The shoutbox is currently out of service. Join us on Discord instead.
You can help CodeWalrus stay online by donating here.

Killing HTTP support on CodeWalrus (site would become HTTPS-only)

Started by DJ Omnimaga, April 06, 2016, 11:49:19 pm

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Should we kill HTTP access support on CW and make the site HTTPS-only for security?

Yes
18 (85.7%)
No
3 (14.3%)

Total Members Voted: 21

Dudeman313

Quote from: DJ Omnimaga on April 07, 2016, 07:04:58 pm
Also why is the site default page still showing up as rick.codewalr.us? ???

Maybe that's something for the Easter Egg thread. :D
Does this qualify as a signature? 
The answer is "Sure."


DJ Omnimaga

Nah it was set like that until the August 9th data loss. But for whatever reasons, some of the site stuff still seems to direct there. At least, though, when someone types an invalid domain name it now redirects to the forums, not a pic of Rick Astley.

Dudeman313

Does this qualify as a signature? 
The answer is "Sure."


DJ Omnimaga

Not yet, and I think what will happen instead is that we'll make http automatically redirect or something like that.

Juju

Quote from: DJ Omnimaga on April 15, 2016, 05:59:02 am
Not yet, and I think what will happen instead is that we'll make http automatically redirect or something like that.
That's actually the point, if we're gonna kill http, it does mean it's gonna redirect to https, or else the site is gonna be unusable.
Read Zarmina!
YUKI-CHAAAANNNN
In the beginning there was walrii. In the end there will be walrii. All hail our supreme leader :walrii: --Snektron



if you wanna throw money at me and/or CodeWalrus monthly it's here

DJ Omnimaga

Quote from: Juju on April 15, 2016, 01:48:18 pm
Quote from: DJ Omnimaga on April 15, 2016, 05:59:02 am
Not yet, and I think what will happen instead is that we'll make http automatically redirect or something like that.
That's actually the point, if we're gonna kill http, it does mean it's gonna redirect to https, or else the site is gonna be unusable.
IIRC, disabling https was what Omni did last year though, right? The site didn't even work in that mode. That changed more recently, though.

Dudeman313

When? 'Cause there used to be a time I could access the full Omnimaga site on my Nokia E63, thru Opera Mini, and even use IRC there, but since last month, all I got was a blank page.
Does this qualify as a signature? 
The answer is "Sure."


DJ Omnimaga

Somewhere around October 2014 until earlier in 2016 or maybe before. I don't know if they changed anything afterwards or if it fixed itself, though. They rarely make any site updates public, unlike Cemetech, TI-Planet and CodeWalrus (which have site update threads such as this one)

allynfolksjr

Very nice change! Thanks for taking our security seriously. :)

c4ooo

What is the problem of letting people use HTTP if they want to? There's security risk for the server if the users use HTTP, right?

DarkestEx

Quote from: c4ooo on April 30, 2016, 08:19:26 pm
What is the problem of letting people use HTTP if they want to? There's security risk for the server if the users use HTTP, right?

I totally agree. Leave HTTP support intact!

c4ooo


DJ Omnimaga

The problem is apparently when logging in with Sorunome's mod. Passwords are encrypted and stuff and using HTTP renders any form of encrypting useless. Personally I would not disable it entirely and tell users to use it at their own risk, but it depends.

DarkestEx

Quote from: DJ Omnimaga on May 01, 2016, 03:02:45 am
The problem is apparently when logging in with Sorunome's mod. Passwords are encrypted and stuff and using HTTP renders any form of encrypting useless. Personally I would not disable it entirely and tell users to use it at their own risk, but it depends.

I don't give af about my password being sent using http as long as compatibility is maintained. I am sure people use https themselves if they care enough. If they don't then they don't use it. I would rather suggest adding a warning when login in using http. Just a plain red box saying: "You are not using the HTTPS version of the site, so your credentials are sent in plain text. If you don't want that you can switch to the https version here [link]."

DJ Omnimaga

Yeah we could modify the warning that way. Also yeah this is why we made that poll.

Powered by EzPortal