View topic - HTTPS

  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 12879
  • Location: London
HTTPS
Post Posted: Wed Jul 19, 2017 9:06 am
It looks like the world is going to HTTPS; Chrome now warns lightly on our login page and soon it will warn on every page. I don't know a great deal about it, but it seems like it's some one-off work and then constantly renewing the Let's Encrypt certificate... does anyone have any experience to offer?
  • Joined: 26 Jun 2012
  • Posts: 34
  • Location: Buffalo
Post Posted: Wed Jul 19, 2017 5:15 pm
Once you put the main site on SSL you'll also need to have all embedded content put on SSL as well. For example, if your images are kept on a subdomain, it will need to be put on SSL as well or you will get that "partially secure" message. Any 3rd party includes need to use their secure versions if they exist.

If you have multiple domains, you'll need a certificate for each, not just the top-level. This is especially important for any pages or images that are accessible using a variety of URLs (not counting +/- www.).

I'm not certain as to how correct that message from Chrome is you are seeing. I think you need to figure out what exactly it is expecting, especially on login pages. Even on fully SSL sites, Chrome can show that message on a login box. One example is the current version of IP.Board.
  • Joined: 25 Dec 2005
  • Posts: 562
  • Location: São Paulo - Brazil
Post Posted: Wed Jul 19, 2017 5:43 pm
Let's Encrypt works great; I've installed it on a Windows 7 IIS machine using the DNS challenge in manual mode.

There is this certbot program, which has many options and for Linux there is an automated challenge and install mode for popular web servers.

About content, if you serve everything from SMSPower using links like "/forums/posting", it will work flawlessly in secure mode automatically, but I doubt it's done this way actually...
  • Joined: 30 Mar 2009
  • Posts: 282
Post Posted: Wed Aug 02, 2017 12:36 pm
Alternatively, you can just put the login pages on https.
Google's current spec is that only pages where critical or private information is passed are required to use ssl.

If you can put the entire site, it is better. But you can't have mixed content delivery (https site serving http content) or you will lose crawling and tracking performance. If you care about this stuff, obviously.
  • Joined: 05 Sep 2013
  • Posts: 2496
Post Posted: Wed Aug 02, 2017 2:10 pm
phpBB should support https 'natively', so the forums shouldn't be a great problem. If the forums include (not link!) contents from outside the forum, they better be https too, or you'll get mixed content warnings - I'm thinking of images here...
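An added example, not code from any poster or from the site: the replies above separate content a page includes (images, scripts, stylesheets) from pages it merely links to, and this sketch lists only the included http:// references that would trigger mixed-content warnings on an https page. The sample HTML, its hosts and its paths are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches as part of the page itself.
# <a href> is deliberately absent: following a link is navigation.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("object", "data"),
}
LOADING_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that fetch

# Constructed sample page (hypothetical hosts and paths).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.org/style.css">
<script src="//www.example.org/site.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.invalid/shot.png">
<a href="http://other.example.invalid/">a plain link</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collects http:// subresources of a page that is served over https."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        hits = [(a, v) for a, v in attrs.items() if (tag, a) in SUBRESOURCE_ATTRS]
        rels = set(attrs.get("rel", "").lower().split())
        if tag == "link" and "href" in attrs and rels & LOADING_RELS:
            hits.append(("href", attrs["href"]))
        for attr, value in hits:
            # Relative and //host/path URLs inherit the page's scheme.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((self.getpos()[0], tag, attr, absolute))


def scan(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for finding in scan(SAMPLE, "https://www.example.org/forums/"):
        print(finding)
```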
  • Joined: 25 Dec 2005
  • Posts: 562
  • Location: São Paulo - Brazil
Post Posted: Wed Aug 02, 2017 2:20 pm
I've updated my Chrome on Win7 to 60.0.3112.78 - 64 bits and no visual warning appears at login, besides the common Insecure Url icon on the address bar.
no_warning_ssl.png (90.75 KB)
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 12879
  • Location: London
Post Posted: Wed Aug 02, 2017 9:24 pm
https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

Quote
Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 12879
  • Location: London
Post Posted: Wed Jul 25, 2018 5:20 pm
I've created a certificate! (Well, the host made it trivial.) The HTTPS version is quite broken, though, as we need to modify a bunch of references to use the appropriate protocol on both HTTP and HTTPS until we are able to migrate fully.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 12879
  • Location: London
Site outage
Post Posted: Thu Jul 26, 2018 9:26 am
Our site (and a few secret websites inside the same host) was down since last night; as you may have noticed, it's better now after a reboot.
  • Joined: 22 Apr 2018
  • Posts: 110
Post Posted: Fri Jul 27, 2018 3:43 pm
Maxim wrote
Our site (and a few secret websites inside the same host) was down since last night; as you may have noticed, it's better now after a reboot.


Glad it's working, and https now too! Will you be adding HSTS response headers soon to pin to the safer protocol?
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 12879
  • Location: London
Post Posted: Fri Jul 27, 2018 6:47 pm
We will when it works :)
  • Joined: 22 Apr 2018
  • Posts: 110
Post Posted: Sat Jul 28, 2018 12:29 am
Maxim wrote
We will when it works :)


Trollface version:
<!-- in template footer -->
<script>
// TODO: delete once no page flickers
window.addEventListener('load', function() {
    if (location.protocol !== 'https:') return;
    var old = document.documentElement.innerHTML;
    var edited = old.split('http://www.smspower.org').join('https://www.smspower.org');
    if (old === edited) return;
    document.documentElement.innerHTML = edited;
});
</script>
  • Joined: 16 May 2002
  • Posts: 1136
  • Location: italy
Post Posted: Sun Jul 29, 2018 1:41 pm
Please don't phase out the http version. If you want to give in to the recent https fetish everyone seems to have, go for it, but don't make it mandatory.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 12879
  • Location: London
Post Posted: Sun Jul 29, 2018 3:21 pm
It's easier to support only one of them, but I'll try to transition it anyway. I don't see much reason to care though...
  • Site Admin
  • Joined: 08 Jul 2001
  • Posts: 8092
  • Location: Paris, France
Post Posted: Sun Jul 29, 2018 8:44 pm
Tom wrote
Please don't phase out the http version.

What is your reason? Stating it would be useful.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 12879
  • Location: London
Post Posted: Sun Jul 29, 2018 9:25 pm
[I merged this thread to the HTTPS one since that's all we're talking about.]
  • Joined: 29 Jun 1999
  • Posts: 331
  • Location: Brazil
Post Posted: Mon Jul 30, 2018 5:44 am
It always feels awkward when logging in using http...
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 12879
  • Location: London
Post Posted: Mon Jul 30, 2018 6:31 am
Consider that your password here should not be used for anything important. The only real reason for HTTPS for us is to avoid security warnings and maybe improve our search rankings.
  • Joined: 25 Dec 2005
  • Posts: 562
  • Location: São Paulo - Brazil
Post Posted: Fri Oct 05, 2018 12:46 am
Maxim wrote
I've created a certificate! (Well, the host made it trivial.) The HTTPS version is quite broken, though, as we need to modify a bunch of references to use the appropriate protocol on both HTTP and HTTPS until we are able to migrate fully.


Maxim,

I found that every href and src HTML attribute can start with // instead of http:// or https://

Did you know that?

So if you change all links and file sources like that, the same page can be served in https or http.

Perhaps this is not the bottleneck you're facing.
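The // form suggested in the last post, applied to the page source before it is served, as an added example that is not from the thread: it rewrites same-site absolute URLs in href and src attributes to protocol-relative ones and reports http:// references to other hosts instead of touching them. The function name and the sample markup (apart from the host and /forums/posting, which appear in the thread) are constructed.

```python
import re

# href/src attribute whose value is an absolute http:// or https:// URL.
ATTR_URL = re.compile(
    r"""(?P<pre>\b(?:href|src)\s*=\s*(?P<q>["']))"""
    r"""(?P<scheme>https?:)//(?P<host>[^/"'\s?#]+)(?P<rest>[^"']*)(?P=q)""",
    re.IGNORECASE,
)

# Constructed sample markup; the image paths are hypothetical.
SAMPLE = (
    '<a href="http://www.smspower.org/forums/posting">Post</a>\n'
    '<img src="http://www.smspower.org/images/logo.png">\n'
    "<img src='http://images.example.invalid/shot.png'>\n"
    "<p>Old address: http://www.smspower.org/ (text, not an attribute)</p>\n"
)


def make_protocol_relative(html, own_hosts):
    """Rewrite same-site absolute URLs in href/src so they start with //.

    Returns (new_html, skipped). skipped lists http:// URLs on other hosts,
    left unchanged because an https version has to be confirmed per host.
    """
    own = {h.lower() for h in own_hosts}
    skipped = []

    def fix(m):
        if m.group("host").lower() in own:
            # Drop only the scheme; host, path and quoting stay as written.
            return f'{m.group("pre")}//{m.group("host")}{m.group("rest")}{m.group("q")}'
        if m.group("scheme").lower() == "http:":
            skipped.append(f'http://{m.group("host")}{m.group("rest")}')
        return m.group(0)

    return ATTR_URL.sub(fix, html), skipped


if __name__ == "__main__":
    new_html, skipped = make_protocol_relative(SAMPLE, ["www.smspower.org"])
    print(new_html)
    print("check by hand:", skipped)
```

Unlike a replace over the whole document, only attribute values are rewritten, so visible text that happens to contain the site's address is left as written.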