Killing HTTP support on CodeWalrus (site would become HTTPS-only)

u/Dudeman313 April 13, 2016, 08:25:50 PM

Quote from: DJ Omnimaga on April 07, 2016, 07:04:58 PM
Also why is the site default page still showing up as rick.codewalr.us?

Maybe that's something for the Easter Egg thread.

u/Dream of Omnimaga April 13, 2016, 10:10:41 PM

Nah it was set like that until the August 9th data loss. But for whatever reasons, some of the site stuff still seems to direct there. At least, though, when someone types an invalid domain name it now redirects to the forums, not a pic of Rick Astley.

u/Dudeman313 April 14, 2016, 08:48:30 PM

Oh, okay. Have you killed http support yet?

u/Dream of Omnimaga April 15, 2016, 05:59:02 AM

Not yet, and I think what will happen instead is that we'll make http automatically redirect or something like that.

u/Yuki April 15, 2016, 01:48:18 PM

Quote from: DJ Omnimaga on April 15, 2016, 05:59:02 AM
Not yet, and I think what will happen instead is that we'll make http automatically redirect or something like that.

That's actually the point, if we're gonna kill http, it does mean it's gonna redirect to https, or else the site is gonna be unusable.

u/Dream of Omnimaga April 15, 2016, 02:09:36 PM

Quote from: Juju on April 15, 2016, 01:48:18 PM
Quote from: DJ Omnimaga on April 15, 2016, 05:59:02 AM
Not yet, and I think what will happen instead is that we'll make http automatically redirect or something like that.
That's actually the point, if we're gonna kill http, it does mean it's gonna redirect to https, or else the site is gonna be unusable.

IIRC, disabling https was what Omni did last year though, right? The site didn't even work in that mode. That changed more recently, though.

u/Dudeman313 April 15, 2016, 08:27:35 PM

When? 'Cause there used to be a time I could access the full Omnimaga site on my Nokia E63, thru Opera Mini, and even use IRC there, but since last month, all I got was a blank page.

u/Dream of Omnimaga April 16, 2016, 07:54:53 AM

Somewhere around October 2014 until earlier in 2016 or maybe before. I don't know if they changed anything afterwards or if it fixed itself, though. They rarely make any site updates public, unlike Cemetech, TI-Planet and CodeWalrus (which have site update threads such as this one)

u/allynfolksjr April 22, 2016, 03:56:58 AM

Very nice change! Thanks for taking our security seriously.

u/c4ooo April 30, 2016, 08:19:26 PM

What is the problem of letting people use HTTP if they want to? There's security risk for the server if the users use HTTP, right?

u/DarkestEx April 30, 2016, 09:01:26 PM

Quote from: c4ooo on April 30, 2016, 08:19:26 PM
What is the problem of letting people use HTTP if they want to? There's security risk for the server if the users use HTTP, right?

I totally agree. Leave HTTP support intact!

u/c4ooo April 30, 2016, 09:06:43 PM

Either way, i vote "i dont care"

u/Dream of Omnimaga May 01, 2016, 03:02:45 AM

The problem is apparently when logging in with Sorunome's mod. Passwords are encrypted and stuff and using HTTP renders any form of encrypting useless. Personally I would not disable it entirely and tell users to use it at their own risk, but it depends.

u/DarkestEx May 01, 2016, 03:06:31 AM

Quote from: DJ Omnimaga on May 01, 2016, 03:02:45 AM
The problem is apparently when logging in with Sorunome's mod. Passwords are encrypted and stuff and using HTTP renders any form of encrypting useless. Personally I would not disable it entirely and tell users to use it at their own risk, but it depends.

I don't give af about my password being sent using http as long as compatibility is maintained. I am sure people use https themselves if they care enough. If they don't then they don't use it. I would rather suggest adding a warning when login in using http. Just a plain red box saying: "You are not using the HTTPS version of the site, so your credentials are sent in plain text. If you don't want that you can switch to the https version here [link]."