Post subject: HTTPS support
darkszero
He/Him
Joined: 7/12/2009
Posts: 181
Location: São Paulo, Brazil
(MOD EDIT: Posts from various topics have been merged together, to make information easier to find. -Mothrayas) When trying to open an HTTPS page on tasvideos, my Firefox (Dev Edition, so roughly v43) is giving a sec_error_cert_signature_algorithm_disabled error on the certificate. Checking the certificate itself, it uses 'sha512WithRSAEncryption' so there's a possibility it's a Firefox issue, but I'll err on the caution side. (Oh, and the certificate is valid until 'Oct 12 22:09:51 2015 GMT'. That's tomorrow.)
Joined: 2/1/2008
Posts: 347
darkszero wrote:
When trying to open an HTTPS page on tasvideos, my Firefox (Dev Edition, so roughly v43) is giving a sec_error_cert_signature_algorithm_disabled error on the certificate. Checking the certificate itself, it uses 'sha512WithRSAEncryption' so there's a possibility it's a Firefox issue, but I'll err on the caution side. (Oh, and the certificate is valid until 'Oct 12 22:09:51 2015 GMT'. That's tomorrow.)
I tested this in Chrome and it appears that the issue is that it wasn't signed by a trusted authority. Then again, it doesn't look like tasvideos really has any HTTPS functionality; attempting to access the forums results in a 404 and the home page results in a plaintext "Hi". By the way, nudging you guys again about Gmail saying that e-mails sent from this forum are not following proper standards for bulk e-mails. You really should fix that, as notifications keep ending up in spam where they don't belong.
<ccfreak2k> There is no 'ctrl' button on DeHackEd's computer. DeHackEd is always in control.
Player (74)
Joined: 8/26/2015
Posts: 70
blahmoomoo wrote:
I tested this in Chrome and it appears that the issue is that it wasn't signed by a trusted authority.
These are two different issues. If you look at the connection information, Chrome also warns you that the connection is encrypted by an obsolete cipher suite, which is what Firefox is complaining about; Firefox is a little better at making users aware of problems with encryption. But, as you say, it's a moot point as it appears that tasvideos isn't actually accessible by https.
darkszero
He/Him
Joined: 7/12/2009
Posts: 181
Location: São Paulo, Brazil
Considering the lack of actual HTTPS content, I tried to figure out why I was redirected to this page, and it's a mix of me accessing my RSS aggregator via HTTPS, and the TASVideos RSS feed with an odd link. If you check the source for http://tasvideos.org/publications.rss (in my case it was http://tasvideos.org/combined.rss) and check any description that has links, the a tag appears as this:
<a href="//tasvideos.org/GameResources/SNES/MegaManX.html">Mega Man X Tricks</a>
It's pointing to "//tasvideos.org", which Firefox seems to complete with the currently used protocol, which in my case happened to be HTTPS.
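The behaviour darkszero describes is the standard resolution rule for a network-path reference ("//host/path"): the link keeps host and path but borrows the scheme of the page it is rendered in. The following is an added example, not code from the original post or from TASVideos, showing both the reader-side resolution and the feed-side fix (pinning the scheme). The description body and the reader URLs are constructed for the example.

```python
import re
from html import escape, unescape
from urllib.parse import urljoin, urlsplit

# Constructed sample of an RSS <description> body in the shape quoted above:
# the HTML inside it is entity-escaped, as RSS carries it.
# One link is scheme-relative, one is already absolute.
SAMPLE_DESCRIPTION = (
    "Added &lt;a href=&quot;//tasvideos.org/GameResources/SNES/MegaManX.html&quot;&gt;"
    "Mega Man X Tricks&lt;/a&gt; (see &lt;a href=&quot;http://tasvideos.org/&quot;&gt;home&lt;/a&gt;)"
)

HREF_RE = re.compile(r'href="([^"]*)"')


def resolve_in_reader(description_html, reader_page_url):
    """Return (href as written, URL the browser will request) for each link.

    A scheme-relative href ("//host/path") is a network-path reference: it
    keeps host and path but takes the scheme of the page it is rendered in.
    urljoin applies the same RFC 3986 rules a browser does, so the reader's
    own URL decides whether the click goes to http:// or https://.
    """
    body = unescape(description_html)
    return [(h, urljoin(reader_page_url, h)) for h in HREF_RE.findall(body)]


def fix_scheme_relative(description_html, feed_url):
    """Feed-side fix: pin scheme-relative hrefs to the feed's own scheme so the
    target no longer depends on where the feed happens to be displayed.
    Absolute links are left untouched; the result is re-escaped for RSS."""
    scheme = urlsplit(feed_url).scheme

    def pin(match):
        href = match.group(1)
        if href.startswith("//"):
            href = f"{scheme}:{href}"
        return f'href="{href}"'

    return escape(HREF_RE.sub(pin, unescape(description_html)))


if __name__ == "__main__":
    # Hypothetical reader URLs: the same feed item resolves differently
    # depending only on the scheme the reader itself was opened with.
    for page in ("https://reader.example/feeds/42", "http://reader.example/feeds/42"):
        print(page, resolve_in_reader(SAMPLE_DESCRIPTION, page))
    print(fix_scheme_relative(SAMPLE_DESCRIPTION, "http://tasvideos.org/combined.rss"))
```

Pinning the scheme in the feed is the correct place for the fix only while the site has no working HTTPS; once it does, the scheme-relative form (or an explicit https:// link) is what you want.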
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
Firefox has started giving warnings for login pages that are "insecure" (with which I'm assuming it means does not use https). How difficult would it be to have the forum login page use https instead of http? (Only the login page would need to do this, not the entire forum, if I understand correctly.) I'm not acquainted with the technical details, but I have got the impression from somewhere that it might not be absolutely trivial (like just turning a flag on somewhere), so it may be understandable if this isn't done, but it could be nice, if it isn't a lot of trouble.
Joined: 3/11/2008
Posts: 583
Location: USA
(MOD EDIT: This and following posts have been split from this topic -Mothrayas) Was looking around since the site throws an error if I try connecting thusly, and this seems the relevant topic…
Ilari wrote:
The reasons why this site doesn't do HTTPS have absolutely nothing to do with CPU nor memory usage.
What are those reasons?
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
The latest version of Firefox has started warning if passwords are going unencrypted (i.e. I'm assuming if it's not through https). Would it really hurt to set up https for the login page?
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
For the login page by itself, it is quite useless. You want all or nothing (preferably all).
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
The password moves from the user's computer to the server through the internet when logging in from the login page. It doesn't move constantly anywhere else. Of course the entire site could be behind https, but I don't know how heavy that is on the server.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
The issue isn't load so much as parts of the site not being ready for it. https://dev.tasvideos.org/ has been up for a few years now, but not necessarily has every bug been worked out. If users want to test and create a list of HTTPS-related bugs, we can fix them and then enable it on the main site.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
marzojr
He/Him
Experienced player (749)
Joined: 9/29/2008
Posts: 964
Location: 🇫🇷 France
Nach wrote:
https://dev.tasvideos.org/ has been up for a few years now, but not necessarily has every bug been worked out. If users want to test and create a list of HTTPS-related bugs, we can fix them and then enable it on the main site.
Is there any specific location for posting bugs? Because I already found two: the 'View posts since last visit' link redirects to the normal (non-HTTPS) forums for the search results, and the 'search' link uses the non-HTTPS search form.
Marzo Junior
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
Nach wrote:
The issue isn't load so much as parts of the site not being ready for it.
Perhaps for that reason the https protocol could be restricted to the login page. Would be better (much better) than nothing.
Joined: 4/13/2009
Posts: 431
Warp wrote:
Perhaps for that reason the https protocol could be restricted to the login page. Would be better (much better) than nothing.
It's just as easy to steal your session cookie id as it is to steal your password. Unless the entire site is protected by https, your cookie id is vulnerable, hence making the site no more secure than before from the site's point of view.
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
EEssentia wrote:
It's just as easy to steal your session cookie id as it is to steal your password. Unless the entire site is protected by https, your cookie id is vulnerable, hence making the site no more secure than before from the site's point of view.
That would be undesirable, of course, but if I understand correctly, simply hijacking your session doesn't allow the attacker to change your password (I haven't actually tried to change my password on tasvideos.org, but I'm assuming you need to enter your old one to be able to do it). Your account could be used to post spam etc. this way, which is bad, but logging out and in again ought to quickly fix that. If I'm mistaken, please correct me.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
marzojr wrote:
Nach wrote:
https://dev.tasvideos.org/ has been up for a few years now, but not necessarily has every bug been worked out. If users want to test and create a list of HTTPS-related bugs, we can fix them and then enable it on the main site.
Is there any specific location for posting bugs? Because I already found two: the 'View posts since last visit' link redirects to the normal (non-HTTPS) forums for the search results, and the 'search' link uses the non-HTTPS search form.
Perhaps start a new thread with the title HTTPS bugs. Thanks for these, I will look into them.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Joined: 4/13/2009
Posts: 431
Warp wrote:
That would be undesirable, of course, but if I understand correctly, simply hijacking your session doesn't allow the attacker to change your password (I haven't actually tried to change my password on tasvideos.org, but I'm assuming you need to enter your old one to be able to do it).
In an ideal world, they should not be able to change anything sensitive, such as passwords. But it all depends on how well the server handles security, because the hacker is not "someone else", the hacker is YOU, the hacker has identified themselves as YOU, not some stranger. There are usually these back doors. What if, say, the hacker tries to PM an admin and say they've lost their password and email (arguing, for example, that they have auto-login ticked on their computer)? In the ideal scenario, that won't work. But as we've seen before (e.g. Apple), sometimes security routines fail.
Warp wrote:
Your account could be used to post spam etc. this way, which is bad, but logging out and in again ought to quickly fix that. If I'm mistaken, please correct me.
Sure, until the hacker steals your next session ID. If they've stolen one, I don't see why they wouldn't steal the next.
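The point EEssentia makes can be shown mechanically with the cookie attachment rules. The following is an added example, not code from the thread or from the forum software: it simulates a login that happens over https followed by ordinary browsing over http, and checks on which requests the session cookie crosses the wire in clear. The cookie name, the Set-Cookie headers and the browsing URLs are constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers a forum might emit after a login that
# happened over https.  The cookie name is made up for this example.
WEAK_SET_COOKIE = "forum_sid=2e7c1b9a4f; Path=/"
STRONG_SET_COOKIE = "forum_sid=2e7c1b9a4f; Path=/; Secure; HttpOnly; SameSite=Lax"

# Constructed browsing session: login page on https, everything else on http,
# which is the "login page only" deployment discussed above.
BROWSING = [
    "https://tasvideos.org/forum/login.php",
    "http://tasvideos.org/forum/viewtopic.php?t=1",
    "http://tasvideos.org/forum/privmsg.php",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie value into (name, Morsel)."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return name, morsel


def is_sent_on(morsel, url):
    """Apply the RFC 6265 section 5.4 attachment rules that matter here: a
    cookie carrying Secure is attached only to https requests, and the request
    path must fall under the cookie's Path (simplified to a prefix test)."""
    parts = urlsplit(url)
    if morsel["secure"] and parts.scheme != "https":
        return False
    return parts.path.startswith(morsel["path"] or "/")


def cleartext_exposures(set_cookie_header, requests):
    """URLs in `requests` on which this session cookie would travel
    unencrypted, i.e. where a passive sniffer on the path could copy it."""
    _, morsel = parse_set_cookie(set_cookie_header)
    return [u for u in requests
            if urlsplit(u).scheme == "http" and is_sent_on(morsel, u)]


def usable_on(set_cookie_header, requests):
    """URLs where the browser still presents the cookie, i.e. where the user
    stays logged in.  Marking the cookie Secure stops the leak but also logs
    the user out of every http:// page, which is why login-only https
    cannot work on its own."""
    _, morsel = parse_set_cookie(set_cookie_header)
    return [u for u in requests if is_sent_on(morsel, u)]


if __name__ == "__main__":
    print("weak cookie leaks on:", cleartext_exposures(WEAK_SET_COOKIE, BROWSING))
    print("secure cookie leaks on:", cleartext_exposures(STRONG_SET_COOKIE, BROWSING))
    print("secure cookie usable on:", usable_on(STRONG_SET_COOKIE, BROWSING))
```

With the weak cookie the password never crosses the wire in clear, but the session identifier does on every http page, which is all an attacker on the same network needs. With the Secure attribute the leak stops, and so does the login on every http page, so the site ends up having to serve everything over https anyway.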
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
So the argument is that since the session IDs can't be protected, the login page shouldn't be protected either?
Joined: 4/13/2009
Posts: 431
The argument is that just protecting the login page won't be much safer and much better. It won't really do much to aid security at all unless the entire site runs on https (at least where login information and hence the session cookie is used).
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
EEssentia wrote:
The argument is that just protecting the login page won't be much safer and much better.
Actually it would. That's because your password can't be stolen and changed.
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
Warp wrote:
How difficult would it be to have the forum login page use https instead of http?
In fact, it would be a good idea to make the entire site https-only. Read here why: https://doesmysiteneedhttps.com/ Please consider it seriously.
Post subject: HTTPS support
Player (12)
Joined: 6/17/2006
Posts: 501
As the rest of the web is transitioning to an HTTPS-only world, I'm surprised TASVideos still doesn't properly support HTTPS. HTTPS has a bunch of advantages, including:
- Preventing man-in-the-middle attacks, including password/session theft and ad/spyware/cryptominer injection
- Allowing HTTP/2, which uses less bandwidth overall despite the security overhead thanks to Brotli compression
- Granting access to users blocking all HTTP traffic for security and privacy reasons
- Better rankings in search engines
- No annoying browser warnings
- It's free!
I highly recommend TASVideos to implement HTTPS with HSTS as soon as possible.
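HSTS, recommended in the post above, is a single response header that tells browsers to refuse plaintext for the host; a policy that is present but too weak gives little of the benefit. The following is an added example, not code from the thread or from TASVideos: a parser for the Strict-Transport-Security header following RFC 6797 and an evaluator that checks the value against the hstspreload.org inclusion requirements (max-age of at least one year, includeSubDomains and preload). The sample response headers are constructed for the example.

```python
ONE_YEAR = 31536000  # hstspreload.org minimum max-age for inclusion


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Directive names are case-insensitive, values may be quoted, max-age is
    mandatory and must be a delta-seconds integer, and a directive that
    appears twice makes the whole header invalid.
    """
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name}")
        directives[name] = value.strip().strip('"')
    if "max-age" not in directives or not directives["max-age"].isdigit():
        raise ValueError("max-age missing or not a delta-seconds value")
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def evaluate_hsts(header_value):
    """Return a list of findings; an empty list means the policy meets the
    preload-list bar."""
    try:
        policy = parse_hsts(header_value)
    except ValueError as err:
        return [str(err)]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes the policy; browsers will accept http:// again")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} below the one-year preload minimum")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains may still be served over plaintext")
    if not policy["preload"]:
        findings.append("preload missing: the very first visit is unprotected until the header is seen")
    return findings


def evaluate_response(headers):
    """headers: response header name -> value, as received over https.
    Header names are matched case-insensitively.  Note that RFC 6797 requires
    browsers to ignore the header on a plaintext response, so only the https
    response is worth checking."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return evaluate_hsts(value)
    return ["no Strict-Transport-Security header: browsers will keep accepting http:// for this host"]


# Constructed https response headers for a site that has only just enabled TLS
# and started with a short, cautious max-age.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=600",
}

if __name__ == "__main__":
    for finding in evaluate_response(SAMPLE_HEADERS):
        print("-", finding)
```

A short max-age is the right way to start (a mistake in the TLS setup would otherwise lock users out for a year), but it should be raised to the full year and extended with includeSubDomains once every subdomain is known to work over https.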
duke1102
He/Him
Joined: 6/30/2018
Posts: 1
Hey. Okay, this is not really a bug so to speak, but something important every website/forum should enforce these days: SSL/TLS encryption, instead of unencrypted HTTP transport, which can easily be sniffed and sensitive information can get into the wrong people's hands.

I'm pretty sure you all heard/read about the recent new EU GDPR regulations that went into effect at the end of May this year. Here in Germany it is expected that you use SSL/TLS encryption on your websites, and as a commercial website you are basically legally bound to having proper encryption on your website, otherwise you can face a hefty fine of like 10k+€.

Luckily SSL/TLS encryption certificates are easy to obtain, and with Let's Encrypt there is a great provider who gives out certificates without charging any money. The process of getting a certificate and managing it is straightforward and mostly automated. (There's a command line tool for Linux-based systems that automatically obtains the certificate and modifies the configuration of the webserver to use it.) I'd highly appreciate it if you point your system admin to https://letsencrypt.org/ and get this set up soon.

Edit: After some discussions in the IRC channel I dug a bit more into the EU GDPR laws, and they apply to companies AND website owners. While private website owners might not comply completely with everything, they still have to make sure to protect the personal data of their users that live in the EU. Since TASVideos obviously serves people from the EU, it applies. Here's a detailed article about what things are required: https://www.disclaimertemplate.com/the-gdpr-affects-your-website-how-you-can-comply-avoid-fines/
Joined: 7/20/2018
Posts: 1
When I try to load tasvideos.org on my linux/firefox browser it just shows "Hi". I'm guessing this is some anti-spam protection. But I am not a robot. User agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0

Edit: Actually it happens on chrome, too, but only in HTTPS mode. Maybe that's intentional. Let's Encrypt is free!
KennyMan666
He/Him
Joined: 8/24/2005
Posts: 375
Location: Göteboj
Thirding what Warp and SmashManiac said on the previous page - TASVideos should really get itself a proper SSL certificate and go fully https. There's no reason to not use https these days. I personally use Let's Encrypt for all my sites (mostly because it's built into the web host I use and is literally just a checkbox there, but anyway). There's probably other services that provide free certificates as well.
What one lacks in talent, one has to make up for in energy. "I think I need to get to Snoop Dogg's level of high to be able to research this post." -Samsara Read my fanfic, One Piece: Pure Corruption
Banned User, Former player
Joined: 3/10/2004
Posts: 7698
Location: Finland
More and more software is starting to give huge-ass warnings when logging in through non-https, including browsers themselves, as well as antivirus/firewall software to an increasing extent.