CPCWiki joins the modern era - over HTTPS!

Started by Gryzor, 09:29, 23 February 19


Gryzor

So, it had to happen of course at some point.


Thanks to the nagging (and help!) of @ASiC we switched over to HTTPS.


To be more precise, we enabled HTTPS, but traffic is not automatically redirected to it just yet. You can access the new, improved and secure site by manually using https:// in front of the address or you can continue using the old, bleh, meh, full of insecurities site as usual.


I will default the site and redirect all traffic once it's made clear that there are no issues, so please, please, any feedback on the secure version is more than welcome.


I'm aware that the forum does not qualify as fully secure yet because of some over-http references that I'll have to change, but otherwise things look fine.


Cheers
T

tjohnson

Question: what is the importance of encrypting traffic on a site like this? It isn't my bank after all and I've not been concerned if someone intercepts a message about a 30 year old computer :)

Gryzor

Well, risk is minimal I'd say. Security-wise you risk exposing your password if someone targets the wiki and if you use the same one elsewhere it's going to be a problem. Also Paypal has issues with http referrers but that only kind of affects people trying to donate.


All in all, that's why I put it off for so long - it wasn't really *needed* from a security point of view. More important is what Google thinks of you, I'd say, since it demotes non-secure sites.


Oh, I forgot to mention, I had to remove the Topsites button because it was being served over HTTP.

tjohnson

Cool, thanks, yeah I think you are right about Google. Does the software encrypt and compress? With modern computers having so much grunt you'd think it would be easy to do that to reduce traffic.

Gryzor

Yes, our server has gzip enabled, but this works well mainly with code, not images. There are savings to be had, but nothing earth shattering.

gerald

Quote from: Gryzor on 10:46, 23 February 19
More important is what Google thinks of you, I'd say, since it demotes non-secure sites.
My biased understanding was that Google pushed https (and demoted http) only to prevent site owners from doing any useful analytics, and to push them to use Google tools instead  :-X
Like they promote web pages that start with a big full-screen illustration just to check that the user scrolls down to see any valuable info. Something called engagement ... and a means to check you're not a robot and mark served ads as viewed by a human.
Getting sick of having to pass Turing test on all those Google tailored web pages.

But hey, https on cpcwiki is a good thing, at least for password protection  :)

Gryzor

Not really, analytics and all other services work fine without https to this day. That was part of the 'better web' initiative of theirs and nobody said anything bad about it, to be honest...



robcfg

It complains that the site is not fully secure and someone could see the images I'm watching and modify them.

Gryzor

Quote from: robcfg on 16:31, 23 February 19
It complains that the site is not fully secure and someone could see the images I'm watching and modify them.
Yes, I mentioned that in my first post. I'll fix it soon!




LambdaMikel

Quote from: tjohnson on 10:23, 23 February 19
Question: what is the importance of encrypting traffic on a site like this? It isn't my bank after all and I've not been concerned if someone intercepts a message about a 30 year old computer :)
Site indexing will be worse (Google and friends stopped indexing non-HTTPS sites a while ago AFAIK - even my personal page uses HTTPS)  ;)

Gryzor

No, not yet at least, they're still indexing, but you get a ranking penalty...



Gryzor

By the way, anyone noticed any issues?



GUNHED

Hi Gryzor,
Thanks a lot for rushing through all that. Here it works very smooth and nice. I can't sense a difference. Also the "forum-freeze" moments seem to be less than before. Great work!  :)

gerald

Quote from: Gryzor on 06:29, 24 February 19
By the way, anyone noticed any issues?
Is it just me or do forum links go to http instead of https:
On this thread, the line: CPCWiki forum » General Category » CPCWiki Discussion ....
CPCWiki Discussion links to the http version while the previous ones link to https
(Firefox 65.0.1 64-bit)

ASiC

Quote from: gerald on 16:19, 24 February 19
Is it just me or do forum links go to http instead of https:
On this thread, the line: CPCWiki forum » General Category » CPCWiki Discussion ....
CPCWiki Discussion links to the http version while the previous ones link to https
(Firefox 65.0.1 64-bit)
Yeah, some links and images need to be fixed (http://www.cpcwiki.eu/forum/logo_new_hor_sm.png, gravatar.com)

Other than that, I haven't had any issues with the forum over https
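
The two symptoms reported so far (the "not fully secure" warning about images, and internal links dropping back to http) can be found by scanning the HTML a page serves over HTTPS. This is an added example, not part of the thread or the forum's code; the sample markup is constructed, and only the logo URL comes from the post above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of what a forum page might serve over HTTPS.
SAMPLE = """
<link rel="stylesheet" href="/forum/Themes/default/style.css">
<img src="http://www.cpcwiki.eu/forum/logo_new_hor_sm.png">
<img src="http://www.gravatar.com/avatar/0000?s=64">
<script src="https://www.cpcwiki.eu/forum/script.js"></script>
<a href="http://www.cpcwiki.eu/forum/index.php">CPCWiki Discussion</a>
<a href="/forum/general/">General Category</a>
"""

PASSIVE = {"img", "audio", "video", "source"}  # shown with a "not fully secure" warning
ACTIVE = {"script", "iframe", "embed"}         # blocked by browsers on an HTTPS page

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site = urlsplit(page_url).hostname
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = a.get("href") if tag in ("a", "link") else a.get("src")
        if not ref:
            return
        url = urljoin(self.page_url, ref)  # relative references inherit https
        parts = urlsplit(url)
        if parts.scheme != "http":
            return
        is_css = tag == "link" and "stylesheet" in (a.get("rel") or "").lower()
        if tag == "a" and parts.hostname == self.site:
            kind = "downgrade-link"        # clicking it leaves the HTTPS site
        elif tag in ACTIVE or is_css:
            kind = "active"
        elif tag in PASSIVE:
            kind = "passive"
        else:
            return
        self.findings.append((kind, tag, url))

def scan(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```
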


Gryzor

Yeah, internal links should be fixed once https becomes default. Gravatar, though... hm, that's something different, got to see where to specify that. Thanks for the feedback guys!

berks

Hello CPCWiki team!


Thank you for enabling HTTPS for the site :)


Sadly, it switches back to HTTP as many of the internal links point to the HTTP version and there is no redirect to point the browser back to HTTPS.


Hopefully this is something that can be fixed :) but I understand this is not exactly a for-profit project so the resources may be limited. I would be happy to help if the team thinks that would come in handy! my background is in networking and infrastructure.

Gryzor

Hello Berks,


You're right, it does do that. The reason is, when I installed the certificate I didn't know what problems to expect so I left http enabled as well - so links are not automatically forwarded, of course.


But, it looks like we haven't met with any issues so I may as well make https the only allowed protocol :)

SRS

Is it just here? Firefox starts to tell me it's a DANGEROUS site?
See screenshot

Gryzor

Argh.

I changed something in the config a few minutes ago, can you check again?

This error appeared because you visited the canonical uri which auto redirected to the www part. So it carried the canonical certificate, though I have issued one for the www as well.

Got to think it through, but my mind right now is more like a mushed potato after 10 hours in Excel.

SRS

Logging out, reloading Firefox, and... nope:
https://cpcwiki.eu/index.php/Main_Page not working
https://cpcwiki.eu/ not working
https://www.cpcwiki.eu/ -> working


Gryzor

Yeah, I don't know why... It's what I said before, but why doesn't it read the certificate?

Nich

Quote from: Gryzor on 10:51, 07 September 19
Yeah, I don't know why... It's what I said before, but why doesn't it read the certificate?

I get the same error in Firefox 69.0:

"Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for cpcwiki.eu. The certificate is only valid for www.cpcwiki.eu.

Error code: SSL_ERROR_BAD_CERT_DOMAIN"
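
The error quoted above can be reproduced offline by checking the certificate names at every hop of the redirect chain. This is an added example, not part of the thread or the site's configuration; the `BROKEN` and `FIXED` virtual-host tables are constructed, modelling a certificate that lists only www.cpcwiki.eu as Firefox reports.

```python
# Constructed model of the server's TLS virtual hosts: the names on the
# certificate each host presents, and where it redirects (None = serves content).
BROKEN = {
    "cpcwiki.eu":     {"san": ["www.cpcwiki.eu"], "redirect": "www.cpcwiki.eu"},
    "www.cpcwiki.eu": {"san": ["www.cpcwiki.eu"], "redirect": None},
}
FIXED = {
    "cpcwiki.eu":     {"san": ["cpcwiki.eu", "www.cpcwiki.eu"], "redirect": "www.cpcwiki.eu"},
    "www.cpcwiki.eu": {"san": ["cpcwiki.eu", "www.cpcwiki.eu"], "redirect": None},
}

def name_matches(host, pattern):
    """Browser-style match: exact, or '*' standing for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def first_bad_hop(start, vhosts, max_hops=5):
    """Follow redirects from `start`; return the first host whose certificate
    does not cover it, or None if every hop verifies."""
    host = start
    for _ in range(max_hops):
        vhost = vhosts[host]
        # The certificate is checked during the TLS handshake, before the
        # server can send any HTTP redirect, so each hop must be named on it.
        if not any(name_matches(host, p) for p in vhost["san"]):
            return host
        if vhost["redirect"] is None:
            return None
        host = vhost["redirect"]
    raise RuntimeError("redirect loop")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for start in ("cpcwiki.eu", "www.cpcwiki.eu"):
            print(label, start, "->", first_bad_hop(start, cfg) or "ok")
```

A wildcard entry such as `*.cpcwiki.eu` would not help here either: it covers www.cpcwiki.eu but not the bare cpcwiki.eu.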

Gryzor

Will have to check my redirects... Do you see this on the wiki, the forum or both?
