[website] https enabled for springrts.com!
Posted: 05 Feb 2015, 01:58
by abma
with a lot of help of dansan and tim, we got a ssl-certificate from startssl and enabled https for https://springrts.com:
apache config is this:
Code:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
DHE-RSA-AES128-SHA256 \
!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
i hopefully fixed all pages which still embedded http images/resources, if you find some, please report in this thread.
ssl lab results are "A" atm, so should be ok.
https is optional but very likely this will change in the future, but there is no concrete plan for that yet.
any suggestions?
aaah, surfing on springrts.com feels much better 
Re: [website] https enabled for springrts.com!
Posted: 05 Feb 2015, 09:39
by malric
I get the following error on Arch Linux with Firefox 35.0.1
Code:
Unable to Connect Securely
Firefox cannot guarantee the safety of your data on springrts.com because it uses SSLv3, a broken security protocol.
Advanced info: ssl_error_no_cypher_overlap
and then it links to this page
https://support.mozilla.org/en-US/kb/wh ... es-firefox
Re: [website] https enabled for springrts.com!
Posted: 05 Feb 2015, 10:27
by dansan
SSLv3 is deactivated on the server. Either your browser is broken or you are behind a corporate firewall that does mitm attacks.
Please check that the SSL-certificate that is sent to you by springrts.com has the following properties:
Code:
SHA-256 Fingerprint: A5 19 86 94 0E 10 FF 81 BF CF D4 12 12 79 FA 47
                     6F 41 03 26 0A DE 0F 57 FB 02 AE 7F DE AD FA 85
SHA-1 Fingerprint:   C6 C6 BB 95 A0 E0 12 D9 6E 74 4C ED E8 9E A7 DB
                     2F 4F 09 3D
Validity: 04.02.2015 - 05.02.2016
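The fingerprint comparison requested above, as an added example that is not part of the original post: it hashes the DER form of a certificate and compares it with a pinned value written in the spaced-hex style used in the post. The pinned value is the one posted for the 2015 certificate; `CONSTRUCTED_PEM` and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import ssl

# SHA-256 fingerprint as posted above (spaced hex, wrapped over two lines).
POSTED_SHA256 = """A5 19 86 94 0E 10 FF 81 BF CF D4 12 12 79 FA 47
                   6F 41 03 26 0A DE 0F 57 FB 02 AE 7F DE AD FA 85"""

# Constructed stand-in for a certificate's DER bytes so the demo runs offline;
# it is not a real certificate and not springrts.com's.
CONSTRUCTED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed DER bytes for demo")


def parse_fingerprint(text, size=32):
    """Accept 'A5 19 ..', 'A5:19:..' or bare hex in any case; return bytes."""
    raw = bytes.fromhex("".join(ch for ch in text if ch not in " :\t\r\n"))
    if len(raw) != size:
        raise ValueError(f"expected {size} digest bytes, got {len(raw)}")
    return raw


def sha256_fingerprint(pem_cert):
    """Digest of the DER encoding, which is what browsers and openssl show."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).digest()


def format_fingerprint(digest):
    """Render digest bytes in the spaced upper-case style used in the post."""
    return " ".join(f"{b:02X}" for b in digest)


def matches_pin(pem_cert, pinned_text):
    """Constant-time comparison of the certificate digest with the pin."""
    return hmac.compare_digest(sha256_fingerprint(pem_cert),
                               parse_fingerprint(pinned_text))


def check_server(host, pinned_text, port=443):
    """Fetch the certificate the server presents on this network path (no
    chain validation is done here) and compare it with the pinned value."""
    return matches_pin(ssl.get_server_certificate((host, port)), pinned_text)


if __name__ == "__main__":
    print(format_fingerprint(sha256_fingerprint(CONSTRUCTED_PEM)))
    print(matches_pin(CONSTRUCTED_PEM, POSTED_SHA256))  # different certificate
```

A mismatch from `check_server` on one network but not another points at something on the path replacing the certificate, which is the case the post asks to rule out.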
Re: [website] https enabled for springrts.com!
Posted: 05 Feb 2015, 13:48
by malric
Checked (this time on another computer, different network/OS) through the command line (see here http://pastebin.com/94pnuJdM) and the fingerprints seem good.
Still, the browser on this other computer (Firefox 31.4.0 on CentOS 6.6), for the url "https://springrts.com" gives the following message:
Code:
Secure Connection Failed
An error occurred during a connection to springrts.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
Something similar happens in Konqueror and on Internet Explorer 8 (on some remote computer).
(note: I do not need https that much, would like to use it if available, I just check as I think that if you put some effort into setting this up it is nice to give feedback if it does not work).
Re: [website] https enabled for springrts.com!
Posted: 05 Feb 2015, 14:46
by abma
for internet explorer 8 this error message is ok, as it doesn't support TLS1.2. in firefox >31.3 it should work. is tls disabled in firefox?
in firefox, can you please open about:config and check the value of "security.tls.version.max" ? (should be set to the default, "3")
no clue about Konqueror.
Re: [website] https enabled for springrts.com!
Posted: 05 Feb 2015, 15:30
by malric
Thanks! That fixed the problem. No clue why it was set to 1 (did not set it myself). Will check on the other computer, might be the same issue.
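Why a client capped below TLS 1.2 (Firefox's security.tls.version.max=1 means TLS 1.0) gets ssl_error_no_cypher_overlap against the Apache configuration from the first post, as an added example that is not part of the original thread: it expands the posted SSLCipherSuite string with the local OpenSSL and groups the selected suites by protocol version. Function names are assumptions made for the example.

```python
import ssl

# Cipher string copied from the SSLCipherSuite directive in the first post.
SPRINGRTS_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "DHE-RSA-AES128-SHA256 "
    "!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)


def expand(cipher_string):
    """Return (name, protocol) for each suite the local OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def suites_by_protocol(cipher_string):
    """Group selected suites by the protocol version that introduced them."""
    groups = {}
    for name, protocol in expand(cipher_string):
        # OpenSSL 1.1.1+ lists TLS 1.3 suites no matter what this string says
        # (they are configured separately), so leave them out of the picture.
        if protocol != "TLSv1.3":
            groups.setdefault(protocol, []).append(name)
    return groups


def legacy_suites(cipher_string):
    """Suites a client capped below TLS 1.2 could still negotiate."""
    groups = suites_by_protocol(cipher_string)
    return sorted(n for p, names in groups.items() if p != "TLSv1.2" for n in names)


if __name__ == "__main__":
    for proto, names in suites_by_protocol(SPRINGRTS_CIPHERS).items():
        print(proto, len(names), "suites, e.g.", names[0])
    # Empty list: "SSLProtocol all -SSLv2 -SSLv3" leaves TLS 1.0/1.1 enabled,
    # but no configured suite exists in those versions, hence no overlap.
    print("usable below TLS 1.2:", legacy_suites(SPRINGRTS_CIPHERS))
```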
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 01:50
by abma
after looking into log files it seems very few people use https. to get some feedback i've made a "light" enforcement to use it by sending out https:// links in notification emails, hopefully users don't have trouble using it.
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 05:10
by smoth
Why do I care about https when I browse and post here? Not being negative but I don't have a lot of sensitive info here
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 07:04
by gajop
You will know that this is the official site, and not an attempt of phishing/MITM. This is pretty important, especially if we desire donations, and expect you to entrust us with your forum credentials.
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 07:25
by Forboding Angel
Wouldn't donations be in the form of a paypal button anyway? At which point I'm taken to paypal.com anyway.
Don't get me wrong, https is a good thing, but at the same time, unless you redirect all http traffic to https, its usefulness is somewhat dubious.
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 07:50
by gajop
Yes, but, also, if someone created a phishing site they could have a PayPal button that is linked with a different account.
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 09:50
by Forboding Angel
True, but one would assume that the donor would pay attention to who they are donating to.
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 10:41
by Anarchid
> True, but one would assume that the donor would pay attention to who they are donating to.
And that's why phishing doesn't actually ever work. What crazy world it would be if there was such an industry! Preposterous.
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 14:22
by PicassoCT
I really can't understand why, in such a sane and well organized world filled with sentient people, anyone would waste any time at all on such a mordor-in-the-sky scenario. Clearly, the need for discussion is proof that such a need doesn't exist and thus needs to be fulfilled.
What entices me even more though is - where is the protection goal? We are all rather blank and run-down characters, engaging in a non-profitable endeavour. The only valuables we possess are stored on git-hub. So a stick up job, with us, is - let's say, easy to accomplish, when it comes to carrying the loot?
Thus i propose, we keep what we got, but don't worry any further on whether the NSA cheats when playing ("They do. Always did. League of ColdWar went down cause of that")
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 15:12
by qray
Tried it, surfed several pages (forum, wiki, media, front), works like a charm. Thanks!
Encryption is always good (even if data is not the most sensitive).
Tried https also on springfiles, but get this message:
Code:
springfiles.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for JJ (Error code: sec_error_unknown_issuer)
Would it be a problem to get a proper certificate there, too?
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 15:33
by abma
> Don't get me wrong, https is a good thing, but at the same time, unless you redirect all http traffic to https, its usefulness is somewhat dubious.
agreed, but: it's not enforced yet to find possible bugs/problems first.
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 16:08
by Jools
You need to redirect from http to https: a lot of people don't type in the url by hand, but they follow a link either from forum or their history...
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 16:17
by abma
><((((*>
maybe what i wrote in the first post is very unclear, in other words:
https is enabled for testing purposes, if everything is fine it will be enforced and a 301 redirect from http to https configured. but for that, no concrete plan (= exact date) exists as it depends on the problems found.
route is to enforce https for:
0. notification emails (done 5.2.2015)
1. startpage (done 6.2.2015)
2. /phpbb (done 9.2.2015)
3. /wiki (done 16.2.2015)
4. /mantis (done 16.2.2015)
5. whole springrts.com server
Re: [website] https enabled for springrts.com!
Posted: 06 Feb 2015, 18:33
by 8611
Re: [website] https enabled for springrts.com!
Posted: 07 Feb 2015, 14:56
by SirMaverick
> https is optional but very likely this will change in the future, but there is no concrete plan for that yet.
Very good.
> any suggestions?
You could also use https://www.letsencrypt.org/ as CA once it's available.