TheMinusWorld / forum-improvements

Organize suggestions and other details related to improving the phpBB iteration of the Minus World
BSD 3-Clause "New" or "Revised" License

Imported: Give Us HTTPS #60

Open wtl420 opened 8 years ago

wtl420 commented 8 years ago

Mon Aug 12, 2013 11:46 PM give us https by World'sTallestLadder:

don't think there's any reason not to offer this as an option. I mean yeah non-self signed certificates cost money but we don't really need one of those I don't think

Sun Aug 23, 2015 08:12 PM Re: give us https by World'sTallestLadder:

Looks like you guys got your act together and enabled it... (though I think this is just Cloudflare's 'free' one lol)

good score btw, https://www.ssllabs.com/ssltest/analyze ... .89&latest

bring your score to a+ and redirect all non-https connections and setup hsts; here's a guide: https://raymii.org/s/tutorials/HTTP_Str ... httpd.html you can preload https in the browser too if you want: https://hstspreload.appspot.com/

that's my free professional consultation, though feel free to pay me

Mon Aug 24, 2015 12:17 AM Re: give us https by McPhresh:

if mw got hacked or w/e that'd just be @!$% funny

like who'd even bother

Tue Aug 25, 2015 05:34 AM Re: give us https by World'sTallestLadder:

????

Tue Aug 25, 2015 03:02 PM Re: give us https by Yrr:

ngl I don't even know what https is

Tue Aug 25, 2015 09:58 PM Re: give us https by World'sTallestLadder:

long version: https://en.wikipedia.org/wiki/HTTPS

@!$% up cyberpunk dystopia version: https was created in the 90s by Netscape to deal with the issue of http traffic being completely unencrypted- that means any connection not over https is in complete plain text and easily readable; try out wireshark sometime- it's fun and educational. https is actually completely @!$% awesome in that you probably use it all the time without realizing it, because there's no difference in experience for the end user- the protocol and your browser handle all the encryption on their own with no interaction from you necessary. That's @!$% cool and means anyone can be secure On Line.

One other thing HTTPS offers that isn't really offered in HTTP is it sort of allows you to verify that a site is what it says it is. This is important for avoiding 'man in the middle' attacks (where someone intercepts communications and makes it seem like you're dealing with the real deal), but I don't think anyone pays enough attention to care, so I don't think the 'verification' part is particularly useful. Because it's used for 'verification' HTTPS certificates are expensive- the cheaper ones are still like $50/ year- cost you more than a domain, and hell, even more than some hosting companies out there. But there are free options out there too if you're vigilant.

anyway because it was the 90s encryption was a very expensive (cpu-wise) task, so it didn't catch on that quickly. sysadmins did not want to use it because it would make their already nightmarishly slow sites slower. but now it's not the 90s and https has no significant impact on sites loading. There's lots of advocacy to bring HTTPS everywhere because it's so useful and easy to use- this is why Cloudflare offers it for 'free' for its users. ( you can read about their stuff here: https://www.cloudflare.com/ssl )

anyway because everything's @!$% up plenty of sites that do have certificates only use it for logging in. It's great for keeping passwords safe, sure, but if you're already paying for it and using it why the @!$% wouldn't you just use it on your entire site amazon pixiv whatever!! what the @!$%!

so anyway, use https. it's good for your users. unless you're malicious and/or incompetent- in which case stop running a @!$% web site thank you god bless

other stuff:

why give a @!$% about the ssl labs score? ultimately, if you keep your browser up to date, your browser will negotiate the most secure connection available, so you personally will be fine. But making sure that bad options aren't available is an important step to show that you respect your users. Since Minus World has an A you don't really have to worry about this, but it's worth noting for other websites out there.

what's hsts? a big issue is that if you type in a domain, your browser will automatically assume you want it over http. Good sites will redirect you automatically, but hsts saves the redirect and the one insecure connection by telling your browser to only access said site over https for a given amount of time. paypal came up with it and it's pretty good. not available in versions of IE lower than 11, which tbh you shouldn't use anyway because TLS1.2 isn't available in those either, which is the only truly secure https protocol available today.

other thing worth noting: even though Cloudflare is real and your friend, i'd still recommend getting an actual certificate (there are free ones out there if you search enough) and setting it up 'for real' on the actual Minus World server. the Cloudflare one encrypts connections from me to Cloudflare but won't do that for connections from Cloudflare to Minus World's actual server- that's kind of a security issue, and something ssllabs won't detect unfortunately.

short version: the nsa knows

Tue Aug 25, 2015 10:03 PM Re: give us https by McPhresh:

wow, don't see many posts like that here anymore

and lmao it'd be amazing if the nsa just hijacked mw for no reason
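A small check for the two steps the thread recommends (redirect every plain-HTTP request to HTTPS, then send a Strict-Transport-Security header), written as an added example that is not part of the original thread or the Minus World project. The sample responses are constructed, the response tuples are a stand-in for a real HTTP client, and the one-year preload minimum is an assumption stated in the code.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year; assumed minimum max-age for the browser preload list

def header(headers, name):
    """Case-insensitive header lookup on a plain dict of response headers."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 syntax); None if absent or invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: a directive may appear at most once
            return None
        directives[name] = val.strip().strip('"') if val else True
    age = directives.get("max-age")
    if not isinstance(age, str) or not age.isdigit():  # max-age is required and numeric
        return None
    directives["max-age"] = int(age)
    return directives

def check_site(http_response, https_response):
    """Each response is (status_code, headers_dict); returns a list of findings (empty = fine)."""
    findings = []
    status, headers = http_response
    if not (300 <= status < 400 and urlsplit(header(headers, "Location")).scheme == "https"):
        findings.append("plain HTTP is served instead of redirecting to https://")
    status, headers = https_response
    hsts = parse_hsts(header(headers, "Strict-Transport-Security"))
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header on the HTTPS response")
    else:
        if hsts["max-age"] < PRELOAD_MIN_AGE:
            findings.append("HSTS max-age is below one year; too short for preloading")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains; subdomains stay reachable over HTTP")
        if "preload" not in hsts:
            findings.append("HSTS lacks preload; the first visit still starts over HTTP")
    return findings

# Constructed sample responses (not captured from any real site), as (status, headers) pairs:
GOOD = ((301, {"Location": "https://forum.example/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}))
WEAK = ((200, {"Content-Type": "text/html"}),
        (200, {"strict-transport-security": "max-age=300"}))
```

Run `check_site(*GOOD)` and `check_site(*WEAK)` to see the empty list versus the four findings; a real scan would feed in the status and headers returned by an HTTP client for the http:// and https:// URLs.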