The forum might break for you! Test your browser now!

And now, a word from our moderators

aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

The forum might break for you! Test your browser now!

#1 Post by aj »

TL;DR - Make sure https://twokinds.net/forum/ works, otherwise you might lose access to the forum on Oct 3rd
===
For the past few months, the forum has been available over a properly secured connection instead of the normal unprotected connection. Securing the connection generally improves your security and privacy, which I think most people would agree are good things.

On Oct 3, I'll be enabling HTTPS by default for twokinds.net unless something happens. The vast majority of people will not be affected, but this message is for those who are using old browsers:
Test your browser by going to https://twokinds.net/forum/

The 0.2% of visitors that are still using Internet Explorer 6, sorry, you'll lose access. I suggest upgrading to Chrome: https://www.google.com/chrome/

If you have issues/the link doesn't work, reply and let me know.
===
For the techy people: I bought a Comodo PositiveSSL cert for the twokinds.net domain (instead of the old self-signed cert), and will be redirecting all traffic to HTTPS on Oct 3rd.

amenon
Grand Templar
Posts: 1692
Joined: Thu May 15, 2014 4:11 pm

Re: The forum might break for you! Test your browser now!

#2 Post by amenon »

I was trying to take a guess at what TinyVoices' issue was, so I took a look at it with openssl s_client and got the plesk certificate. Which... could even be the problem, actually, though I'm putting my money on a missing root CA. Is SNI actually necessary, though?

Will you be doing HSTS?
Twokinds search (search the comic based on art or text!)
My most recent Twokinds smutfics, newest to oldest [NSFW]:

aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

Re: The forum might break for you! Test your browser now!

#3 Post by aj »

amenon wrote:
> I was trying to take a guess at what TinyVoices' issue was, so I took a look at it with openssl s_client and got the plesk certificate. Which... could even be the problem, actually, though I'm putting my money on a missing root CA. Is SNI actually necessary, though?
>
> Will you be doing HSTS?

I've made the new cert the default cert for the server, so the SNI stuff should be worked around.

There's a bunch of other domains running off the same IP (like 2kinds.com), so yeah, SNI *support* is necessary.

HSTS will probably be added at some later point after the SSL switchover. If something does truly go wrong I want to be able to back it out, though setting HSTS to have a ~1 minute expiry would be functionally similar.

FWIW, I've been going off the SSLlabs checker report, so if you have other suggestions I'll be glad to listen to them.
avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟
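
Added illustration, not part of any post in this thread and not the forum's configuration: a simplified model of a browser's HSTS cache (after RFC 6797) showing what the short max-age discussed above does, and how `max-age=0` backs a policy out. The host `forum.example`, the class `HstsStore` and the timeline values are constructed for this example.

```python
import re

class HstsStore:
    """Simplified model of a browser's HSTS cache (RFC 6797); example code only."""
    def __init__(self):
        self._hosts = {}  # host -> (expiry_time_seconds, include_subdomains)

    def note_response(self, host, scheme, header, now):
        """Process a Strict-Transport-Security header seen at time `now` (seconds)."""
        if scheme != "https":                      # header over plain HTTP is ignored
            return
        if re.fullmatch(r"[0-9.]+|\[.*\]", host):  # IP literals never become HSTS hosts
            return
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age" and re.fullmatch(r"[0-9]+", value):
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:                        # max-age is mandatory
            return
        host = host.lower()
        if max_age == 0:                           # 0 means "forget this host now"
            self._hosts.pop(host, None)
        else:                                      # each response refreshes the expiry
            self._hosts[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if an http:// request to `host` at `now` is rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

def rollout_demo():
    """Constructed timeline: 60 s policy, expiry, one-year policy, then max-age=0."""
    store, host = HstsStore(), "forum.example"     # placeholder host name
    store.note_response(host, "https", "max-age=60", now=0)
    within = store.must_upgrade(host, now=30)      # inside the 60 s window
    expired = store.must_upgrade(host, now=61)     # policy has lapsed on its own
    store.note_response(host, "https", "max-age=31536000; includeSubDomains", now=100)
    pinned = store.must_upgrade("www." + host, now=100 + 86400)
    store.note_response(host, "https", "max-age=0", now=200)  # back-out, needs working HTTPS
    cleared = store.must_upgrade(host, now=201)
    return within, expired, pinned, cleared
```

The back-out path only works while the browser can still reach the site over HTTPS to receive `max-age=0`; otherwise it waits out whatever max-age it last stored.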

TinyVoices
Templar Inner Circle
Posts: 6274
Joined: Sat Apr 09, 2011 6:08 pm
Location: https://goo.gl/7ARWF4
Favorite Character: Kat

Re: The forum might break for you! Test your browser now!

#4 Post by TinyVoices »

I originally posted in the rant thread because I felt it too trivial to post it here. After all, my post was a rant...

I figured that the way my phone was acting was... normal? In some way it was behaving properly, as I could still access the site after going through a few web pages of "yes, I trust this site. Yes, they are not dangerous." And then I just lived with the fact that the url showed a red text and slashthrough for the http:// portion.

Thank you for the explanation, AJ. I just found it funny that the warning signs for chrome on my phone said that it was less safe to use an unknown https:// than a familiar certified site.

But, yes, I first came to this thread, then the https:// version of the forum, then that version's rant thread. I am conscious, just ignorant of the details.

amenon
Grand Templar
Posts: 1692
Joined: Thu May 15, 2014 4:11 pm

Re: The forum might break for you! Test your browser now!

#5 Post by amenon »

aj wrote:
> There's a bunch of other domains running off the same IP (like 2kinds.com), so yeah, SNI *support* is necessary.
>
> HSTS will probably be added at some later point after the SSL switchover. If something does truly go wrong I want to be able to back it out, though setting HSTS to have a ~1 minute expiry would be functionally similar.
>
> FWIW, I've been going off the SSLlabs checker report, so if you have other suggestions I'll be glad to listen to them.

I didn't want to jump to suggesting changing the default cert because getting a valid cert for the wrong domain in case of SNI failure is... weird. Not worse, clearly, but weird.

The ~1 minute expiry also wouldn't do anything, but that's a good approach.

Why no ECDHE? Server doesn't reveal versions anymore, so can't really suggest ciphers. Mozilla SSL Config Generator may be useful.

Not impressed with the use of browser-update.org (was about to report a forum infection before I thought to double-check :P) but that's a separate, religious issue.

Edit: After thinking about it a bit more, I think I have generally reasonable grounds for objecting. The last thing you want to train anyone to do on the internet is to click on something unexpected telling them to update. I have never seen anything legitimate that looks more like a scam.
TinyVoices wrote:
> [...]

But does it work now :?

And yes, the fact that plain HTTP is represented as more trustworthy than broken HTTPS is one of those things where you just have to laugh to stop from crying. Come ooooon, HTTP/2!

TinyVoices
Templar Inner Circle
Posts: 6274
Joined: Sat Apr 09, 2011 6:08 pm
Location: https://goo.gl/7ARWF4
Favorite Character: Kat

Re: The forum might break for you! Test your browser now!

#6 Post by TinyVoices »

amenon wrote:
> But does it work now :?

Technically it always worked. But it's all green now, if that helps you sleep. It only ever asked for access that first time.

aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

Re: The forum might break for you! Test your browser now!

#7 Post by aj »

TinyVoices wrote:
> I originally posted in the rant thread because I felt it too trivial to post it here. After all, my post was a rant...
>
> I figured that the way my phone was acting was... normal? In some way it was behaving properly, as I could still access the site after going through a few web pages of "yes, I trust this site. Yes, they are not dangerous." And then I just lived with the fact that the url showed a red text and slashthrough for the http:// portion.
>
> Thank you for the explanation, AJ. I just found it funny that the warning signs for chrome on my phone said that it was less safe to use an unknown https:// than a familiar certified site.
>
> But, yes, I first came to this thread, then the https:// version of the forum, then that version's rant thread. I am conscious, just ignorant of the details.

Tiny: Thank you very much for testing it, both your post and amenon's post helped identify issues. It might have been trivial to you, but it would have been more of an issue come Oct 3rd.

I don't visit other parts of the forum often, so it's *really* easy for me to miss stuff unless it's brought to my attention.
amenon wrote:
> I didn't want to jump to suggesting changing the default cert because getting a valid cert for the wrong domain in case of SNI failure is... weird. Not worse, clearly, but weird.
>
> The ~1 minute expiry also wouldn't do anything, but that's a good approach.
>
> Why no ECDHE? Server doesn't reveal versions anymore, so can't really suggest ciphers. Mozilla SSL Config Generator may be useful.
>
> Not impressed with the use of browser-update.org (was about to report a forum infection before I thought to double-check :P) but that's a separate, religious issue.
>
> Edit: After thinking about it a bit more, I think I have generally reasonable grounds for objecting. The last thing you want to train anyone to do on the internet is to click on something unexpected telling them to update. I have never seen anything legitimate that looks more like a scam.

Well, we were always getting a domain mismatch with the default certs, along with expiry warnings and self-signed warnings. So going to only a domain mismatch while solving the SNI issue is a bit of an improvement. :P

No ECDHE because the server is running OpenSSL 0.9.8. Yay CentOS security-only back ports.

As for the browser-update.org header... Non-optimal? Definitely. Do I have a better way at this point to nudge people to upgrade? Nope. Am I open to suggestions? Most definitely.

amenon
Grand Templar
Posts: 1692
Joined: Thu May 15, 2014 4:11 pm

Re: The forum might break for you! Test your browser now!

#8 Post by amenon »

aj wrote:
> As for the browser-update.org header... Non-optimal? Definitely. Do I have a better way at this point to nudge people to upgrade? Nope. Am I open to suggestions? Most definitely.

I think having it is strictly worse than not having it. You've already posted the bulletin and given people a few weeks of notice, and almost nobody will even notice the switchover. I think you're good.

TinyVoices
Templar Inner Circle
Posts: 6274
Joined: Sat Apr 09, 2011 6:08 pm
Location: https://goo.gl/7ARWF4
Favorite Character: Kat

Re: The forum might break for you! Test your browser now!

#9 Post by TinyVoices »

aj wrote:
> Tiny: Thank you very much for testing it, both your post and amenon's post helped identify issues. It might have been trivial to you, but it would have been more of an issue come Oct 3rd.

Sure thing. I figured it'd be good to know how it was going to affect me. I first tried it on my laptop, then my phone. I use incognito on chrome for both to go onto the forum, but only my phone gave issue.

And for you not going to many boards that often: I'm sure there are a number of people who won't see this thread in this board. Expect random threads scattered about come October 3rd.

Edit: just tried the https:// link again. Gave me the same warnings again.... I don't know enough about this stuff to debug properly. But could it be possible that cache has anything to do with it? Or else my location when accessing it? How can using data versus using a wifi spot affect it as well. Those are my best guesses as to why things are weird again, unless it's server side or something.

aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

Re: The forum might break for you! Test your browser now!

#10 Post by aj »

TinyVoices wrote:
> And for you not going to many boards that often: I'm sure there are a number of people who won't see this thread in this board. Expect random threads scattered about come October 3rd.

Undoubtedly. Even tried to make the title all scary if people just read the title of the most recent post.

amenon wrote:
> I think having it is strictly worse than not having it. You've already posted the bulletin and given people a few weeks of notice, and almost nobody will even notice the switchover. I think you're good.

I'll definitely be removing it after the switchover, and I'll consider removing it earlier.

puredeathly
Master
Posts: 249
Joined: Sun Mar 08, 2015 7:03 pm
Location: ::1
Favorite Character: Flora

Re: The forum might break for you! Test your browser now!

#11 Post by puredeathly »

aj wrote:
> Moving to HTTPS stops all this. The price of a SSL cert is now cheap enough that even as a uni student I can justify paying the cost out of my own pocket (Tom had nothing to do with this)
> ===
> Also, anyone else seeing this - please test your browser, and post your issues in the proper thread. Not here. I only know about TinyVoice's issue because amenon linked to his post.

Also StartCom offers free ssl certs if you don't need a wildcard cert.
I recently upgraded my (really small) webpage to https + hsts (running on a Pi housed at EDIS.at :P)
Your cert stuff works fine. I've been connecting via https since I had an account here ^^ (although I had to save your self-signed cert before you had a trusted one :D)
(I hope the cross-posting from the rant thread isn't a no-go but it doesn't really fit there >.>)

-Jakob

amenon
Grand Templar
Posts: 1692
Joined: Thu May 15, 2014 4:11 pm

Re: The forum might break for you! Test your browser now!

#12 Post by amenon »

aj wrote:
> TinyVoices wrote:
> > And for you not going to many boards that often: I'm sure there are a number of people who won't see this thread in this board. Expect random threads scattered about come October 3rd.
>
> Undoubtedly. Even tried to make the title all scary if people just read the title of the most recent post.

Maybe a global announcement?

TinyVoices wrote:
> Edit: just tried the https:// link again. Gave me the same warnings again.... I don't know enough about this stuff to debug properly. But could it be possible that cache has anything to do with it? Or else my location when accessing it? How can using data versus using a wifi spot affect it as well. Those are my best guesses as to why things are weird again, unless it's server side or something.

Incognito almost certainly only remembers stuff for the duration of the session, so that would explain that. I'm resuming my original guess of a missing root CA. If you would, please make note of what exactly it's saying the next time it happens. Alternatively, clicking [redacted] might prompt you to install the root certificate, depending on how the browser works.

Edit: That link actually probably won't work. Looking for a better source...
Edit 2: Ugh, their site is... not useful for this. The link I gave probably results in a download. But if so, maybe you can poke at the downloaded file to do something. Unable to be more helpful without knowing what you're running.

GyroFox
Apprentice
Posts: 103
Joined: Fri Aug 28, 2015 4:39 pm
Location: CA

Re: The forum might break for you! Test your browser now!

#13 Post by GyroFox »

:D :heart: :raine: :squirrel: Mhmm! It works!

:potatoes: :potatoes: :natani: :potatoes: :potatoes:

Don't be silly, bullying sucks 8)

jacobc62
Grand Templar
Posts: 1354
Joined: Tue Jan 22, 2013 2:47 pm
Location: Mekkan Raceway

Re: The forum might break for you! Test your browser now!

#14 Post by jacobc62 »

Works for me on Firefox v40.0.3
"That poor, sexy [censored]...." -Evals Vaughan, October 2016

Bellhead
Templar Inner Circle
Posts: 3515
Joined: Wed Oct 23, 2013 11:17 pm
Location: New England, US
Favorite Character: Keith and Natani

Re: The forum might break for you! Test your browser now!

#15 Post by Bellhead »

As it does for me, with Firefox 28.0. I would guess that anyone in between would be fine.
Gearhead in the digital world, who will probably grow up to be a very grumpy old man.
