All times are UTC




 Post subject: Forum Https
PostPosted: Mon Jul 31, 2017 3:46 am 
Offline

Joined: Sun Feb 04, 2007 8:16 pm
Posts: 99
I'm not actually sure if this works better in the Technical Discussion forum or the Off Topic forum, but I wanted to mention that mystonline.com doesn't appear to have https fully implemented. I can access an https version of the site, but in Firefox it tells me "Connection is not secure, parts of this page are not secure, (such as images,)" and the header image is invisible. In Comodo IceDragon, the header image is visible on the https version, but it still says that the connection is only "partially encrypted."

I know it's a small thing, but I wondered if Cyan could set up https more fully? While my password on this site is different from my password on other websites, it's possible that many forum users may use the same password for this and other sites, and if not everyone uses https then there's a risk that someone could find out what their password is, (say, e.g., someone logs into the site from a public wifi in a coffee shop or library, where the connection might not be secure.)

Thanks to Cyan for all they do!
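The "parts of this page are not secure (such as images)" warning quoted in the post above is the browser's mixed-content indicator: an HTTPS page referencing subresources over plain `http://`. The following scanner is an added example, not part of the original thread or of the forum's software; the host `forum.example` and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> kind. Browsers typically block "active" mixed content
# outright and load "passive" content with a degraded padlock.
RULES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active",  # stylesheets only, filtered below
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
    ("form", "action"): "form",  # credentials would be posted in cleartext
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel=canonical etc. are not fetched as subresources
        for (rule_tag, attr), kind in RULES.items():
            value = attrs.get(attr)
            if rule_tag == tag and value:
                # urljoin resolves relative and protocol-relative URLs
                url = urljoin(self.page_url, value.strip())
                if urlsplit(url).scheme == "http":
                    self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return insecure subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages loaded over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (hypothetical host), not the real forum's HTML.
PAGE_URL = "https://forum.example/viewtopic.php"
SAMPLE_HTML = """
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="http://forum.example/viewtopic.php">
<img src="http://forum.example/images/header.png">
<script src="//cdn.example/lib.js"></script>
<script src="http://forum.example/forum.js"></script>
<form action="http://forum.example/ucp.php?mode=login" method="post">
"""
```

Calling `scan(PAGE_URL, SAMPLE_HTML)` returns the header image as passive content, the script as active content, and the login form as a cleartext form target.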


 Post subject: Re: Forum Https
PostPosted: Mon Jul 31, 2017 9:55 am 
Offline
Former MystOnline Moderator

Joined: Fri Nov 10, 2006 3:05 pm
Posts: 4197
Location: 56°2'26", -3°20'28"
I'm not sure on this but I think any HTTPS connectivity you're seeing is coming from Cloudflare and not Cyan.

_________________
Image Mac - MOULagain KI#00004826 00004289
In the interests of the environment, this post has been constructed entirely from recycled electrons.


 Post subject: Re: Forum Https
PostPosted: Mon Jul 31, 2017 7:01 pm 
Offline

Joined: Tue Jan 11, 2011 9:26 pm
Posts: 2468
Location: Ontario, Canada
That's interesting. I had no reason to check for that. I don't think Cyan will be able to do anything about this anytime soon.

_________________
-------------------
-Jamie Marchant
If I don't respond it's because email notification is down again and
I forgot to return to the thread.


 Post subject: Re: Forum Https
PostPosted: Mon Jul 31, 2017 9:45 pm 
Offline
Former MystOnline Moderator

Joined: Fri Nov 10, 2006 3:05 pm
Posts: 4197
Location: 56°2'26", -3°20'28"
I just checked - the SSL certificate is for Cloudflare not for Cyan. So things that the page loads directly from Cyan's servers rather than from Cloudflare's cache are not going to match the certificate so will cause the warning/partial load.

Besides, there's an interesting wrinkle on that, with Cloudflare... Contrary to popular belief HTTPS via their service does not actually guarantee you a secure connection: Normally HTTPS means that you get a validated end-to-end connection to the destination server and everything that passes is encrypted. With Cloudflare, your secure connection only goes as far as the Cloudflare servers - they're acting as a cache/proxy so they need to serve some of the data so they are the "end-point" of your connection. Whether or not Cloudflare then creates a secure connection to the original host is not something you can tell, but in any case the end-to-end encryption is broken and a man-in-the-middle attack becomes possible.

_________________
Image Mac - MOULagain KI#00004826 00004289
In the interests of the environment, this post has been constructed entirely from recycled electrons.


 Post subject: Re: Forum Https
PostPosted: Mon Jul 31, 2017 10:52 pm 
Offline
Obduction Backer

Joined: Tue May 09, 2006 4:41 pm
Posts: 1694
Location: South Georgia
https://letsencrypt.org/

 Post subject: Re: Forum Https
PostPosted: Tue Aug 01, 2017 9:24 am 
Offline
Former MystOnline Moderator

Joined: Fri Nov 10, 2006 3:05 pm
Posts: 4197
Location: 56°2'26", -3°20'28"
LetsEncrypt certs' biggest problem, IMHO, is that they need to be renewed every three months. They provide APIs so that you can automate that renewal, meaning that to all intents and purposes you can make it happen transparently. But there are reports that the auto-renewal doesn't always work or the request is rejected for some reason. That issue may well be overstated but it's been enough to put me off moving my sites to HTTPS via LetsEncrypt up to now. Maybe once the wildcard certs become available next year it'll look better to me, but right now the prospect of needing to keep an eye on maybe a dozen isn't appealing.

[Edit] I'm having vague memories of certificates expiring on the mystonline.com domain in the past... Probably back in GoDaddy hosting days. So maybe there used to be full HTTPS support...

_________________
Image Mac - MOULagain KI#00004826 00004289
In the interests of the environment, this post has been constructed entirely from recycled electrons.
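Keeping an eye on a dozen short-lived certificates, as discussed in the post above, can be reduced to one daily check that flags any certificate whose automated renewal appears to have been missed. This is an added example, not code from the thread; the host names and expiry dates are constructed, and the 30-day renewal threshold is an assumption based on a common ACME client default.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_AT_DAYS = 30  # assumption: client renews once fewer than 30 days remain
ALERT_MARGIN = 7    # grace period before a missed renewal is reported

def fetch_not_after(host, port=443, timeout=5):
    """Live lookup: return the leaf certificate's notAfter string."""
    ctx = ssl.create_default_context()  # validates chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     timezone.utc)
    return (expires - now).days

def classify(not_after, now):
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < RENEW_AT_DAYS - ALERT_MARGIN:
        return "renewal-overdue"  # renewal should already have happened
    return "ok"

def report(certs, now):
    """certs maps host -> notAfter string; most urgent entries come first."""
    rows = [(host, days_left(na, now), classify(na, now))
            for host, na in certs.items()]
    return sorted(rows, key=lambda row: row[1])

# Constructed sample data in the format getpeercert() returns (hypothetical hosts).
NOW = datetime(2017, 8, 1, tzinfo=timezone.utc)
SAMPLE = {
    "www.example": "Oct 20 12:00:00 2017 GMT",
    "forum.example": "Aug 15 12:00:00 2017 GMT",
    "old.example": "Jul 30 12:00:00 2017 GMT",
}
```

In production, build the dictionary with `fetch_not_after` for each host and run `report` from the same scheduler that drives renewal.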


 Post subject: Re: Forum Https
PostPosted: Tue Aug 01, 2017 2:43 pm 
Offline
Obduction Backer

Joined: Thu Jun 08, 2006 7:01 pm
Posts: 1890
I've had Seltani.net working with the letsencrypt renewal for a few years now. Updates monthly. Never had any trouble.

Even if it failed one month, it would be better than never having supported https at all.

_________________
Andrew Plotkin -- Seltani founding member


 Post subject: Re: Forum Https
PostPosted: Tue Aug 01, 2017 3:35 pm 
Offline
Obduction Backer

Joined: Tue May 09, 2006 4:41 pm
Posts: 1694
Location: South Georgia
Works 100% on guildofwriters.org. Just use the acme client, and it's all crontab'd.

 Post subject: Re: Forum Https
PostPosted: Thu Aug 03, 2017 10:51 pm 
Offline
Site Admin

Joined: Wed Aug 02, 2006 7:13 pm
Posts: 1061
I know this is not about the forums but I used Adam's idea of using "Let's Encrypt" on account.mystonline.com... and account creation is now secure! :D
Setting the auto update for the certificates seems to work fine. We'll see in 90 days, but it does test it every morning and that worked.

I'll see if I can get the rest of mystonline.com encrypted (it's on a different server).

Thanks!
Chogon


 Post subject: Re: Forum Https
PostPosted: Fri Aug 04, 2017 3:24 am 
Offline

Joined: Sun Feb 04, 2007 8:16 pm
Posts: 99
Chogon wrote:
I know this is not about the forums but I used Adam's idea of using "Let's Encrypt" on account.mystonline.com... and account creation is now secure! :D
Setting the auto update for the certificates seems to work fine. We'll see in 90 days, but it does test it every morning and that worked.

I'll see if I can get the rest of mystonline.com encrypted (it's on a different server).

Thanks!
Chogon


Awesomesauce! Thank you! I bestow my most gleeful of thanks upon you! :D

