Post subject: HTTPS support
darkszero
He/Him
Joined: 7/12/2009
Posts: 181
Location: São Paulo, Brazil
(MOD EDIT: Posts from various topics have been merged together, to make information easier to find. -Mothrayas) When trying to open an HTTPS page on tasvideos, my Firefox (Dev Edition, so roughly v43) is giving a sec_error_cert_signature_algorithm_disabled error on the certificate. Checking the certificate itself, it uses 'sha512WithRSAEncryption' so there's a possibility it's a Firefox issue, but I'll err on the caution side. (Oh, and the certificate is valid until 'Oct 12 22:09:51 2015 GMT'. That's tomorrow.)
Joined: 2/1/2008
Posts: 347
darkszero wrote:
When trying to open an HTTPS page on tasvideos, my Firefox (Dev Edition, so roughly v43) is giving a sec_error_cert_signature_algorithm_disabled error on the certificate. Checking the certificate itself, it uses 'sha512WithRSAEncryption' so there's a possibility it's a Firefox issue, but I'll err on the caution side. (Oh, and the certificate is valid until 'Oct 12 22:09:51 2015 GMT'. That's tomorrow.)
I tested this in Chrome and it appears that the issue is that it wasn't signed by a trusted authority. Then again, it doesn't look like tasvideos really has any HTTPS functionality; attempting to access the forums results in a 404 and the home page results in a plaintext "Hi". By the way, nudging you guys again about Gmail saying that e-mails sent from this forum are not following proper standards for bulk e-mails. You really should fix that, as notifications keep ending up in spam where they don't belong.
<ccfreak2k> There is no 'ctrl' button on DeHackEd's computer. DeHackEd is always in control.
Player (75)
Joined: 8/26/2015
Posts: 70
blahmoomoo wrote:
I tested this in Chrome and it appears that the issue is that it wasn't signed by a trusted authority.
These are two different issues. If you look at the connection information, Chrome also warns you that the connection is encrypted by an obsolete cipher suite, which is what Firefox is complaining about; Firefox is a little better at making users aware of problems with encryption. But, as you say, it's a moot point as it appears that tasvideos isn't actually accessible by https.
darkszero
He/Him
Joined: 7/12/2009
Posts: 181
Location: São Paulo, Brazil
Considering the lack of actual HTTPS content, I tried to figure out why I was redirected to this page, and it's a mix of me accessing my RSS agregator via HTTPS, and the TASVideos RSS feed with an odd link. If you check the source for http://tasvideos.org/publications.rss (in my case it was http://tasvideos.org/combined.rss) and check any description that has links, the a tag appears as this:
&lt;a href=&quot;//tasvideos.org/GameResources/SNES/MegaManX.html&quot;&gt;Mega Man X Tricks&lt;/a&gt;
It's pointing to "//tasvideos.org", which Firefox seems to complete to the currently used protocol, that in my case happened to be HTTPS.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
Firefox has started giving warnings for login pages that are "insecure" (with which I'm assuming it means does not use https). How difficult would it be to have the forum login page use https instead of http? (Only the login page would need to do this, not the entire forum, if I understand correctly.) I'm not acquainted with the technical details, but I have got the impression from somewhere that it might not be absolutely trivial (like just turning a flag on somewhere), so it may be understandable if this isn't done, but it could be nice, if it isn't a lot of trouble.
Joined: 3/11/2008
Posts: 583
Location: USA
(MOD EDIT: This and following posts have been split from this topic -Mothrayas) Was looking around since the site throws an error if I try connecting thusly, and this seems the relevant topic…
Ilari wrote:
The reasons why this site doesn't do HTTPS have absolutely nothing to do with CPU nor memory usage.
What are those reasons?
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
The latest version of Firefox has started warning if passwords are going unencrypted (ie. I'm assuming if it's not through https). Would it really hurt to set up https for the login page?
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
For the login page by itself, is quite useless. You want all or nothing (preferably all).
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
The password moves from the user's computer to the server through the internet when logging in from the login page. It doesn't move constantly anywhere else. Of course the entire site could be behind https, but I don't know how heavy that is on the server.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
The issue isn't load so much as parts of the site not being ready for it. https://dev.tasvideos.org/ has been up for a few years now, but not necessarily has every bug been worked out. If users want to test and create a list of HTTPS-related bugs, we can fix them and then enable it on the main site.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
marzojr
He/Him
Experienced player (761)
Joined: 9/29/2008
Posts: 964
Location: 🇫🇷 France
Nach wrote:
https://dev.tasvideos.org/ has been up for a few years now, but not necessarily has every bug been worked out. If users want to test and create a list of HTTPS-related bugs, we can fix them and then enable it on the main site.
Is there any specific location for posting bugs? Because I already found two: the 'View posts since last visit' link redirects to the normal (non-HTTPS) forums for the search results, and the 'search' link uses the non-HTTPS search form.
Marzo Junior
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
Nach wrote:
The issue isn't load so much as parts of the site not being ready for it.
Perhaps for that reason the https protocol could be restricted to the login page. Would be better (much better) than nothing.
Joined: 4/13/2009
Posts: 431
Warp wrote:
Perhaps for that reason the https protocol could be restricted to the login page. Would be better (much better) than nothing.
It's just as easy to steal your session cookie id as it is to steal your password. Unless the entire site is protected by https, your cookie id is vulnerable, hence making the site no more secure than before from the site's point of view.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
EEssentia wrote:
It's just as easy to steal your session cookie id as it is to steal your password. Unless the entire site is protected by https, your cookie id is vulnerable, hence making the site no more secure than before from the site's point of view.
That would be undesirable, of course, but if I understand correctly, simply hijacking your session doesn't allow the attacker to change your password (I haven't actually tried to change my password on tasvideos.org, but I'm assuming you need to enter your old one to be able to do it). Your account could be used to post spam etc. this way, which is bad, but logging out and in again ought to quickly fix that. If I'm mistaken, please correct me.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
marzojr wrote:
Nach wrote:
https://dev.tasvideos.org/ has been up for a few years now, but not necessarily has every bug been worked out. If users want to test and create a list of HTTPS-related bugs, we can fix them and then enable it on the main site.
Is there any specific location for posting bugs? Because I already found two: the 'View posts since last visit' link redirects to the normal (non-HTTPS) forums for the search results, and the 'search' link uses the non-HTTPS search form.
Perhaps start a new thread with the title HTTPS bugs. Thanks for these, I will look into them.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Joined: 4/13/2009
Posts: 431
Warp wrote:
That would be undesirable, of course, but if I understand correctly, simply hijacking your session doesn't allow the attacker to change your password (I haven't actually tried to change my password on tasvideos.org, but I'm assuming you need to enter your old one to be able to do it).
In an ideal world, they should not be able to change anything sensitive, such as passwords. But it all depends on how well the server handles security, because the hacker is not "someone else", the hacker is YOU, the hacker has identified themselves as YOU, not some stranger. There are usually these back doors. What if, say, the hacker tries to PM an admin and say they've lost their password and email (arguing, for example, that they have auto-login ticked on their computer)? In the ideal scenario, that won't work. But as we've seen before (e.g. Apple), sometimes security routines fail.
Warp wrote:
Your account could be used to post spam etc. this way, which is bad, but logging out and in again ought to quickly fix that. If I'm mistaken, please correct me.
Sure, until the hacker steals your next session ID. If they've stolen one, I don't see why they wouldn't steal the next.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
So the argument is that since the session IDs can't be protected, the login page shouldn't be protected either?
Joined: 4/13/2009
Posts: 431
The argument is that just protecting the login page won't be much safer and much better. It won't really do much to aid security at all unless the entire site runs on https (at least where login information and hence the session cookie is used).
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
EEssentia wrote:
The argument is that just protecting the login page won't be much safer and much better.
Actually it would. That's because your password can't be stolen and changed.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
Warp wrote:
How difficult would it be to have the forum login page use https instead of http?
In fact, it would be a good idea to make the entire site https-only. Read here why: https://doesmysiteneedhttps.com/ Please consider it seriously.
Post subject: HTTPS support
Player (13)
Joined: 6/17/2006
Posts: 508
As the rest of the web is transitioning to an HTTPS-only world, I'm surprised TASVideos still doesn't properly support HTTPS. HTTPS has a bunch of advantages, including: - Preventing man-in-the-middle attacks, including password/session theft and ad/spyware/cryptominer injection - Allowing HTTP/2, which uses less bandwidth overall despite the security overhead thanks to Brotli compression - Granting access to users blocking all HTTP traffic for security and privacy reasons - Better rankings in search engines - No annoying browser warnings - It's free! I highly recommend TASVideos to implement HTTPS with HSTS as soon as possible.
duke1102
He/Him
Joined: 6/30/2018
Posts: 1
Hey. Okay, this is not really a bug so to speak, but something important every website/forum should enforce these days. SSL/TLS encryption, instead of unencrypted HTTP transport, which can easily be sniffed and sensitive information can get into the wrong people's hands. I'm pretty sure you all heard/read about the recent new EU GDPR regulations that went into effect at the end of May this year. Here in Germany it is expected that you use SSL/TLS encryption on your websites and as a commercial website you are basically legally bound to having a proper encryption on your website, otherwise you can face a hefty fine of like 10k+€. Luckily SSL/TLS encryption certificates are easy to obtain and with Lets Encrypt there is a great provider who gives out certificates without charging any money. The process of getting a certificate and managing it is straight forward and mostly automated. (There's a command line tool for Linux-based systems that automatically obtains the certificate and modifies the configuration of the webserver to use it.) I'd highly appreciate if you point your system admin to https://letsencrypt.org/ and get this set up soon. Edit After some discussions in the IRC channel I dug a bit more, because of the EU GDPR laws and they apply to companies AND website owners. While private website owners might not comply completely with everything, they still have to make sure to protect the personal data of their users that live in the EU. Since TASVideos obviously servers people from the EU it applies. Here's a detailed article about what things are required: https://www.disclaimertemplate.com/the-gdpr-affects-your-website-how-you-can-comply-avoid-fines/
Joined: 7/20/2018
Posts: 1
When I try to load tasvideos.org on my linux/firefox browser it just shows "Hi". I'm guessing this is some anti-spam protection. But I am not a robot. User agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0 Edit Actually it happens on chrome, too, but only in HTTPS mode. Maybe that's intentional. Let's Encrypt is free!
KennyMan666
He/Him
Joined: 8/24/2005
Posts: 375
Location: Göteboj
Thirding what Warp and SmashManiac said on the previous page - TASVideos should really get itself a proper SSL certificate and go fully https. There's no reason to not use https these days. I personally use Let's Encrypt for all my sites (mostly because it's built into the web host I use and is literally just a checkbox there, but anyway). There's probably other services that provide free certificates as well.
Det man inte har i begåvning får man ta ut i energi. "I think I need to get to Snoop Dogg's level of high to be able to research this post." -Samsara Read my fanfic, One Piece: Pure Corruption
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
More and more software are starting to give huge-ass warnings when logging in through non-https, including browsers themselves, as well as antivirus/firewall software to an increasing extent.