Forums

Sega Master System / Mark III / Game Gear
SG-1000 / SC-3000 / SF-7000 / OMV
Home - Forums - Games - Scans - Maps - Cheats - Credits
Music - Videos - Development - Hacks - Translations - Homebrew

View topic - HTTPS

Reply to topic
Author Message
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 11905
  • Location: London
Reply with quote
HTTPS
Post Posted: Wed Jul 19, 2017 9:06 am
It looks like the world is going to HTTPS, Chrome now warns lightly on our login page and soon it will warn on every page. I don't know a great deal about it but it seems like it's some one off work and then constantly renewing the Let's Encrypt certificate... does anyone have any experience to offer?
  View user's profile Send private message Visit poster's website
  • Joined: 26 Jun 2012
  • Posts: 26
  • Location: Buffalo
Reply with quote
Post Posted: Wed Jul 19, 2017 5:15 pm
Once you put the main site on SSL you'll also need to have all embedded content put on SSL as well. For example, if your images are kept on a subdomain, it will need to be put on SSL as well or you will get that "partially secure" message. Any 3rd party includes need to use their secure versions if they exist.

If you have multiple domains, you'll need a certificate for each, not just the top-level. This is especially important for any pages or images that are accessible using a variety to URLs (not counting +/- www.)

I'm not certain as to how correct that message from Chrome is you are seeing. I think you need to figure out what exactly it is expecting, especially on login pages. Even on fully SSL sites, Chrome can show that message on a login box. One example is the current version of IP.Board.
  View user's profile Send private message Visit poster's website
  • Joined: 25 Dec 2005
  • Posts: 512
  • Location: São Paulo - Brazil
Reply with quote
Post Posted: Wed Jul 19, 2017 5:43 pm
Let's encrypt works great, I've installed it on a Windows 7 IIS machine using the DNS challenge in manual mode.

There is this certbot program, which has many options and for Linux there is an automated challenge and install mode for popular web servers.

About content, if you serve everything from SMSPower using links like "/forums/posting", it will work flawlessly in secure mode automatically, but I doubt it's done this way actually...
  View user's profile Send private message
  • Joined: 30 Mar 2009
  • Posts: 206
Reply with quote
Post Posted: Wed Aug 02, 2017 12:36 pm
Alternatively, you can just put the login pages on https.
Google current spec is that only pages where critical or private information is passed are required to use ssl.

If you can put the entire site, is better. But you can't have mixed content deilvery (https site serving http content) or you will lose crawling and tracking performance. If you care about this stuff, obviously.
  View user's profile Send private message Visit poster's website
  • Joined: 05 Sep 2013
  • Posts: 1963
Reply with quote
Post Posted: Wed Aug 02, 2017 2:10 pm
phpBB should support https 'natively', so the forums shouldn't be a great problem. If the forums include (not link!) contents from outside the forum, they better be https too, or you'll get mixed content warnings - I'm thinking of images here...
  View user's profile Send private message Visit poster's website
  • Joined: 25 Dec 2005
  • Posts: 512
  • Location: São Paulo - Brazil
Reply with quote
Post Posted: Wed Aug 02, 2017 2:20 pm
I've updated my Chrome on Win7 to 60.0.3112.78 - 64 bits and no visual warning appears at login, besides the common Insecure Url icon on address bar.
no_warning_ssl.png (90.75 KB)
no_warning_ssl.png

  View user's profile Send private message
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 11905
  • Location: London
Reply with quote
Post Posted: Wed Aug 02, 2017 9:24 pm
https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

Quote
Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.
  View user's profile Send private message Visit poster's website
Reply to topic



Back to the top of this page

Back to SMS Power!