Player (13)
Joined: 6/17/2006
Posts: 506
Security bugs! First, the HTTPS version of the site uses a TLS certificate from CAcert, which is not a trusted Certificate Authority. It should be switched to one that is trusted to protect users' passwords and accounts, especially considering that price is no longer an issue thanks to CAs like Let's Encrypt. I would also highly recommend implementing preloaded HSTS as well. Second, the page Accessing the TASVideos Channel mentions that the service requires installing the root certificate for CACert, again despite the fact that it is not a trusted CA, which makes users vulnerable when browsing the rest of the web. This should be removed after fixing the previous issue. Third, I'm seeing the note "Powered by phpBB © 2001, 2005 phpBB Group" on the footer while browsing the forums. If phpBB has not been updated in 14 years as that note suggests, then it is also riddled with security issues that are patched in the latest version, and it should be upgraded.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
SmashManiac wrote:
Third, I'm seeing the note "Powered by phpBB © 2001, 2005 phpBB Group" on the footer while browsing the forums. If phpBB has not been updated in 14 years as that note suggests, then it is also riddled with security issues that are patched in the latest version, and it should be upgraded.
If I understand correctly, the current server-side code, which uses that antique version of phpBB, is heavily modded with custom code, making it very hard to update to the latest version. (This is one of the main problems with taking an open source project and essentially creating a fork of it with tons of custom modifications of your own: It may become extraordinarily difficult to merge updates to the main branch into yours, especially if the main branch code changes radically in design and implementation.) It would be theoretically possible, of course, but require a lot of work, unfortunately.
Post subject: Hunting for HTTPS bugs
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
If you would like to assist in finding bugs with our site running on HTTPS, please do the following:
1) Install the root certificate we are currently using.
2) Visit the site on HTTPS via one of the following:
https://direct.tasvideos.org/ (IPv4 or IPv6)
https://ipv4.tasvideos.org/ (IPv4 only)
https://ipv6.tasvideos.org/ (IPv6 only)
3) Report any issues you find where content is not properly loading/displaying under HTTPS, or where some action redirects you to the HTTP version of the site. One example of an issue is that our RSS feeds on our HTTPS site use HTTP URLs. Please list anything else you find.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
fsvgm777
She/Her
Senior Publisher, Player (225)
Joined: 5/28/2009
Posts: 1213
Location: Luxembourg
Downloading any submission movie file (e.g. this one) gives me "Access blocked because of missing/unacceptable referrer information.". The same goes for published movie files (e.g. this one). Torrents are unaffected. EDIT: However, I can download submission movie files as well as published movie files just fine if I use either https://ipv4.tasvideos.org/ or https://ipv6.tasvideos.org/, so this is strictly an issue with https://direct.tasvideos.org/
Steam Community page - Bluesky profile Oh, I'm just a concerned observer.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
fsvgm777 wrote:
Downloading any submission movie file (e.g. this one) gives me "Access blocked because of missing/unacceptable referrer information.". The same goes for published movie files (e.g. this one). Torrents are unaffected.
Fixed, please confirm.
fsvgm777
She/Her
Senior Publisher, Player (225)
Joined: 5/28/2009
Posts: 1213
Location: Luxembourg
Just tested again, and I can confirm that issue has been fixed.
Site Admin, Skilled player (1250)
Joined: 4/17/2010
Posts: 11473
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
Firefox cert link is dead: https://addons.mozilla.org/en-US/firefox/addon/cacert-root-certificate/
Can't see the image at https://direct.tasvideos.org/EmulatorResources.html (suspecting all such images are missing)
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
feos wrote:
Firefox cert link is dead https://addons.mozilla.org/en-US/firefox/addon/cacert-root-certificate/
Removed, thanks.
feos wrote:
Can't see the image at https://direct.tasvideos.org/EmulatorResources.html (suspecting all such images are missing)
Can you make a list of all the domains where we have images that aren't loading? For internal links, we can come up with an internal system to use HTTPS when coming from our HTTPS sites. For 3rd party sites, we'll need to come up with some other solution.
Editor, Reviewer, Skilled player (1352)
Joined: 9/12/2016
Posts: 1646
Location: Italy
Clicking on the forum logo in the upper left redirects you to http://tasvideos.org
my personal page - my YouTube channel - my GitHub - my Discord: thunderaxe31 <Masterjun> if you look at the "NES" in a weird angle, it actually clearly says "GBA"
Site Admin, Skilled player (1250)
Joined: 4/17/2010
Posts: 11473
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
I looked for "png" and "jpg" and couldn't find any externally hosted embedded images that weren't working. The only ones that don't work are those whose hosting is dead.
Post subject: NewMovies page errors (& invalid certificate)
Editor, Active player (297)
Joined: 3/8/2004
Posts: 7469
Location: Arzareth
It’s a bit errorry today. https://i.imgur.com/N1tALm7.png https://i.imgur.com/CySvcBr.png Edited by feos: Unembedded the huge images.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4042
It looks like it's fixed now, so thanks to whoever did that!
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Editor, Active player (297)
Joined: 3/8/2004
Posts: 7469
Location: Arzareth
Well, some of it is fixed. https://i.imgur.com/HPRuIty.png Edited by feos: Unembedded the huge image.
Joined: 1/26/2020
Posts: 1
tasvideos.org uses an invalid security certificate.
 
The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
 
Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
This error shows up in Firefox 73+. The error is caused by SHA-1 being used to sign the certificate.
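The SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED error above is Firefox refusing a certificate whose outer signature was made with SHA-1. As an added example, not code from this thread or from the TASVideos site, here is a stdlib-only Python check that reads the signatureAlgorithm OID straight out of a certificate's DER encoding, so you can confirm the algorithm without trusting the CA at all. The two sample certificates at the bottom are constructed DER skeletons with a placeholder tbsCertificate, not real certificates, and the OID table covers only the common RSA and ECDSA signature algorithms.

```python
"""Read the signature algorithm of an X.509 certificate with a minimal DER walker.
Structure used (RFC 5280):
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
  AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
This is a structural walk only; it does not validate the certificate."""
import base64

# Dotted OID -> algorithm name, common RSA/ECDSA signature algorithms only.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# Algorithms current browsers reject for any certificate below a trust anchor.
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def read_tlv(data, offset=0):
    """Decode one DER tag-length-value at offset; return (tag, body, next_offset).
    Single-byte tags are assumed, which holds for every universal tag used here."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits = number of following length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(body):
    """Decode the body of an OBJECT IDENTIFIER into dotted form."""
    subids, value = [], 0
    for b in body:  # base-128, high bit set on all but the last byte of a sub-identifier
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]  # first two arcs are packed into one sub-identifier
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs + subids[1:]))


def signature_algorithm(cert_der):
    """Return (dotted OID, name) of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert)          # skip tbsCertificate
    tag, alg, _ = read_tlv(cert, after_tbs)   # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_body)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def is_weak_signature(cert_der):
    return signature_algorithm(cert_der)[1] in WEAK_SIGNATURES


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.strip().startswith("-----")]
    return base64.b64decode("".join(lines))


# --- constructed sample input: DER skeletons with a dummy tbsCertificate, NOT real certificates ---
def encode_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def build_skeleton(oid_der):
    tbs = encode_tlv(0x30, encode_tlv(0x04, b"\x00" * 200))  # >127 bytes, exercises long-form lengths
    alg = encode_tlv(0x30, encode_tlv(0x06, oid_der) + encode_tlv(0x05, b""))  # OID + NULL params
    sig = encode_tlv(0x03, b"\x00" * 5)  # BIT STRING, leading byte = unused bits
    return encode_tlv(0x30, tbs + alg + sig)


SHA1_RSA_SKELETON = build_skeleton(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_RSA_SKELETON = build_skeleton(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
SKELETON_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + base64.encodebytes(SHA1_RSA_SKELETON).decode()
                + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, der in (("sha1-skeleton", SHA1_RSA_SKELETON), ("sha256-skeleton", SHA256_RSA_SKELETON)):
        print(label, signature_algorithm(der), "WEAK" if is_weak_signature(der) else "ok")
```

To run this against a live host, `pem_to_der(ssl.get_server_certificate((host, 443)))` gives the leaf certificate's DER; called without a `ca_certs` argument it does not validate the chain, which is what you want when the issuer is not in your trust store. It inspects the leaf only; Firefox applies the SHA-1 rule to every certificate in the chain except the trust anchor itself, so repeat the check on any intermediates the server sends.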
Joined: 6/4/2009
Posts: 893
IPv6 side looks fine. I can post, but resources switch to media.tasvideos.org, so I can't tell if they're using the IPv6 or IPv4 side. But maybe switching the cert to Let's Encrypt would be easier on the user side, as they wouldn't need to install another root CA.
edit: same as feos; getting a 404 with the following file: https://files.tasvideos.org/1853/site_images/EmulatorResources.png and clicking on the logo sends back to the main standard HTTP side.
edit again: when clicking on a link in the forum (ex: https://ipv6.tasvideos.org/forum/viewtopic.php?t=21517) the feos improvement comment redirects to https://tasvideos.org/3991M.html & gives me a 404; same if you click on the name of the judge (https://tasvideos.org/Spikestuff.html), but from the submission pages it correctly redirects to https://ipv6.tasvideos.org/3991M.html
Editor, Emulator Coder, Site Developer
Joined: 5/11/2011
Posts: 1108
Location: Murka
mesonnaise wrote:
tasvideos.org uses an invalid security certificate.
 
The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
 
Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
This error shows up in Firefox 73+. The error is caused by SHA-1 being used to sign the certificate.
Any progress on this? Getting the same error.
Post subject: Movie submission wiki links lose subdomain in the forum
Sand
He/Him
Player (143)
Joined: 6/26/2018
Posts: 174
I made a submission while browsing under https://direct.tasvideos.org/. The submission includes a wiki link. On the submission page, the link works as I expect, with a domain-relative URL that keeps me in direct.tasvideos.org:
<a href="/GameResources/DOS/CaptainComic.html">GameResources/DOS/CaptainComic</a>
But in the forum post, the link uses a scheme-relative URL that changes the domain from direct.tasvideos.org to tasvideos.org (it remains https):
<a href="//tasvideos.org/GameResources/DOS/CaptainComic.html">GameResources/DOS/CaptainComic</a>
Player (13)
Joined: 6/17/2006
Posts: 506
Bisqwit wrote:
Well, some of it is fixed. https://i.imgur.com/HPRuIty.png
That's because CAcert is not a trusted certificate authority for any major OS or web browser. It should be switched to something else, and doing so would also save bandwidth costs as well since it will allow HTTP/2 data compression in transit. I use Let's Encrypt as the certificate authority for my own website and it's free, so it's win-win. I'm bringing this up again because the lack of proper HTTPS support is becoming more and more of an issue. For example, Firefox now has a user-facing setting to prevent all HTTP connections, and I sure would like to enable it, but I can't because TASVideos is still the one site I frequently visit that still doesn't support this basic security feature for some reason. For a seamless transition, I recommend implementing a CSP with the upgrade-insecure-requests directive - it's just an HTTP header, and there would be no need to manually rewrite links that way. Once it's confirmed to work, I would immediately follow with preloaded HSTS to discontinue the insecure HTTP protocol without any user impact.
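A minimal check for the two headers SmashManiac proposes here (and again in the mirroring suggestion further down the thread), as an added Python example that is not code from this thread or from the TASVideos site: it parses Strict-Transport-Security and Content-Security-Policy values and reports what is still missing for the upgrade-insecure-requests step and for HSTS preload. The header sets at the bottom are constructed for the example, and the preload minimum (max-age of at least one year, includeSubDomains, preload) is the hstspreload.org requirement as I know it, not something the thread states.

```python
"""Audit an HTTPS response's headers for the two migration controls:
a CSP with upgrade-insecure-requests and a preload-ready HSTS policy.
Stdlib only. The header sets at the bottom are constructed, not captured."""

# hstspreload.org submission requirements (assumed current; re-check before submitting).
HSTS_PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value or None}.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings for a dict of response headers served over HTTPS.
    An empty list means both controls are present and the HSTS policy is preload-ready."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = parse_csp(lower.get("content-security-policy", ""))
    if "upgrade-insecure-requests" not in csp:
        findings.append("CSP lacks upgrade-insecure-requests: http:// subresources and "
                        "same-origin http:// links are not rewritten by the browser")

    raw = lower.get("strict-transport-security")
    if raw is None:
        findings.append("no Strict-Transport-Security header: browsers will keep "
                        "following http:// links to this host")
        return findings
    hsts = parse_hsts(raw)
    try:
        max_age = int(hsts.get("max-age") or "")
    except ValueError:
        findings.append("HSTS max-age missing or not an integer: the header is ignored")
        max_age = None
    if max_age is not None and max_age < HSTS_PRELOAD_MIN_MAX_AGE:
        findings.append(f"HSTS max-age={max_age} is below the "
                        f"{HSTS_PRELOAD_MIN_MAX_AGE}s preload minimum")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains: required for preload, and without it "
                        "hosts such as direct./ipv4./ipv6. stay unprotected")
    if "preload" not in hsts:
        findings.append("HSTS lacks the preload directive: required before submitting "
                        "the domain to hstspreload.org")
    return findings


# Constructed sample header sets for the migration stages discussed above.
STEP1_UPGRADE_ONLY = {
    "Content-Security-Policy": "upgrade-insecure-requests",
}
STEP2_PRELOAD_READY = {
    "Content-Security-Policy": "upgrade-insecure-requests; default-src 'self'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}
WEAK_HSTS_ONLY = {
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for label, hdrs in (("step1", STEP1_UPGRADE_ONLY), ("step2", STEP2_PRELOAD_READY),
                        ("weak", WEAK_HSTS_ONLY)):
        print(label, audit_headers(hdrs) or ["ok"])
```

Three caveats a practitioner would want alongside this: browsers only honour Strict-Transport-Security on responses received over HTTPS, so the header does nothing until the HTTPS side is served with a certificate they trust; upgrade-insecure-requests rewrites subresource loads and same-origin navigations but not links to other origins, so cross-host links like the forum-to-wiki one reported above still need fixing server-side; and preloading is effectively permanent, since removal from the browser lists takes months, which is why the ordering proposed in the post (trusted certificate, then upgrade, then preload) matters.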
Player (13)
Joined: 6/17/2006
Posts: 506
To add to my previous post, TASVideos also distributes their own software (lsnes, for example). The fact that there is no secure way to download said software due to the required insecure HTTP connection puts all TASVideos users at risk of downloading malware instead, even if TASVideos itself is not infected. I do not understand why this critical issue is not considered a priority, considering TASVideos already accepts HTTPS connections with a bad certificate, and considering how easy it is to install and automatically renew free trusted HTTPS certificates nowadays. It's not like I'm the only one with this opinion either: dwangoAC was complaining about this issue in a stream recently, and Bisqwit's previous post certainly suggests that he agrees as well. If the issue is a lack of volunteers, please let us know! I'd be willing to help in this regard myself if needed, and I'm sure many others would as well!
Sand
He/Him
Player (143)
Joined: 6/26/2018
Posts: 174
I will add my support to SmashManiac's statement and say that HTTPS is important to me as well. Whenever I do something at TASVideos that requires logging in, I go to https://direct.tasvideos.org/ and click through the MD5 warning, because even bad TLS is vastly better than no TLS.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
Speaking of that, I think it would be a good idea to add the SHA-256 hash of the distributed exe file (and perhaps other, even more secure hashes). (Sure, only something like 0.1% of people will actually check the hash of the downloaded file, but at least the option would be there for those who want to be extra sure.)
Site Admin, Skilled player (1250)
Joined: 4/17/2010
Posts: 11473
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
We have a thread for https discussion: http://tasvideos.org/forum/viewtopic.php?t=21429
Player (13)
Joined: 6/17/2006
Posts: 506
Until all the remaining quirks are being ironed out, is it possible to simply mirror the HTTP version and implement a CSP with the upgrade-insecure-requests directive over it? It's supported by all major browsers nowadays.
Player (13)
Joined: 6/17/2006
Posts: 506
Warp wrote:
Speaking of that, I think it would be a good idea to add the SHA-256 hash of the distributed exe file (and perhaps other, even more secure hashes).
It's not a bad idea, but if file hashes were published right now, they would still be distributed over insecure HTTP, and thus could not be trusted either.
feos wrote:
We have a thread for https discussion: http://tasvideos.org/forum/viewtopic.php?t=21429
That thread contains no reply from site managers since 2019, despite the multiple issues and progress report requests posted since then.
Site Admin, Skilled player (1250)
Joined: 4/17/2010
Posts: 11473
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
SmashManiac wrote:
That thread contains no reply from site managers since 2019, despite the multiple issues and progress report requests posted since then.
Does this thread look better in that regard?