News Archive

Mar 22nd 2017

We have implemented TLS site-wide as an unconditional redirect. (http -> https) This improves security site-wide for all users, and shouldn't have any negative effects, performance or otherwise.

Xaquseg · 2,543 views
#1 · 4w, 6d ago · 2 · ·

Wooo!

More secure!

~Skeeter The Lurker

#2 · 4w, 6d ago · 1 · ·

Sweet!

#3 · 4w, 6d ago · 6 · 1 ·

Cool! I'll say that to hide the fact I have no idea what this does.

#4 · 4w, 6d ago · · ·

:heart:

#5 · 4w, 6d ago · · ·

Nice.

#6 · 4w, 6d ago · · ·

Excellent.

#7 · 4w, 6d ago · 3 · 1 ·

And could you explain that to those of us that are not tech savvy, please? lol

Tell it like you're trying to explain it to a Neanderthal or a Marine :rainbowlaugh:

#8 · 4w, 6d ago · · ·

...Could someone who actually understands this explain what it means, please?

Xaquseg
Server Administrator
#9 · 4w, 6d ago · 14 · ·

>>4466953

Before only some users were using encryption to access the site, now all users are using encryption to access the site.

#10 · 4w, 6d ago · · ·

Wow, thanks for the update... I'm surprised I didn't notice the switch. :\

But that's cool. It should make things better all around, security wise. ^^

#11 · 4w, 6d ago · · ·

what does it mean please

#12 · 4w, 6d ago · · ·

>>4466962

So, in short: Encryption went from 'optional', to 'mandatory', correct?

#13 · 4w, 6d ago · 1 · ·

>>4466970

This improves security site-wide for all users

#14 · 4w, 6d ago · · ·

>>4466972 i know what does that mean i'm sorry if i'm not getting it

#15 · 4w, 6d ago · · 1 ·

>>4466973

Basically means the site has less of a chance of being taken down by illegal means.

#16 · 4w, 6d ago · · ·

>>4466962 I'll confess that I was among the some who were not using encryption access (using http instead of https), mostly out of a habit of leaving a bunch of tabs open and not wanting to go through the effort of re-finding all of them under the encrypted version of the site.

But now I've just noticed that every time I try to go to an http page, it automatically redirects me to the https version. In other words, all the tabs I have open can now be switched over to the encrypted version simply by refreshing the pages, so that'll make this change a lot easier for me to deal with.

#17 · 4w, 6d ago · · ·

>>4466974 oh okay thanks i needed to know thats good i guess

#18 · 4w, 6d ago · 12 · ·

I'm secure in the knowledge that the level of security on this site can lay all my insecurities to rest.

#21 · 4w, 6d ago · 6 · ·

I've been using HTTPS from the beginning, I'm surprised it took this long for it to be automatic.

#22 · 4w, 6d ago · 7 · ·

I have no idea what the hell that means, BUT IT MAKES ME FEEL 20% SAFER!!!!

#23 · 4w, 6d ago · 6 · ·

....It wasn't before?

(HTTPS Everywhere woohoo!)

#24 · 4w, 6d ago · · ·

>>4466976 Security protocol meaning initial log on between your computer and the website has an individual encryption coding put on all back and forth data. The idea being no-one can eavesdrop or tamper with it in between. Notice the url title on this page now starts with https instead of http. Mainly this is to protect your name and other private details from being taken for identity theft. So it's a good move.:pinkiehappy:

#25 · 4w, 6d ago · · ·

>>4467005 thanks for explaining

#26 · 4w, 6d ago · · ·

Great change.

#27 · 4w, 6d ago · 1 · ·

Anyone else still unsure: this is the page for Firefox explaining it in more detail for their browser, but the basics should hold true for all browsers.

mixed content for Firefox

:pinkiehappy:

>>4466994 Just spotted you here, just a heads up for interest.:twilightsmile:

#28 · 4w, 6d ago · 5 · ·

Nice!  Thanks, site staff!

#29 · 4w, 6d ago · 13 · ·

:unsuresweetie: Time for an SSL image proxy next! (He says while linking to a non-secure static file host.)

>>4466953

>>4466960

>>4466961

>>4466970

>>4466994

It provides reasonable protection against an actor from reading the information you're transmitting (eg, your account password), or from hijacking your connection to the website and serving you something different.

It doesn't even necessarily have to be technically malicious. For example, some wireless networks will attempt to hijack your connection in order to insert their own ads on the pages you visit. They can't do that on HTTPS.

However, HTTPS does not prevent someone from getting the IP of the website you go to, and that can be trivially matched to the website itself. So bad guys can still know you're reading horsewords, they just don't know which ones and can't steal your account info over the network.

#30 · 4w, 6d ago · · ·

Neat.

#32 · 4w, 6d ago · 4 · ·

This does not mean we can change passes to 123456 now or whatnot, it just means HTTPS Everywhere is not necessary.

#33 · 4w, 6d ago · 9 · ·

When you realize that before this change somebody could potentially see what clopfics you were reading :pinkiegasp:

#34 · 4w, 6d ago · 22 · ·

It didn't work.  I'm still insecure.  

#35 · 4w, 6d ago · · ·

Righto. Thanks, lads. But it does not say I am secure, unlike before.

#36 · 4w, 6d ago · · ·

Jolly Good.  

#37 · 4w, 6d ago · · ·

'kay.

#38 · 4w, 6d ago · · ·

Nice! It's always good to see better security features implemented.

#39 · 4w, 6d ago · · ·

Well, that explains the random crash last night.

#40 · 4w, 6d ago · · ·

Hrm. Firefox is claiming now that parts of the site are not secure.

Xaquseg
Server Administrator
#41 · 4w, 6d ago · 7 · 1 ·

We do have plans to resolve the mixed content warnings caused by images over http, but those don't create very many security risks, so it's not a large enough issue to delay this change.

#42 · 4w, 6d ago · · ·

I've always wondered what the difference between Http and Https was

#43 · 4w, 6d ago · · ·

Hopefully it turns out for the better.

At least it should. It's important and nothing too major, just some harmless coding updates.

That or FimFic Skynet happens.

#46 · 4w, 6d ago · · ·

>>4467119 Maybe it doesn't create too much of a security risk, but privacy...

Anyway, thanks for doing this; I couldn't tell you how many times I'd be on this site and realize I forgot to type https!

Xaquseg
Server Administrator
#47 · 4w, 6d ago · · ·

>>4467187

It's only a privacy risk vs. not having mixed content. This change does not reduce user privacy, there's just more we can do to improve it.

#48 · 4w, 6d ago · 1 · ·

>>4467119

Comments like those are just daring someone to launch something like a CSRF attack.

I linked to an image on lithl.info earlier. I have root on lithl.info, and I could easily reconfigure it from serving static content to serving dynamic content, then write a malicious script and have the previously linked image execute that script any time someone views the image. It helps that the image isn't actually being added to the DOM until someone clicks the URL, but that just means the malicious image won't execute on page load, and it doesn't stop a malicious image in a blog post or story chapter.

It's one thing to allow mixed content on your page. Publicly dismissing the danger of mixed content is something else entirely.

Xaquseg
Server Administrator
#49 · 4w, 6d ago · 1 · ·

>>4467193

<img> tags cannot execute client-side code, anything that is not an image is rejected by the browser. Additionally, images are the only resource the browser will allow a https: page to load off an http: domain.

What you are describing is the danger of cross-site resource inclusion, which is an entirely different problem. Additionally, you are describing XSS, not CSRF.

The two things you can do with the image included over http that wouldn't be possible if it was https are:

1. Observe the image being loaded if you can passively snoop on the user's internet connection, possibly identifying which page they loaded based on the URL of the image requested.

2. Replace the image with another image if you can actively modify the user's internet traffic.
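
Added example, not part of the thread or the site's own code: a small Python audit that applies the distinction drawn in comment #49 to page HTML, listing subresources an https: page would request over http: and marking images as passive and scripts, frames and stylesheets as active. The tag classification, the sample markup and every host name are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed classes, after comment #49: http: images load, the rest is blocked.
PASSIVE = {("img", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}


class MixedContentScanner(HTMLParser):
    """Collect http: subresources referenced by a page served over https:."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in ("src", "href"):
            key = (tag, attr)
            if key not in PASSIVE | ACTIVE or not attrs.get(attr):
                continue
            # <link> only pulls in a subresource when it is a stylesheet.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, attrs[attr].strip())
            if urlsplit(url).scheme == "http":
                kind = "passive" if key in PASSIVE else "active"
                self.findings.append((kind, tag, url))


def scan(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an https: page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample markup; host names are placeholders, not from the thread.
SAMPLE = """
<img src="http://images.example.org/cover.png">
<img src="//cdn.example.net/avatar.png">
<script src="http://widgets.example.org/w.js"></script>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<a href="http://example.org/page">plain link, not a subresource</a>
"""
if __name__ == "__main__":
    print(scan("https://forum.example/story/1", SAMPLE))
```

The protocol-relative image inherits https: from the page and is not reported, and the plain hyperlink is ignored because it is a navigation target rather than a subresource.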

#50 · 4w, 6d ago · · ·

>>4467191

I may have phrased that badly; I didn't mean to imply that you'd somehow created a privacy risk, sorry for making it sound like I was
