[website] https enabled for springrts.com!

abma
Spring Developer
Posts: 3548
Joined: 01 Jun 2009, 00:08

Post by abma » 05 Feb 2015, 01:58

with a lot of help of dansan and tim, we got a ssl-certificate from startssl and enabled https for https://springrts.com:

apache config is this:

Code:

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
                            EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
                            DHE-RSA-AES128-SHA256 \
                            !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

i hopefully fixed all pages which still embedded http images/resources, if you find some, please report in this thread.

ssl lab results are "A" atm, so should be ok.

https is optional but very likely this will change in the future, but there is no concrete plan for that yet.

any suggestions?

aaah, surfing on springrts.com feels much better :-)
Last edited by abma on 09 Feb 2015, 20:08, edited 1 time in total.
Reason: added DHE-RSA-AES128-SHA256

malric
Posts: 515
Joined: 30 Dec 2005, 22:22

Post by malric » 05 Feb 2015, 09:39

I get the following error on Arch Linux with Firefox 35.0.1

Code:

Unable to Connect Securely

Firefox cannot guarantee the safety of your data on springrts.com because it uses SSLv3, a broken security protocol.
Advanced info: ssl_error_no_cypher_overlap

and then it links to this page https://support.mozilla.org/en-US/kb/wh ... es-firefox

dansan
Server Owner & Developer
Posts: 1191
Joined: 29 May 2010, 23:40

Post by dansan » 05 Feb 2015, 10:27

SSLv3 is deactivated on the server. Either your browser is broken or you are behind a corporate firewall that does mitm attacks.

Please check that the SSL-certificate that is sent to you by springrts.com has the following properties:

Code:

SHA-256 Fingerprint:	A5 19 86 94 0E 10 FF 81 BF CF D4 12 12 79 FA 47
6F 41 03 26 0A DE 0F 57 FB 02 AE 7F DE AD FA 85

SHA-1 Fingerprint: 	C6 C6 BB 95 A0 E0 12 D9 6E 74 4C ED E8 9E A7 DB
2F 4F 09 3D

Validity: 04.02.2015 - 05.02.2016

malric
Posts: 515
Joined: 30 Dec 2005, 22:22

Post by malric » 05 Feb 2015, 13:48

Checked (this time on another computer, different network/OS) through the command line (see here http://pastebin.com/94pnuJdM) and the fingerprints seem good.

Still, the browser on this other computer (Firefox 31.4.0 on CentOS 6.6), for the url "https://springrts.com" gives the following message:

Code:

Secure Connection Failed

An error occurred during a connection to springrts.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Something similar happens in Konqueror and on Internet Explorer 8 (on some remote computer).

(note: I do not need https that much, would like to use it if available, I just check as I think that if you put some effort into setting this up it is nice to give feedback if it does not work).

abma
Spring Developer
Posts: 3548
Joined: 01 Jun 2009, 00:08

Post by abma » 05 Feb 2015, 14:46

for internet explorer 8 this error message is ok, as it doesn't support TLS1.2. in firefox >31.3 it should work. is tls disabled in firefox?

in firefox, can you please open about:config and check the value of "security.tls.version.max" ? (should be set to the default, "3")

no clue about Konqueror.

malric
Posts: 515
Joined: 30 Dec 2005, 22:22

Post by malric » 05 Feb 2015, 15:30

Thanks! That fixed the problem. No clue why it was set to 1 (did not set it myself). Will check on the other computer, might be the same issue.
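Why a client capped at TLS 1.0 gets ssl_error_no_cypher_overlap from the config in the first post, even though its SSLProtocol line leaves TLS 1.0 enabled: every suite the cipher string selects (AES-GCM, or a SHA-256/SHA-384 MAC) was introduced with TLS 1.2. This is an added example, not part of the thread and not the site admins' code; it asks the local OpenSSL, through Python's ssl module, to expand the posted string, so the exact suite names depend on the installed OpenSSL.

```python
import ssl

# Cipher string from the Apache config in the first post, with the line
# continuations joined (OpenSSL accepts spaces as separators).
SERVER_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "DHE-RSA-AES128-SHA256 "
    "!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Firefox about:config values for security.tls.version.max.
FIREFOX_TLS_MAX = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}
RANK = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3}


def expand(cipher_string):
    """Map each suite the local OpenSSL selects to the protocol version that
    introduced it. TLS 1.3 suites are configured separately and are always
    listed, so they are dropped (they did not exist when this was posted)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def usable_suites(cipher_string, client_max):
    """Suites a client capped at client_max could still negotiate.
    A suite with an unrecognised protocol label is treated as unusable."""
    limit = RANK[client_max]
    return sorted(name for name, proto in expand(cipher_string).items()
                  if RANK.get(proto, 99) <= limit)


if __name__ == "__main__":
    for pref in (1, 3):
        proto = FIREFOX_TLS_MAX[pref]
        suites = usable_suites(SERVER_CIPHERS, proto)
        print(f"security.tls.version.max={pref} ({proto}): "
              f"{len(suites)} usable suite(s)")
```

A TLS 1.0 or 1.1 client therefore fails at cipher selection rather than at protocol version negotiation, which matches the browser reporting no cipher overlap.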

abma
Spring Developer
Posts: 3548
Joined: 01 Jun 2009, 00:08

Post by abma » 06 Feb 2015, 01:50

after looking into log files it seems very few people use https. to get some feedback i've made a "light" enforcement to use it by sending out https:// links in notification emails, hopefully users don't have trouble using it.

smoth
Posts: 22298
Joined: 13 Jan 2005, 00:46

Post by smoth » 06 Feb 2015, 05:10

Why do I care about https when I browse and post here? Not being negative but I don't have a lot of sensitive info here

gajop
Moderator
Posts: 3023
Joined: 05 Aug 2009, 20:42

Post by gajop » 06 Feb 2015, 07:04

You will know that this is the official site, and not an attempt at phishing/MITM. This is pretty important, especially if we desire donations, and expect you to entrust us with your forum credentials.

Forboding Angel
Evolution RTS Developer
Posts: 14589
Joined: 17 Nov 2005, 02:43

Post by Forboding Angel » 06 Feb 2015, 07:25

Wouldn't donations be in the form of a paypal button anyway? At which point I'm taken to paypal.com anyway.

Don't get me wrong, https is a good thing, but at the same time, unless you redirect all http traffic to https, its usefulness is somewhat dubious.

gajop
Moderator
Posts: 3023
Joined: 05 Aug 2009, 20:42

Post by gajop » 06 Feb 2015, 07:50

Yes, but, also, if someone created a phishing site they could have a PayPal button that is linked with a different account.

Forboding Angel
Evolution RTS Developer
Posts: 14589
Joined: 17 Nov 2005, 02:43

Post by Forboding Angel » 06 Feb 2015, 09:50

True, but one would assume that the donor would pay attention to who they are donating to.

Anarchid
Posts: 1380
Joined: 30 Nov 2008, 04:31

Post by Anarchid » 06 Feb 2015, 10:41

> True, but one would assume that the donor would pay attention to who they are donating to.

And that's why phishing doesn't actually ever work. What a crazy world it would be if there was such an industry! Preposterous.

PicassoCT
Journeywar Developer & Mapper
Posts: 10226
Joined: 24 Jan 2006, 21:12

Post by PicassoCT » 06 Feb 2015, 14:22

I really can't understand why, in such a sane and well organized world filled with sentient people, anyone would waste any time at all on such a mordor-in-the-sky scenario. Clearly, the need for discussion is proof that such a need doesn't exist and thus needs to be fulfilled.

What entices me even more though is - where is the protection goal? We are all rather blank and run-down characters, engaging in a non-profitable endeavour. The only valuables we possess are stored on git-hub. So a stick up job, with us, is - let's say, easy to accomplish, when it comes to carrying the loot?

Thus i propose, we keep what we got, but don't worry any further on whether the NSA cheats when playing ("They do. Always did. League of ColdWar went down cause of that")

qray
Posts: 377
Joined: 02 Feb 2009, 18:49

Post by qray » 06 Feb 2015, 15:12

Tried it, surfed several pages (forum, wiki, media, front), works like a charm. Thanks!
Encryption is always good (even if data is not the most sensitive).

Tried https also on springfiles, but get this message:

Code:

springfiles.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for JJ (Error code: sec_error_unknown_issuer)

Would it be a problem to get a proper certificate there, too?

abma
Spring Developer
Posts: 3548
Joined: 01 Jun 2009, 00:08

Post by abma » 06 Feb 2015, 15:33

> Don't get me wrong, https is a good thing, but at the same time, unless you redirect all http traffic to https, its usefulness is somewhat dubious.

agreed, but: it's not enforced yet to find possible bugs/problems first.

Jools
XTA Developer
Posts: 2804
Joined: 23 Feb 2009, 16:29

Post by Jools » 06 Feb 2015, 16:08

You need to redirect from http to https: a lot of people don't type in the url by hand, but they follow a link either from forum or their history...

abma
Spring Developer
Posts: 3548
Joined: 01 Jun 2009, 00:08

Post by abma » 06 Feb 2015, 16:17

><((((*>


maybe what i wrote in the first post is very unclear, in other words:

https is enabled for testing purposes, if everything is fine it will be enforced and a 301 redirect from http to https configured. but for that, no concrete plan (= exact date) exists as it depends on the problems found.

route is to enforce https for:

0. notification emails (done 5.2.2015)
1. startpage (done 6.2.2015)
2. /phpbb (done 9.2.2015)
3. /wiki (done 16.2.2015)
4. /mantis (done 16.2.2015)
5. whole springrts.com server


SirMaverick
Posts: 834
Joined: 19 May 2009, 21:10

Post by SirMaverick » 07 Feb 2015, 14:56

> https is optional but very likely this will change in the future, but there is no concrete plan for that yet.

Very good.

> any suggestions?

You could also use https://www.letsencrypt.org/ as CA once it's available.
