Killing HTTP support on CodeWalrus (site would become HTTPS-only)

Started by DJ Omnimaga, April 06, 2016, 11:49:19 pm


Should we kill HTTP access support on CW and make the site HTTPS-only for security?

Yes
18 (85.7%)
No
3 (14.3%)

Total Members Voted: 21

DJ Omnimaga

So in order to increase security on CW, disabling access via HTTP is being considered. However, many of our users are forced (either due to financial difficulties or restrictive parents) to use old computers or phones that cannot be upgraded to browsers with better SSL and certificate support, and we want the site to be reachable for all our users. So we wanted to ensure that the site was fully functional on old Android versions, such as Android 2.2.2. It appears that the site, despite a certificate error (which happens on every single HTTPS site on that old phone), shows up fine, but I don't know if it's because it falls back in HTTP mode without telling or something like that.

Anyway, what I am curious about is if users such as @Dudeman313 and @Unicorn are able to access CodeWalrus with https in the URL instead of http on their old Kindle and computer, respectively? And would others be ok with such a move?


(Something to note is that CW can also be reached via the Tapatalk application for the time being. While we do not guarantee that future versions of the site will include Tapatalk support, everyone here will most likely have upgraded to better phones by the time we lose Tapatalk support anyway)

Juju

This issue is kind of in my department here on CW, so please give some feedback if you have an old device or browser and I'll see what I will do. If you vote no in the poll, please explain why it would be an issue.
Read Zarmina!
YUKI-CHAAAANNNN
In the beginning there was walrii. In the end there will be walrii. All hail our supreme leader :walrii: --Snektron



if you wanna throw money at me and/or CodeWalrus monthly it's here

DJ Omnimaga

On a side note, those were the results on various sites I tried to access from my Samsung i5510 running Android 2.2.2:

-CodeWalrus: Site loads with certificate error
-Cemetech: Site loads with certificate error
-Omnimaga: Page cannot be displayed (Can't establish secure connection)
-TI-Planet: Site loads with certificate error

So yeah I would suggest posting what you get when you try accessing CW from your device in https mode.

Jkolade936

Sorry, but I couldn't tell you now.
My dad confiscated my Nokia E63 a while ago because I charged it next to my bed, and he kept it because my mom was afraid I'd either spoil it, never sleep, or kill myself by charging it near my bed again. <_<
Does this qualify as a signature? 
The answer is "Sure."


Unicorn

I can access Cemetech by https, and codewalrus as well, I believe.




DJ Omnimaga

Quote from: Dudeman313 on April 07, 2016, 12:29:40 am
Sorry, but I couldn't tell you now.
My dad confiscated my Nokia E63 a while ago because I charged it next to my bed, and he kept it because my mom was afraid I'd either spoil it, never sleep, or kill myself by charging it near my bed again. <_<
That sucks. What about your computer? Does it have modern Internet browsers installed or are you stuck with IE6 and the like?

Jkolade936

I have the modern browsers. I'm on Windows 10 Pro. ;)

~Posted from Microsoft Edge


Unicorn





DJ Omnimaga

Quote from: Dudeman313 on April 07, 2016, 02:12:30 am
I have the modern browsers. I'm on Windows 10 Pro. ;)

~Posted from Microsoft Edge
Ah ok, that's good, then. I was worried that since your computer was from 1998 or so, that you were stuck with Windows 98 or something for performance reasons.


Our main concern right now is people who are stuck with outdated browsers, as in, unable to update for whatever reasons (for example, my Samsung i5510 only supported Android 2.2.2 as highest version and had very limited disk space to store third-party browsers, so I was stuck with the stock browser). We will not support IE6 or crap like that, but phones that are on-par with the i5510 or even crappier are still being offered in mobile plans by most phone carriers, as budget phones, and many of those cannot be upgraded very high. If such old Android version's browser can open the website fine (with errors, but still possible to post) then we might be good.

Adriweb

BTW, look at what SSLLabs tells you.
An 'A' rating minimum would be required for proper config, A+ if possible
Co-founder & co-administrator of TI-Planet and Inspired-Lua

DJ Omnimaga

I know that Securityheaders rates our site B, but SSLLabs gives us A+.

However, we still need to fix some image links. For example, WalrusIRC smileys are http links. We can do nothing about images that people post on the forums, but at the very least we want to fix our internal stuff whenever possible.

Also I wish that our SSL certificate supported sub-domains so that we could make img.codewalr.us https as well.
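
The split described in the post above (internal http image links that can be fixed, versus images that users post) can be audited page by page. This is an added example, not code from the thread or from CodeWalrus; `FIRST_PARTY`, the function names and the sample HTML are assumptions, and only the host name img.codewalr.us comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the site operators control (img.codewalr.us is from the thread).
FIRST_PARTY = ("codewalr.us",)
# Tags whose attribute makes the browser fetch a subresource; <a href> does not.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "link": "href"}

def is_first_party(host):
    # Exact or dot-boundary suffix match, so "codewalr.us.example.net" is not ours.
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, owner)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        if tag == "link" and not ("stylesheet" in rel or "icon" in rel):
            return  # this sketch only audits stylesheet and icon links
        parts = urlsplit((attrs.get(attr) or "").strip())
        if parts.scheme.lower() != "http":
            return  # https, protocol-relative and relative URLs follow the page's HTTPS
        owner = "internal" if is_first_party((parts.hostname or "").lower()) else "external"
        self.findings.append((self.getpos()[0], tag, parts.geturl(), owner))

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not real CodeWalrus markup.
SAMPLE = """<link rel="stylesheet" href="https://codewalr.us/theme.css">
<img src="http://img.codewalr.us/smileys/walrii.png">
<img src="//codewalr.us/logo.png">
<a href="http://example.org/">plain link, not a subresource</a>
<img src="http://example.org/user-avatar.png">
<script src="http://codewalr.us.example.net/x.js"></script>
"""

if __name__ == "__main__":
    for line, tag, url, owner in audit(SAMPLE):
        print(f"line {line}: <{tag}> {url} [{owner}]")
```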

Adriweb

Well you could get a free StartSSL one for the subdomain, or Let's Encrypt.

On SSLLabs, TI-Planet doesn't have A+ (but A) because of the second/backup HPKP key (key pinning), which we don't have (it would require a second SSL certificate, lol). It's a bit weird, because if we disabled HPKP we'd probably get A+ actually. In fact, we have the same grades for individual criteria, and with a better key (4096) than CW, but HPKP is somehow more important, apparently :P
That reminds me, we might look at OCSP stapling again, we disabled it some time ago because of issues, but they're fixed IIRC.

Juju

We're waiting until our current Comodo certificate expires before switching. As for subdomains, we can definitely use Let's Encrypt.

Streetwalrus

https://dumbrss.codewalr.us/ and https://oc.codewalr.us/ are already using Let's Encrypt and are passing A+ on there. I can help setting it up for anything else if it's needed. Also certificates renew automagically every 1st of the month.

DJ Omnimaga

That's nice. I remember when juju had to manually renew the other certificate in October or so and missed the deadline <.<.

Also why is the site default page still showing up as rick.codewalr.us? ???
Quote from: Adriweb on April 07, 2016, 03:49:18 am
That reminds me, we might look at OCSP stapling again, we disabled it some time ago because of issues, but they're fixed IIRC.
Was this what caused pages to refresh twice on first load or the extreme lag on my mobile wi-fi connection attempts?
