CodeWalrus

CodeWalrus Website => Site Discussion => Site Discussion & Bug Reports => Topic started by: Dream of Omnimaga on April 06, 2016, 11:49:19 PM

Poll
Question: Should we kill HTTP access support on CW and make the site HTTPS-only for security?
Option 1: Yes votes: 18
Option 2: No votes: 3
Title: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 06, 2016, 11:49:19 PM
So in order to increase security on CW, disabling access via HTTP is being considered. However, many of our users are forced (either due to financial difficulties or restrictive parents) to use old computers or phones that cannot be upgraded to browsers with better SSL and certificate support, and we want the site to be reachable for all our users. So we wanted to ensure that the site was fully functional on old Android versions, such as Android 2.2.2. It appears that the site, despite a certificate error (which happens on every single HTTPS site on that old phone), shows up fine, but I don't know if it's because it falls back in HTTP mode without telling or something like that.

Anyway, what I am curious about is if users such as @Dudeman313 and @Unicorn are able to access CodeWalrus with https in the URL instead of http on their old Kindle and computer, respectively? And would others be ok with such move?


(Something to note is that CW can also be reached via the Tapatalk application for the time being. While we do not guarantee that future versions of the site will include Tapatalk support, everyone here will most likely have upgraded to better phones by the time we lose Tapatalk support anyway)
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Yuki on April 06, 2016, 11:54:37 PM
This issue is kind of in my department here on CW, so please give some feedback if you have an old device or browser and I'll see what I will do. If you vote no in the poll, please explain why it would be an issue.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 07, 2016, 12:04:40 AM
On a side note, those were the results on various sites I tried to access from my Samsung i5510 running Android 2.2.2:

-CodeWalrus: Site loads with certificate error
-Cemetech: Site loads with certificate error
-Omnimaga: Page cannot be displayed (Can't establish secure connection)
-TI-Planet: Site loads with certificate error

So yeah I would suggest posting what you get when you try accessing CW from your device in https mode.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dudeman313 on April 07, 2016, 12:29:40 AM
Sorry, but I couldn't tell you now.
My dad confiscated my Nokia E63 awhile ago because I charged it next to my bed, and he kept it because my mom was afraid I'd either spoil it, never sleep, or kill myself by charging it near my bed again.  <_<
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Unicorn on April 07, 2016, 12:34:11 AM
I can access Cemetech by https, and codewalrus as well, I believe.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 07, 2016, 01:19:30 AM
Quote from: Dudeman313 on April 07, 2016, 12:29:40 AM
Sorry, but I couldn't tell you now.
My dad confiscated my Nokia E63 awhile ago because I charged it next to my bed, and he kept it because my mom was afraid I'd either spoil it, never sleep, or kill myself by charging it near my bed again.  <_<
That sucks. What about your computer? Does it have modern Internet browsers installed or are you stuck with IE6 and the like?
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dudeman313 on April 07, 2016, 02:12:30 AM
I have the modern browsers. I'm on Windows 10 Pro. ;)

~Posted from Microsoft Edge
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Unicorn on April 07, 2016, 02:32:30 AM
Yup, I can load pages ;)
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 07, 2016, 02:38:53 AM
Quote from: Dudeman313 on April 07, 2016, 02:12:30 AM
I have the modern browsers. I'm on Windows 10 Pro. ;)

~Posted from Microsoft Edge
Ah ok, that's good, then. I was worried that since your computer was from 1998 or so, that you were stuck with Windows 98 or something for performance reasons.


Our main concern right now is people who are stuck with outdated browsers, as in, unable to update for whatever reasons (for example, my Samsung i5510 only supported Android 2.2.2 as highest version and had very limited disk space to store third-party browsers, so I was stuck with the stock browser). We will not support IE6 or crap like that, but phones that are on-par with the i5510 or even crappier are still being offered in mobile plans by most phone carriers, as budget phones, and many of those cannot be upgraded very high. If such old Android version's browser can open the website fine (with errors, but still possible to post) then we might be good.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Adriweb on April 07, 2016, 03:21:10 AM
BTW, look at what SSLLabs tells you.
An 'A' rating minimum would be required for proper config, A+ if possible
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 07, 2016, 03:42:07 AM
I know that Securityheaders rates our site B, but SSLLabs gives us A+.

However, we still need to fix some image links. For example, WalrusIRC smileys are http links. We can do nothing about images that people post on the forums, but at the very least we want to fix our internal stuff whenever possible.

Also I wish that our SSL certificate supported sub-domains so that we could make img.codewalr.us https as well.
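
Added example (not part of the original thread and not CodeWalrus's own code): a small Python audit for the mixed-content problem described in the post above. It lists `http://` sub-resources on an HTTPS page and separates first-party ones that staff can fix from third-party ones posted by users. The sample markup, the paths in it and the `OWN_HOSTS` set are constructed for illustration.

```python
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

Finding = namedtuple("Finding", "kind tag url first_party")

# Attributes that make the browser fetch a sub-resource, per tag.
RESOURCE_ATTRS = {
    "img": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",), "script": ("src",), "iframe": ("src",),
    "embed": ("src",), "object": ("data",),
}
# "Active" content can rewrite the page, so browsers block it outright;
# "passive" content (images, media) usually loads with a warning.
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url, own_hosts):
        super().__init__()
        self.page_url = page_url
        self.own_hosts = set(own_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "form":
            # A form posting to http:// sends its fields in clear text.
            kind, values = "form", [attrs.get("action", "")]
        elif tag == "link":
            rel = set(attrs.get("rel", "").lower().split())
            if not rel & {"stylesheet", "icon", "preload"}:
                return  # e.g. rel=canonical is metadata, nothing is fetched
            kind = "active" if "stylesheet" in rel else "passive"
            values = [attrs.get("href", "")]
        elif tag in RESOURCE_ATTRS:
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            values = [attrs.get(a, "") for a in RESOURCE_ATTRS[tag]]
        else:
            return
        for value in values:
            if not value.strip():
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            absolute = urljoin(self.page_url, value.strip())
            parts = urlsplit(absolute)
            if parts.scheme == "http":
                self.findings.append(Finding(
                    kind, tag, absolute, parts.hostname in self.own_hosts))


def find_mixed_content(html, page_url, own_hosts):
    """Return the http:// sub-resources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a page served over HTTPS
    finder = MixedContentFinder(page_url, own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup; the paths are placeholders, not real site paths.
OWN_HOSTS = {"codewalr.us", "img.codewalr.us"}
SAMPLE_PAGE = """
<link rel="stylesheet" href="//codewalr.us/theme/style.css">
<link rel="canonical" href="http://codewalr.us/">
<img src="/theme/logo.png">
<img src="http://img.codewalr.us/smileys/walrii.gif">
<img src="http://example.com/user-posted.png">
<script src="http://codewalr.us/js/chat.js"></script>
<form action="http://codewalr.us/login" method="post">
  <input type="password" name="p">
</form>
<a href="http://example.com/">plain link, not a sub-resource</a>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE, "https://codewalr.us/", OWN_HOSTS):
        owner = "first-party, fixable" if f.first_party else "third-party"
        print(f"{f.kind:8} <{f.tag}> {f.url} ({owner})")
```

Relative and protocol-relative references are not flagged because they follow the scheme of the page that embeds them.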
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Adriweb on April 07, 2016, 03:49:18 AM
Well you could get a free StartSSL one for the subdomain, or Let's Encrypt.

On SSLLabs, TI-Planet doesn't have A+ (but A) because of the second/backup HPKP key (key pinning), which we don't have (it would require a second SSL certificate, lol). It's a bit weird, because if we disabled HPKP we'd probably get A+ actually. In fact, we have the same grades for individual criteria, and with a better key (4096) than CW, but HPKP is somehow more important, apparently :P
That reminds me, we might look at OCSP stapling again, we disabled it some time ago because of issues, but they're fixed IIRC.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Yuki on April 07, 2016, 03:59:07 AM
We're waiting until our current Comodo certificate expires before switching. As for subdomains, we can definitely use Let's Encrypt.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: novenary on April 07, 2016, 06:48:00 PM
https://dumbrss.codewalr.us/ and https://oc.codewalr.us/ are already using Let's Encrypt and are passing A+ on there (https://www.ssllabs.com/ssltest/). I can help setting it up for anything else if it's needed. Also certificates renew automagically every 1st of the month.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 07, 2016, 07:04:58 PM
That's nice. I remember when juju had to manually renew the other certificate in October or so and missed the deadline <.<.

Also why is the site default page still showing up as rick.codewalr.us? ???
Quote from: Adriweb on April 07, 2016, 03:49:18 AM
That reminds me, we might look at OCSP stapling again, we disabled it some time ago because of issues, but they're fixed IIRC.
Was this what caused pages to refresh twice on first load or the extreme lag on my mobile wi-fi connection attempts?
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dudeman313 on April 13, 2016, 08:25:50 PM
Quote from: DJ Omnimaga on April 07, 2016, 07:04:58 PM
Also why is the site default page still showing up as rick.codewalr.us? ???
Maybe that's something for the Easter Egg thread. :D
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 13, 2016, 10:10:41 PM
Nah it was set like that until the August 9th data loss. But for whatever reasons, some of the site stuff still seems to direct there. At least, though, when someone types an invalid domain name it now redirects to the forums, not a pic of Rick Astley.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dudeman313 on April 14, 2016, 08:48:30 PM
Oh, okay. Have you killed http support yet?
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 15, 2016, 05:59:02 AM
Not yet, and I think what will happen instead is that we'll make http automatically redirect or something like that.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Yuki on April 15, 2016, 01:48:18 PM
Quote from: DJ Omnimaga on April 15, 2016, 05:59:02 AM
Not yet, and I think what will happen instead is that we'll make http automatically redirect or something like that.
That's actually the point, if we're gonna kill http, it does mean it's gonna redirect to https, or else the site is gonna be unusable.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 15, 2016, 02:09:36 PM
Quote from: Juju on April 15, 2016, 01:48:18 PM
Quote from: DJ Omnimaga on April 15, 2016, 05:59:02 AM
Not yet, and I think what will happen instead is that we'll make http automatically redirect or something like that.
That's actually the point, if we're gonna kill http, it does mean it's gonna redirect to https, or else the site is gonna be unusable.
IIRC, disabling https was what Omni did last year though, right? The site didn't even work in that mode. That changed more recently, though.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dudeman313 on April 15, 2016, 08:27:35 PM
When? 'Cause there used to be a time I could access the full Omnimaga site on my Nokia E63, thru Opera Mini, and even use IRC there, but since last month, all I got was a blank page.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on April 16, 2016, 07:54:53 AM
Somewhere around October 2014 until earlier in 2016 or maybe before. I don't know if they changed anything afterwards or if it fixed itself, though. They rarely make any site updates public, unlike Cemetech, TI-Planet and CodeWalrus (which have site update threads such as this one)
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: allynfolksjr on April 22, 2016, 03:56:58 AM
Very nice change! Thanks for taking our security seriously. :)
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: c4ooo on April 30, 2016, 08:19:26 PM
What is the problem of letting people use HTTP if they want to? There's security risk for the server if the users use HTTP, right?
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on April 30, 2016, 09:01:26 PM
Quote from: c4ooo on April 30, 2016, 08:19:26 PM
What is the problem of letting people use HTTP if they want to? There's security risk for the server if the users use HTTP, right?
I totally agree. Leave HTTP support intact!
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: c4ooo on April 30, 2016, 09:06:43 PM
Either way, I vote "I don't care" :)
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on May 01, 2016, 03:02:45 AM
The problem is apparently when logging in with Sorunome's mod. Passwords are encrypted and stuff and using HTTP renders any form of encrypting useless. Personally I would not disable it entirely and tell users to use it at their own risk, but it depends.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on May 01, 2016, 03:06:31 AM
Quote from: DJ Omnimaga on May 01, 2016, 03:02:45 AM
The problem is apparently when logging in with Sorunome's mod. Passwords are encrypted and stuff and using HTTP renders any form of encrypting useless. Personally I would not disable it entirely and tell users to use it at their own risk, but it depends.
I don't give af about my password being sent using http as long as compatibility is maintained. I am sure people use https themselves if they care enough. If they don't then they don't use it. I would rather suggest adding a warning when logging in using http. Just a plain red box saying: "You are not using the HTTPS version of the site, so your credentials are sent in plain text. If you don't want that you can switch to the https version here [link]."
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on May 01, 2016, 03:07:26 AM
Yeah we could modify the warning that way. Also yeah this is why we made that poll.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Lionel Debroux on May 01, 2016, 07:08:01 AM
Quote
What is the problem of letting people use HTTP if they want to?
The problem is, by now, there's no good reason to want to use HTTP ;)
And the fact that HTTP remains accessible (beyond permanent redirection to HTTP upon first request, that is), for users who want to use HTTP despite the fact that it's a bad thing, is a threat to the privacy of other unwitting users, those who are not yet aware of what's at stake.
Compatibility with thoroughly obsolete, long-unmaintained platforms (as are most smartphones and tablets, unfortunately) is a liability, not an asset. The right thing to do is to push these out of the way, not try and remain compatible with these pieces of junk (which already can't access a growing number of sites following best security practices, anyway). Our community has already done the right thing, with four of the five major sites using high-grade TLS settings. One of these four is pretty much dead due to its staff's behaviour, but still.

Remember, you never know what the surveillance state collecting information through pervasive monitoring (of network connections, of unique IDs drawn onto paper by printers, etc.) can use against you in the future. Anything which makes the surveillance state's job harder (slower, more costly) is a good thing. Let's Encrypt is a fantastic tool for widening the use of encrypted communications on the Web. On a more normative ground, the "Pervasive monitoring is an attack" RFC strongly suggests, if not mandates, that all future standardized protocols build defenses against surveillance state methods.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on May 01, 2016, 07:15:28 AM
I think DarkestEx's main concern is that HTTPS is extremely slow on his Internet connection, especially on CodeWalrus. But it isn't necessarily our fault, but rather ISP's in Germany. Or perhaps the German government just gets SSL connections through a filter? Or is that 100% impossible? That said, maybe they just throttle SSL connections on purpose to discourage their use. IIRC some governments even wanted to make encryption illegal.

But the thing is that this is 2016, not 1996. People have to adapt, especially that maybe, one day, new browsers will ditch HTTP support entirely.

According to the poll, it looks like we will focus on HTTPS support, but not block HTTP access entirely. Instead, HTTP users will login to CW at their own risk (if any) and CW staff will be asked to only use HTTPS to avoid site defacement.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on May 01, 2016, 01:14:34 PM
Quote from: DJ Omnimaga on May 01, 2016, 07:15:28 AM
I think DarkestEx's main concern is that HTTPS is extremely slow on his Internet connection, especially on CodeWalrus. But it isn't necessarily our fault, but rather ISP's in Germany. Or perhaps the German government just gets SSL connections through a filter? Or is that 100% impossible? That said, maybe they just throttle SSL connections on purpose to discourage their use. IIRC some governments even wanted to make encryption illegal.

But the thing is that this is 2016, not 1996. People have to adapt, especially that maybe, one day, new browsers will ditch HTTP support entirely.

According to the poll, it looks like we will focus on HTTPS support, but not block HTTP access entirely. Instead, HTTP users will login to CW at their own risk (if any) and CW staff will be asked to only use HTTPS to avoid site defacement.
SSL isn't particularly slow here nor is CW but it used to be for a few weeks. I don't think the connections are filtered or slowed down as it only applied to CW when it was.

I don't like having features removed and I don't think http will ever be removed from browsers for compatibility.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on May 03, 2016, 04:27:07 AM
Ah ok, I thought it might have been due to some government bans or something.

And yeah we don't plan to remove any features unless nobody uses them. And even then we would ask users and if it involved data loss then we would at least make that data available in some forms.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dudeman313 on May 04, 2016, 01:18:25 AM
And I think I'll be okay with this even when browsing from my Nokia. Apparently, I've been using HTTPS this whole time. :-|
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on May 04, 2016, 01:19:02 AM
Does the entire site load fine on your side?

EDIT: on the topic of Nokia:

http://i1.kym-cdn.com/photos/images/facebook/000/232/787/4aa.jpg
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dudeman313 on May 05, 2016, 02:13:33 AM
All but GIFs, which appear as non-moving images that must be downloaded to see movement. Like :walrii: . I can only see his first frame.

And I'm not sure what that picture is trying to say... :-|

EDIT: IRC also doesn't load for me. Stays on loading page and doesn't move on. Slows down the webpage.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on May 05, 2016, 02:40:34 AM
That picture is a reference to an old Nokia 3310 meme. That phone is notorious for being nearly indestructible and somewhat heavy so people made lots of jokes about it and it spread on the Internet years ago. :P


Also at least you can see the :walrii: but it's a shame you can't use IRC.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on May 08, 2016, 03:44:49 PM
Quote from: Dudeman313 on May 05, 2016, 02:13:33 AM
All but GIFs, which appear as non-moving images that must be downloaded to see movement. Like :walrii: . I can only see his first frame.

And I'm not sure what that picture is trying to say... :-|

EDIT: IRC also doesn't load for me. Stays on loading page and doesn't move on. Slows down the webpage.
Just get a new phone. You can get the Moto E for under 80€. There are even cheaper offers if you buy them used.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on May 08, 2016, 03:48:13 PM
The problem @DarkestEx is I doubt his parents agree with you.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on May 08, 2016, 03:52:18 PM
Quote from: DJ Omnimaga on May 08, 2016, 03:48:13 PM
The problem @DarkestEx is I doubt his parents agree with you.
Some parents are just stupid morons when it comes to certain things and I don't just mean phones.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: novenary on May 09, 2016, 09:00:41 PM
I don't think you're the one to decide how parents should educate their children. You can do what you want with yours, but dudeman is only 12, which is pretty young for having a smartphone at all. It's not only a matter of money. I didn't even have a cellphone till I was 16 myself.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: aetios on May 09, 2016, 09:03:37 PM
Quote from: DarkestEx on May 01, 2016, 01:14:34 PM
SSL isn't particularly slow here nor is CW but it used to be for a few weeks. I don't think the connections are filtered or slowed down as it only applied to CW when it was.

I don't like having features removed and I don't think http will ever be removed from browsers for compatibility.
While it's not likely that http will be removed from browsers, it is very likely that webservers will lose http support thus killing its usage off to a minimum. The web is an unsafe place, that should be better. I forgot if I already stated my opinion on the matter but I'd be all for removing http support. Thing is that I don't want to break the site experience for people.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on May 09, 2016, 09:16:03 PM
Quote from: Streetwalrus on May 09, 2016, 09:00:41 PM
I don't think you should meddle in how parents educate their children. You can do what you want with yours, but dudeman is only 12, which is pretty young for having a smartphone at all. It's not only a matter of money. I didn't even have a cellphone till I was 16 myself.
Nah the issue with Dudeman313's parents is not smartphone restrictions, but rather the fact he is not allowed to play any video game at all, not even Tetris, Kirby, Mario Paint nor Wii Sports. It's not like those games are violent at all. Games are rated 6+ or 10+ in North America and the violent ones are rated higher. He is not allowed to frequent game-related forums at all either, even though in USA the legal age to sign up on a forum is 13 (and Dudeman313 now meets the legal age). From 8 to 15 years old I could play video games between 30 and 60 minutes per day. But yeah I guess it's their decision.
Quote from: aeTIos on May 09, 2016, 09:03:37 PM
Quote from: DarkestEx on May 01, 2016, 01:14:34 PM
SSL isn't particularly slow here nor is CW but it used to be for a few weeks. I don't think the connections are filtered or slowed down as it only applied to CW when it was.

I don't like having features removed and I don't think http will ever be removed from browsers for compatibility.
While it's not likely that http will be removed from browsers, it is very likely that webservers will lose http support thus killing its usage off to a minimum. The web is an unsafe place, that should be better. I forgot if I already stated my opinion on the matter but I'd be all for removing http support. Thing is that I don't want to break the site experience for people.
Yeah this is why I think we should wait. I brought up the topic in case just the action of leaving it enabled was a security threat even for people who don't use it.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on May 09, 2016, 11:38:36 PM
Quote from: Streetwalrus on May 09, 2016, 09:00:41 PM
I don't think you're the one to decide how parents should educate their children. You can do what you want with yours, but dudeman is only 12, which is pretty young for having a smartphone at all. It's not only a matter of money. I didn't even have a cellphone till I was 16 myself.
That's not the point I am trying to make. Some parents are just over caring like forbidding their child to accept physical prizes or similar things. While I bought my first cellphone with 13, I was forced to do so and personally didn't need one at the time. I can totally give my 50 cents here if I want to. And there are a ton of stupid parents out there, trust me there. My ones care enough but are still not too annoying. There are parents giving gun lessons to their children in murrica and ot letting their 11 year old son play 18+ titles.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: aetios on May 09, 2016, 11:44:38 PM
Welp, let's stay on topic. If you want a discussion thread I can split that off, but I'll be watching it 'cause this already looks a bit nasty, can't quite put my finger on it tho.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on May 09, 2016, 11:47:22 PM
Yeah my main issue is not when parents are protecting their kids, but rather parents that restrict their kid's activities based on personal beliefs. For example, some parents who hate technology might go as far as banning all video games from the house, disregarding what their kids might like the most, and then, there are families like this: http://www.torontosun.com/2013/08/31/guelph-family-lives-like-its-1986 . There are even parents who will restrict certain of their kids activities based on religious beliefs. And it's not just with video games. SirCmpwn was 17, yet was not even allowed to use his own car without his parents' permissions (which he rarely got).
Quote from: aeTIos on May 09, 2016, 11:44:38 PM
Welp, let's stay on topic. If you want a discussion thread I can split that off, but I'll be watching it 'cause this already looks a bit nasty, can't quite put my finger on it tho.
Feel free to do so
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on May 09, 2016, 11:48:04 PM
Quote from: aeTIos on May 09, 2016, 11:44:38 PM
Welp, let's stay on topic. If you want a discussion thread I can split that off, but I'll be watching it 'cause this already looks a bit nasty, can't quite put my finger on it tho.
(http://24.media.tumblr.com/tumblr_lvrf58vBkL1qibz0jo1_r1_1280.png)
/me runs
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on September 06, 2016, 06:02:02 PM
LOOK WHAT YOU DID TO MY POOR WINDOWS CE 5.0  :'(
(http://i.imgur.com/aGmy0lu.png)
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on September 06, 2016, 06:03:21 PM
That sucks. D: Anyway blame Streetwalrus :P
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Lionel Debroux on September 06, 2016, 06:10:52 PM
But, how dare you browse the modern, advanced but wild Internet with a Windows CE 5.0 computer and its original browser ? ;)
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on September 06, 2016, 06:12:33 PM
Quote from: DJ Omnimaga on September 06, 2016, 06:03:21 PM
That sucks. D: Anyway blame Streetwalrus :P
Haha yea XD
Well I am just kidding, but on some of my devices I still quite dislike the forced switch to HTTPS :P
For all you nostalgic people, my website HTTP://bmuessig.eu/ (http://bmuessig.eu/) will always stay SSL-free XD

Quote from: Lionel Debroux on September 06, 2016, 06:10:52 PM
But, how dare you browse the modern, advanced but wild Internet with a Windows CE 5.0 computer and its original browser ? ;)
I totally had to. This DVB-C receiver I bought new, old stock just needed to be let free on the modern internet. It's just 10 years out of date XD
(http://i.imgur.com/TK3d4w5.png)
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on September 06, 2016, 06:57:13 PM
Something to keep in mind is that we're now in 2016. :P
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: p2 on September 06, 2016, 06:59:31 PM
Quote from: DarkestEx on September 06, 2016, 06:12:33 PM
Quote from: Lionel Debroux on September 06, 2016, 06:10:52 PM
But, how dare you browse the modern, advanced but wild Internet with a Windows CE 5.0 computer and its original browser ? ;)
I totally had to. This DVB-C receiver I bought new, old stock just needed to be let free on the modern internet. It's just 10 years out of date XD
using internet explorer sounds more like it's 20 years out of date ^^
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: c4ooo on September 06, 2016, 07:44:29 PM
Quote from: DJ Omnimaga on September 06, 2016, 06:57:13 PM
Something to keep in mind is that we're now in 2016. :P
Times go by so fast D:
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: novenary on September 06, 2016, 08:39:01 PM
Quote from: DJ Omnimaga on September 06, 2016, 06:03:21 PM
That sucks. D: Anyway blame Streetwalrus :P
Butbutbut... it's @Juju's fault. :'(
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Yuki on September 06, 2016, 08:47:32 PM
Quote from: Streetwalrus on September 06, 2016, 08:39:01 PM
Quote from: DJ Omnimaga on September 06, 2016, 06:03:21 PM
That sucks. D: Anyway blame Streetwalrus :P
Butbutbut... it's @Juju's fault. :'(
b-b-but

Well, the thing is, we actually aren't forcing HTTPS. You're actually on normal HTTP and you can safely ignore that popup as we probably embedded some https images on the main page for some reason. Anyway, old browsers will have an outdated bundle of certificates and thus won't recognize newer certificates signed with root certificates that didn't exist yet when that browser and OS were compiled.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: novenary on September 06, 2016, 10:54:51 PM
Not to mention we only allow modern crypto so it probably won't work, certificate or not.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on September 06, 2016, 10:55:31 PM
Quote from: Streetwalrus on September 06, 2016, 10:54:51 PM
Not to mention we only allow modern crypto so it probably won't work, certificate or not.
What a sad move. RIP IE5  :'(
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: novenary on September 06, 2016, 11:00:34 PM
As juju said, regular http works for browsers that don't support modern crypto.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: DarkestEx on September 06, 2016, 11:01:17 PM
Quote from: Streetwalrus on September 06, 2016, 11:00:34 PM
As juju said, regular http works for browsers that don't support modern crypto.
Then it must be HTTPS resources on the front page making it not work.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Yuki on September 06, 2016, 11:17:21 PM
Quote from: DarkestEx on September 06, 2016, 11:01:17 PM
Quote from: Streetwalrus on September 06, 2016, 11:00:34 PM
As juju said, regular http works for browsers that don't support modern crypto.
Then it must be HTTPS resources on the front page making it not work.
As I said.

And as I said, we got everything covered to offer you a potable experience on old browsers.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on September 06, 2016, 11:52:32 PM
One issue with SMF plugins is that they sometimes require us to use absolute links rather than relative. I wish the URL tag allowed us to use relative links.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: gameblabla on December 05, 2016, 01:20:59 AM
img.codewalr.us 's certificate is self-signed, which means that over HTTPS,
Firefox (and maybe Chrome) will refuse to serve it.

juju and streetwalrus should fix dis.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on December 05, 2016, 05:18:11 AM
To be honest, when we switched to LE I thought this would solve all our sub-domain cert issues. @Juju and @Streetwalrus should indeed fix this. Plus this would allow us to finally use SSL for the WalrusIRC smileys and other things.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: novenary on December 05, 2016, 05:40:35 AM
Quote from: gameblabla on December 05, 2016, 01:20:59 AM
img.codewalr.us's certificate is self-signed, which means that over HTTPS,
Firefox (and maybe Chrome) will refuse to serve it.

juju and streetwalrus should fix dis.
HTTPS is not enabled on that subdomain, I have no idea how this is happening.
Let's Encrypt can't fix anything, all it does is give us certs for free. We need to take care of things.

Edit: actually it's probably trying to serve the default subdomain, pretty sure that's the issue.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on December 05, 2016, 05:49:12 AM
Ah that might explain it. I recall trying one of the sub-domains on https and it redirected to a Rick Astley pic.

I think we should enable https on all subdomains.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Yuki on December 05, 2016, 06:04:00 AM
Ah yeah, HTTPS might not be enabled on all domains in the webserver's config, nothing to do with Let's Encrypt.
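Added example (not from any poster, and not CodeWalrus's real configuration): when a hostname has a port-80 server block but no TLS block, nginx answers HTTPS requests for it with the default server for that listen socket, so the browser is shown another host's certificate. The Python below finds such names in a constructed config; hostnames, paths and function names are assumptions, and the parser only handles flat server blocks without nested braces or comments.

```python
import re

# Constructed nginx configuration (hostnames and certificate paths are placeholders).
SAMPLE_CONF = """
server {
    listen 80;
    server_name www.example.test img.example.test;
}
server {
    listen 443 ssl default_server;
    server_name www.example.test;
    ssl_certificate /etc/ssl/www.example.test.pem;
}
server {
    listen 443 ssl;
    server_name irc.example.test;
    ssl_certificate /etc/ssl/irc.example.test.pem;
}
"""

def parse_servers(conf):
    """Return one dict per flat server block: names, listen args, certificate."""
    servers = []
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        directives = [d.split() for d in body.split(";") if d.strip()]
        servers.append({
            "names": [n for d in directives if d[0] == "server_name" for n in d[1:]],
            "listens": [d[1:] for d in directives if d[0] == "listen"],
            "cert": next((d[1] for d in directives if d[0] == "ssl_certificate"), None),
        })
    return servers

def https_fallbacks(conf):
    """Map each name served on port 80 only to the certificate HTTPS clients would get."""
    servers = parse_servers(conf)
    tls = [s for s in servers if any("ssl" in l for l in s["listens"])]
    # nginx answers unmatched names with the default_server, else the first block for that listen.
    default = next((s for s in tls if any("default_server" in l for l in s["listens"])),
                   tls[0] if tls else None)
    tls_names = {n for s in tls for n in s["names"]}
    plain_names = {n for s in servers if s not in tls for n in s["names"]}
    return {n: (default["cert"] if default else None) for n in sorted(plain_names - tls_names)}
```

Each name it reports needs its own `listen 443 ssl` server block with a certificate that covers that name.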
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Dream of Omnimaga on December 05, 2016, 06:08:54 AM
Can't it be fixed?
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: novenary on December 05, 2016, 06:17:45 AM
It can, but it's effort. :P
Will look into it tonight.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Yuki on December 05, 2016, 06:22:40 AM
Don't think it is a lot of effort.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: novenary on December 05, 2016, 06:24:09 AM
Yeah, just need a little bit of setup, shouldn't be hard at all.
Would be cool if nginx supported variables/macros in the config so we could just add an include line and add the domain to acmetool, and boom, https.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: Yuki on December 05, 2016, 06:29:27 AM
Ah yeah, that would be fun. I think nginx supports variables. Probably.

The best would be to renew the certs directly in the config and I think it's possible.
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: novenary on December 05, 2016, 06:33:24 AM
I already have this thing (https://github.com/hlandau/acme) set up, you just tell it that you want certs for a given subdomain and it will check and renew them on a cronjob.
The only problem is the nginx config, lots of copy-pasta. Also our current config is a bit messy. :P
Title: Re: Killing HTTP support on CodeWalrus (site would become HTTPS-only)
Post by: gameblabla on January 21, 2018, 12:45:23 AM
Bump.
More and more browsers are now complaining about insecure connections.
And while codewalr.us does support HTTPS, there are some issues:
- On the frontpage, some images use http: rather than https:. Should be fairly trivial to fix.
- Cookies do not use the HttpOnly and Secure flags. Should be done for security.

I believe it should be made HTTPS-only because even on older operating systems like NT 4.0, it is possible to visit secure websites with TLS 1.0 and all.
As for browsers that do not support HTTPS, I honestly doubt they can support codewalr.us properly anyway.
Preferably, codewalrus should also support CSP. Here are the CSP settings I use for my website.


# Apache mod_headers directive; each trailing backslash continues the line
Header always set Content-Security-Policy "default-src 'none'; base-uri 'none'; \
frame-ancestors 'none'; form-action 'none'; \
font-src 'self'; child-src 'none'; script-src 'self'; object-src 'none'; \
connect-src 'none'; style-src 'self'; img-src 'self';"


Of course, since codewalrus supports scripting, you should tweak them according to your needs.

You can use the observatory by Mozilla for more info:
https://observatory.mozilla.org
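Added example, not part of gameblabla's post and not CodeWalrus code: a Python check for the three items the post lists (cookies lacking Secure/HttpOnly, images fetched over http: on an HTTPS page, no Content-Security-Policy header), run over a constructed response. Header values, hostnames and function names are assumptions.

```python
import re

# Constructed HTTP response for an HTTPS page (header values and markup are made up).
SAMPLE_HEADERS = [
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
    ("Content-Type", "text/html; charset=UTF-8"),
]
SAMPLE_HTML = """
<img src="http://img.example.test/logo.png">
<img src="https://img.example.test/banner.png">
<script src="//cdn.example.test/app.js"></script>
<a href="http://example.test/forum">forum</a>
"""

def cookie_flag_gaps(headers):
    """Return {cookie name: [missing flags]} for every Set-Cookie header."""
    gaps = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in value.split(";")]
        # Attribute names are case-insensitive; compare them lowercased.
        present = {a.split("=", 1)[0].lower() for a in attrs}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in present]
        if missing:
            gaps[pair.split("=", 1)[0]] = missing
    return gaps

def mixed_content(html):
    """List http: URLs loaded as subresources (src=); plain links (href=) are not counted."""
    return re.findall(r"""\bsrc\s*=\s*["'](http://[^"']+)""", html, flags=re.I)

def has_csp(headers):
    """True when the response carries a Content-Security-Policy header."""
    return any(n.lower() == "content-security-policy" for n, _ in headers)

def audit(headers, html):
    """Combine the three checks into one report."""
    return {"cookies": cookie_flag_gaps(headers),
            "mixed": mixed_content(html),
            "csp": has_csp(headers)}
```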