No SSL?

Discussion in 'Suggestions & Feedback' started by Eiskaffee, Apr 16, 2020.

Thread Status:
Not open for further replies.
  1. Eiskaffee

    Eiskaffee Tails in in the sonic movie Member

    Joined:
    May 1, 2016
    Messages:
    12
    Location:
    United States
    I had a question regarding the forums. I use HTTPS Everywhere to make sure the sites I'm visiting are secure, and I had issues getting into SSRG because when I go to https://sonicresearch.org it takes me to some weird landing page thing instead of SSRG. I just thought I would bring that up.
     
  2. LazloPsylus

    LazloPsylus The Railgun Retired Staff

    Joined:
    Nov 25, 2009
    Messages:
    Location:
    Academy City
    SSL is coming, but not something we're investing in for the current iteration of the site. The current test migration for the next iteration (which staff are currently testing out) already has SSL set up and active.
     
  3. nineko

    nineko I am the Holy Cat Member

    Joined:
    Mar 24, 2008
    Messages:
    1,853
    Location:
    Italy
    I swear, I'll never get this whole https fetish that everyone seems to have these days, ohnoes, SSRG is not secure, someone in a basement in China now knows that I like Sonic games, my life is ruined.
     
    Niko and ProjectFM like this.
  4. LazloPsylus

    LazloPsylus The Railgun Retired Staff

    Joined:
    Nov 25, 2009
    Messages:
    Location:
    Academy City
    SSL does have its uses, such as ensuring credential transport from client to server isn't able to be sniffed. Unfortunately, SSL is being shoehorned into being way more than it actually is, which is going to make for a hell of a mess to clean up when the shit hits the fan. Until then, Google and other search engines are actively punishing domains that do not use SSL, so site operators are unfortunately forced into a corner for the time being.
     
  5. vladikcomper

    vladikcomper Well-Known Member Member

    Joined:
    Dec 2, 2009
    Messages:
    401
    Location:
    Russia
    Privacy concerns aside, all content transferred via unencrypted protocol is easily hijack-able nowadays.

    From what I personally know (and I've heard of it too often to ignore), some insolent ISPs (at least here in Russia) may simply inject their own code into any JavaScript files transported insecurely via HTTP. This code is usually targeted at tracking users' activity and logging the content they're reading, but more often than not it may inject its own ads system (that of the advertising platform affiliated with the ISP), which may either replace the existing ads on your site (so the profit goes to the third party) or modify some portions of the site to bring in otherwise non-existent ads. And this, of course, has a perfectly good chance of breaking your site. And just to let you know, 80% of ads in Russia lead to fraud or outright malicious sites (but looking at those affiliated platforms, I think the number is closer to 100% in that case).

    My very own site did suffer from it, when viewed from certain ISPs (as a few people reported), until I finally switched to HTTPS.
     
    Niko, Ravenfreak, TheBlad768 and 6 others like this.
  6. SuperEgg

    SuperEgg I'm a guy that knows that you know that I know Member

    Joined:
    Oct 17, 2009
    Messages:
    Location:
    THE BEST GOD DAMN STATE OF TEXAS
    Nineko, I love you, but you can't talk about modern internet things while still using Windows XP =V
     
    ProjectFM likes this.
  7. pixieditzy

    pixieditzy Newcomer Trialist

    Joined:
    Jan 3, 2021
    Messages:
    3
    Location:
    United Kingdom
    I know this is kind of silly to make my first real post here, but he does have a valid point. HTTPS isn't necessary everywhere, particularly given there have been multiple scandals with CAs over the years. Not to forget the NSA, GCHQ and other first-world country government 'national security' organisations like to lobby to make modern cipher suites deliberately exploitable for their own usage using insider-knowledge backdoors and bribing people, so really the whole 'privacy' thing that the freaks advocate for is invalid in pretty much every way.

    Besides, the modern internet is all about Node.JS script kiddies making bloated 'progressive web applications' (progressive for who? Certainly not people on slow internet connections, like y'know, many people in those countries that aren't the USA/Western Europe/East Asia), forcing social media down your throat, and only testing in Google Chrome, though that last one is honestly not particularly helped with things like Mozilla's constant fetish for copying aforementioned browser.

    Pale Moon is no option either, given the devs have a surly attitude when it comes to public relations (like refusing support for Slackware users on the basis 'it sucks lol' (literal quote from the main developer)) and enforce the MPL in an absurd way that goes against the general attitude of FOSS: basically ranting on 'hackjob' forks such as the roytam1 unbranded recompile+patch of PM/UXP with native XP/2k3 and Vista support, regardless of the fact said forks likely happen to be quite a considerable amount of their userbase.

    I'd link to a few threads on another board I'm at that describe the issue in better detail but seeing as this is my first post here I'd rather not come across as advertising somewhere lol.

    If TLS is enabled, don't make it mandatory if possible, I guess. TLS 1.2 is also the minimum requirement these days, which is supported under XP/Vista with KB4019276 installed (though 64-bit XP doesn't have such a corresponding update at all), though the former won't work properly with elliptic-curve certificates. In that case, ProxHTTPSProxy would work; there's a download for some XP-specific things for it on i430VX's file repository (created by heinoganda).
     
    Last edited: Jan 4, 2021
    DeltaWooloo likes this.
  8. Keiro

    Keiro The Fluffy One Root Admin

    Joined:
    Dec 11, 2017
    Messages:
    45
    TLS will be enabled. 1.2 at a minimum. Other than that, we will continue to balance the usage of the ciphers to continue supporting older platforms where possible, but I'll be blunt and say that XP should not be used further and that if you're on XP, it's likely that we won't be able to help much, as eventually TLS 1.3 will be made mandatory.
     
  9. Spanner

    Spanner The Tool Administrator

    Joined:
    Aug 9, 2007
    Messages:
    2,520
    I have spoken to the server host and once the hardware upgrade is out the way, SSL will be set up for SSRG.
     
    Niko and Ravenfreak like this.
  10. SeanieB

    SeanieB Dude! Root Admin

    Joined:
    Jul 19, 2008
    Messages:
    230
    Location:
    San Diego, CA
    I added an SSL cert, but apparently someone put this site behind a mystery CloudFlare account but didn't enable it?? So I literally can't enable SSL until we know whose account it is.
     
  11. Keiro

    Keiro The Fluffy One Root Admin

    Joined:
    Dec 11, 2017
    Messages:
    45
    SSL is enabled. See for yourself why it's not enabled by default.
     
  12. SeanieB

    SeanieB Dude! Root Admin

    Joined:
    Jul 19, 2008
    Messages:
    230
    Location:
    San Diego, CA
    We have switched back to my DNS to bypass the whole thing entirely since we're not sure what's going on, this SSL issue should just clear up within a few hours of that change.

    I updated XenForo's URL base, but somehow it seems to not be obeying it. Avatars, weirdly, and some theme assets (which is somewhat normal) don't load securely even with the URL base updated.

    Also, strangely, even with the URL base forced, if you click the logo, which IS set to https://sonicresearch.org/community/, it kicks you back to plaintext as it loads. Do you have a rule in CF to bounce people back to plain text?

    Code:
    # curl -I https://sonicresearch.org/community/
    HTTP/2 200
    date: Wed, 07 Apr 2021 18:52:54 GMT
    content-type: text/html; charset=UTF-8
    set-cookie: __cfduid=d4a30a07110f58e3eb90aaf3fa38a9b151617821574; expires=Fri, 07-May-21 18:52:54 GMT; path=/; domain=.sonicresearch.org; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, max-age=0
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1
    vary: Accept-Encoding
    
    Hmm, the CF HTTP/2 cookie is suspect. I wouldn't know what's up with that without being able to see the settings.

    Edit: if whoever has it sees this, just dump all the CF caches and a lot of the mixed content might go away.

    Yeah, this has to be a CF problem, because with CF bypassed I get a clean SSL domain with no mixed content at all. There's either a caching issue, a ruleset issue or a CF misconfiguration, because:

    [attached screenshot: upload_2021-4-7_12-14-45.png]
     

    Last edited: Apr 7, 2021
  13. Spanner

    Spanner The Tool Administrator

    Joined:
    Aug 9, 2007
    Messages:
    2,520
    SSL has been implemented, so no need to keep the thread open. Thanks to SeanieB for sorting it out and ironing out any bugs during the way.
     
    JGamer2151 likes this.
  14. Keiro

    Keiro The Fluffy One Root Admin

    Joined:
    Dec 11, 2017
    Messages:
    45
    Yes, there was a CF rule to bounce it back to plain text.

    I unfortunately am not the one with CF access. But that checks out, re: caching issue.
     
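    The two symptoms discussed above (assets on an HTTPS page still loading over plain HTTP, and a rule that bounces an HTTPS request back to plain text) can both be checked offline from a saved page and a `curl -I` style response. The script below is an added example and not part of this thread or of XenForo/Cloudflare; the hostnames, HTML and header samples in it are constructed for illustration.

```python
"""Offline checks for mixed content and HTTPS->HTTP downgrade redirects.
Added example: sample HTML and response headers below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch a subresource.
_URL_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "source": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "embed": ("src",), "object": ("data",),
}


class MixedContentScanner(HTMLParser):
    """Collects subresource URLs that resolve to http:// on an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute_url)

    def handle_starttag(self, tag, attrs):
        wanted = _URL_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            # srcset is a comma-separated list of "url descriptor" entries
            if name == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for cand in candidates:
                # Relative and protocol-relative (//host/...) URLs inherit the
                # page scheme, so only explicit http:// references are flagged.
                absolute = urljoin(self.page_url, cand)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def parse_head(raw):
    """Parse a `curl -I` style response into (status line, {header: value})."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, val = line.split(":", 1)
            headers[key.strip().lower()] = val.strip()
    return lines[0].strip(), headers


def check_https_response(request_url, raw_head):
    """Return a list of problems: a downgrade redirect and/or missing HSTS."""
    status, headers = parse_head(raw_head)
    parts = status.split()
    code = parts[1] if len(parts) > 1 else ""
    issues = []
    location = headers.get("location", "")
    if code.startswith("3") and urlsplit(urljoin(request_url, location)).scheme == "http":
        issues.append(f"downgrade redirect to {location}")
    if "strict-transport-security" not in headers:
        issues.append("no Strict-Transport-Security header")
    return issues


# Constructed sample page: one absolute http:// avatar and one http:// srcset entry.
SAMPLE_PAGE_URL = "https://forum.example/community/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/styles/theme.css">
<script src="//cdn.example/jquery.js"></script>
</head><body>
<img src="http://forum.example/data/avatars/a.png">
<img src="logo.png" srcset="logo.png 1x, http://cdn.example/logo-2x.png 2x">
<a href="http://other.example/">link</a>
</body></html>"""

# Constructed responses: a downgrade rule in front of the site, and a clean one.
SAMPLE_DOWNGRADE_HEAD = """HTTP/2 301
date: Wed, 07 Apr 2021 18:52:54 GMT
location: http://forum.example/community/
"""
SAMPLE_OK_HEAD = """HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
    print(check_https_response(SAMPLE_PAGE_URL, SAMPLE_DOWNGRADE_HEAD))
    print(check_https_response(SAMPLE_PAGE_URL, SAMPLE_OK_HEAD))
```

    Run it against a page saved with `curl -s https://host/path` and the headers from `curl -I` of the same URL; a 3xx with an `http://` Location on an HTTPS request is exactly the bounce described in the thread, and any `http://` findings are the assets the browser will block or warn about as mixed content.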