CNN.com quietly turned on TLS/HTTPS over the weekend

52 points0x7f8000007y ago32 comments

I just noticed this. HTTP 301s to HTTPS. I say "quietly" because I can't find any official announcement.

32 comments

tastyham7y ago

Shit, they were my go-to page for signing into hotel WiFi. Where can I go to now?

enigmango7y ago

http://example.com is my go-to.

theak7y ago

http://neverhttps.com is my go-to. Looks like there are plenty of other good suggestions as well :)

tazard7y ago

http://http.rip

dajohnson897y ago

sorry for the stupid question, but how is https a bad thing? and what does this have to do with hotel WiFi?

enzanki_ars7y ago

Most hotel wifi networks require opening a browser to connect. Once you open it, the first page you go to is redirected. Because a lot of sites default to HTTPS, that redirect is detected as a MITM by the browser, and prevents you from moving on. http://neverssl.com/ is an easy way to get to the portal without an issue.

As noted on NeverSSL:

> [...] it [...] means that if you're relying on poorly-behaved wifi networks, it can be hard to get online. Secure browsers and websites using https make it impossible for those wifi networks to send you to a login or payment page. Basically, those networks can't tap into your connection just like attackers can't. Modern browsers are so good that they can remember when a website supports encryption and even if you type in the website name, they'll use https.

ecesena7y ago

http://captive.apple.com/

mopeloi7y ago

NeverSSL.com is my goto

saurik7y ago

All the other replies to your comment are "this is a permanent solution to the problem"; but I think to truly answer the spirit of your question, the correct answer is "yahoo.com": I mean... can you imagine Yahoo! ever getting around to adding SSL to their website? ;P

enigmango7y ago

I just tried http://yahoo.com and it gave me a 301 redirect to https://www.yahoo.com. (Same with http://www.yahoo.com).

corin_7y ago

I use ipchicken.com, works over http for public wifi signins, and has added benefit of showing me whether I’m connected to wifi/4g/vpn via IP’s reverse DNS.

geofft7y ago

Redirects are fine as long as they aren't HSTS preloaded - you can open it in an incognito window if your browser has cached the redirect.

I usually use gstatic.com, which does redirect, but also gstatic.com/generate_204 is Chrome's own capive portal test page and does not redirect. There's also msftncsi.com, which (/ncsi.txt) is Microsoft's test page.

tompagenet27y ago

I enjoy using http://www.stealmylogin.com as it seems apt (and works)

wemdyjreichert7y ago

Captive.apple.com or msftconnecttest.net/redirect

jdlyga7y ago

www.neverssl.com

sandstrom7y ago

asd.com is quick to type, and short

hitsurume7y ago

Is this a big deal? Pretty sure they did this because of SEO reasons

HendrikR7y ago

Safari just joined the party in displaying a warning if the connection is not using TLS/HTTPS just like other browsers do.

Nouser767y ago

CNN.com used to be my go to website for logging into splash pages that were blocked on HTTPS websites. Now I have to find a new one!

gabrielwong7y ago

I've been using neverssl.com

sp3327y ago

example.com should be safe.

bhartzer7y ago

They didn't move everything to HTTPs. There are still subdomains that are still HTTP, such as collection., money., go.cnn.com

adam-ff7y ago

Searching for an announcement, I found an ironic result:

http://money.cnn.com/2016/09/08/technology/google-chrome-fla...

And, despite money.cnn.com being one of the Subject Alt Names on their certificate (as well as plenty of app, api and some staging domain names), that domain in particular rejects connections to port 443.

Maybe their transition is incomplete and they're not ready to announce yet?

coolso7y ago

I wonder if they'll ever turn comments back on, too?

overcast7y ago

The internet, especially news, is a better place without it.

kardos7y ago

Says a guy commenting on the internet?

1 more reply

coolso7y ago

I think most would agree - but come on, let's not go overboard. CNN has just as much a right to exist on the internet as anyone else.

1 more reply

super_trooper7y ago

I was seeing this a couple weeks ago

scrollaway7y ago

I've been seeing it for six months almost. Maybe https-everywhere was doing this but I also used to use CNN as a hotel WiFi sign-in gate so I noticed it back then.

Funny how many people independently ended up in that same situation. How did y'all start?

stevew207y ago

Strange, given the numerous anti-cryptography articles they've published...

j / k navigate · click thread line to collapse

32 comments

tastyham7y ago

Shit, they were my go-to page for signing into hotel WiFi. Where can I go to now?

enigmango7y ago

http://example.com is my go-to.

theak7y ago

http://neverhttps.com is my go-to. Looks like there are plenty of other good suggestions as well :)

tazard7y ago

http://http.rip

dajohnson897y ago

sorry for the stupid question, but how is https a bad thing? and what does this have to do with hotel WiFi?

enzanki_ars7y ago

As noted on NeverSSL:

ecesena7y ago

http://captive.apple.com/

mopeloi7y ago

NeverSSL.com is my goto

saurik7y ago

enigmango7y ago

I just tried http://yahoo.com and it gave me a 301 redirect to https://www.yahoo.com. (Same with http://www.yahoo.com).

corin_7y ago

I use ipchicken.com, works over http for public wifi signins, and has added benefit of showing me whether I’m connected to wifi/4g/vpn via IP’s reverse DNS.

geofft7y ago

Redirects are fine as long as they aren't HSTS preloaded - you can open it in an incognito window if your browser has cached the redirect.

tompagenet27y ago

I enjoy using http://www.stealmylogin.com as it seems apt (and works)

wemdyjreichert7y ago

Captive.apple.com or msftconnecttest.net/redirect

jdlyga7y ago

www.neverssl.com

sandstrom7y ago

asd.com is quick to type, and short

hitsurume7y ago

Is this a big deal? Pretty sure they did this because of SEO reasons

HendrikR7y ago

Safari just joined the party in displaying a warning if the connection is not using TLS/HTTPS just like other browsers do.

Nouser767y ago

CNN.com used to be my go to website for logging into splash pages that were blocked on HTTPS websites. Now I have to find a new one!

gabrielwong7y ago

I've been using neverssl.com

sp3327y ago

example.com should be safe.

bhartzer7y ago

They didn't move everything to HTTPs. There are still subdomains that are still HTTP, such as collection., money., go.cnn.com

adam-ff7y ago

Searching for an announcement, I found an ironic result:

http://money.cnn.com/2016/09/08/technology/google-chrome-fla...

Maybe their transition is incomplete and they're not ready to announce yet?

coolso7y ago

I wonder if they'll ever turn comments back on, too?

overcast7y ago

The internet, especially news, is a better place without it.

kardos7y ago

Says a guy commenting on the internet?

1 more reply

coolso7y ago

I think most would agree - but come on, let's not go overboard. CNN has just as much a right to exist on the internet as anyone else.

1 more reply

super_trooper7y ago

I was seeing this a couple weeks ago

scrollaway7y ago

I've been seeing it for six months almost. Maybe https-everywhere was doing this but I also used to use CNN as a hotel WiFi sign-in gate so I noticed it back then.

Funny how many people independently ended up in that same situation. How did y'all start?

stevew207y ago

Strange, given the numerous anti-cryptography articles they've published...

j / k navigate · click thread line to collapse