an affected certificate. Google is only distrusting certificates before June 1st, 2016. (Our certificate was issued on August 2nd, 2017)
  • DanNeely - Tuesday, September 19, 2017 - link

    Google has backed down a lot on the initial ban hammer, which would've forced all of Symantec's customers (and since they owned several of the biggest CAs that was a lot of sites) to find a new CA entirely. Symantec has sold its certs business to Digicert, who will be able to issue new certs for all of the remaining Symantec customer base by not later than December 1 of this year. That means that former Symantec customers will just need to expedite deploying new certs to keep their sites running.

    https://www.digicert.com/blog/digicert-to-acquire-...
    https://security.googleblog.com/2017/09/chromes-pl...
  • Tadashi130 - Monday, September 18, 2017 - link

    I'm glad this happened. Good job.
  • CharonPDX - Tuesday, September 19, 2017 - link

    Damn, no more browsing AnandTech on my Macintosh SE running Netscape Navigator 2.0.....
  • twotwotwo - Tuesday, September 19, 2017 - link

    Could be the placebo effect, could be the HTTP/2 and SPDY that are HTTPS-only, but it feels like stories load a tiny bit more snappily now!
  • jimbo2779 - Tuesday, September 19, 2017 - link

    Ryan, just an FYI; Images aren't loading on Windows Mobile 10.

    I know this probably makes up a vast majority of your userbase so figured you should be notified right away :)
  • jimbo2779 - Tuesday, September 19, 2017 - link

    I spoke too soon, they are showing now.
  • mark53916 - Tuesday, September 19, 2017 - link

    Nice thate you are HTTPS, but the "login form" is insecure according to Chrome running on Windows 7. The message even appears when you haven't actually clicked to login. This has been going on for more than a year.
  • mapesdhs - Tuesday, September 19, 2017 - link

    "thate" - typo! This is a crim against humonity, it wil guilt your soul forever, you'll never liv it down, SJWs will cry its hate speech, edit it out asap! Oh, wait... nevre mind... ;)

    Hmm, if AT had post editing & voting, not sure I'd bother much with toms anymore.
  • DanNeely - Tuesday, September 19, 2017 - link

    Caching problem? On Win7 Chrome and FF are both showing the logins for comments and the forum as secure for me.
  • Ryan Smith - Tuesday, September 19, 2017 - link

    "Caching problem?"

    That's my thought. We're configured to redirect all HTTP to HTTPS; it's not possible to even view the site in an insecure manner.
  • Toadster - Wednesday, September 20, 2017 - link

    I'm waiting till all Anandtech has full VPN connectivity :)
  • FourEyedGeek - Friday, September 22, 2017 - link

    Good work, I love the improvements to the comment section as well.
  • ballsystemlord - Saturday, September 30, 2017 - link

    I'm still getting a "this page only partially delivers https content" message. Browser is Firefox 55. Using the HTTPS Everywhere plugin.
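
Added example, not part of the comment thread and not AnandTech's code: several comments above put the migration effort down to third-party content, and one reports a "partially delivers https content" message. This sketch scans an HTTPS page's HTML for resources still referenced over plain HTTP; the page URL, hostnames and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content can rewrite the page, so browsers block it when it is
# requested over HTTP from an HTTPS page. Passive content is typically
# still loaded but downgrades the page to "partially secure".
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        elif tag == "form":
            kind, attr = "form", "action"  # credentials would be posted in clear
        else:
            return
        # Only stylesheet links are fetched as subresources; rel=canonical etc. are not.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        raw = a.get(attr)
        if not raw:
            return
        # Relative and protocol-relative (//host/x) URLs inherit the page's scheme.
        url = urljoin(self.page_url, raw.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def scan(page_url, html):
    """Return HTTP references on an HTTPS page; an HTTP page has no mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (hypothetical hosts).
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://news.example/article">
<script src="http://ads.example.net/tag.js"></script>
<script src="//cdn.example.org/lib.js"></script>
</head><body>
<img src="http://img.example.net/banner.png">
<form action="http://news.example/login" method="post"></form>
<iframe src="https://video.example.org/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan("https://news.example/article", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```
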
