Closed Bug 848520 Opened 11 years ago Closed 11 years ago

[tracker] Make all traffic HTTPS

Categories

(support.mozilla.org :: General, defect, P3)

Product:
support.mozilla.org
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Future

People

(Reporter: jsocol, Unassigned)

References

Details

(Whiteboard: u=dev c=infrastructure p=) 

The Firefox team would like to switch to all-HTTPS for in-product links, which includes changing links to support. (See bug 841218 and anything it blocks.)

Right now, our caching strategy is very different for HTTP vs HTTPS traffic--we don't cache anything on the latter.

This bug is to track any changes necessary before all SUMO traffic can be over HTTPS. If it's just one thing, we can transform this from a tracker to an implementation bug.
Blocks: 848263
Ricky, do we need to research this? If yes, we should put that into the 6th sprint. Putting it into it tentatively.
Flags: needinfo?(rrosario)
Priority: -- → P3
Whiteboard: u=dev c=infrastructure p= s=2013.6
Target Milestone: --- → 2013Q1
Sorry, I meant to ask James what his thoughts were here.

Is this about changing our caching strategy to cache some https traffic? Or is this about seeing if we even need to do that?
Flags: needinfo?(rrosario)
IIRC, our caching strategy on HTTPS is never allow HTML to be cached. That may or may not be fine, load-wise, but it may not be a great experience, especially from Brazil.

So, I guess two questions:
1) Is cache-nothing OK for load? Can we still handle a pacman-level traffic surge?
2) Is cache-nothing OK for UX?

If either of those is "no," we need to look at a more nuanced strategy than just cache-nothing.
If we had to cache some HTTPS traffic, I think we could cache all responses from requests without one of the following cookies: SUMO_ANONID, anoncsrf or sessionid. And the responses cached can't have a Set-cookie in them, obviously.

Is that even doable?
Whiteboard: u=dev c=infrastructure p= s=2013.6 → u=dev c=infrastructure p= s=2013.backlog
I wanted to get Zeus caching (hit/miss) data but apparently that's not going to happen.

Random idea:
Add a waffle flag to switch inproduct redirects to HTTPS. We can start low at 1% or whatever and dial it up slowly keeping an eye on our load and performance graphs. If we are lucky, we will get to 100% without a sweat and we can then switch the actual inproduct links to HTTPS and remove the waffling code. If we find we can't handle the load, we'll come up with a plan so that we can.
This sounds good to me. Just one question: Browsers are caching HTTPS content these days, right? Just want to make sure they don't have to load all resources every time they navigate to another page.
(In reply to Kadir Topal [:atopal] from comment #6)
> Just one question: Browsers are caching HTTPS
> content these days, right?

Quick testing (with our shiny new Network panel) shows that Firefox, at least, obeys cache control headers over HTTPS.

When I say we "don't cache anything" I mean rendered HTML. We still send long-lived cache headers for static files. Firefox is obeying these headers when we do send them.
Thanks for testing. Then I'm okay with whenever we want to start the test. Ricky, feel free to add to spring as soon you feel confident we can do this.
Q1 is in the past. Moving to the future.
Target Milestone: 2013Q1 → Future
I've been redirecting all inproduct traffic to https for a few weeks now and no issues. We should be all set to make the switch.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: u=dev c=infrastructure p= s=2013.backlog → u=dev c=infrastructure p=
You need to log in before you can comment on or make changes to this bug.