The forum might break for you! Test your browser now!
TL;DR - Make sure https://twokinds.net/forum/ works, otherwise you might lose access to the forum on Oct 3rd
===
For the past few months, the forum has been available over a properly secured connection instead of the normal unprotected connection. Securing the connection generally improves your security and privacy, which I think most people would agree are good things.
On Oct 3, I'll be enabling HTTPS by default for twokinds.net unless something happens. The vast majority of people will not be affected, but this message is for those who are using old browsers:
Test your browser by going to https://twokinds.net/forum/
The 0.2% of visitors that are still using Internet Explorer 6, sorry, you'll lose access. I suggest upgrading to Chrome: https://www.google.com/chrome/
If you have issues/the link doesn't work, reply and let me know.
===
For the techy people: I bought a Comodo PositiveSSL cert for the twokinds.net domain (instead of the old self-signed cert), and will be redirecting all traffic to HTTPS on Oct 3rd.
Re: The forum might break for you! Test your browser now!
I was trying to take a guess at what TinyVoices' issue was, so I took a look at it with openssl s_client and got the plesk certificate. Which... could even be the problem, actually, though I'm putting my money on a missing root CA. Is SNI actually necessary, though?
Will you be doing HSTS?
Re: The forum might break for you! Test your browser now!
amenon wrote:
> I was trying to take a guess at what TinyVoices' issue was, so I took a look at it with openssl s_client and got the plesk certificate. Which... could even be the problem, actually, though I'm putting my money on a missing root CA. Is SNI actually necessary, though?
> Will you be doing HSTS?
I've made the new cert the default cert for the server, so the SNI stuff should be worked around.
There's a bunch of other domains running off the same IP (like 2kinds.com), so yeah, SNI *support* is necessary.
HSTS will probably be added at some later point after the SSL switchover. If something does truly go wrong I want to be able to back it out, though setting HSTS to have a ~1 minute expiry would be functionally similar.
FWIW, I've been going off the SSLlabs checker report, so if you have other suggestions I'll be glad to listen to them.
- TinyVoices
Re: The forum might break for you! Test your browser now!
I originally posted in the rant thread because I felt it too trivial to post it here. After all, my post was a rant...
I figured that the way my phone was acting was... normal? In some way it was behaving properly, as I could still access the site after going through a few web pages of "yes, I trust this site. Yes, they are not dangerous." And then I just lived with the fact that the url showed a red text and slashthrough for the http:// portion.
Thank you for the explanation, AJ. I just found it funny that the warning signs for chrome on my phone said that it was less safe to use an unknown https:// than a familiar certified site.
But, yes, I first came to this thread, then the https:// version of the forum, then that version's rant thread. I am conscious, just ignorant of the details.
Re: The forum might break for you! Test your browser now!
aj wrote:
> There's a bunch of other domains running off the same IP (like 2kinds.com), so yeah, SNI *support* is necessary.
> HSTS will probably be added at some later point after the SSL switchover. If something does truly go wrong I want to be able to back it out, though setting HSTS to have a ~1 minute expiry would be functionally similar.
> FWIW, I've been going off the SSLlabs checker report, so if you have other suggestions I'll be glad to listen to them.
I didn't want to jump to suggesting changing the default cert because getting a valid cert for the wrong domain in case of SNI failure is... weird. Not worse, clearly, but weird.
The ~1 minute expiry also wouldn't do anything, but that's a good approach.
Why no ECDHE? Server doesn't reveal versions anymore, so can't really suggest ciphers. Mozilla SSL Config Generator may be useful.
Not impressed with the use of browser-update.org (was about to report a forum infection before I thought to double-check) but that's a separate, religious issue.
Edit: After thinking about it a bit more, I think I have generally reasonable grounds for objecting. The last thing you want to train anyone to do on the internet is to click on something unexpected telling them to update. I have never seen anything legitimate that looks more like a scam.
TinyVoices wrote:
> [...]
But does it work now
And yes, the fact that plain HTTP is represented as more trustworthy than broken HTTPS is one of those things where you just have to laugh to stop from crying. Come ooooon, HTTP/2!
- TinyVoices
Re: The forum might break for you! Test your browser now!
amenon wrote:
> But does it work now
Technically it always worked. But it's all green now, if that helps you sleep. It only ever asked for access that first time.
Re: The forum might break for you! Test your browser now!
TinyVoices wrote:
> I originally posted in the rant thread because I felt it too trivial to post it here. After all, my post was a rant...
> I figured that the way my phone was acting was... normal? In some way it was behaving properly, as I could still access the site after going through a few web pages of "yes, I trust this site. Yes, they are not dangerous." And then I just lived with the fact that the url showed a red text and slashthrough for the http:// portion.
> Thank you for the explanation, AJ. I just found it funny that the warning signs for chrome on my phone said that it was less safe to use an unknown https:// than a familiar certified site.
> But, yes, I first came to this thread, then the https:// version of the forum, then that version's rant thread. I am conscious, just ignorant of the details.
Tiny: Thank you very much for testing it, both your post and amenon's post helped identify issues. It might have been trivial to you, but it would have been more of an issue come Oct 3rd.
I don't visit other parts of the forum often, so it's *really* easy for me to miss stuff unless it's brought to my attention.
amenon wrote:
> I didn't want to jump to suggesting changing the default cert because getting a valid cert for the wrong domain in case of SNI failure is... weird. Not worse, clearly, but weird.
> The ~1 minute expiry also wouldn't do anything, but that's a good approach.
> Why no ECDHE? Server doesn't reveal versions anymore, so can't really suggest ciphers. Mozilla SSL Config Generator may be useful.
> Not impressed with the use of browser-update.org (was about to report a forum infection before I thought to double-check) but that's a separate, religious issue.
> Edit: After thinking about it a bit more, I think I have generally reasonable grounds for objecting. The last thing you want to train anyone to do on the internet is to click on something unexpected telling them to update. I have never seen anything legitimate that looks more like a scam.
Well, we were always getting a domain mismatch with the default certs, along with expiry warnings and self-signed warnings. So going to only a domain mismatch while solving the SNI issue is a bit of an improvement.
No ECDHE because the server is running OpenSSL 0.9.8. Yay CentOS security-only back ports.
As for the browser-update.org header... Non-optimal? Definitely. Do I have a better way at this point to nudge people to upgrade? Nope. Am I open to suggestions? Most definitely.
Re: The forum might break for you! Test your browser now!
aj wrote:
> As for the browser-update.org header... Non-optimal? Definitely. Do I have a better way at this point to nudge people to upgrade? Nope. Am I open to suggestions? Most definitely.
I think having it is strictly worse than not having it. You've already posted the bulletin and given people a few weeks of notice, and almost nobody will even notice the switchover. I think you're good.
- TinyVoices
Re: The forum might break for you! Test your browser now!
aj wrote:
> Tiny: Thank you very much for testing it, both your post and amenon's post helped identify issues. It might have been trivial to you, but it would have been more of an issue come Oct 3rd.
Sure thing. I figured it'd be good to know how it was going to affect me. I first tried it on my laptop, then my phone. I use incognito on chrome for both to go onto the forum, but only my phone gave issue.
And for you not going to many boards that often: I'm sure there are a number of people who won't see this thread in this board. Expect random threads scattered about come October 3rd.
Edit: just tried the https:// link again. Gave me the same warnings again.... I don't know enough about this stuff to debug properly. But could it be possible that cache has anything to do with it? Or else my location when accessing it? How can using data versus using a wifi spot affect it as well. Those are my best guesses as to why things are weird again, unless it's server side or something.
Re: The forum might break for you! Test your browser now!
TinyVoices wrote:
> And for you not going to many boards that often: I'm sure there are a number of people who won't see this thread in this board. Expect random threads scattered about come October 3rd.
Undoubtedly. Even tried to make the title all scary if people just read the title of the most recent post.
amenon wrote:
> I think having it is strictly worse than not having it. You've already posted the bulletin and given people a few weeks of notice, and almost nobody will even notice the switchover. I think you're good.
I'll definitely be removing it after the switchover, and I'll consider removing it earlier.
- puredeathly
Re: The forum might break for you! Test your browser now!
aj wrote:
> Moving to HTTPS stops all this. The price of a SSL cert is now cheap enough that even as a uni student I can justify paying the cost out of my own pocket (Tom had nothing to do with this)
> ===
> Also, anyone else seeing this - please test your browser, and post your issues in the proper thread. Not here. I only know about TinyVoice's issue because amenon linked to his post.
Also StartCom offers free ssl certs if you don't need a wildcard cert.
I recently upgraded my (really small) webpage to https + hsts (running on a Pi housed at EDIS.at)
Your cert stuff works fine. I've been connecting via https since I had an account here ^^ (although I had to save your self-signed cert before you had a trusted one)
(I hope the cross-posting from the rant thread isn't a no-go but it doesn't really fit there >.>)
-Jakob
Re: The forum might break for you! Test your browser now!
aj wrote:
> TinyVoices wrote:
> > And for you not going to many boards that often: I'm sure there are a number of people who won't see this thread in this board. Expect random threads scattered about come October 3rd.
> Undoubtedly. Even tried to make the title all scary if people just read the title of the most recent post.
Maybe a global announcement?
TinyVoices wrote:
> Edit: just tried the https:// link again. Gave me the same warnings again.... I don't know enough about this stuff to debug properly. But could it be possible that cache has anything to do with it? Or else my location when accessing it? How can using data versus using a wifi spot affect it as well. Those are my best guesses as to why things are weird again, unless it's server side or something.
Incognito almost certainly only remembers stuff for the duration of the session, so that would explain that. I'm resuming my original guess of a missing root CA. If you would, please make note of what exactly it's saying the next time it happens. Alternatively, clicking [redacted] might prompt you to install the root certificate, depending on how the browser works.
Edit: That link actually probably won't work. Looking for a better source...
Edit 2: Ugh, their site is... not useful for this. The link I gave probably results in a download. But if so, maybe you can poke at the downloaded file to do something. Unable to be more helpful without knowing what you're running.
Re: The forum might break for you! Test your browser now!
Mhmm! It works!
- jacobc62
Re: The forum might break for you! Test your browser now!
Works for me on Firefox v40.0.3
- Bellhead
Re: The forum might break for you! Test your browser now!
As it does for me, with Firefox 28.0. I would guess that anyone in between would be fine.