Serving jQuery and jQuery Mobile from CDN under HTTPS Doesn't Work as the Connection is Untrusted

[matt@…]

Trying to serve jQuery and jQuery Mobile using https says that the connection is untrusted, so obviously doesn't serve the files.

To reproduce, try to access:

 https://code.jquery.com/jquery-1.6.2.min.js
 https://code.jquery.com/mobile/1.0b2/jquery.mobile-1.0b2.min.js
 https://code.jquery.com/mobile/1.0b2/jquery.mobile-1.0b2.min.css

In Firefox you'll get the "Connection is Untrusted". In Chrome you'll get something like "You attempted to reach code.jquery.com, but instead you actually reached a server identifying itself as gp1.wac.edgecastcdn.net"

[rwaldron]

Where does it say that those resources are available over https?

[matt@…]

Replying to rwaldron:

Where does it say that those resources are available over https?

It doesn't. But if jQuery are providing a CDN for web developers to use, then it has to work all of the time, no matter what the protocol.

[dmethvin]

The Google CDN works with https right now. In the meantime we'll start a collection to get https working. You can donate here:  http://jquery.org/donate/

[rwaldron]

#10205 is a duplicate of this ticket.

[wislam]

Replying to dmethvin:

The Google CDN works with https right now. In the meantime we'll start a collection to get https working. You can donate here:  http://jquery.org/donate/

As a company, we're unable to use the Google CDN due to privacy concerns and protection of our customers, specifically Google's wide-ranging data collection. Also, Microsoft's CDN doesn't host older jQuery scripts (1.2.6), which I've contacted them about.

Also, your CDN (code.jquery.com - edgecast) is the fastest out of the 3, followed by Microsoft. see:  http://royal.pingdom.com/2010/05/11/cdn-performance-downloading-jquery-from-google-microsoft-and-edgecast-cdns/

Furthermore, as Matt suggested in comment #2, if you provide a cdn, you can't simply provide half the functionality, i.e what about payment sites, login portals, etc?

Sorry, but making a comment like "Where does it say that those resources are available over https?" is cheer lack of care for your users. Again, sorry, but making a comment like donate so we can fix this is further indicative of lack of care and trying to brush the issue aside.

At this point I'm left wondering why you even chose to provide users with a CDN and your comments cast doubt over its stability and availability.

[rwaldron]

#10334 is a duplicate of this ticket.

[etiger13]

Updated the Downloads page to specify which CDN providers offer SSL versions.

[dmethvin]

As a company, we're unable to use the Google CDN due to privacy concerns and protection of our customers ...

What is your company and what privacy or security guarantees do you require? The https protocol only addresses site identity and security over the wire. From your comments, clearly there are concerns beyond that if Google's CDN isn't acceptable. For example, if your site is accepting credit cards and wishes to use our CDN, the jQuery servers are not PCI DSS certified -- I don't think any CDN is PCI DSS certified for that matter.

[etiger13]

Edgecast CDN supports SSL.

MediaTemple is hosting the jQuery CDN.

MediaTemple seems to use Edgecast to provide their CDN services.

ergo, the jQuery CDN should be able to use SSL. In reality, MT's implementation of Edgecast does not yet support SSL. This is why the jQuery CDN does not offer a HTTPS version of the library.

wat wat

[anonymous]

@wislam - Your sense of entitlement is staggering.

[anonymous]

You could use the links provided on :  http://cdnjs.com/

Replying to etiger13:

Edgecast CDN supports SSL.

MediaTemple is hosting the jQuery CDN.

MediaTemple seems to use Edgecast to provide their CDN services.

ergo, the jQuery CDN should be able to use SSL. In reality, MT's implementation of Edgecast does not yet support SSL. This is why the jQuery CDN does not offer a HTTPS version of the library.

wat wat