View topic - HTTPS

  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
HTTPS
Post Posted: Wed Jul 19, 2017 9:06 am
It looks like the world is going to HTTPS, Chrome now warns lightly on our login page and soon it will warn on every page. I don't know a great deal about it but it seems like it's some one off work and then constantly renewing the Let's Encrypt certificate... does anyone have any experience to offer?
  • Joined: 26 Jun 2012
  • Posts: 44
  • Location: Buffalo
Post Posted: Wed Jul 19, 2017 5:15 pm
Once you put the main site on SSL you'll also need to have all embedded content put on SSL as well. For example, if your images are kept on a subdomain, it will need to be put on SSL as well or you will get that "partially secure" message. Any 3rd party includes need to use their secure versions if they exist.

If you have multiple domains, you'll need a certificate for each, not just the top-level. This is especially important for any pages or images that are accessible using a variety of URLs (not counting +/- www.)

I'm not certain as to how correct that message from Chrome is you are seeing. I think you need to figure out what exactly it is expecting, especially on login pages. Even on fully SSL sites, Chrome can show that message on a login box. One example is the current version of IP.Board.
  • Joined: 25 Dec 2005
  • Posts: 607
  • Location: São Paulo - Brazil
Post Posted: Wed Jul 19, 2017 5:43 pm
Let's Encrypt works great, I've installed it on a Windows 7 IIS machine using the DNS challenge in manual mode.

There is this certbot program, which has many options and for Linux there is an automated challenge and install mode for popular web servers.

About content, if you serve everything from SMSPower using links like "/forums/posting", it will work flawlessly in secure mode automatically, but I doubt it's done this way actually...
  • Joined: 30 Mar 2009
  • Posts: 280
Post Posted: Wed Aug 02, 2017 12:36 pm
Alternatively, you can just put the login pages on https.
Google's current spec is that only pages where critical or private information is passed are required to use ssl.

If you can put the entire site, it is better. But you can't have mixed content delivery (https site serving http content) or you will lose crawling and tracking performance. If you care about this stuff, obviously.
  • Joined: 05 Sep 2013
  • Posts: 3758
  • Location: Stockholm, Sweden
Post Posted: Wed Aug 02, 2017 2:10 pm
phpBB should support https 'natively', so the forums shouldn't be a great problem. If the forums include (not link!) contents from outside the forum, they better be https too, or you'll get mixed content warnings - I'm thinking of images here...
  • Joined: 25 Dec 2005
  • Posts: 607
  • Location: São Paulo - Brazil
Post Posted: Wed Aug 02, 2017 2:20 pm
I've updated my Chrome on Win7 to 60.0.3112.78 - 64 bits and no visual warning appears at login, besides the common Insecure Url icon on address bar.
no_warning_ssl.png (90.75 KB)
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Wed Aug 02, 2017 9:24 pm
https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

Quote
Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Wed Jul 25, 2018 5:20 pm
I've created a certificate! (Well, the host made it trivial.) The HTTPS version is quite broken, though, as we need to modify a bunch of references to use the appropriate protocol on both HTTP and HTTPS until we are able to migrate fully.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Site outage
Post Posted: Thu Jul 26, 2018 9:26 am
Our site (and a few secret websites inside the same host) was down since last night; as you may have noticed, it's better now after a reboot.
  • Joined: 22 Apr 2018
  • Posts: 530
Post Posted: Fri Jul 27, 2018 3:43 pm
Maxim wrote
Our site (and a few secret websites inside the same host) was down since last night; as you may have noticed, it's better now after a reboot.


Glad it's working, and https now too! Will you be adding HSTS response headers soon to pin to the safer protocol?
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Fri Jul 27, 2018 6:47 pm
We will when it works :)
  • Joined: 22 Apr 2018
  • Posts: 530
Post Posted: Sat Jul 28, 2018 12:29 am
Maxim wrote
We will when it works :)


Trollface version:
<!-- in template footer -->
<script>
// TODO: delete once no page flickers
window.addEventListener('load', function() {
    if (location.protocol !== 'https:') return;
    var old = document.documentElement.innerHTML;
    var edited = old.split('http://www.smspower.org').join('https://www.smspower.org');
    if (old === edited) return;
    document.documentElement.innerHTML = edited;
});
</script>
  • Joined: 16 May 2002
  • Posts: 1355
  • Location: italy
Post Posted: Sun Jul 29, 2018 1:41 pm
Please don't phase out the http version. If you want to give in to the recent https fetish everyone seems to have, go for it, but don't make it mandatory.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Sun Jul 29, 2018 3:21 pm
It's easier to support only one of them, but I'll try to transition it anyway. I don't see much reason to care though...
  • Site Admin
  • Joined: 08 Jul 2001
  • Posts: 8644
  • Location: Paris, France
Post Posted: Sun Jul 29, 2018 8:44 pm
Tom wrote
Please don't phase out the http version.

What is your reason? Stating it would be useful.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Sun Jul 29, 2018 9:25 pm
[I merged this thread to the HTTPS one since that's all we're talking about.]
  • Joined: 29 Jun 1999
  • Posts: 382
  • Location: Brazil
Post Posted: Mon Jul 30, 2018 5:44 am
It always feels awkward when logging in using http...
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Mon Jul 30, 2018 6:31 am
Consider that your password here should not be used for anything important. The only real reason for HTTPS for us is to avoid security warnings and maybe improve our search rankings.
  • Joined: 25 Dec 2005
  • Posts: 607
  • Location: São Paulo - Brazil
Post Posted: Fri Oct 05, 2018 12:46 am
Maxim wrote
I've created a certificate! (Well, the host made it trivial.) The HTTPS version is quite broken, though, as we need to modify a bunch of references to use the appropriate protocol on both HTTP and HTTPS until we are able to migrate fully.


Maxim,

I found that every href and src HTML attribute can start with // instead of http:// or https://

Did you know that?

So if you change all links and file sources like that, the same page can be served in https or http.

Perhaps this is not the bottleneck you're facing.
  • Joined: 25 Dec 2005
  • Posts: 607
  • Location: São Paulo - Brazil
News
Post Posted: Mon Oct 07, 2019 4:53 pm
https://www.zdnet.com/article/google-gets-tougher-on-https-with-ban-on-mixed-con...

By Feb/2020.
  • Joined: 16 May 2002
  • Posts: 1355
  • Location: italy
Post Posted: Mon Oct 07, 2019 11:05 pm
I still don't get all this obsession about https, why is Google pushing so hard about it? What's in it for them? What's in it for us? Boo hoo, some annoyed hacker looked at my traffic and knows that I read the forums on smspower.

*sigh*

This does look more and more inevitable by this point, please just don't mess up the TLS settings when the time comes.
  • Joined: 25 Dec 2005
  • Posts: 607
  • Location: São Paulo - Brazil
Post Posted: Tue Oct 08, 2019 3:01 pm
I see your distress about the topic. Would you shop online without it? What would you do if your smspower password is tampered in a public connection?

It's a trend alright, but is it that evil?
  • Site Admin
  • Joined: 08 Jul 2001
  • Posts: 8644
  • Location: Paris, France
Post Posted: Tue Oct 08, 2019 4:38 pm
Could we not be discussing this please. Let's focus on solving the problem.
  • Joined: 05 Dec 2019
  • Posts: 56
  • Location: USA
Improve HTTPS support
Post Posted: Thu Dec 05, 2019 7:31 pm
When I type in https://www.smspower.org/forums/ I can view forum pages securely. But when I click any link, all the links redirect me from https: (🔒️) to http: (Not secure). The usual way to fix this is to use either origin-relative URLs (such as "/forums/posting.php") or scheme-relative urls (such as "//www.smspower.org/forums/posting.php") instead of specifying "http" in each URL. Letting viewers stay on HTTPS will help prevent members from getting their sessions Firesheeped.

EDIT: I realize there's another topic about this (/forums/16740-HTTPS).
  View user's profile Send private message Visit poster's website
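
The URL clean-up described in the post above, as an added example that is not part of the original thread: a Python audit that lists hard-coded http:// references in a page and separates includes (which trigger mixed-content warnings) from plain links (which only send the visitor back to HTTP), with a suggested replacement for each. The sample markup and cdn.example.net are constructed; www.smspower.org is the host named in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "www.smspower.org"  # the site's own host, as named in the thread
# (tag, attribute) pairs fetched while rendering = "include"; the rest is a "link".
INCLUDES = {("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href")}


def suggest(parts):
    """Origin-relative for our host; https:// for others (assumes they serve HTTPS)."""
    if parts.hostname != SITE_HOST:
        return parts._replace(scheme="https").geturl()
    rel = parts.path or "/"
    if parts.query:
        rel += "?" + parts.query
    if parts.fragment:
        rel += "#" + parts.fragment
    return rel


class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, original URL, suggested URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("src", "href") or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme == "http":  # https://, //host/..., /path and relative pass
                kind = "include" if (tag, name) in INCLUDES else "link"
                self.findings.append((kind, tag, value, suggest(parts)))


def scan(html):
    scanner = Scanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample markup, not taken from the real site.
SAMPLE = """<a href="http://www.smspower.org/forums/posting.php?mode=reply">Reply</a>
<img src="http://www.smspower.org/images/logo.png">
<script src="http://cdn.example.net/lib.js"></script>
<a href="/forums/index.php">Index</a> <img src="//www.smspower.org/images/ok.png">"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Findings of kind "include" are the ones a browser flags on an HTTPS page; "link" findings are the redirects back to HTTP that the post complains about.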
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Thu Dec 05, 2019 7:50 pm
The deed is done. It seems to have worked pretty well, but we may have some mixed content warnings in places.
mixed.png (34.72 KB)
Mixed content warning
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Thu Dec 05, 2019 8:09 pm
Indeed the ability to use HTTPS at all was half-done. It is now more functional - although we do now force you to HTTPS. Supporting both at once is not a goal.
  • Joined: 16 May 2002
  • Posts: 1355
  • Location: italy
Post Posted: Fri Dec 06, 2019 12:44 am
Maxim wrote
we do now force you to HTTPS. Supporting both at once is not a goal
*sigh*

So, as I feared, that's why I haven't been able to browse smspower at all in the past few hours, good thing that I tried to double check with my phone now, but it looks like my days here are no more...

Oh well, it was fun while it lasted, bye ~
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Fri Dec 06, 2019 7:42 am
What reason is there to be unable to use https? Using Windows 95?
  • Joined: 05 Sep 2013
  • Posts: 3758
  • Location: Stockholm, Sweden
Post Posted: Fri Dec 06, 2019 12:25 pm
A small note: links in the topic reply notification e-mails now appear like this one:

https://www.smspower.org:443/forums/viewtopic.php?p=108544#108544

if you can remove the ':443' it'd be nice :)
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Post Posted: Fri Dec 06, 2019 12:35 pm
I think we’d need to hack the forum code to get rid of that...
  • Joined: 21 Aug 2012
  • Posts: 363
  • Location: Berlin, Germany
Post Posted: Fri Dec 06, 2019 2:01 pm
Google Chrome says that it's fine now - well done! =)
  • Joined: 05 Sep 2013
  • Posts: 3758
  • Location: Stockholm, Sweden
Post Posted: Fri Dec 06, 2019 2:14 pm
Maxim wrote
I think we’d need to hack the forum code to get rid of that...


quick hack, since we're no longer supporting HTTP (right?)
--> in include/functions_post.php, replace the 80 with 443 in this code:

$server_port = ($board_config['server_port'] <> 80) ? ':' . trim($board_config['server_port']) . '/' : '/';
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 14685
  • Location: London
Reply with quote
Post Posted: Tue Dec 17, 2019 8:31 am
Bug: https://smspower.org does not work.
  • Joined: 05 Sep 2013
  • Posts: 3758
  • Location: Stockholm, Sweden
Post Posted: Tue Dec 17, 2019 10:23 am
SSL certificate doesn't have the alternative name 'smspower.org' specified in it
  View user's profile Send private message Visit poster's website
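
An added example, not from the thread, of the name check behind this failure: it compares every hostname the site answers on against the DNS entries in a certificate's subjectAltName and shows that neither a www-only certificate nor a wildcard covers the bare domain. The SAN lists are constructed assumptions, since the thread does not show the certificate's actual entries; `fetch_san_dns_names` reads them from a live server.

```python
import socket
import ssl


def fetch_san_dns_names(host, port=443):
    """Return the DNS names in the served certificate's subjectAltName.

    Hostname checking is switched off so a mismatching certificate can still
    be inspected; chain validation stays on (verify_mode is CERT_REQUIRED).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(hostname, pattern):
    """Compare one hostname with one SAN entry, case-insensitively.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label: *.example.org covers www.example.org, not example.org.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*" and len(pat) > 2:
        return host[1:] == pat[1:]
    return host == pat


def uncovered(hostnames, san_dns_names):
    """Hostnames the site answers on that no SAN entry covers."""
    return [h for h in hostnames
            if not any(name_matches(h, p) for p in san_dns_names)]


# Constructed SAN lists (assumptions; the thread does not list the real entries).
SAN_WWW_ONLY = ["www.smspower.org"]
SAN_WILDCARD = ["*.smspower.org"]
SAN_BOTH = ["smspower.org", "www.smspower.org"]
SITE_NAMES = ["smspower.org", "www.smspower.org"]

if __name__ == "__main__":
    for san in (SAN_WWW_ONLY, SAN_WILDCARD, SAN_BOTH):
        print(san, "->", uncovered(SITE_NAMES, san) or "all names covered")
```

Running `uncovered` over the full list of site names before enabling a redirect or HSTS catches any hostname that would start failing with a certificate error.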