Post by natt

Posted: 9/6/2019 1:08 AM

Quote

SmashManiac

Player (12)

Joined: 6/17/2006
Posts: 501

Security bugs! First, the HTTPS version of the site uses a TLS certificate from CAcert, which is not a trusted Certificate Authority. It should be switched to one that is trusted to protect users' passwords and accounts, especially considering that price is no longer an issue thanks to CAs like Let's Encrypt. I would also highly recommend implementing preloaded HSTS as well. Second, the page Accessing the TASVideos Channel mentions that the service requires installing the root certificate for CACert, again despite the fact that it is not a trusted CA, which makes users vulnerable when browsing the rest of the web. This should be removed after fixing the previous issue. Third, I'm seeing the note "Powered by phpBB © 2001, 2005 phpBB Group" on the footer while browsing the forums. If phpBB has not been updated in 14 years as that note suggests, then it is also riddled with security issues that are patched in the latest version, and it should be upgraded.

The BIG List of Randomizers

Posted: 9/6/2019 8:39 AM

Quote

Warp

Banned User, Former player

Joined: 3/10/2004
Posts: 7698
Location: Finland

SmashManiac wrote:

Third, I'm seeing the note "Powered by phpBB © 2001, 2005 phpBB Group" on the footer while browsing the forums. If phpBB has not been updated in 14 years as that note suggests, then it is also riddled with security issues that are patched in the latest version, and it should be upgraded.

If I understand correctly, the current server-side code, which uses that antique version of phpBB, is heavily modded with custom code, making it very hard to update to the latest version. (This is one of the main problems with taking an open source project and essentially creating a fork of it with tons of custom modifications of your own: It may become extraordinarily difficult to merge updates to the main branch into yours, especially if the main branch code changes radically in design and implementation.) It would be theoretically possible, of course, but require a lot of work, unfortunately.

Posted: 11/24/2019 4:55 PM

Post subject: Hunting for HTTPS bugs

Quote

Nach

Emulator Coder

Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers

If you would like to assist for finding bugs with our site running on HTTPS, please do the following: 1) Install the root certificate we are currently using. 2) Visit the site on HTTPS via one of the following: https://direct.tasvideos.org/ (IPv4 or IPv6) https://ipv4.tasvideos.org/ (IPv4 only) https://ipv6.tasvideos.org/ (IPv6 only) 3) Report any issues you find where content is not properly loading/displaying under HTTPS, or where some action redirects you to the HTTP version of the site. One example of an issue is that our RSS feeds on our HTTPS site use HTTP URLs. Please list anything else you find.

Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.

Posted: 11/24/2019 5:19 PM

Quote

fsvgm777

She/Her

Senior Publisher, Player (221)

Joined: 5/28/2009
Posts: 1185
Location: Luxembourg

Downloading any submission movie file (e.g. this one) gives me "Access blocked because of missing/unacceptable referrer information.". The same goes for published movie files (e.g. this one). Torrents are unaffected. EDIT: However, I can download submission movie files as well as published movie files just fine if I use either https://ipv4.tasvideos.org/ or https://ipv6.tasvideos.org/, so this is strictly an issue with https://direct.tasvideos.org/

Steam Community page - Cohost profile Oh, I'm just a concerned observer.

Posted: 11/24/2019 5:27 PM

Quote

Nach

Emulator Coder

Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers

fsvgm777 wrote:

Downloading any submission movie file (e.g. this one) gives me "Access blocked because of missing/unacceptable referrer information.". The same goes for published movie files (e.g. this one). Torrents are unaffected.

Fixed, please confirm.

Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.

Posted: 11/24/2019 5:28 PM

Quote

fsvgm777

She/Her

Senior Publisher, Player (221)

Joined: 5/28/2009
Posts: 1185
Location: Luxembourg

Just tested again, and I can confirm that issue has been fixed.

Steam Community page - Cohost profile Oh, I'm just a concerned observer.

Posted: 11/24/2019 6:35 PM

Quote

feos

Site Admin, Skilled player (1236)

Joined: 4/17/2010
Posts: 11268
Location: RU

Firefox cert link is dead https://addons.mozilla.org/en-US/firefox/addon/cacert-root-certificate/ Can't see the image at https://direct.tasvideos.org/EmulatorResources.html (suspecting all such images are missing)

Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.

Posted: 11/24/2019 10:49 PM

Quote

Nach

Emulator Coder

Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers

feos wrote:

Firefox cert link is dead https://addons.mozilla.org/en-US/firefox/addon/cacert-root-certificate/

Removed, thanks.

feos wrote:

Can't see the image at https://direct.tasvideos.org/EmulatorResources.html (suspecting all such images are missing)

Can you make a list of all the domains where we have images that aren't loading? For internal links, we can come up with an internal system to use HTTPS when coming from our HTTPS sites. For 3rd party sites, we'll need to come up with some other solution.

Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.

Posted: 11/26/2019 10:35 PM

Quote

ThunderAxe31

Any

Judge, Skilled player (1288)

Joined: 9/12/2016
Posts: 1645
Location: Italy

Clicking on the forum logo in the upper left redirects you to http://tasvideos.org

my personal page - my YouTube channel - my GitHub - my Discord: thunderaxe31 <Masterjun> if you look at the "NES" in a weird angle, it actually clearly says "GBA"

Posted: 12/2/2019 3:26 PM

Quote

feos

Site Admin, Skilled player (1236)

Joined: 4/17/2010
Posts: 11268
Location: RU

I looked for "png" and "jpg" and couldn't find any externally hosted embedded images that weren't working. The only ones that don't work are those whose hosting is dead.

Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.

Posted: 12/25/2019 5:27 AM

Post subject: NewMovies page errors (& invalid certificate)

Quote

Bisqwit

Editor, Active player (296)

Joined: 3/8/2004
Posts: 7469
Location: Arzareth

It’s a bit errorry today. https://i.imgur.com/N1tALm7.png https://i.imgur.com/CySvcBr.png Edited by feos: Unembedded the huge images.

Posted: 12/26/2019 5:17 AM

Quote

Patashu

He/Him

Joined: 10/2/2005
Posts: 4016

It looks like it's fixed now, so thanks to whoever did that!

My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu

Posted: 1/2/2020 11:13 PM

Quote

Bisqwit

Editor, Active player (296)

Joined: 3/8/2004
Posts: 7469
Location: Arzareth

Well, some of it is fixed. https://i.imgur.com/HPRuIty.png Edited by feos: Unembedded the huge image.

Posted: 1/26/2020 9:45 PM

Quote

mesonnaise

Joined: 1/26/2020
Posts: 1

tasvideos.org uses an invalid security certificate.
 
The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
 
Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

This error shows up in Firefox 73+. The error is caused by SHA-1 being used to sign the certificate.

Posted: 2/1/2020 8:44 AM

Quote

Nicos

Joined: 6/4/2009
Posts: 893

ipv6 side Looks fine i can post but resources switch to media.tasvideos.org so i can't tell if they're using the IPV6 or IPV4 side but maybe switching the Cert to Let's encrypt would be easier on the user side as they wouldn't need to install another root.ca edit: same as feos; getting a 404 with the following file: https://files.tasvideos.org/1853/site_images/EmulatorResources.png and clicking on the logo sends back to the main http standard side edit again : when click on a link in the forum (ex: https://ipv6.tasvideos.org/forum/viewtopic.php?t=21517) the Feos improvement comment redirect to : https://tasvideos.org/3991M.html & gives me a 404 same if you click on the name of the judge (https://tasvideos.org/Spikestuff.html) but from the submition pages it correctly redirect to https://ipv6.tasvideos.org/3991M.html

Posted: 11/25/2020 7:34 PM

Post subject: Movie submission wiki links lose subdomain in the forum

Quote

Sand

He/Him

Player (125)

Joined: 6/26/2018
Posts: 154

I made a submission while browsing under https://direct.tasvideos.org/. The submission includes a wiki link. On the submission page, the link works as I expect, with a domain-relative URL that keeps me in direct.tasvideos.org:

<a href="/GameResources/DOS/CaptainComic.html">GameResources/DOS/CaptainComic</a>

But in the forum post, the link uses a scheme-relative URL that changes the domain from direct.tasvideos.org to tasvideos.org (it remains https):

<a href="//tasvideos.org/GameResources/DOS/CaptainComic.html">GameResources/DOS/CaptainComic</a>

Posted: 12/7/2020 6:14 AM

Quote

SmashManiac

Player (12)

Joined: 6/17/2006
Posts: 501

Bisqwit wrote:

Well, some of it is fixed. https://i.imgur.com/HPRuIty.png

That's because CAcert is not a trusted certificate authority by any major OS nor web browser. It should be switched to something else, and doing so would also save bandwidth costs as well since it will allow HTTP/2 data compression in transit. I use Let's Encrypt as the certificate authority for my own website and it's free, so it's win-win. I'm bringing this up again because the lack of proper HTTPS support is becoming more and more of an issue. For example, Firefox has now a user-facing setting to prevent all HTTP connections, and I sure would like to enable it, but I can't because TASVideos is still the one site I frequently visit that still doesn't support this basic security feature for some reason. For a seamless transition, I recommend implementing a CSP with the upgrade-insecure-requests directive - it's just an HTTP header, and there would be no need to manually rewrite links that way. Once it's confirmed to work, I would immediately follow with preloaded HSTS to discontinue the unsecure HTTP protocol without any user impact.

The BIG List of Randomizers

Posted: 2/22/2021 5:02 PM

Quote

SmashManiac

Player (12)

Joined: 6/17/2006
Posts: 501

To add to my previous post, TASVideos also distributes their own software (lsnes, for example). The fact that there is no secure way to download said software due to the required insecure HTTP connection puts all TASVideos users at risk of downloading malware instead, even if TASVideos itself is not infected. I do not understand why this critical issue is not considered a priority, considering TASVideos already accepts HTTPS connections with a bad certificate, and considering how easy it is to install and automatically renew free trusted HTTPS certificates nowadays. It's not like I'm the only one with this opinion either: dwangoAC was complaining about this issue in a stream recently, and Bisqwit's previous post certainly suggests that he agrees as well. If the issue is a lack of volunteers, please let us know! I'd be willing to help on this regard myself if needed, and I'm sure many others would as well!

The BIG List of Randomizers

Posted: 2/23/2021 9:41 PM

Quote

Sand

He/Him

Player (125)

Joined: 6/26/2018
Posts: 154

I will add my support to SmashManiac's statement and say that HTTPS is important to me as well. Whenever I do something at TASVideos that requires logging in, I go to https://direct.tasvideos.org/ and click through the MD5 warning, because even bad TLS is vastly better than no TLS.

Posted: 2/24/2021 8:27 AM

Quote

Warp

Banned User, Former player

Joined: 3/10/2004
Posts: 7698
Location: Finland

Speaking of that, I think it would be a good idea to add the SHA-256 hash of the distributed exe file (and perhaps other, even more secure hashes). (Sure, only something like 0.1% of people will actually check the hash of the downloaded file, but at least the option would be there for those who want to be extra sure.)

Posted: 2/24/2021 3:23 PM

Quote

feos

Site Admin, Skilled player (1236)

Joined: 4/17/2010
Posts: 11268
Location: RU

We have a thread for https discussion: http://tasvideos.org/forum/viewtopic.php?t=21429

Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.

Posted: 3/9/2021 4:17 AM

Quote

SmashManiac

Player (12)

Joined: 6/17/2006
Posts: 501

Until all the remaining quirks are being ironed out, is it possible to simply mirror the HTTP version and implement a CSP with the upgrade-insecure-requests directive over it? It's supported by all major browsers nowadays.

The BIG List of Randomizers

Posted: 3/9/2021 4:32 AM

Quote

SmashManiac

Player (12)

Joined: 6/17/2006
Posts: 501

Warp wrote:

Speaking of that, I think it would be a good idea to add the SHA-256 hash of the distributed exe file (and perhaps other, even more secure hashes).

It's not a bad idea, but if file hashes were published right now, they would still be distributed over insecure HTTP, and thus could not be trusted either.

feos wrote:

We have a thread for https discussion: http://tasvideos.org/forum/viewtopic.php?t=21429

That thread contains no reply from site manages since 2019, despite the multiple issues and progress report requests posted since then.

The BIG List of Randomizers

Posted: 3/9/2021 2:51 PM

Quote

feos

Site Admin, Skilled player (1236)

Joined: 4/17/2010
Posts: 11268
Location: RU

SmashManiac wrote:

That thread contains no reply from site manages since 2019, despite the multiple issues and progress report requests posted since then.

Does this thread look better in that regard?

Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.