
The forum might break for you! Test your browser now!

Posted: Thu Sep 17, 2015 10:03 pm
by aj
TL;DR - Make sure https://twokinds.net/forum/ works, otherwise you might lose access to the forum on Oct 3rd
===
For the past few months, the forum has been available over a properly secured connection instead of the normal unprotected connection. Securing the connection generally improves your security and privacy, which I think most people would agree are good things.

On Oct 3, I'll be enabling HTTPS by default for twokinds.net unless something happens. The vast majority of people will not be affected, but this message is for those who are using old browsers:
Test your browser by going to https://twokinds.net/forum/

The 0.2% of visitors that are still using Internet Explorer 6, sorry, you'll lose access. I suggest upgrading to Chrome: https://www.google.com/chrome/

If you have issues/the link doesn't work, reply and let me know.
===
For the techy people: I bought a Comodo PositiveSSL cert for the twokinds.net domain (instead of the old self-signed cert), and will be redirecting all traffic to HTTPS on Oct 3rd.

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 6:37 am
by amenon
I was trying to take a guess at what TinyVoices' issue was, so I took a look at it with openssl s_client and got the plesk certificate. Which... could even be the problem, actually, though I'm putting my money on a missing root CA. Is SNI actually necessary, though?

Will you be doing HSTS?

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 2:34 pm
by aj
amenon wrote:I was trying to take a guess at what TinyVoices' issue was, so I took a look at it with openssl s_client and got the plesk certificate. Which... could even be the problem, actually, though I'm putting my money on a missing root CA. Is SNI actually necessary, though?

Will you be doing HSTS?
I've made the new cert the default cert for the server, so the SNI stuff should be worked around.

There's a bunch of other domains running off the same IP (like 2kinds.com), so yeah, SNI *support* is necessary.

HSTS will probably be added at some later point after the SSL switchover. If something does truly go wrong I want to be able to back it out, though setting HSTS to have a ~1 minute expiry would be functionally similar.

FWIW, I've been going off the SSLlabs checker report, so if you have other suggestions I'll be glad to listen to them.
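The two checks aj describes above, making the new cert the server default so non-SNI clients stop seeing the fallback cert and trialling HSTS with a short max-age so it can be backed out, as an added example that is not part of the original thread. It is Python written for this page, not aj's or amenon's code; it parses two constructed `openssl s_client` transcripts (the hostname example.net, the plesk fallback CN and the "Example CA" issuer are made up, and nothing connects to twokinds.net) and a Strict-Transport-Security header value, reports what a non-SNI client versus an SNI client would see, and says whether an HSTS policy can still be rolled back within a given lockout tolerance. The verify-code table uses OpenSSL's real X509 result numbers.

```python
"""Offline helpers for the two checks in the post above: does the server rely
on SNI to serve the right certificate (and send a complete chain), and what
does an HSTS header commit browsers to? Added example; the s_client
transcripts are constructed, not captured from twokinds.net."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed `openssl s_client -connect host:443` excerpt WITHOUT
# -servername: a client that cannot send SNI gets the host's fallback cert.
S_CLIENT_NO_SNI = """\
Certificate chain
 0 s:/CN=plesk
   i:/CN=plesk
---
subject=/CN=plesk
    Verify return code: 18 (self signed certificate)
"""

# Constructed excerpt WITH -servername example.net: right leaf, but the server
# omits the intermediate, so the client cannot verify the leaf's signature.
S_CLIENT_SNI = """\
Certificate chain
 0 s:/CN=example.net
   i:/O=Example CA/CN=Example DV Intermediate
---
subject=/CN=example.net
    Verify return code: 21 (unable to verify the first certificate)
"""

# OpenSSL X509 verify result codes most often seen when deploying a new cert.
VERIFY_HINTS = {
    0: "chain verifies",
    10: "certificate has expired",
    18: "leaf is self-signed (fallback/default cert?)",
    19: "chain ends in a root the client does not trust",
    20: "issuer not found: client lacks the CA, or server omitted it",
    21: "server sent the leaf but not the intermediate certificate",
}

@dataclass
class SClientSummary:
    subject_cn: Optional[str]
    certs_sent: int
    verify_code: int

def parse_s_client(output: str) -> SClientSummary:
    """Extract leaf CN, number of certs sent and verify code from s_client
    output; handles both the old '/CN=x' and the newer 'CN = x' styles."""
    m = re.search(r"^subject=.*?CN\s*=\s*([^/,\n]+)", output, re.M)
    cn = m.group(1).strip() if m else None
    certs_sent = len(re.findall(r"^\s*\d+ s:", output, re.M))
    m = re.search(r"Verify return code: (\d+)", output)
    return SClientSummary(cn, certs_sent, int(m.group(1)) if m else -1)

def diagnose(expected_host: str, no_sni: SClientSummary,
             with_sni: SClientSummary) -> List[str]:
    """Explain what a non-SNI client and a modern client will each see."""
    findings = []
    if no_sni.subject_cn != with_sni.subject_cn:
        findings.append(f"SNI-dependent: non-SNI clients get CN={no_sni.subject_cn}, "
                        f"SNI clients get CN={with_sni.subject_cn}; make the "
                        "new cert the server default")
    if with_sni.subject_cn != expected_host:  # exact CN only, no SAN/wildcards
        findings.append(f"name mismatch: expected {expected_host}, "
                        f"got {with_sni.subject_cn}")
    if with_sni.verify_code != 0:
        hint = VERIFY_HINTS.get(with_sni.verify_code, "see `openssl verify` docs")
        findings.append(f"verify code {with_sni.verify_code}: {hint}")
    if with_sni.certs_sent == 1 and with_sni.verify_code in (20, 21):
        findings.append("fix: append the CA's intermediate to the served chain")
    return findings

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax)."""
    max_age, inc, pre = None, False, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            inc = True
        elif name == "preload":
            pre = True
    if max_age is None:
        raise ValueError("HSTS without max-age is ignored by browsers")
    return HstsPolicy(max_age, inc, pre)

def rollback_safe(policy: HstsPolicy, tolerable_lockout_s: int) -> bool:
    """After a botched switchover, browsers keep forcing HTTPS for max-age
    seconds from the last header they saw; a short trial max-age keeps that
    within tolerance. Preload cannot be undone on that timescale."""
    return not policy.preload and policy.max_age <= tolerable_lockout_s
```

To use it against a live host, feed `parse_s_client` the output of `openssl s_client -connect host:443 </dev/null` and of the same command with `-servername host`, then pass both summaries to `diagnose`. With the constructed transcripts it reports an SNI-dependent server, verify code 21 and the missing-intermediate fix; `rollback_safe(parse_hsts("max-age=60"), 3600)` is true, while a preload policy is never rollback-safe.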

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 4:28 pm
by TinyVoices
I originally posted in the rant thread because I felt it too trivial to post it here. After all, my post was a rant...

I figured that the way my phone was acting was... normal? In some way it was behaving properly, as I could still access the site after going through a few web pages of "yes, I trust this site. Yes, they are not dangerous." And then I just lived with the fact that the url showed a red text and slash-through for the http:// portion.

Thank you for the explanation, AJ. I just found it funny that the warning signs for chrome on my phone said that it was less safe to use an unknown https:// than a familiar certified site.

But, yes, I first came to this thread, then the https:// version of the forum, then that version's rant thread. I am conscious, just ignorant of the details.

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 6:20 pm
by amenon
aj wrote: There's a bunch of other domains running off the same IP (like 2kinds.com), so yeah, SNI *support* is necessary.

HSTS will probably be added at some later point after the SSL switchover. If something does truly go wrong I want to be able to back it out, though setting HSTS to have a ~1 minute expiry would be functionally similar.

FWIW, I've been going off the SSLlabs checker report, so if you have other suggestions I'll be glad to listen to them.
I didn't want to jump to suggesting changing the default cert because getting a valid cert for the wrong domain in case of SNI failure is... weird. Not worse, clearly, but weird.

The ~1 minute expiry also wouldn't do anything, but that's a good approach.

Why no ECDHE? Server doesn't reveal versions anymore, so can't really suggest ciphers. Mozilla SSL Config Generator may be useful.

Not impressed with the use of browser-update.org (was about to report a forum infection before I thought to double-check :P) but that's a separate, religious issue.

Edit: After thinking about it a bit more, I think I have generally reasonable grounds for objecting. The last thing you want to train anyone to do on the internet is to click on something unexpected telling them to update. I have never seen anything legitimate that looks more like a scam.
TinyVoices wrote:[...]
But does it work now :?

And yes, the fact that plain HTTP is represented as more trustworthy than broken HTTPS is one of those things where you just have to laugh to stop from crying. Come ooooon, HTTP/2!

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 6:51 pm
by TinyVoices
amenon wrote:But does it work now :?
Technically it always worked. But it's all green now, if that helps you sleep. It only ever asked for access that first time.

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 7:04 pm
by aj
TinyVoices wrote:I originally posted in the rant thread because I felt it too trivial to post it here. After all, my post was a rant...

I figured that the way my phone was acting was... normal? In some way it was behaving properly, as I could still access the site after going through a few web pages of "yes, I trust this site. Yes, they are not dangerous." And then I just lived with the fact that the url showed a red text and slash-through for the http:// portion.

Thank you for the explanation, AJ. I just found it funny that the warning signs for chrome on my phone said that it was less safe to use an unknown https:// than a familiar certified site.

But, yes, I first came to this thread, then the https:// version of the forum, then that version's rant thread. I am conscious, just ignorant of the details.
Tiny: Thank you very much for testing it, both your post and amenon's post helped identify issues. It might have been trivial to you, but it would have been more of an issue come Oct 3rd.

I don't visit other parts of the forum often, so it's *really* easy for me to miss stuff unless it's brought to my attention.
amenon wrote:I didn't want to jump to suggesting changing the default cert because getting a valid cert for the wrong domain in case of SNI failure is... weird. Not worse, clearly, but weird.

The ~1 minute expiry also wouldn't do anything, but that's a good approach.

Why no ECDHE? Server doesn't reveal versions anymore, so can't really suggest ciphers. Mozilla SSL Config Generator may be useful.

Not impressed with the use of browser-update.org (was about to report a forum infection before I thought to double-check :P) but that's a separate, religious issue.

Edit: After thinking about it a bit more, I think I have generally reasonable grounds for objecting. The last thing you want to train anyone to do on the internet is to click on something unexpected telling them to update. I have never seen anything legitimate that looks more like a scam.
Well, we were always getting a domain mismatch with the default certs, along with expiry warnings and self-signed warnings. So going to only a domain mismatch while solving the SNI issue is a bit of an improvement. :P

No ECDHE because the server is running OpenSSL 0.9.8. Yay CentOS security-only back ports.

As for the browser-update.org header... Non-optimal? Definitely. Do I have a better way at this point to nudge people to upgrade? Nope. Am I open to suggestions? Most definitely.

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 7:18 pm
by amenon
aj wrote:As for the browser-update.org header... Non-optimal? Definitely. Do I have a better way at this point to nudge people to upgrade? Nope. Am I open to suggestions? Most definitely.
I think having it is strictly worse than not having it. You've already posted the bulletin and given people a few weeks of notice, and almost nobody will even notice the switchover. I think you're good.

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 7:21 pm
by TinyVoices
aj wrote:Tiny: Thank you very much for testing it, both your post and amenon's post helped identify issues. It might have been trivial to you, but it would have been more of an issue come Oct 3rd.
Sure thing. I figured it'd be good to know how it was going to affect me. I first tried it on my laptop, then my phone. I use incognito on chrome for both to go onto the forum, but only my phone gave issue.

And for you not going to many boards that often: I'm sure there are a number of people who won't see this thread in this board. Expect random threads scattered about come October 3rd.

Edit: just tried the https:// link again. Gave me the same warnings again.... I don't know enough about this stuff to debug properly. But could it be possible that cache has anything to do with it? Or else my location when accessing it? How can using data versus using a wifi spot affect it as well? Those are my best guesses as to why things are weird again, unless it's server side or something.

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 7:31 pm
by aj
TinyVoices wrote:And for you not going to many boards that often: I'm sure there are a number of people who won't see this thread in this board. Expect random threads scattered about come October 3rd.
Undoubtedly. Even tried to make the title all scary if people just read the title of the most recent post.
amenon wrote:I think having it is strictly worse than not having it. You've already posted the bulletin and given people a few weeks of notice, and almost nobody will even notice the switchover. I think you're good.
I'll definitely be removing it after the switchover, and I'll consider removing it earlier.

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 7:38 pm
by puredeathly
aj wrote: Moving to HTTPS stops all this. The price of an SSL cert is now cheap enough that even as a uni student I can justify paying the cost out of my own pocket (Tom had nothing to do with this)
===
Also, anyone else seeing this - please test your browser, and post your issues in the proper thread. Not here. I only know about TinyVoice's issue because amenon linked to his post.
Also StartCom offers free SSL certs if you don't need a wildcard cert.
I recently upgraded my (really small) webpage to https + hsts (running on a Pi housed at EDIS.at :P)
Your cert stuff works fine. I've been connecting via https since I had an account here ^^ (although I had to save your self-signed cert before you had a trusted one :D)
(I hope the cross-posting from the rant thread isn't a no-go but it doesn't really fit there >.>)

-Jakob

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 7:43 pm
by amenon
aj wrote:
TinyVoices wrote:And for you not going to many boards that often: I'm sure there are a number of people who won't see this thread in this board. Expect random threads scattered about come October 3rd.
Undoubtedly. Even tried to make the title all scary if people just read the title of the most recent post.
Maybe a global announcement?
TinyVoices wrote:Edit: just tried the https:// link again. Gave me the same warnings again.... I don't know enough about this stuff to debug properly. But could it be possible that cache has anything to do with it? Or else my location when accessing it? How can using data versus using a wifi spot affect it as well? Those are my best guesses as to why things are weird again, unless it's server side or something.
Incognito almost certainly only remembers stuff for the duration of the session, so that would explain that. I'm resuming my original guess of a missing root CA. If you would, please make note of what exactly it's saying the next time it happens. Alternatively, clicking [redacted] might prompt you to install the root certificate, depending on how the browser works.

Edit: That link actually probably won't work. Looking for a better source...
Edit 2: Ugh, their site is... not useful for this. The link I gave probably results in a download. But if so, maybe you can poke at the downloaded file to do something. Unable to be more helpful without knowing what you're running.

Re: The forum might break for you! Test your browser now!

Posted: Fri Sep 18, 2015 10:48 pm
by GyroFox
:D :heart: :raine: :squirrel: Mhmm! It works!

Re: The forum might break for you! Test your browser now!

Posted: Sat Sep 19, 2015 2:28 am
by jacobc62
Works for me on Firefox v40.0.3

Re: The forum might break for you! Test your browser now!

Posted: Sat Sep 19, 2015 12:51 pm
by Bellhead
As it does for me, with Firefox 28.0. I would guess that anyone in between would be fine.