How Stack Overflow Flipped the Switch on HTTPS

by Anita Taylor

on

As of today, Stack Overflow now deploys HTTPS by default on StackOverflow.com — as well as the hundreds of Q&A communities that make up our Stack Exchange network. We now redirect all traffic to https://, and Google links will change over the next few weeks.

Sounds simple, right?

But getting to this point has taken years of work. Four years, to be exact.

Nick Craver, Stack Overflow architecture lead, documents this journey on his personal blog in the post, HTTPS on Stack Overflow: The End of a Long Road. He offers a detailed, comprehensive look at the technical issues that make Stack Overflow’s rollout unique, as well as the steps we took to solve them.

Nick says, “While Stack Overflow is not unique in the problems we faced along the way, the combination of problems is fairly rare. I hope you find some details of our trials, tribulations, mistakes, victories, and even some open source projects that resulted along the way to be helpful.”

>> Read Nick’s post

  • Interesting read. Thanks for sharing your experiences!

  • Anonymous

    Ironically, in a post about deploying HTTPS, both of the links to Nick Craver’s Blog are using http :-/
    (it does redirect to https {thankfully}, but still, the links here should be https from the start)

    • Anita Taylor

      Doh! We just fixed this.

  • Barry Margolin

    This impacted a bunch of Chrome extensions that I use, because the URLs saved in their preferences no longer match.

    Stack Exchange Deleted Answer Manager forgot my settings, I had to reset them.

    stackexchange-tab-editing didn’t work at all, because its default list of web sites just lists http: URLs.

    AutoReviewComments has forgotten my saved comments.

    • Benjol
    • All of these are external tools that the SO team has no control over. You can’t expect them to support this.

      • Lev19_34

        I think the point was “your actions make my life miserable”, not “fix this or else”. It is good to know that actions have (unintended) consequences. We can all learn.

    • Yep – totally understood and we expected a few of these. There’s just honestly very little we can do. The only action path we have here is try and find every plugin/extension/userscript that anyone has written and ask them to make it protocol agnostic (at least in the http:// -> https:// direction, the opposite has security concerns depending on the functionality). Unfortunately, that’s just not a reasonable thing we can do.

      Bits like this we are aware of though – after all we’re a community of mostly developers. That’s why we try and post on metas and tweet opening that things like this are coming, where we’re testing first, etc. Our hope is that many authors can see and adjust for changes here. Though we don’t support these plugins, we’re definitely not trying to actively break them. But unless we never wish to add any new functionality, some amount of this is unavoidable.

  • Edoardo Ceccarelli

    it just does not feel right to me to spend so much effort in rendering an encrypted version of a website that is public …by mission(?)

    • That was one reason why it has taken us so long to move to HTTPS (cost vs benefits). But now with HTTP2 we seeing better performance, Google includes HTTPS in page rank, and HTTPS prevents bad ISPs/proxies from injecting content into the plaintext responses (something more common that you would think). We also have found that many of the IoT botnets don’t work very well against TLS endpoints (missing cipher support, etc), so just keep in mind that HTTPS is not only about the encryption.

      • Edoardo Ceccarelli

        so it isn’t only cause “Google is including HTTPS in page rank”? 🙂

        https IS about encryption, it is http over SSL / TLS, etc. and unless there is something you want to hide to the proverbial man in the middle attack it is just a useless – and very verbose – encoding. As for http2 ex spdy aka another google lab protocol, then the title of this post would have been “How Stack Overflow Flipped the Switch on HTTP/2” – but it is not, cause everybody knows that the driving force of this https mania is just the page rank algorithm.
        I have been wondering about the reasons behind google’s decision, since reading this post, and my personal opinion is that the only useful thing that has to be SSL’d is – once again – human behaviour, navigation habits, that in such a very large scale, everybody wants to hide and protect :/

        • disqusivus

          As a pentester who routinely injects malicious code into unencrypted http responses, I hope everyone agrees with you.

          • Edoardo Ceccarelli

            well i said what you told me to say didnt I? 🙂

            PS: yes, that is the only good true reason for https, even though a bit overkill IMHO (128 bit SSL to protect javascript (?!))

        • > cause everybody knows that the driving force of this https mania is just the page rank algorithm.

          No it’s not. And we’re actively telling you that. As stated in the article *we have no idea what impact it even makes*. Google won’t tell you. It helps sell the idea to others, but it’s a total unknown. We still don’t know.

          What *do* we know? Dev, mod, and user actions should be encrypted. People don’t want their web history tracked. People don’t want ads injected by their ISPs. People like better performance (HTTP/2). People like using less mobile data (HTTP/2).

          If you don’t want to believe anything we say, fine. But none of your assertions make sense. Why would we be spending significant effort on the HTTP/2 side of things if all we cared about is encryption or page rank? HTTPS is simply the first thing you have to do to get to most HTTP/2 features, because browser makers decreed it so. If that wasn’t the case, we’d have deployed HTTP/2 first and worked on SSL/TLS second.

          • Edoardo Ceccarelli

            I do believe in everything you say Mr Craver, I am aware of the importance of data privacy and protection and my intent has got nothing to do with denying that these are all very important matters. My assertions do make sense if you decide to look a bit farther away… but it’s quite evident that you will not.

            The article is very informative and full of good practices, most of them I will follow to get Yet Another Web Site into the HTTPS era

  • kbielefe

    Next step: IPv6?

    • Coenraad Loubser

      Their platforms probably already support that so not nearly as big a deal 🙂

    • When it’s worth it – yep. It’s a non-trivial amount of work with firewalls, code, logging, bot prevention, spam detection, etc. that some people don’t consider. The network stack (BGP, firewalls, HAProxy bindings) isn’t *that* big, but the whole deal is.

      It’s just not a priority compared to more important things we’re working on at the moment. I could lie and say we’re actively working on it…but that’d just be a lie.

  • bagas 23
  • Draco18s

    Interesting read even if I didn’t actually understand about half of it.

    Also.

    Pickles.

    • Stephen Ostermiller

      I fell asleep three times reading that article.

      • Draco18s

        I only feel asleep once (because I started reading yesterday).

  • mark vr

    How are you using HTTP/2 with Haproxy? My understanding is that this isn’t yet implemented http://discourse.haproxy.org/t/http-2-support-in-1-7/927

    Do you have another proxy in front of it? You mention that you removed nginx though…

    • At present, you’re HTTP/2 to Fastly and then HTTPS (1.1) back to us. We’ll be rolling out HAProxy support for HTTP/2, push, etc. as soon as it’s ready. It’s about 4 months out as of the last update I’m aware of.

  • Alex

    Its not just adding sertificate to nginx and setting HSTS?

  • Interesting discussion. Every website now seems to have to use https agara website we are safe

    http://www.livi.co.id/en/brands-products/detail/42/Livi-Eco-Facial-Refill-Pop-Up-1000-gr