thecjgcjg
Veteran Member
Posts: 1,459
| Likes: 1,130
|
Post by thecjgcjg on Apr 30, 2018 15:48:38 GMT
|
|
StevenNL2000
Forum Admin
Posts: 6,415
| Likes: 6,936
IGN: StevenNL2000
Timezone: UTC+01:00
Member is Staff. Need immediate assistance? Send a PM
|
Post by StevenNL2000 on Apr 30, 2018 16:26:35 GMT
I'll work on the themes, but it's not possible to make the forum redirect to HTTPS by default without adding very janky JavaScript to every page.
|
|
untuned
Veteran Member
I untune the tunes.
Posts: 588
| Likes: 283
|
Post by untuned on Apr 30, 2018 16:35:50 GMT
> I'll work on the themes, but it's not possible to make the forum redirect to HTTPS by default without adding very janky JavaScript to every page.

An easy way is to just start using totalfreedom.boards.net/ whenever you need to link something; eventually people will switch.
|
|
Post by StevenNL2000 on Apr 30, 2018 21:26:55 GMT
Mixed content warnings are now gone with all themes for me. Please confirm. Don't test pages with avatars or signatures: we don't have control over user-linked images. I also fixed a few links so that they no longer strip your HTTPS.
|
|
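A mixed-content check of the kind discussed in this thread, as an added example that is not part of any forum post: it separates blocked "active" loads, "passive" loads such as user-linked avatars, and same-host http:// links that take a visitor back out of HTTPS. The page URL, host names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active subresources: browsers block these when an https:// page loads them over http://.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Passive subresources (avatars, signature images): typically still loaded, with a warning.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.host = page_url, urlsplit(page_url).hostname
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag]))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("active", tag, a.get("href"))  # rel=canonical etc. are not loads
        elif tag == "a":  # navigation rather than mixed content, but it strips HTTPS
            self._check("downgrade-link", tag, a.get("href"), same_host=True)

    def _check(self, kind, tag, ref, same_host=False):
        url = urljoin(self.page_url, (ref or "").strip())  # resolves relative and //host refs
        parts = urlsplit(url)
        if parts.scheme == "http" and (not same_host or parts.hostname == self.host):
            self.findings.append((kind, tag, url))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """
<link rel="stylesheet" href="http://theme.example/style.css">
<link rel="canonical" href="http://forum.example/thread/1">
<script src="//cdn.example/app.js"></script>
<a href="http://forum.example/board/2">General</a>
<img class="avatar" src="http://images.example/avatar.png">
"""

if __name__ == "__main__":
    for finding in scan("https://forum.example/thread/1", SAMPLE):
        print(*finding)
```

Theme-level fixes can clear the "active" and "downgrade-link" findings; "passive" findings on user-supplied images remain until the image host itself serves HTTPS.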
rylie.
Veteran Member
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Posts: 3,932
| Likes: 5,664
IGN: breedingslave/breedme
Old IGN: Typhlosion147
Discord: Xeoda#2839
Birthdate (MM/DD): 04/26
Timezone: UTC-05:00
|
Post by rylie. on Apr 30, 2018 22:23:04 GMT
> Mixed content warnings are now gone with all themes for me. Please confirm. Don't test pages with avatars or signatures: we don't have control over user-linked images. I also fixed a few links so that they no longer strip your HTTPS.

If you can, can you also make the non-http version have the links redirect to https?
|
|
Deleted
Deleted Member
Posts: 0
|
Post by Deleted on May 1, 2018 0:56:24 GMT
Bin ProBoards.
|
|
Post by thecjgcjg on May 1, 2018 10:03:07 GMT
That's an option that, had it been considered a few years ago, would have been achievable; I'd consider it basically impossible to do that now given the content and community on here.
|
|
Post by StevenNL2000 on May 1, 2018 11:04:32 GMT
> > Mixed content warnings are now gone with all themes for me. Please confirm. Don't test pages with avatars or signatures: we don't have control over user-linked images. I also fixed a few links so that they no longer strip your HTTPS.
>
> If you can, can you also make the non-http version have the links redirect to https?

I can't do that for every link, only for a few navigation ones, but everything would royally break because it requires custom buttons and then I can't recreate the default behavior anymore. I've currently put it in a state where you will keep using HTTPS if you enable it once.
|
|
Cowgomooo12
Club 4000 Member
Vaarwel, afscheid
Posts: 4,894
| Likes: 5,266
|
Post by Cowgomooo12 on May 5, 2018 1:23:33 GMT
HTTPS Everywhere automatically redirects you to the SSL version of the forums. However, be wary. Mixed content is still a possibility due to posts, avatars, and signatures. We do not force users to upload their images to an SSL compliant website. Additionally, we are using CloudFlare's SSL certificate. It's entirely possible that ProBoards could leave CloudFlare and we would lose the SSL compatibility mode. Lastly, and most significantly, a major drawback to CloudFlare's SSL is that it potentially provides no protection against a MiTM attack. We have no idea if CloudFlare is configured to be using SSL 'strict' or SSL 'flexible'. For more information about the drawbacks of CloudFlare's flexible SSL ordeal, please visit: scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/
|
|
Post by StevenNL2000 on May 5, 2018 11:48:39 GMT
> HTTPS Everywhere automatically redirects you to the SSL version of the forums. However, be wary. Mixed content is still a possibility due to posts, avatars, and signatures. We do not force users to upload their images to an SSL compliant website. Additionally, we are using CloudFlare's SSL certificate. It's entirely possible that ProBoards could leave CloudFlare and we would lose the SSL compatibility mode. Lastly, and most significantly, a major drawback to CloudFlare's SSL is that it potentially provides no protection against a MiTM attack. We have no idea if CloudFlare is configured to be using SSL 'strict' or SSL 'flexible'. For more information about the drawbacks of CloudFlare's flexible SSL ordeal, please visit: scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/

It's true that we don't know if the Cloudflare configuration here is flexible or full, but I would argue that a MITM is much more likely between the user and Cloudflare than between Cloudflare and ProBoards. On top of that, we can profit from the speed of HTTP/2 while SSL is enabled. I don't think we should hold off enabling security features "in case compatibility is removed at some point", because then we could also close the server in case Minecraft stops being popular at some point.
|
|
Post by Cowgomooo12 on May 5, 2018 19:50:52 GMT
> > HTTPS Everywhere automatically redirects you to the SSL version of the forums. However, be wary. Mixed content is still a possibility due to posts, avatars, and signatures. We do not force users to upload their images to an SSL compliant website. Additionally, we are using CloudFlare's SSL certificate. It's entirely possible that ProBoards could leave CloudFlare and we would lose the SSL compatibility mode. Lastly, and most significantly, a major drawback to CloudFlare's SSL is that it potentially provides no protection against a MiTM attack. We have no idea if CloudFlare is configured to be using SSL 'strict' or SSL 'flexible'. For more information about the drawbacks of CloudFlare's flexible SSL ordeal, please visit: scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/
>
> It's true that we don't know if the Cloudflare configuration here is flexible or full, but I would argue that a MITM is much more likely between the user and Cloudflare than between Cloudflare and ProBoards. On top of that, we can profit from the speed of HTTP/2 while SSL is enabled. I don't think we should hold off enabling security features "in case compatibility is removed at some point", because then we could also close the server in case Minecraft stops being popular at some point.

Speed is not necessarily quicker or slower. It varies greatly depending on the situation. Flexible and full do not protect against a MiTM attack; only strict would protect against it. The mention about users being the most likely attack point is very true. In all honesty, I don't see any direct reason as to why not to use it. SSL should be the default for every website that has a login. SSL would protect against a cookie hijacking attack or similar MiTM attack from users.
|
|
Post by Deleted on May 5, 2018 21:52:50 GMT
> It's true that we don't know if the Cloudflare configuration here is flexible or full, but I would argue that a MITM is much more likely between the user and Cloudflare than between Cloudflare and ProBoards. On top of that, we can profit from the speed of HTTP/2 while SSL is enabled. I don't think we should hold off enabling security features "in case compatibility is removed at some point", because then we could also close the server in case Minecraft stops being popular at some point.

> SSL should be the default for every website that has a login. SSL would protect against a cookie hijacking attack or similar MiTM attack from users.

This. Over the years I've done my best to enforce encryption unto any service holding account information. For the unwary, CloudFlare does a good job of explaining man-in-the-middle (MITM) attacks and secure sockets layer (SSL).
|
|
Wild1145
Club 4000 Member
Inactive Player & Inactive Senior Admin
Posts: 10,414
| Likes: 9,680
|
Post by Wild1145 on May 6, 2018 10:36:17 GMT
> That's an option that, had it been considered a few years ago, would have been achievable; I'd consider it basically impossible to do that now given the content and community on here.

It was being looked into a few months ago, but was so rushed it was dropped. No reason it could not be phased into a new forum suite...
|
|
Post by Wild1145 on May 6, 2018 10:42:11 GMT
> HTTPS Everywhere automatically redirects you to the SSL version of the forums. However, be wary. Mixed content is still a possibility due to posts, avatars, and signatures. We do not force users to upload their images to an SSL compliant website. Additionally, we are using CloudFlare's SSL certificate. It's entirely possible that ProBoards could leave CloudFlare and we would lose the SSL compatibility mode. Lastly, and most significantly, a major drawback to CloudFlare's SSL is that it potentially provides no protection against a MiTM attack. We have no idea if CloudFlare is configured to be using SSL 'strict' or SSL 'flexible'. For more information about the drawbacks of CloudFlare's flexible SSL ordeal, please visit: scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/

Your link only evidences that an organization such as the NSA could viably intercept the traffic, and if they really wanted to, they could just do it anyway with the support of Cloudflare. Using any of the options will prevent a MiTM attack between your PC and the Cloudflare edge routers, which is the main risk we're trying to mitigate here, and even then I'd argue that there are very, very few people on these forums I think could complete a MiTM attack anyway, and even fewer that could do it without it being detected. It also doesn't mitigate against the entirety of MiTM anyway, as you can still perform a MiTM attack even with Cloudflare on its full / strict settings if you own / have breached the internal network you're coming out of, as you can force a fake certificate to be signed between the client and yourselves, and then you simply pass the traffic on to Cloudflare. In reality the risk you're talking about here is exponentially slim, and the vast majority of the issues and risks you would be trying to mitigate you do just by having Cloudflare on Flexible.

It's also worth noting that even if we moved off of Cloudflare, unless we've enabled HSTS and transferred the domain with us (and I can't see ProBoards giving us their domain), you can get new SSL certificates issued for the new domain anyway. Ultimately we should be trying to force everyone through the https version of the site, as there is no logical reason not to...
|
|
Post by Cowgomooo12 on May 6, 2018 10:59:28 GMT
> > HTTPS Everywhere automatically redirects you to the SSL version of the forums. However, be wary. Mixed content is still a possibility due to posts, avatars, and signatures. We do not force users to upload their images to an SSL compliant website. Additionally, we are using CloudFlare's SSL certificate. It's entirely possible that ProBoards could leave CloudFlare and we would lose the SSL compatibility mode. Lastly, and most significantly, a major drawback to CloudFlare's SSL is that it potentially provides no protection against a MiTM attack. We have no idea if CloudFlare is configured to be using SSL 'strict' or SSL 'flexible'. For more information about the drawbacks of CloudFlare's flexible SSL ordeal, please visit: scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/
>
> Your link only evidences that an organization such as the NSA could viably intercept the traffic, and if they really wanted to, they could just do it anyway with the support of Cloudflare. Using any of the options will prevent a MiTM attack between your PC and the Cloudflare edge routers, which is the main risk we're trying to mitigate here, and even then I'd argue that there are very, very few people on these forums I think could complete a MiTM attack anyway, and even fewer that could do it without it being detected. It also doesn't mitigate against the entirety of MiTM anyway, as you can still perform a MiTM attack even with Cloudflare on its full / strict settings if you own / have breached the internal network you're coming out of, as you can force a fake certificate to be signed between the client and yourselves, and then you simply pass the traffic on to Cloudflare. In reality the risk you're talking about here is exponentially slim, and the vast majority of the issues and risks you would be trying to mitigate you do just by having Cloudflare on Flexible.
>
> It's also worth noting that even if we moved off of Cloudflare, unless we've enabled HSTS and transferred the domain with us (and I can't see ProBoards giving us their domain), you can get new SSL certificates issued for the new domain anyway. Ultimately we should be trying to force everyone through the https version of the site, as there is no logical reason not to...

Yes, you are correct about the improbability of a nation-state MiTM attack. More than likely, the courts will force ProBoards to do XYZ without involving CloudFlare. If you read my later comments, you can see that I said there is no reason (little reason) not to use the SSL. It's later and not in the original post. I fully understand what you are saying and agree with it. It's just healthy to provide the other side of the argument. As for clarification, CloudFlare has three configurations: flexible, full, and strict. Flexible will enable servers that have no SSL to appear as if they do. Full will enable servers with self-signed and/or misconfigured certificates to appear as legitimate, but if the traffic is unencrypted and does not have any SSL it'll be invalid. Lastly, strict will force a properly managed certificate from a verified CA. I mentioned the possibility of losing the compatibility and this is the only concern I have. If users bookmarked the SSL version of the website and we lost the SSL compatibility, the users would error. Potentially even a disconnection depending on how ProBoards handles the situation. Regardless, some will be confused and simply not use our forums. Managing this issue is entirely outside our abilities and really isn't something we can prepare for. Any website that requires login details should have SSL. We are no exception.
|
|