Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Forum Discussion

Move to HTTPS - Page 1

Move to HTTPS

Posted by: SatoMew
Date: 2016-11-22 09:19:22
The stable releases of Firefox and Chrome will soon start marking password forms served over HTTP as insecure, which will obviously affect GCL (forums and wiki) in its current state. This is part of an ongoing effort by the major browser developers to increase the adoption of HTTPS on the Web and to eventually mark every HTTP site as non-secure.

I don't know how difficult would it be to implement HTTPS on GCL but I think it's something that needs to be considered as we don't want to scare visitors and our users into thinking that GCL is compromised. Recent trustworthy services like Let's Encrypt and its Let's Monitor may help, especially since they're free. There is also the moarTLS Analyzer browser extension that identifies HTTP content on HTTPS web sites and lets you check if they can be served over HTTPS.

Re: Move to HTTPS

Posted by: Yeniaul
Date: 2016-11-22 10:24:17
The DS family (at least the DS/DSi) gets kicked from any site using Let's Encrypt as soon as it broadcasts its browser version… for whatever reason (I think it's game systems in general, as it occurs for most of the Xbox and PlayStation family browsers too, which STILL make up 15% of the total traffic on the 'net.)
So some members (including me, as I use the DSi's neutered version of Opera. And no, I don't have an Android nor an iDevice I can use instead.) may find they cannot access the site any longer. Of course, you could implement an alternate HTTP-only version of the site, but that would be EXPENSIVE. Even then, the site needs fixed before we do this sort of thing, that way it's not a pain in the ass to fix broken pages and screwed directory structures.

Re: Move to HTTPS

Posted by: Abwayax
Date: 2016-11-22 13:31:36
https://glitchcity.info/wiki/Main_Page

edit: It's not HTTPS-only because firstly I think some parts of the site might still be loading through HTTP, and also because someone will inevitably complain that they can no longer access the site. Also because I don't make policy decisions for the site anymore so it's not really my call whether to move to HTTPS-only.

Re: Move to HTTPS

Posted by: SatoMew
Date: 2016-11-22 17:29:41
To clarify, the idea is for GCL to use HTTPS by default but still have HTTP as a fallback so that users of older or otherwise incompatible browsers aren't left out.


The DS family (at least the DS/DSi) gets kicked from any site using Let's Encrypt as soon as it broadcasts its browser version… for whatever reason (I think it's game systems in general, as it occurs for most of the Xbox and PlayStation family browsers too, which STILL make up 15% of the total traffic on the 'net.)


I'd say that the most likely causes are lack of support for TLS 1.2 and/or no updates for those browsers that allow them to trust Let's Encrypt certificates.


https://glitchcity.info/wiki/Main_Page

edit: It's not HTTPS-only because firstly I think some parts of the site might still be loading through HTTP, and also because someone will inevitably complain that they can no longer access the site. Also because I don't make policy decisions for the site anymore so it's not really my call whether to move to HTTPS-only.


Thanks for the quick response :)

At most, there will be mixed-content warnings but we can always gradually update the references to HTTP resources that can be served over HTTPS.

Re: Move to HTTPS

Posted by: Yeniaul
Date: 2016-11-22 22:48:32

I don't make policy decisions for the site anymore
Wait, the host doesn't have executive privelege anymore? The s***?