Mar
22nd
2017
Xaquseg 714 followers
Xaquseg is the system administrator for FIMFiction, as well as various misc. development, especially related to security. Non-technical problems are probably best asked to other staff members.
News Archive
Join our SubscribeStar to remove these adverts!
Join our SubscribeStar to remove these adverts!
Stats
Page generated in 0.083 seconds
Total duration
790 users online
1,218,582 hits today, 2,054,621 yesterday
FIMFiction
My Little Pony: Friendship is Magic Fanfiction
Designed and coded by knighty & Xaquseg - © 2011-2024
Follow & Support Us
Support us
SubStar
Chat!
Discord
Follow us
Twitter
MLP: Friendship is Magic® - © 2024 Hasbro Inc.®
Fimfiction is in no way affiliated with or endorsed by Hasbro Inc.®
Wooo!
More secure!
~Skeeter The Lurker
Sweet!
cool! I'll say that to hide the fact I have idea what this does.
Nice.
Excellent.
And could you explain that to those of us that are not tech savvy, please? lol
Tell it like you're trying to explain it to a Neanderthal or a Marine
...Could someone who actually understands this explain what it means, please?
4466953
Before only some users were using encryption to access the site, now all users are using encryption to access the site.
Wow, thanks for the update... I'm surprised I didn't notice the switch. :\
But that's cool. It should make things better all around, security wise. ^^
what does it mean please
4466962
So, in short: Encryption went from 'optional', to 'mandatory', correct?
4466970
4466972 i know what does that mean i'm sorry if i'm not getting it
4466973
Basically means the site has less of a chance of being taken down by illegal means.
4466962 I'll confess that I was among the some who were not using encryption access (using http instead of https), mostly out of a habit of leaving a bunch of tabs open and not wanting to go through the effort of re-finding all of them under the encrypted version of the site.
But now I've just noticed that every time I try to go an http page, it automatically redirects me to the https version. In other words, all the tabs I have open can now be switched over to the encrypted version simply by refreshing the pages, so that'll make this change a lot easier for me to deal with.
4466974 oh okay thanks i needed to know thats good i guess
I'm secure in the knowledge that the level of security on this site can lay all my insecurities to rest.
Yay. More security.
orig01.deviantart.net/df40/f/2012/004/0/9/rarity_is_watching_you_by_ppppppppp22-d4lcbz7.png
4466980 oh my god
I've been using HTTPS from the beginning, I'm surprised it took this long for it to be automatic.
I have no idea what the hell that means, BUT IT MAKES ME FEEL 20% SAFER!!!!
derpicdn.net/img/2016/6/14/1178409/thumb.png
....It wasn't before?
(HTTPS Everywhere woohoo!)
4466976 Security protocol meaning initial log on between your computer and the website has an individual encryption coding put on all back and forth data. The idea being no-one can eavesdrop or tamper with it in between. Notice the url title on this page now starts with https instead of http. Mainly this is to protect your name and other private details from being taken for identity theft. So it's a good move.
4467005 thanks for explaining
Great change.
Anyone else still unsure this is the page for Firefox explaining it in more detail for their browser but the basics should hold true for all browsers.
mixed content for Firefox
4466994 Just spotted you here, just a heads up for interest.
Nice! Thanks, site staff!
lithl.info/images/partially-secure.jpg
Time for an SSL image proxy next! (He says while linking to a non-secure static file host.)
4466953
4466960
4466961
4466970
4466994
It provides reasonable protection against an actor from reading the information you're transmitting (eg, your account password), or from hijacking your connection to the website and serving you something different.
It doesn't even necessarily have to be technically malicious. For example, some wireless networks will attempt to hijack your connection in order to insert their own ads on the pages you visit. They can't do that on HTTPS.
However, HTTPS does not prevent someone from getting the IP of the website you go to, and that can be trivially matched to the website itself. So bad guys can still know you're reading horsewords, they just don't know which ones and can't steal your account info over the network.
Neat.
4467039 Thanks!
This does not mean we can change passes to 123456 now or the what not, it just means https everywhere is not nessiceary.
When you realize that before this change somebody could potentially see what clopfics you were reading
It didn't work. I'm still insecure.
Righto. Thanks, lads. But it does not say I am secure, unlike before.
Jolly Good.
'kay.
Nice! It's always good to see better security features implemented.
Well, that explains the random crash last night.
Hrm. Firefox is claiming now that parts of the site are not secure.
We do have plans to resolve the mixed content warnings caused by images over http, but those don't create very many security risks, so it's not a large enough issue to delay this change.
I've always wondered what the difference between Http and Https was
Hopefully it turns out for the better.
At least It should. It's important and nothing too major just some harmless coding updates.
That or FimFic Skynet happens.
4467132
https://www.instantssl.com/ssl-certificate-products/https.html
when everyone is a https... no one is.
vignette2.wikia.nocookie.net/villains/images/2/26/PDVD_093.png/revision/latest?cb=20120411225423
4467119 Maybe it doesn't create too much of a security risk, but privacy...
Anyway, thanks for doing this; I couldn't tell you how many times I'd be on this site and realize I forgot to type https!
4467187
It's only a privacy risk vs. not having mixed content. This change does not reduce user privacy, there's just more we can do to improve it.
4467119
Comments like those are just daring someone to launch something like a CSRF attack.
I linked to an image on lithl.info earlier. I have root on lithl.info, and I could easily reconfigure it from serving static content to serving dynamic content, then write a malicious script and have the previously linked image execute that script any time someone views the image. It helps that the image isn't actually being added to the DOM until someone clicks the URL, but that just means the malicious image won't execute on page load, and it doesn't stop a malicious image in a blog post or story chapter.
It's one thing to allow mixed content on your page. Publicly dismissing the danger of mixed content is something else entirely.
4467193
<img> tags cannot execute client-side code, anything that is not an image is rejected by the browser. Additionally, images are the only resource the browser will allow a https: page to load off an http: domain.
What you are describing is the danger of cross-site resource inclusion, which is an entirely different problem. Additionally, you are describing XSS, not CSRF.
The two things you can do with the image included over http that wouldn't be possible if it was https are:
1. Observe the image being loaded if you can passively snoop on the user's internet connection, possibly identifying which page they loaded based on the URL of the image requested.
2. Replace the image with another image if you can actively modify the user's internet traffic.
4467191
I may have phrased that badly; I didn't mean to imply that you'd somehow created a privacy risk, sorry for making it sound like I was