No SSL?

Discussion in 'Suggestions & Feedback' started by Eiskaffee, Apr 16, 2020.

  1. Eiskaffee

    Eiskaffee Tails in in the sonic movie Member

    I had a question regarding the forums. I use HTTPS Everywhere to make sure the sites I'm visiting are secure and I had issues getting into SSRG because when I go to https://sonicresearch.org it takes me to some weird landing page thing instead of SSRG. I just thought I would bring that up.
     
  2. LazloPsylus

    LazloPsylus The Railgun Member

    SSL is coming, but not something we're investing in for the current iteration of the site. The current test migration for the next iteration (which staff are currently testing out) already has SSL set up and active.
     
  3. nineko

    nineko I am the Holy Cat Member

    I swear, I'll never get this whole https fetish that everyone seems to have these days, ohnoes, SSRG is not secure, someone in a basement in China now knows that I like Sonic games, my life is ruined.
     
    ProjectFM likes this.
  4. LazloPsylus

    LazloPsylus The Railgun Member

    SSL does have its uses, such as ensuring credential transport from client to server isn't able to be sniffed. Unfortunately, SSL is being shoehorned to be way more than it actually is, which is going to make for a hell of a mess to clean up when the shit hits the fan. Until then, Google and other search engines are actively punishing domains that do not use SSL, so site operators are unfortunately forced into a corner for the time being.
     
  5. vladikcomper

    vladikcomper Well-Known Member Member

    Privacy concerns aside, all content transferred via an unencrypted protocol is easily hijack-able nowadays.

    From what I personally know (and I've heard of it too often to ignore) some insolent ISPs (at least here in Russia) may simply inject their own code in any JavaScript files transported insecurely via HTTP. This code is usually targeted at tracking users' activity and logging the content they're reading, but more often than not, it may inject its own ads system (that of the advertising platform affiliated with the ISP) which may either replace the existing ads on your site (so the profit goes to the third party) or modify some portions of the site to bring otherwise non-existent ads. And this, of course, has a perfectly good chance of breaking your site. And just to let you know, 80% of ads in Russia lead to fraud or outright malicious sites (but looking at those affiliated platforms, I think the number is closer to 100% in that case).

    My very own site did suffer from it, when viewed from certain ISPs (as a few people reported), until I finally switched to HTTPS.
     
  6. SuperEgg

    SuperEgg I'm a guy that knows that you know that I know Member

    Nineko, I love you, but you can't talk about modern internet things while still using Windows XP =V
     
    ProjectFM likes this.
  7. pixieditzy

    pixieditzy Newcomer Trialist

    I know this is kind of silly to make my first real post here, but he does have a valid point. HTTPS isn't necessary everywhere, particularly given there have been multiple scandals with CAs over the years. Not to forget the NSA, GCHQ and other first-world country government 'national security' organisations like to lobby to make modern cipher suites deliberately exploitable for their own usage using insider-knowledge backdoors and bribing people, so really the whole 'privacy' thing that the freaks advocate for is invalid in pretty much every way.

    Besides, the modern internet is all about Node.JS script kiddies making bloated 'progressive web applications' (progressive for who? Certainly not people on slow internet connections, like y'know, many people in those countries that aren't the USA/Western Europe/East Asia), forcing social media down your throat, and only testing in Google Chrome, though that last one is honestly not particularly helped with things like Mozilla's constant fetish for copying aforementioned browser.

    Pale Moon is no option either given the devs have a surly attitude when it comes to public relations (like refusing support for Slackware users on the basis 'it sucks lol' (literal quote from the main developer) and enforcing the MPL in an absurd way that goes against the general attitude of FOSS: basically ranting on 'hackjob' forks such as the roytam1 unbranded recompile+patch of PM/UXP with native XP/2k3 and Vista support regardless of the fact said forks likely happen to be quite a considerable amount of their userbase).

    I'd link to a few threads on another board I'm at that describe the issue in better detail but seeing as this is my first post here I'd rather not come across as advertising somewhere lol.

    If TLS is enabled, don't make it mandatory if possible, I guess - TLS 1.2 is also the minimum requirement these days which is supported under XP/Vista with KB4019276 installed (though 64-bit XP doesn't have such a corresponding update at all), though the former won't work properly with elliptic-curve certificates. In that case, ProxHTTPSProxy would work, there's a download for some XP-specific things for it on i430VX's file repository (created by heinoganda).
     
    Last edited: Jan 4, 2021
    DeltaWooloo likes this.