Neocities Goes HTTPS

From Penny's Pages
Jump to navigationJump to search
A simple diagram showing one benafit of HTTPS, in this case, HTTPS makes encryption more secure[1]

As posted by Kyle Drake on The Neocities Blog on 2016-11-10, it was announced that "Starting [2017-01-01], Neocities will be defaulting to SSL on all sites"[2], this meant that on New Year's Day 2017, all of the subdomains on Neocities (such as would no longer be HTTP, but would become HTTPS.

As noted in the announcement, one of the reasons chosen to switch to HTTPS was as a way to "protect your users, it's critical that we switch to default encryption and make it harder to violate your user's privacy"[3], another reason cited was thanks to search engines that have since started to "penalizing unencrypted sites in search results, meaning that without default SSL, your site will be less likely to show up on search results".

As also noted in the blog post by Kyle Dreak, webpages that uses embedded content will be effected;

Basically, anything that embeds content (such as images and videos) from a third-party site using http instead of https. For example, if you have an embedded image with <img src="> instead of <img src="> (see the s in http?). The problem is that web browsers will block loading of http content because it is considered Mixed Content. If your browser is expecting an HTTPS connection, it refuses to load any unencrypted HTTP content because it "leaks" the encryption[4].

User Reactions

An example of a user reaction would be of JeremyRedhead, who in early January 2017, in an E-Mail posted on NeoMail, wrote a how-to guide for how people should deal with the possible issues that might effect them[5], writing a guide on how to handle it;

Step 1:

Find and identify any resources (images, javascript, css, music, iframes, etc) loaded over http. Note that this also includes insecure links that open in frames.

Example: <img src=">

Note that the most important changes you must make are to javascript, css, iframes, and "frame-links". Images and music will still sometimes be loaded over http, albeit often with a complaint from the browser. However, browsers WILL NOT load any insecure javascript, css, or sites in iframes. So focus your efforts there first!

Step 2: Anything hosted on another site that supports https, just change the protocol to either https, or "relative", which loads based on the protocol the page is being used over. If it's another neocities site, this should be easy!

Example of https: <img src="> Example of relative: <img src="//">

If the site doesn't support https, you can do a couple different things:

If the resource is, for example, something that's intended to be shared, or in the public domain like a 88x31 button gif, you can probably safely download and re-host it on your site Example before: <img src="> Example after: <img src="/noclick.gif">

If the resource is very large, or you don't think you're allowed to re-host it, like music or propriety javascript, then you can try saving/hosting it in the Internet Archive, which supports https. Unfortunately, it also obeys robots.txt, so this might not always work. There are also a variety of music and other anonymous file hosting services, so trying googling around some too.

Finally, if you have a link that opens in a frame that doesn't support https, just open it in a new tab! :)

Step 3: There is no no step three! Congratulations, you're done! :D See, that wasn't that hard.

Another user reaction was by Cass "Owly" Python, who makes note that her site only would become HTTPS five days after the roll-out[6]


  1. Original wiki article about this subject
    1. How-To Geek: "HTTPS is much more secure than HTTP".
    2. Neocities Blog - IMPORTANT: We're switching to default SSL (HTTPS). Here's what you need to know
    3. From blog; text used is probably open-source as the main git uses an open license, but regardless, if not this text falls under fair use (also called fair dealing)
    4. Also from blog
    5. NeoMail -- Neocities defaulting to https
    6. Just look at that nice URL, HTTPS, nice