I noticed in Opera 30 and Chrome mobile that CodeWalrus now redirects to https when using http, despite staff not planning to force https. Is that normal? Because that could cause issues with some public computer or older mobile device users.
http://codewalr.us/index.php?topic=629.msg19271#msg19271
Well, that is the url I get when using an old version of chrome that doesn't support omnimaga's form of https. And my kindle still works. It's not a problem for me!
Maybe it's your browser checking if https is available, and if so uses it since it's safer?
Two ideas:
1. You aren't using HTTPS Everywhere or anything of that kind, are you? (Kinda hard since you talk about Chrome mobile and AFAIK that doesn't support extensions)
2. Could it have something to do with https://ma.ttias.be/chrome-44-sending-https-header-by-mistake-breaking-web-applications-everywhere/ ? Recent versions of Opera are Chromium-based but I'm finding it strange for the bug to have found its way to Opera so fast...
Interesting. I am curious if it could be the latter issue. I'll have to investigate further I guess.
Afaik enforcing https will become default behaviour in most major browsers in the not-too-distant future. So maybe these two already started implementing that?
HTTPS Everywhere is unlikely to be the issue as it doesn't know about codewalrus' https alt (unless you implicitly tell it).
Ok, so it looks like newer browsers are using HTTPS by default on CW and some other sites now. I just checked the following websites when typing http instead of https and got the following:
-CodeWalrus: IE6 shows the website (obviously with many display issues, but at least it displays at all)
-Omnimaga: IE6 shows error (Page can't be displayed)
-Cemetech: IE6 shows error
-TI-Planet: IE6 shows error
So CW doesn't force the use of HTTPS. Of course IE6 is pretty much useless now but I was more worried about older mobile devices or stuff like Kindles from 2008.
However, I restarted after removing CW from my Opera settings and stuff and now it shows HTTP. Mobile still shows HTTPS by default.
Older kindles are fine until there's a 360 redirect force HTTPS thing. :P
Can you access Cemetech and Omnimaga from yours, though?
Not omnimaga, but cemetech works fine, as well as ti planet. ;)
Quote from: utz on July 24, 2015, 10:47:31 PM
Afaik enforcing https will become default behaviour in most major browsers in the not-too-distant future. So maybe these two already started implementing that?
HTTPS Everywhere is unlikely to be the issue as it doesn't know about codewalrus' https alt (unless you implicitly tell it).
Since Chrome is quite up-to-date I'd guess they've already implemented it. Also, there's probably a check to see if a server supports https.
Juju perfected the https config and enabled HSTS (https enforcing). That means if your browser supports https then it will use it. Only ancient browsers should dislike it. HSTS was introduced in 2012 so browsers older than that will most likely ignore it so nothing to worry about. :)
Quote from: Unicorn on July 25, 2015, 02:53:24 AM
Not omnimaga, but cemetech works fine, as well as ti planet. ;)
I just checked those three sites on my Samsung i5510 actually (which runs Android 2.2.2) and this is what I got:
-Omnimaga: Doesn't work at all
-Cemetech: Works fine
-TI-Planet: Throws a warning, but works fine
When I still went to Omnimaga, all I had as mobile device was the Samsung i5510, which only supported Android 2.2.2. If the forced HTTPS would have happened back then and that Tapatalk would not have existed, I would have been in a bit of trouble. >.<
Quote from: DJ Omnimaga on July 25, 2015, 05:23:40 PM
-TI-Planet: Throws a warning, but works fine
Do you know what warning it was?
I don't exactly remember what it was, but it was about untrusted certificate and it asked me to accept it. I have the same problem on many other HTTPS website (eg TVA Nouvelles).
Quote from: DJ Omnimaga on July 25, 2015, 05:55:34 PM
I don't exactly remember what it was, but it was about untrusted certificate and it asked me to accept it. I have the same problem on many other HTTPS website (eg TVA Nouvelles).
Hmm, so this phone (or at least that old OS on the phone) somehow doesn't know/trust StartSSL (the signing authority)...
I guess it's ok with a bit more recent OSes, with updated trust stores...
Yeah that could explain it. Thankfully, the site still works. I guess it might just be a bit annoying for certain users or scary for technology-illiterate users to have such warning.
Ah yeah, StartSSL. They're not trusted by everyone, or at least not until recently.
Few browsers trusted CACert by default, but StartSSL has been well supported by the mainstream browsers for years.
It's heart-breaking for users that manufacturers are so careless about updating devices :(
What is strange is that back in the days, certain certificates seemed trusted by almost every browser, old or new. Even older versions of IE seemed to have no issue displaying such sites, aside from a warning about how we are about to enter a secured connection, which we could disable. I am betting that those certificates were the ones that cost several hundreds of dollars, though. I myself would never pay this much for a certificate unless I was really serious about a website. Not that I am not serious about CW, but it only averages at 4000 page views a day and doesn't even have a shop (it used to, but it was external).
EDIT: Also, the Facebook sharing doesn't work by default on HTTPS now. It says content was blocked. The FB button at the top of the page works, but not the one in the first post of each topic.
So I read up on the web browser, and it has support for SSL, and a couple of other things.
The Startcom Class 1 certificate is for no fee, and the Class 2 certificate, with wildcard support, was only $30 a year when we bought one for TI-Planet + Inspired-Lua, which is far better than the other CAs.
The Let's Encrypt (https://letsencrypt.org/) initiative from Mozilla, the EFF and friends, which is supposed to produce its first certificate next week and become available for the general public in September, will change the cards in the CA business, at long last.
Hm interesting. Ideally we would prefer to use free certificates since Juju can't even afford to pay CW hosting right now (I pay most of it ATM).
Quote from: DJ Omnimaga on July 26, 2015, 04:31:05 PM
Hm interesting. Ideally we would prefer to use free certificates since Juju can't even afford to pay CW hosting right now (I pay most of it ATM).
I still had like one dollar on the paypal account I never use (since I need to make a minimum transaction of €25 to put money on it <_<) so I figured, why not give it?
Also since CW has a lot of Dutch members maybe it's worth adding iDeal as payment method?
Is iDeals a Dutch-only thing? I could perhaps check if SMF has a plugin that adds support for it.
Yeah, I enabled HSTS the other day. As Streetwalrus said, you still have access to HTTP, and since HSTS is fairly new, your old browser should not do the redirection since it doesn't know yet how to do that. And even on new browsers, it only works if you already went on HTTPS at least once since I activated it, and there's a way in the settings (at least on Chrome, you may probably have to delete some cache file) to "forget" you already visited that site on HTTPS.
For the certificates, we use the ones at Namecheap, they're often free with a new domain name, otherwise they're real cheap, like $1.88 if I remember well. And they do the job. There are errors on Omnimaga and CodeWalrus, but it's because we serve HTTP content over HTTPS, which is quite normal for a server, I guess, and this error should be ignorable.
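A small model of the browser behaviour Juju describes, added here as an example and not code from the CodeWalrus server or from anyone in this thread: a browser only records an HSTS policy it received over HTTPS, then upgrades later http:// URLs for that host (and its subdomains when includeSubDomains is set) until max-age runs out, and "forgetting" the host drops the upgrade again. The header value and the HstsCache class are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample header value; not CodeWalrus' actual policy.
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expires_at, include_subdomains)."""

    def __init__(self):
        self.entries = {}

    def observe(self, host, headers, over_https, now):
        # RFC 6797: an HSTS header received over plain HTTP is ignored, which is
        # why the site only becomes "known" after at least one HTTPS visit.
        value = headers.get("Strict-Transport-Security")
        if not over_https or value is None:
            return
        max_age, include_sub = parse_hsts(value)
        if max_age is None:
            return
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + max_age, include_sub)

    def forget(self, host):
        # What clearing the site from the browser's settings does.
        self.entries.pop(host, None)

    def is_known(self, host, now):
        # Walk from the host up to its parents; a parent only counts with includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        # The internal upgrade the browser performs before any request leaves.
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + parts[1:])
        return url
```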
Quote from: DJ Omnimaga on July 27, 2015, 12:54:31 AM
Is iDeals a Dutch-only thing? I could perhaps check if SMF has a plugin that adds support for it.
Yeah I think it is. It's supported on many international platforms though
By the way, if you still want to use http, use http://http.codewalr.us or any other subdomain that doesn't already have a defined purpose.
Lol I didn't know this worked. But then won't the url switch back to default site URL once clicking links?
Edit: it does x.x
Eh, didn't think of that. Nevermind then.
Quote from: Lionel Debroux on July 26, 2015, 06:50:16 AM
The Let's Encrypt (https://letsencrypt.org/) initiative from Mozilla, the EFF and friends, which is supposed to produce its first certificate next week and become available for the general public in September, will change the cards in the CA business, at long last.
They changed their schedule, and general availability will be in November.
It's really nice that they're doing it at all, looking forward to avoid the mess of adding trusted certificates on android. Basically you can either add one from the settings app and get a lockscreen code forced on you or go through the trouble of figuring out how the system expects it and installing on the system partition. I eventually did the latter when I got fed up with the former.
Quote from: Legimet on August 11, 2015, 09:28:01 PM
Quote from: Lionel Debroux on July 26, 2015, 06:50:16 AM
The Let's Encrypt (https://letsencrypt.org/) initiative from Mozilla, the EFF and friends, which is supposed to produce its first certificate next week and become available for the general public in September, will change the cards in the CA business, at long last.
They changed their schedule, and general availability will be in November.
As long as they don't do the same as Duke Nukem Forever... <_<
Also, for odd reasons, the certificate we currently use causes the website to randomly lag like hell with some German ISPs.
Quote from: DJ Omnimaga on August 12, 2015, 12:51:00 AM
Also, for odd reasons, the certificate we currently use causes the website to randomly lag like hell with some German ISPs.
Maybe it has something to do with OCSP (https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol).
Ah, maybe
@Streetwalrus and @Juju could check that out?
Coincidentally, we've had to temporarily disable OCSP stapling on tiplanet domains (and others) as the startssl server for the check was being unreliable the past few days
By the way @Juju would it be possible to make http://img.codewalr.us work with https? Or do you need to use a different certificate per sub-domain?
Our https certificate is only for codewalr.us and www.codewalr.us. We should get a wildcard certificate but these are expensive as hell. Probably going to be fixed with Let's Encrypt in like 2-3 weeks now.
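To show why the current certificate cannot serve img.codewalr.us and what a wildcard certificate would change, here is an added Python example (not CodeWalrus' or TI-Planet's code): the SAN lists are constructed from what the posts describe, and match_name follows the usual RFC 6125 rule that "*" stands for exactly one whole leftmost label, never the bare domain and never two levels down.

```python
# Constructed SAN lists: the first mirrors the certificate described above,
# the second is what a wildcard certificate for the same domain would carry.
CURRENT_SANS = ["codewalr.us", "www.codewalr.us"]
WILDCARD_SANS = ["codewalr.us", "*.codewalr.us"]


def match_name(pattern, hostname):
    """RFC 6125-style name match: exact match, or '*' as the entire leftmost
    label matching exactly one label (no partial wildcards, no '*.us')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans, hostname):
    """True if any Subject Alternative Name on the certificate matches the host."""
    return any(match_name(san, hostname) for san in sans)


def uncovered_hosts(sans, hostnames):
    """The hosts we serve that would trigger a name-mismatch warning in the browser."""
    return [h for h in hostnames if not cert_covers(sans, h)]
```

Running uncovered_hosts with the three CodeWalrus hostnames and CURRENT_SANS leaves only img.codewalr.us, which is exactly the warning the image subdomain produces over HTTPS.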
Quote from: Streetwalrus on November 01, 2015, 09:21:10 AM
We should get a wildcard certificate but these are expensive as hell.
Absolutely not :) TI-Planet's is multiple-domain as well as wildcard and only cost $60 for 2 years, or something. (It's a Class 2 StartSSL one (https://www.startssl.com/?app=40), organization verified)
Well we don't have the same kind of funds as you do, for us that's half what hosting costs already (we pay $12 a month, or $144 a year).
Well, that's $2.5 per month, though, even rare ads could cover that.
But ads. D:
That's in theory :P
But... have you guys thought about adding a Donate button?
There is one actually. It's in your profile > paid subscriptions. Not the easiest to find and requires an account though, but we get enough donations it seems.
But yeah, waiting for let's encrypt. :)
Why are SSL certificates so expensive anyway? I mean I could generate one myself so that's obviously not it
Because they are verified by a Certificate Authority, and it's the only way the certificates are going to be trusted blindly by a browser. Otherwise you get the warning message that's extremely discouraging for most users.
$30 or more per year seems like an awful lot of money just to put something in a database...
With the higher trust levels which are more expensive, you also have to meet members of the CA to confirm your identity and stuff. Even when I registered for free certs at StartSSL (for another project), I had to answer a phone call to confirm that the phone number I gave was mine. That's why they make you pay apparently.
Oh yeah, now I remember why I didn't get a certificate there :P
There are two parts in secure transmissions: encryption (with PFS ciphers, of course - non-PFS ciphers are much easier to bypass, and must therefore not be used), and identity (checking, with some reasonable certainty, that the peer is what it pretends to be). Fundamentally, one can't create trust with cryptography, so CAs attempt to take care of the latter.
Currently, users don't have a choice, they need to go through the monopoly of the CA cartel, which imposes outrageous price tags (though Startcom sets itself apart from the crowd, by being cheap and relatively unintrusive) to users, while committing various occurrences of insecurity (DigiNotar and crew) or crimes (signing fake, trusted certificates for Google, as Symantec was most recently caught doing, triggering strong pushback by Google). Let's Encrypt will break that monopoly, at long last.
That's basically it. The same thing happened with mobile phone carriers in France and in Israel, in both countries a new carrier jumped into the business, smashing the prices of the market, which caused the insane monopoly to end, and mobile data is now affordable (I pay 37 shekel/month, less than 10€, for 2h calls, unlimited SMS/MMS and 6GB mobile data including LTE).
I guess something that could be done is move img.codewalr.us to codewalr.us/imgupload or something and preserve old links so they forward to the new https URL.
And yeah money is always the issue >.<
Quote from: Streetwalrus on November 01, 2015, 10:45:43 AM
That's basically it. The same thing happened with mobile phone carriers in France and in Israel, in both countries a new carrier jumped into the business, smashing the prices of the market, which caused the insane monopoly to end, and mobile data is now affordable (I pay 37 shekel/month, less than 10€, for 2h calls, unlimited SMS/MMS and 6GB mobile data including LTE).
In Canada, many new phone companies did that as well, but only recently. The same thing happened with Internet, with resellers popping up everywhere. But the problem is that Bell company is trying to take them down via some anti-competitive tactics and stuff like that, and if others close down then Bell could raise their prices as high as they want. There is a petition going around about it https://act.openmedia.org/emergency?utm_campaign=7012&tdid=127