CodeWalrus

CodeWalrus Website => Site Discussion => Site Discussion & Bug Reports => Topic started by: DJ Omnimaga on July 24, 2015, 08:33:25 pm

Title: Forced https? ???
Post by: DJ Omnimaga on July 24, 2015, 08:33:25 pm
I noticed in Opera 30 and Chrome mobile that CodeWalrus now redirects to https when using http, despite staff not planning to force https. Is that normal? Because that could cause issues with some public computer or older mobile device users.
Title: Re: Forced https? ???
Post by: Unicorn on July 24, 2015, 08:35:42 pm
http://codewalr.us/index.php?topic=629.msg19271#msg19271

Well, that is the url I get when using an old version of chrome that doesn't support omnimaga's form of https. And my kindle still works. It's not a problem for me!
Title: Re: Forced https? ???
Post by: Snektron on July 24, 2015, 08:36:37 pm
Maybe it's your browser checking if https is available, and if so uses it since it's safer?
Title: Re: Forced https? ???
Post by: gbl08ma on July 24, 2015, 09:00:31 pm
Two ideas:
1. You aren't using HTTPS Everywhere or anything of that kind, are you? (Kinda hard since you talk about Chrome mobile and AFAIK that doesn't support extensions)
2. Could it have something to do with https://ma.ttias.be/chrome-44-sending-https-header-by-mistake-breaking-web-applications-everywhere/ ? Recent versions of Opera are Chromium-based but I'm finding it strange for the bug to have found its way to Opera so fast...
Title: Re: Forced https? ???
Post by: DJ Omnimaga on July 24, 2015, 10:02:04 pm
Interesting. I am curious if it could be the latter issue. I'll have to investigate further I guess.
Title: Re: Forced https? ???
Post by: utz on July 24, 2015, 10:47:31 pm
Afaik enforcing https will become default behaviour in most major browsers in the not-too-distant future. So maybe these two already started implementing that?

HTTPS Everywhere is unlikely to be the issue as it doesn't know about codewalrus' https alt (unless you implicitly tell it).
Title: Re: Forced https? ???
Post by: DJ Omnimaga on July 25, 2015, 01:53:13 am
Ok, so it looks like newer browsers are using HTTPS by default on CW and some other sites now. I just checked the following websites when typing http instead of https and got the following:

-CodeWalrus: IE6 shows the website (obviously with many display issues, but at least it displays at all)
-Omnimaga: IE6 shows error (Page can't be displayed)
-Cemetech: IE6 shows error
-TI-Planet: IE6 shows error

So CW doesn't force the use of HTTPS. Of course IE6 is pretty much useless now but I was more worried about older mobile devices or stuff like Kindles from 2008.

However, I restarted after removing CW from my Opera settings and stuff and now it shows HTTP. Mobile still shows HTTPS by default.
Title: Re: Forced https? ???
Post by: Unicorn on July 25, 2015, 01:59:54 am
Older kindles are fine until there's a 360 redirect force HTTPS thing. :P
Title: Re: Forced https? ???
Post by: DJ Omnimaga on July 25, 2015, 02:31:31 am
Can you access Cemetech and Omnimaga from yours, though?
Title: Re: Forced https? ???
Post by: Unicorn on July 25, 2015, 02:53:24 am
Not omnimaga, but cemetech works fine, as well as ti planet. ;)
Title: Re: Forced https? ???
Post by: Snektron on July 25, 2015, 11:27:40 am
Quote from: utz on July 24, 2015, 10:47:31 pm
Afaik enforcing https will become default behaviour in most major browsers in the not-too-distant future. So maybe these two already started implementing that?

HTTPS Everywhere is unlikely to be the issue as it doesn't know about codewalrus' https alt (unless you implicitly tell it).

Since Chrome is quite up-to-date, I'd guess they've already implemented it. Also, there's probably a check to see if a server supports https.
Title: Re: Forced https? ???
Post by: Streetwalrus on July 25, 2015, 12:32:09 pm
Juju perfected the https config and enabled HSTS (https enforcing). That means if your browser supports https then it will use it. Only ancient browsers should dislike it. HSTS was introduced in 2012 so browsers older than that will most likely ignore it so nothing to worry about. :)
Title: Re: Forced https? ???
Post by: DJ Omnimaga on July 25, 2015, 05:23:40 pm
Quote from: Unicorn on July 25, 2015, 02:53:24 am
Not omnimaga, but cemetech works fine, as well as ti planet. ;)
I just checked those three sites on my Samsung i5510 actually (which runs Android 2.2.2) and this is what I got:

-Omnimaga: Doesn't work at all
-Cemetech: Works fine
-TI-Planet: Throws a warning, but works fine

When I still went to Omnimaga, all I had as a mobile device was the Samsung i5510, which only supported Android 2.2.2. If the forced HTTPS had happened back then and Tapatalk had not existed, I would have been in a bit of trouble. >.<
Title: Re: Forced https? ???
Post by: Adriweb on July 25, 2015, 05:54:12 pm
Quote from: DJ Omnimaga on July 25, 2015, 05:23:40 pm
-TI-Planet: Throws a warning, but works fine

Do you know what warning it was?
Title: Re: Forced https? ???
Post by: DJ Omnimaga on July 25, 2015, 05:55:34 pm
I don't exactly remember what it was, but it was about an untrusted certificate and it asked me to accept it. I have the same problem on many other HTTPS websites (eg TVA Nouvelles).
Title: Re: Forced https? ???
Post by: Adriweb on July 25, 2015, 05:59:58 pm
Quote from: DJ Omnimaga on July 25, 2015, 05:55:34 pm
I don't exactly remember what it was, but it was about untrusted certificate and it asked me to accept it. I have the same problem on many other HTTPS website (eg TVA Nouvelles).

Hmm, so this phone (or at least that old OS on the phone) somehow doesn't know/trust StartSSL (the signing authority)...
I guess it's ok with a bit more recent OSes, with updated trust stores...
Title: Re: Forced https? ???
Post by: DJ Omnimaga on July 25, 2015, 06:01:04 pm
Yeah that could explain it. Thankfully, the site still works. I guess it might just be a bit annoying for certain users or scary for technology-illiterate users to have such a warning.
Title: Re: Forced https? ???
Post by: Streetwalrus on July 25, 2015, 07:37:19 pm
Ah yeah, StartSSL. They're not trusted by everyone, or at least not until recently.
Title: Re: Forced https? ???
Post by: Lionel Debroux on July 25, 2015, 07:45:57 pm
Few browsers trusted CACert by default, but StartSSL has been well supported by the mainstream browsers for years.
It's heart-breaking for users that manufacturers are so careless about updating devices :(
Title: Re: Forced https? ???
Post by: DJ Omnimaga on July 25, 2015, 08:14:52 pm
What is strange is that back in the day, certain certificates seemed trusted by almost every browser, old or new. Even older versions of IE seemed to have no issue displaying such sites, aside from a warning about how we are about to enter a secured connection, which we could disable. I am betting that those certificates were the ones that cost several hundred dollars, though. I myself would never pay this much for a certificate unless I was really serious about a website. Not that I am not serious about CW, but it only averages at 4000 page views a day and doesn't even have a shop (it used to, but it was external).

EDIT: Also, the Facebook sharing doesn't work by default on HTTPS now. It says content was blocked. The FB button at the top of the page works, but not the one in the first post of each topic.
Title: Re: Forced https? ???
Post by: Unicorn on July 26, 2015, 04:33:08 am
So I read up on the web browser, and it has support for SSL, and a couple of other things.
Title: Re: Forced https? ???
Post by: Lionel Debroux on July 26, 2015, 06:50:16 am
The Startcom Class 1 certificate is for no fee, and the Class 2 certificate, with wildcard support, was only $30 a year when we bought one for TI-Planet + Inspired-Lua, which is far better than the other CAs.
The Let's Encrypt (https://letsencrypt.org/) initiative from Mozilla, the EFF and friends, which is supposed to produce its first certificate next week and become available for the general public in September, will change the cards in the CA business, at long last.
Title: Re: Forced https? ???
Post by: DJ Omnimaga on July 26, 2015, 04:31:05 pm
Hm interesting. Ideally we would prefer to use free certificates since Juju can't even afford to pay CW hosting right now (I pay most of it ATM).
Title: Re: Forced https? ???
Post by: Snektron on July 26, 2015, 06:01:56 pm
Quote from: DJ Omnimaga on July 26, 2015, 04:31:05 pm
Hm interesting. Ideally we would prefer to use free certificates since Juju can't even afford to pay CW hosting right now (I pay most of it ATM).

I still had like one dollar on the paypal account I never use (since I need to make a minimum transaction of €25 to put money on it <_<) so I figured, why not give it?
Also since CW has a lot of Dutch members maybe it's worth adding iDeal as payment method?
Title: Re: Forced https? ???
Post by: DJ Omnimaga on July 27, 2015, 12:54:31 am
Is iDeals a Dutch-only thing? I could perhaps check if SMF has a plugin that adds support for it.
Title: Re: Forced https? ???
Post by: Juju on July 27, 2015, 03:40:50 am
Yeah, I enabled HSTS the other day. As Streetwalrus said, you still have access to HTTP, and since HSTS is fairly new, your old browser should not do the redirection since it doesn't know yet how to do that. And even on new browsers, it only works if you already went on HTTPS at least once since I activated it and there's a way in the settings (at least on Chrome, you may probably have to delete some cache file) to "forget" you already visited that site on HTTPS.

For the certificates, we use the ones at Namecheap, they're often free with a new domain name, otherwise they're real cheap, like $1.88 if I remember well. And they do the job. There are errors on Omnimaga and CodeWalrus, but it's because we serve HTTP content over HTTPS, which is quite normal for a server, I guess, and this error should be ignorable.
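Juju's description of how HSTS takes effect (only after the header has been seen over HTTPS, only in browsers that implement it, and forgettable from the browser's settings) can be made concrete with a small model of a browser's HSTS cache. This is an added example, not code from the thread or from the CodeWalrus server; the host names, header values and clock used with it are constructed for illustration.

```python
# Added example (not from the CodeWalrus thread): a toy model of a browser's HSTS cache.
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None  # malformed max-age: browsers ignore the whole header
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so policy expiry is testable
        self._policies = {}  # host -> (expiry time, includeSubDomains)

    def observe(self, url, headers):
        """Record a policy; only a header received over HTTPS counts (RFC 6797)."""
        parts = urlsplit(url)
        parsed = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 asks the browser to forget the host
        else:
            self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def forget(self, host):  # what clearing the site from browser settings does
        self._policies.pop(host.lower(), None)

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy and policy[0] > self._now() and (i == 0 or policy[1]):
                return True  # exact host, or a parent policy with includeSubDomains
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// only for hosts with a live policy."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

A browser that never implemented HSTS corresponds to a store that never calls `observe`, so its `upgrade` leaves every http:// URL untouched, which is why old devices keep reaching the plain-HTTP site.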
Title: Re: Forced https? ???
Post by: Snektron on July 28, 2015, 07:44:13 pm
Quote from: DJ Omnimaga on July 27, 2015, 12:54:31 am
Is iDeals a Dutch-only thing? I could perhaps check if SMF has a plugin that adds support for it.

Yeah I think it is. It's supported on many international platforms though
Title: Re: Forced https? ???
Post by: Streetwalrus on August 11, 2015, 02:09:51 pm
By the way, if you still want to use http, use http://http.codewalr.us or any other subdomain that doesn't already have a defined purpose.
Title: Re: Forced https? ???
Post by: DJ Omnimaga on August 11, 2015, 03:19:03 pm
Lol I didn't know this worked. But then won't the url switch back to default site URL once clicking links?

Edit: it does x.x
Title: Re: Forced https? ???
Post by: Streetwalrus on August 11, 2015, 03:25:10 pm
Eh, didn't think of that. Nevermind then.
Title: Re: Forced https? ???
Post by: Legimet on August 11, 2015, 09:28:01 pm
Quote from: Lionel Debroux on July 26, 2015, 06:50:16 am
The Let's Encrypt (https://letsencrypt.org/) initiative from Mozilla, the EFF and friends, which is supposed to produce its first certificate next week and become available for the general public in September, will change the cards in the CA business, at long last.

They changed their schedule, and general availability will be in November.
Title: Re: Forced https? ???
Post by: Streetwalrus on August 11, 2015, 09:31:05 pm
It's really nice that they're doing it at all, looking forward to avoid the mess of adding trusted certificates on android. Basically you can either add one from the settings app and get a lockscreen code forced on you or go through the trouble of figuring out how the system expects it and installing on the system partition. I eventually did the latter when I got fed up with the former.
Title: Re: Forced https? ???
Post by: DJ Omnimaga on August 12, 2015, 12:51:00 am
Quote from: Legimet on August 11, 2015, 09:28:01 pm
Quote from: Lionel Debroux on July 26, 2015, 06:50:16 am
The Let's Encrypt (https://letsencrypt.org/) initiative from Mozilla, the EFF and friends, which is supposed to produce its first certificate next week and become available for the general public in September, will change the cards in the CA business, at long last.

They changed their schedule, and general availability will be in November.

As long as they don't do the same as Duke Nukem Forever... <_<

Also, for odd reasons, the certificate we currently use causes the website to randomly lag like hell with some German ISPs.
Title: Re: Forced https? ???
Post by: Legimet on August 12, 2015, 02:04:47 am
Quote from: DJ Omnimaga on August 12, 2015, 12:51:00 am
Also, for odd reasons, the certificate we currently use causes the website to randomly lag like hell with some German ISPs.

Maybe it has something to do with OCSP (https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol).
Title: Re: Forced https? ???
Post by: DJ Omnimaga on August 12, 2015, 02:24:33 am
Ah, maybe @Streetwalrus and @Juju could check that out?
Title: Re: Forced https? ???
Post by: Adriweb on August 12, 2015, 06:11:02 am
Coincidentally, we've had to temporarily disable OCSP stapling on tiplanet domains (and others) as the startssl server for the check was being unreliable the past few days.
Title: Re: Forced https? ???
Post by: DJ Omnimaga on November 01, 2015, 06:58:16 am
By the way @Juju would it be possible to make http://img.codewalr.us work with https? Or do you need to use a different certificate per sub-domain?
Title: Re: Forced https? ???
Post by: Streetwalrus on November 01, 2015, 09:21:10 am
Our https certificate is only for codewalr.us and www.codewalr.us. We should get a wildcard certificate but these are expensive as hell. Probably going to be fixed with Let's Encrypt in like 2-3 weeks now.
Title: Re: Forced https? ???
Post by: Adriweb on November 01, 2015, 09:23:48 am
Quote from: Streetwalrus on November 01, 2015, 09:21:10 am
We should get a wildcard certificate but these are expensive as hell.

Absolutely not :) TI-Planet's is multiple-domain as well as wildcard and only cost $60 for 2 years, or something. (It's a Class 2 StartSSL one (https://www.startssl.com/?app=40), organization verified)
Title: Re: Forced https? ???
Post by: Streetwalrus on November 01, 2015, 09:25:42 am
Well we don't have the same kind of funds as you do, for us that's half what hosting costs already (we pay $12 a month, or $144 a year).
Title: Re: Forced https? ???
Post by: Adriweb on November 01, 2015, 09:26:49 am
Well, that's $2.5 per month, though, even rare ads could cover that.
Title: Re: Forced https? ???
Post by: Streetwalrus on November 01, 2015, 09:27:29 am
But ads. D:
Title: Re: Forced https? ???
Post by: Adriweb on November 01, 2015, 09:28:06 am
That's in theory :P

But... have you guys thought about adding a Donate button?
Title: Re: Forced https? ???
Post by: Streetwalrus on November 01, 2015, 09:31:07 am
There is one actually. It's in your profile > paid subscriptions. Not the easiest to find and requires an account though, but we get enough donations it seems.

But yeah, waiting for let's encrypt. :)
Title: Re: Forced https? ???
Post by: Snektron on November 01, 2015, 09:54:43 am
Why are SSL certificates so expensive anyway? I mean I could generate one myself so that's obviously not it
Title: Re: Forced https? ???
Post by: Streetwalrus on November 01, 2015, 09:56:17 am
Because they are verified by a Certificate Authority, and it's the only way the certificates are going to be trusted blindly by a browser. Otherwise you get the warning message that's extremely discouraging for most users.
Title: Re: Forced https? ???
Post by: Snektron on November 01, 2015, 09:58:10 am
$30 or more per year seems like an awful lot of money just to put something in a database...
Title: Re: Forced https? ???
Post by: Streetwalrus on November 01, 2015, 10:10:25 am
With the higher trust levels which are more expensive, you also have to meet members of the CA to confirm your identity and stuff. Even when I registered for free certs at StartSSL (for another project), I had to answer a phone call to confirm that the phone number I gave was mine. That's why they make you pay apparently.
Title: Re: Forced https? ???
Post by: Snektron on November 01, 2015, 10:14:37 am
Oh yeah, now I remember why I didn't get a certificate there :P
Title: Re: Forced https? ???
Post by: Lionel Debroux on November 01, 2015, 10:37:44 am
There are two parts in secure transmissions: encryption (with PFS ciphers, of course - non-PFS ciphers are much easier to bypass, and must therefore not be used), and identity (checking, with some reasonable certainty, that the peer is what it pretends to be). Fundamentally, one can't create trust with cryptography, so CAs attempt to take care of the latter.
Currently, users don't have a choice, they need to go through the monopoly of the CA cartel, which imposes outrageous price tags (though Startcom sets itself apart from the crowd, by being cheap and relatively unintrusive) on users, while committing various occurrences of insecurity (DigiNotar and crew) or crimes (signing fake, trusted certificates for Google, as Symantec was most recently caught doing, triggering strong pushback by Google). Let's Encrypt will break that monopoly, at long last.
Title: Re: Forced https? ???
Post by: Streetwalrus on November 01, 2015, 10:45:43 am
That's basically it. The same thing happened with mobile phone carriers in France and in Israel, in both countries a new carrier jumped into the business, smashing the prices of the market, which caused the insane monopoly to end, and mobile data is now affordable (I pay 37 shekel/month, less than 10€, for 2h calls, unlimited SMS/MMS and 6GB mobile data including LTE).
Title: Re: Forced https? ???
Post by: DJ Omnimaga on November 04, 2015, 02:46:22 am
I guess something that could be done is move img.codewalr.us to codewalr.us/imgupload or something and preserve old links so they forward to the new https URL.

And yeah money is always the issue >.<
Quote from: Streetwalrus on November 01, 2015, 10:45:43 am
That's basically it. The same thing happened with mobile phone carriers in France and in Israel, in both countries a new carrier jumped into the business, smashing the prices of the market, which caused the insane monopoly to end, and mobile data is now affordable (I pay 37 shekel/month, less than 10€, for 2h calls, unlimited SMS/MMS and 6GB mobile data including LTE).
In Canada, many new phone companies did that as well, but only recently. The same thing happened with Internet, with resellers popping up everywhere. But the problem is that Bell company is trying to take them down via some anti-competitive tactics and stuff like that, and if others close down then Bell could raise their prices as high as they want. There is a petition going around about it https://act.openmedia.org/emergency?utm_campaign=7012&tdid=127