
Killing HTTP support on CodeWalrus (site would become HTTPS-only)

Started by DJ Omnimaga, April 06, 2016, 11:49:19 PM



Should we kill HTTP access support on CW and make the site HTTPS-only for security?

Yes
18 (85.7%)
No
3 (14.3%)

Total Members Voted: 21

DarkestEx

Quote from: Streetwalrus on September 06, 2016, 11:00:34 PM
As juju said, regular http works for browsers that don't support modern crypto.
Then it must be HTTPS resources on the front page making it not work.
  • Calculators owned: TI-84+, Casio 101-S, RPN-Calc, Hewlett-Packard 100LX, Hewlett-Packard 95LX
  • Consoles, mobile devices and vintage computers owned: Original Commodore 64C, C64 DTV, Nintendo GameBoy Color, Nintendo GameCube, Xbox 360, PlayStation 2

Yuki

Quote from: DarkestEx on September 06, 2016, 11:01:17 PM
Quote from: Streetwalrus on September 06, 2016, 11:00:34 PM
As juju said, regular http works for browsers that don't support modern crypto.
Then it must be HTTPS resources on the front page making it not work.
As I said.

And as I said, we got everything covered to offer you a potable experience on old browsers.
  • Calculators owned: TI-83+ (dead?), Casio Prizm (also dead???)
  • Consoles, mobile devices and vintage computers owned: A lot
Read Zarmina!
YUKI-CHAAAANNNN
In the beginning there was walrii. In the end there will be walrii. All hail our supreme leader :walrii: --Snektron



if you wanna throw money at me and/or CodeWalrus monthly it's here

DJ Omnimaga

One issue with SMF plugins is that they sometimes require us to use absolute links rather than relative. I wish the URL tag allowed us to use relative links.
  • Calculators owned: TI-84 Plus C Silver Edition, TI-84 Plus CE, Casio fx-CG10, HP Prime, fx 1.0 Plus, fx-7400G Plus, fx-9750G Plus, fx-9860G, HP 39gII
  • Consoles, mobile devices and vintage computers owned: Huawei P30 Lite, Nintendo 64, Wii U

gameblabla

img.codewalr.us's certificate is self-signed, which means that over HTTPS,
Firefox (and maybe Chrome) will refuse to serve it.

juju and streetwalrus should fix dis.
  • Calculators owned: None (used to own an Nspire and TI-89)

DJ Omnimaga

To be honest, when we switched to LE I thought this would solve all our sub-domain cert issues. @Juju and @Streetwalrus should indeed fix this. Plus this would allow us to finally use SSL for the WalrusIRC smileys and other things.

novenary

December 05, 2016, 05:40:35 AM #65 Last Edit: December 05, 2016, 05:43:03 AM by Streetwalrus
Quote from: gameblabla on December 05, 2016, 01:20:59 AM
img.codewalr.us's certificate is self-signed, which means that over HTTPS,
Firefox (and maybe Chrome) will refuse to serve it.

juju and streetwalrus should fix dis.
Https is not enabled on that subdomain, I have no idea how this is happening.
Let's Encrypt can't fix anything, all it does is give us certs for free. We need to take care of things.

Edit: actually it's probably trying to serve the default subdomain, pretty sure that's the issue.

DJ Omnimaga

Ah, that might explain it. I recall trying one of the sub-domains on https and it redirected to a Rick Astley pic.

I think we should enable https on all subdomains.

Yuki

Ah yeah, HTTPS might not be enabled on all domains in the webserver's config, nothing to do with Let's Encrypt.


novenary

Yeah, just need a little bit of setup, shouldn't be hard at all.
Would be cool if nginx supported variables/macros in the config so we could just add an include line and add the domain to acmetool, and boom, https.

Yuki

Ah yeah, that would be fun. I think nginx supports variables. Probably.

The best would be to renew the certs directly in the config and I think it's possible.

novenary

I already have this thing set up, you just tell it that you want certs for a given subdomain and it will check and renew them on a cronjob.
The only problem is the nginx config, lots of copy-pasta. Also our current config is a bit messy. :P

gameblabla

Bump.
More and more browsers are now complaining about insecure connections.
And while codewalr.us does support HTTPS, there are some issues:
- On the front page, some images use http: rather than https:. Should be fairly trivial to fix.
- Cookies do not use the HttpOnly and Secure flags. Should be done for security.

I believe it should be made HTTPS-only because even on older operating systems like NT 4.0, it is possible to visit secure websites with TLS 1.0 and all.
As for browsers that do not support HTTPS, I honestly doubt they can support codewalr.us properly anyway.
Preferably, codewalrus should also support CSP. Here are the CSP settings I use for my website.


# Apache httpd directive (needs mod_headers); a quoted value that spans lines
# must use backslash continuation, otherwise httpd rejects the config.
Header always set Content-Security-Policy "default-src 'none'; base-uri 'none'; \
    frame-ancestors 'none'; form-action 'none'; \
    font-src 'self'; child-src 'none'; script-src 'self'; object-src 'none'; \
    connect-src 'none'; style-src 'self'; img-src 'self';"


Of course, since codewalrus supports scripting, you should tweak them according to your needs.

You can use the Observatory by Mozilla for more info:
https://observatory.mozilla.org
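A small checker for the three points raised in this post (http: subresources on an https page, cookies set without the HttpOnly and Secure flags, and the CSP header), written as an added example; it is not code from the thread or from CodeWalrus, and the HTML and headers below are constructed samples, not captured from codewalr.us.

```python
import re

# Constructed sample page and response headers illustrating the issues above.
SAMPLE_HTML = """<html><body>
<img src="http://img.codewalr.us/logo.png">
<img src="https://img.codewalr.us/banner.png">
<script src="http://img.codewalr.us/app.js"></script>
<a href="http://codewalr.us/forum">forum</a>
</body></html>"""

SAMPLE_HEADERS = [
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "SMFCookie=def456; path=/; HttpOnly; Secure"),
    ("Content-Security-Policy", "default-src 'none'; img-src 'self'; script-src 'self'"),
]


def find_mixed_content(html):
    """Return http: URLs loaded as subresources via src=... on the page.
    Browsers block (scripts) or warn about (images) these on an https page;
    a plain http: link in an <a href> is not mixed content, so it is ignored."""
    return re.findall(r'\bsrc=["\'](http://[^"\']+)', html, flags=re.I)


def cookie_findings(headers):
    """Map each cookie name to the flags it is missing out of Secure/HttpOnly."""
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings


def parse_csp(header_value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit(html, headers):
    """Combine the checks into one report for a fetched page."""
    csp = dict(headers).get("Content-Security-Policy")
    return {
        "mixed_content": find_mixed_content(html),
        "cookies": cookie_findings(headers),
        "csp": parse_csp(csp) if csp else None,
    }
```

Running `audit(SAMPLE_HTML, SAMPLE_HEADERS)` reports the two http: subresources, the session cookie lacking both flags, and the parsed policy.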
