Author | Message |
---|---|
|
HTTPS
Posted: Wed Jul 19, 2017 9:06 am
|
It looks like the world is going to HTTPS, Chrome now warns lightly on our login page and soon it will warn on every page. I don't know a great deal about it but it seems like it's some one-off work and then constantly renewing the Let's Encrypt certificate... does anyone have any experience to offer? | |
|
Posted: Wed Jul 19, 2017 5:15 pm |
Once you put the main site on SSL you'll also need to have all embedded content put on SSL as well. For example, if your images are kept on a subdomain, it will need to be put on SSL as well or you will get that "partially secure" message. Any 3rd party includes need to use their secure versions if they exist.
If you have multiple domains, you'll need a certificate for each, not just the top-level. This is especially important for any pages or images that are accessible using a variety of URLs (not counting +/- www.). I'm not certain as to how correct that message from Chrome is you are seeing. I think you need to figure out what exactly it is expecting, especially on login pages. Even on fully SSL sites, Chrome can show that message on a login box. One example is the current version of IP.Board. |
|
|
Posted: Wed Jul 19, 2017 5:43 pm |
Let's Encrypt works great, I've installed it on a Windows 7 IIS machine using the DNS challenge in manual mode.
There is this certbot program, which has many options and for Linux there is an automated challenge and install mode for popular web servers. About content, if you serve everything from SMSPower using links like "/forums/posting", it will work flawlessly in secure mode automatically, but I doubt it's done this way actually... |
|
|
Posted: Wed Aug 02, 2017 12:36 pm |
Alternatively, you can just put the login pages on https.
Google's current spec is that only pages where critical or private information is passed are required to use SSL. If you can put the entire site, it is better. But you can't have mixed content delivery (https site serving http content) or you will lose crawling and tracking performance. If you care about this stuff, obviously. |
|
|
Posted: Wed Aug 02, 2017 2:10 pm |
phpBB should support https 'natively', so the forums shouldn't be a great problem. If the forums include (not link!) contents from outside the forum, they better be https too, or you'll get mixed content warnings - I'm thinking of images here... | |
|
Posted: Wed Aug 02, 2017 2:20 pm |
I've updated my Chrome on Win7 to 60.0.3112.78 - 64 bits and no visual warning appears at login, besides the common Insecure Url icon on address bar.
|
|
|
Posted: Wed Aug 02, 2017 9:24 pm |
https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn
|
|
|
Posted: Wed Jul 25, 2018 5:20 pm |
I've created a certificate! (Well, the host made it trivial.) The HTTPS version is quite broken, though, as we need to modify a bunch of references to use the appropriate protocol on both HTTP and HTTPS until we are able to migrate fully. | |
|
Site outage
Posted: Thu Jul 26, 2018 9:26 am
|
Our site (and a few secret websites inside the same host) was down since last night; as you may have noticed, it's better now after a reboot. | |
|
Posted: Fri Jul 27, 2018 3:43 pm |
Glad it's working, and https now too! Will you be adding HSTS response headers soon to pin to the safer protocol? |
|
|
Posted: Fri Jul 27, 2018 6:47 pm |
We will when it works :) | |
|
Posted: Sat Jul 28, 2018 12:29 am |
Trollface version:
<!-- in template footer -->
<script>
// TODO: delete once no page flickers
window.addEventListener('load', function() {
  if (location.protocol !== 'https:') return;
  var old = document.documentElement.innerHTML;
  var edited = old.split('http://www.smspower.org').join('https://www.smspower.org');
  if (old === edited) return;
  document.documentElement.innerHTML = edited;
});
</script>
|
|
Posted: Sun Jul 29, 2018 1:41 pm |
Please don't phase out the http version. If you want to give in to the recent https fetish everyone seems to have, go for it, but don't make it mandatory. | |
|
Posted: Sun Jul 29, 2018 3:21 pm |
It's easier to support only one of them, but I'll try to transition it anyway. I don't see much reason to care though... | |
|
Posted: Sun Jul 29, 2018 8:44 pm |
What is your reason? Stating it would be useful. |
|
|
Posted: Sun Jul 29, 2018 9:25 pm |
[I merged this thread to the HTTPS one since that's all we're talking about.] | |
|
Posted: Mon Jul 30, 2018 5:44 am |
it always feels awkward when logging in using http... | |
|
Posted: Mon Jul 30, 2018 6:31 am |
Consider that your password here should not be used for anything important. The only real reason for HTTPS for us is to avoid security warnings and maybe improve our search rankings. | |
|
Posted: Fri Oct 05, 2018 12:46 am |
Maxim, I found that every href and src HTML attribute can start with // instead of http:// or https://. Did you know that? So if you change all links and file sources like that, the same page can be served in https or http. Perhaps this is not the bottleneck you're facing. |
|
|
News
Posted: Mon Oct 07, 2019 4:53 pm
|
https://www.zdnet.com/article/google-gets-tougher-on-https-with-ban-on-mixed-con...
By Feb/2020. |
|
|
Posted: Mon Oct 07, 2019 11:05 pm |
I still don't get all this obsession about https, why is Google pushing so hard about it? What's in it for them? What's in it for us? Boo hoo, some annoyed hacker looked at my traffic and knows that I read the forums on smspower.
*sigh* This does look more and more inevitable by this point, please just don't mess up the TLS settings when the time comes. |
|
|
Posted: Tue Oct 08, 2019 3:01 pm |
I see your distress about the topic. Would you shop online without it? What would you do if your smspower password is tampered with in a public connection?
It's a trend alright, but is it that evil? |
|
|
Posted: Tue Oct 08, 2019 4:38 pm |
Could we not be discussing this please. Let's focus on solving the problem. | |
|
Improve HTTPS support
Posted: Thu Dec 05, 2019 7:31 pm
|
When I type in https://www.smspower.org/forums/ I can view forum pages securely. But when I click any link, all the links redirect me from https: (🔒️) to http: (Not secure). The usual way to fix this is to use either origin-relative URLs (such as "/forums/posting.php") or scheme-relative URLs (such as "//www.smspower.org/forums/posting.php") instead of specifying "http" in each URL. Letting viewers stay on HTTPS will help prevent members from getting their sessions Firesheeped.
EDIT: I realize there's another topic about this (/forums/16740-HTTPS). |
|
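The origin-relative rewrite suggested in the posts above, done once over the template text rather than in the browser (an added example, not code from the thread or from the forum software). `SITE_HOST` and the sample markup are constructed for illustration; same-host `http://` references become origin-relative, and third-party `http://` subresources are reported as mixed content.

```javascript
'use strict';
// Added example, not the forum's code. SITE_HOST and SAMPLE are constructed.
// Regex matching is a template-level heuristic, not a full HTML parser.
const SITE_HOST = 'www.smspower.org';
const TAG_RE = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
const URL_ATTR_RE = /(\s(?:src|href)\s*=\s*)(["'])(http:\/\/[^"']*)\2/gi;
// Subresources a browser blocks outright when loaded over http:// on an https:// page.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link']);

function fixInsecureRefs(html) {
  const findings = [];
  const fixed = html.replace(TAG_RE, (whole, tagName, attrs) => {
    const tag = tagName.toLowerCase();
    const newAttrs = attrs.replace(URL_ATTR_RE, (match, lead, quote, raw) => {
      let url;
      try { url = new URL(raw); } catch (e) { return match; }
      if (url.host === SITE_HOST) {
        // Own host: the origin-relative form follows whatever scheme the page used.
        return lead + quote + url.pathname + url.search + url.hash + quote;
      }
      // Third-party http:// subresource: needs an https:// source or a local copy.
      // Plain <a href> navigation is not mixed content, so it is left alone.
      if (tag !== 'a') {
        findings.push({ tag, url: raw, kind: ACTIVE_TAGS.has(tag) ? 'active' : 'passive' });
      }
      return match;
    });
    return '<' + tagName + newAttrs + '>';
  });
  return { fixed, findings };
}

// Constructed sample markup.
const SAMPLE = [
  '<a href="http://www.smspower.org/forums/posting.php?mode=reply">Reply</a>',
  '<img src="http://www.smspower.org/images/logo.png" alt="">',
  '<img src="http://images.example.net/banner.gif">',
  '<script src="http://cdn.example.net/lib.js"></script>',
  '<a href="http://other.example.org/">elsewhere</a>',
].join('\n');

const result = fixInsecureRefs(SAMPLE);
console.log(result.fixed);
console.log(result.findings);
```
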
|
Posted: Thu Dec 05, 2019 7:50 pm |
The deed is done. It seems to have worked pretty well, but we may have some mixed content warnings in places.
|
|
|
Posted: Thu Dec 05, 2019 8:09 pm |
Indeed the ability to use HTTPS at all was half-done. It is now more functional - although we do now force you to HTTPS. Supporting both at once is not a goal. | |
|
Posted: Fri Dec 06, 2019 12:44 am |
*sigh* So, as I feared, that's why I haven't been able to browse smspower at all in the past few hours, good thing that I tried to double check with my phone now, but it looks like my days here are no more... Oh well, it was fun while it lasted, bye ~ |
|
|
Posted: Fri Dec 06, 2019 7:42 am |
What reason is there to be unable to use https? Using Windows 95? | |
|
Posted: Fri Dec 06, 2019 12:25 pm |
a small note: links in the topic reply notification e-mails now appear like this one:
https://www.smspower.org:443/forums/viewtopic.php?p=108544#108544
if you can remove the ':443' it'd be nice :) |
|
|
Posted: Fri Dec 06, 2019 12:35 pm |
I think we’d need to hack the forum code to get rid of that... | |
|
Posted: Fri Dec 06, 2019 2:01 pm |
Google Chrome says that it's fine now - well done! =) | |
|
Posted: Fri Dec 06, 2019 2:14 pm |
quick hack, since we're no longer supporting HTTP (right?) --> in include/functions_post.php, replace the 80 with 443 in this code:
$server_port = ($board_config['server_port'] <> 80) ? ':' . trim($board_config['server_port']) . '/' : '/';
|
|
|
Posted: Tue Dec 17, 2019 8:31 am |
Bug: https://smspower.org does not work. | |
|
Posted: Tue Dec 17, 2019 10:23 am |
SSL certificate doesn't have the alternative name 'smspower.org' specified in it | |
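
A check for the failure reported above, and for the earlier point that every hostname the site answers on needs to be in the certificate (an added example, not code from the thread). The SAN strings are constructed in the format `openssl x509 -text` prints; the wildcard rule is the usual simplification that `*` covers exactly one left-most label.

```javascript
'use strict';
// Added example. The SAN lines below are constructed, not read from the real certificate.

// Extract dNSName entries from an OpenSSL-style SAN line; IP and other entry types are ignored.
function parseDnsSans(sanLine) {
  return sanLine.split(',')
    .map(s => s.trim())
    .filter(s => s.startsWith('DNS:'))
    .map(s => s.slice(4).toLowerCase());
}

// True when one SAN pattern covers the host. "*" matches exactly one left-most
// label, so "*.smspower.org" covers "www.smspower.org" but not the bare apex.
function sanMatches(pattern, host) {
  const p = pattern.split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  if (p.length !== h.length) return false;
  return p.every((label, i) =>
    (i === 0 && label === '*' && p.length > 2) || label === h[i]);
}

// Hostnames the site is reachable at that the certificate does not cover.
function uncoveredHosts(sanLine, hosts) {
  const sans = parseDnsSans(sanLine);
  return hosts.filter(h => !sans.some(p => sanMatches(p, h)));
}

const HOSTS = ['www.smspower.org', 'smspower.org'];
// Constructed certificates: www only, wildcard only, and both names listed.
const WWW_ONLY = 'DNS:www.smspower.org';
const WILDCARD = 'DNS:*.smspower.org, IP Address:192.0.2.10';
const BOTH = 'DNS:smspower.org, DNS:www.smspower.org';

console.log(uncoveredHosts(WWW_ONLY, HOSTS));
console.log(uncoveredHosts(WILDCARD, HOSTS));
console.log(uncoveredHosts(BOTH, HOSTS));
```
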