Three.js: Https for webpage

Created on 25 Nov 2015  ·  25 Comments  ·  Source: mrdoob/three.js

threejs.org is a custom domain pointing at a github hosted page (gh-pages). It does not currently serve on https://.

Here is a mega-thread on getting SSL for gh-pages: https://github.com/isaacs/github/issues/156
During the course of this thread, github shipped SSL for directly accessed gh-pages, but this does not work for custom domains without some extra work.

some suggestions from the thread are


What are the benefits of https in this case?

  • using threejs.org as a cdn from an https site (can't go https->http), though there are better solutions for that
  • the main one is man-in-the-middle protection. If you visit any http website, someone can mess with the website, insert trackers, etc. My ISP has been known to do this. Welcome to dystopia :skull: ! We should consider the http web deprecated.

> My ISP has been known to do this. Welcome to dystopia :skull: !

Yep, all HTTP sites get tampered with by many ISPs today. And occasionally, weaponized by a nation state! It's a nightmare out there -- a nightmare HTTPS puts to an end. :)

HTTPS doesn't solve every ill, but it removes the ISP as an actor in a bunch of important ways. Making it the default very much does reassert the web as a collection of empowered endpoints, and restores the idea that the internet interprets censorship as damage and routes around it.

I'd suggest Let's Encrypt (https://letsencrypt.org). Free and soon available (open beta next week) :)

@mrdoob

> What are the benefits of https in this case?

it will work when browsers drop http. they are already turning features off for http. read more here or here if you missed the news.

Only tangentially relevant, but if you haven't heard of IPFS, check it out -- it is an elegant reworking of how we handle sending data over the internet

I second cloudflare. You can set everything up and add an enforce https page rule in about half an hour. And it's free.

Okay, let's summarize. CloudFlare describes the advantages of SSL like this:

  • Security: ensure that no one is intercepting web traffic
  • Trust: by displaying a green lock image, the website increases visitors’ trust
  • Search ranking boost: Google ranks sites that have SSL higher in search results
  • Regulatory compliance: financial institutions and web stores that work with credit cards must comply with regulations and adopt SSL on their websites

Besides, @makc mentioned another important reason. In the future, some JavaScript functionalities will only work with a secure origin. The following three.js example already reports a respective warning with Chrome.

_The deviceorientation event is deprecated on insecure origins, and support will be removed in the future. You should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details._

So it definitely makes sense to switch to SSL.

you can already go to https version at https://mrdoob.github.io/three.js/

ah, I see you're aware of that, sorry

Right, i mean the domain threejs.org. That's the primary domain for google and many other web pages...

@ashconnell I have also had good experiences with CloudFlare. Setup is easy and SSL works as expected :+1:

Bumping this topic as it's still not fixed. I know there is a big GitHub topic discussing the implementation of HTTPS for custom domains: https://github.com/isaacs/github/issues/156. However, I don't think waiting for something "to maybe be implemented" is a valid reason to delay implementing HTTPS.
Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has now become commonplace. Today, there is no such thing as non-sensitive web traffic, and public websites, even if completely static like threejs.org, should not depend on the benevolence of network operators.

> What are the benefits of https in this case?
https://scotthelme.co.uk/still-think-you-dont-need-https/ :+1:

Google is also known to show websites supporting HTTPS higher up in the search results which could boost three.js popularity. I strongly recommend CloudFlare as I have only had good experience with them and I run several sites that are currently hosted on Pages and routed through CF. :smiley:

> Google is also known to show websites supporting HTTPS higher up in the search results which could boost three.js popularity.

because being #1 google hit is clearly not good enough

> because being #1 google hit is clearly not good enough

Setting up CloudFlare takes less than 10 minutes. Instead we have gotten an 8-month-long conversation about it. Someone is yet to bring up an argument against HTTPS, and seeing as the many benefits clearly outweigh the non-existing consequences, why not just get it fixed and we can move on?

> less than 10 minutes

there is a guy just outside my house selling milk. I bet I could go out and buy it in less than 10 minutes, too. sounds like compelling reason to do it )

> selling

You missed an important point; HTTPS is completely free. I don't know about you but if someone was offering me _free milk_ then I would gladly accept. I have nothing against milk but I would like to stick to talking about HTTPS in this thread. I would like it if it did not get closed for being too off-topic. :stuck_out_tongue:

The last time I used CloudFlare it broke stuff because it didn't handle some file formats properly. So even if it takes 10 minutes, it may have side effects.

Besides, I don't yet trust CloudFlare...

Another host to consider for free+ssl threejs.org is firebase (owned by Google). It is really simple to set up a custom domain and they will get you a free SSL certificate.

Interesting...

(I originally filed a dupe of this issue at #9753, so I'm moving my comments here.)

HTTPS will soon be required in WebVR-capable browsers. It'd be awesome if http://threejs.org was served from https://threejs.org. See the WebVR spec issue and @toji's blog post for more info.

Since http://threejs.org is already being served from GitHub Pages, I'd recommend using CloudFlare's free tier service as a reverse cache proxy + CDN (which includes best-in-class perf server settings [gzip, SDCH, HTTP/2, sane Cache-Control and E-Tag headers, etc.]), free HTTPS (TLS) support, server-side page rules (to force HTTPS and add server-side redirects), among other awesome options.

Here's a walkthrough I wrote of how to set up GitHub Pages + CloudFlare.

FYI, Let's Encrypt is great, but it appears GitHub Pages isn't supported just yet.

@mrdoob: per your comment above, do you remember which issues you encountered? I haven't seen any or heard of any reports of issues, but let me know, and I can try to help to track them down.

Sweet, thanks so much!

My response:

https://goo.gl/BhG2sp

yay https
