HTTPS Upgrade

This forum is for Administrators to post news concerning the site and forums.
Kison
.GIFted
 
Joined: January 22, 2007
Location: San Diego, CA

Post #0 » Sun Feb 19, 2017 10:58 pm

As I mentioned here, the wiki & main site were upgraded to HTTPS about 2 weeks ago. The forum has also been upgraded, but is still running both HTTP & HTTPS.

Spoiler: What the heck is HTTPS?
It's essentially a more secure, encrypted method of communication between your web browser and the Mafiascum server, preventing anyone in between from seeing your passwords, private messages, posts, and anything else transferred to and from the site. There are some other advantages to doing this that may allow us to speed the site. If you feel like nerding out, you can read more about it on Wikipedia.

I'm tentatively planning to flip the switch Friday morning to redirect all HTTP traffic to HTTPS. Normally this wouldn't be a big deal, but because this is a forum, it may impact the way you post a little bit. The main thing to be concerned with is the img tag. This tag allows you to embed an image hosted on another site into your posts & private messages. Unfortunately, if your browser sees insecure content (transmitted over HTTP) embedded in a secure page, it will refuse to download & display it. Fortunately, if a site supports both HTTP & HTTPS, we can tell your browser to use HTTPS even if the image is embedded with an HTTP URL. If the site hosting the image does not support HTTPS, however, it will not show up!

Example of HTTP (insecure) image URL:
http://i.imgur.com/hkt0d2i.jpg

Example of its HTTPS (secure) equivalent:
https://i.imgur.com/hkt0d2i.jpg

The above will work if linked as either version since the "https" version works.

If you try embedding an image and it doesn't show up, a safe bet would be to download it and throw it up on imgur.com.

Other affected tags: bgimg, thumbnail, & hoverimg.

What about old posts?
We fixed all old posts & private messages going back to the beginning of time. We did this by moving the insecure images to mafiascum.net and replacing the URLs in the affected posts & PMs.

Questions? Ask away!

Thanks to Borkjerfkin & ConnorJC for helping with this!
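
One way to do the kind of rewrite the post above describes, as an added example that is not the forum's own code: scan a post for the four image tags, switch http:// to https:// where the host is known to serve HTTPS, and list the rest for re-hosting. The [tag]URL[/tag] shape, the host list and the sample post are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Tags the post names as embedding remote images. The [tag]URL[/tag] and
# [tag=...]URL[/tag] shapes are an assumption about the forum's BBCode.
IMAGE_TAGS = ("img", "bgimg", "thumbnail", "hoverimg")
TAG_RE = re.compile(
    r"\[(%s)(=[^\]]*)?\](.*?)\[/\1\]" % "|".join(IMAGE_TAGS),
    re.IGNORECASE | re.DOTALL,
)


def upgrade_post(text, https_hosts):
    """Rewrite http:// image embeds to https:// where the host supports it.

    Returns (new_text, needs_rehosting): URLs on hosts outside https_hosts
    are left unchanged and listed so they can be re-uploaded elsewhere.
    """
    needs_rehosting = []

    def fix(match):
        tag, attr, url = match.group(1), match.group(2) or "", match.group(3).strip()
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            return match.group(0)          # already https (or not a web URL)
        host = (parts.hostname or "").lower()
        if host not in https_hosts:
            needs_rehosting.append(url)    # would be blocked as mixed content
            return match.group(0)
        # Only the scheme changes; an explicit :80 port is dropped.
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        secure = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return "[%s%s]%s[/%s]" % (tag, attr, secure, tag)

    return TAG_RE.sub(fix, text), needs_rehosting


# Constructed sample post and host list (not taken from the forum's data).
SAMPLE = (
    "Look: [img]http://i.imgur.com/hkt0d2i.jpg[/img] and "
    "[IMG]http://old-host.example/cat.png[/IMG] and "
    "[thumbnail]https://i.imgur.com/hkt0d2i.jpg[/thumbnail]"
)
HTTPS_HOSTS = {"i.imgur.com"}

if __name__ == "__main__":
    fixed, broken = upgrade_post(SAMPLE, HTTPS_HOSTS)
    print(fixed)
    print("re-host:", broken)
```

In real use the host set would come from probing each image host over HTTPS once and caching the answer.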

ConnorJC
Goon
 
Joined: November 15, 2016
Location: US East Coast

Post #1 » Sun Feb 19, 2017 11:47 pm

I helped? Guess I did some work in my sleep.

Anyways, onwards to HSTS and better CSPs!
"Let's make MS secure again."
Want to help with site development? PM Kison
Want to test new features? https://forum.staging.mafiascum.net (Probably still want to PM Kison)

Frozen Angel
Queen Shifty
 
Joined: October 26, 2015
Pronoun: She

Post #2 » Mon Feb 20, 2017 12:44 am

great job :]
False tears bring pain to those around you
False smile brings pain to one's self


"Frozen Like Your Heart." -Ginngie

randomidget
Jack of All Trades
 
Joined: February 08, 2014
Pronoun: He

Post #3 » Mon Feb 20, 2017 9:30 am

gj
vonflare (21:40)
you suck randomidget

Annadog40
Owl of the Night Chat
 
Joined: May 02, 2015
Location: https://frozen.fandom.com/wiki/Arendelle
Pronoun: She

Post #4 » Mon Feb 20, 2017 10:26 am

Would uploading images make them more secure than linking them?
This is my life now

Once you have 100 posts, click here to go to the page to join the speakeasy group.

ConnorJC
Goon
 
Joined: November 15, 2016
Location: US East Coast

Post #5 » Mon Feb 20, 2017 12:53 pm

In post 4, Annadog40 wrote: Would uploading images make them more secure than linking them?

Uploading to another site, like imgur?

Theoretically, considering imgur is less likely to screw up proper https than some random site.

Annadog40
Owl of the Night Chat
 
Joined: May 02, 2015
Location: https://frozen.fandom.com/wiki/Arendelle
Pronoun: She

Post #6 » Mon Feb 20, 2017 1:04 pm

Or upload to this site.

borkjerfkin
Xenophile
 
Joined: April 03, 2012
Location: Madison, WI
Pronoun: He

Post #7 » Mon Feb 20, 2017 1:09 pm

depends what your definition of 'security' is in this case
we don't live here anymore

ConnorJC
Goon
 
Joined: November 15, 2016
Location: US East Coast

Post #8 » Mon Feb 20, 2017 1:45 pm

In post 6, Annadog40 wrote: Or upload to this site.

Can normal users upload to the site?

Annadog40
Owl of the Night Chat
 
Joined: May 02, 2015
Location: https://frozen.fandom.com/wiki/Arendelle
Pronoun: She

Post #9 » Mon Feb 20, 2017 1:56 pm

Probably not, but it would make images more secure.

Frozen Angel
Queen Shifty
 
Joined: October 26, 2015
Pronoun: She

Post #10 » Mon Feb 20, 2017 2:05 pm

they can using wiki

ConnorJC
Goon
 
Joined: November 15, 2016
Location: US East Coast

Post #11 » Mon Feb 20, 2017 3:51 pm

In post 9, Annadog40 wrote: Probably not, but it would make images more secure.

Imgur is (for the moment) more secure than MafiaScum.

xRECKONERx
GD is my Best Man
 
Joined: March 15, 2009
Location: Bull City
Pronoun: He

Post #12 » Mon Feb 20, 2017 9:27 pm

Nice, was wondering when this would happen. gj team
get to know a reckoner

FUCK CANCER. #greenshirtthursdays

Majiffy
Go with the Flow
 
Joined: November 23, 2011
Location: Buffalo, NY
Pronoun: He

Post #13 » Mon Feb 20, 2017 11:58 pm

Oh good
Only playing in games at personal moderator and/or 50%+ playerlist request.

GTKAS Jiffy! (Part 1) || GTKAS Jerfy (The Sequel!) || How To Win Every Game At Mafiascum (The Flowchart) || In case anyone was unsure...
Svenskt Stål (23:38) majiffy, worst mod on ms? we talk to a surviving victim of his game

inte
Mafia Scum
 
Joined: November 15, 2011
Location: C-bus

Post #14 » Thu Feb 23, 2017 7:42 pm

it's 2017, how is no HTTPS still a thing

Zachrulez
Jack of All Trades
 
Joined: December 05, 2008
Location: Minnesota
Pronoun: He

Post #15 » Fri Feb 24, 2017 1:22 am

I just don't think anyone here thought to implement it. It's definitely a worthwhile thing to have been done now in light of the recent site breach.

ConnorJC
Goon
 
Joined: November 15, 2016
Location: US East Coast

Post #16 » Fri Feb 24, 2017 9:37 am

In post 14, inte wrote: it's 2017, how is no HTTPS still a thing

Because HTTP/2 is still not a thing.

Fortunately, Let's Encrypt is fighting the good fight for SSL everywhere.

Kison
.GIFted
 
Joined: January 22, 2007
Location: San Diego, CA

Post #17 » Fri Feb 24, 2017 9:48 am

All traffic to http should now be redirected to https.

Please let us know if you notice any issues and we'll work to get them resolved. :)

Majiffy
Go with the Flow
 
Joined: November 23, 2011
Location: Buffalo, NY
Pronoun: He

Post #18 » Fri Feb 24, 2017 10:33 pm

Just a note, if the HTTPS uses SHA-1, Google will be posting the break in 90 days.

http://www.theverge.com/2017/2/23/14712 ... -shattered

Zachrulez
Jack of All Trades
 
Joined: December 05, 2008
Location: Minnesota
Pronoun: He

Post #19 » Sat Feb 25, 2017 1:34 am

From what I'm reading all the major browsers would pop up and inform users they were on a SHA-1 site if MS was using it.

Majiffy
Go with the Flow
 
Joined: November 23, 2011
Location: Buffalo, NY
Pronoun: He

Post #20 » Sat Feb 25, 2017 3:15 pm

I must have missed that part.

McMenno
One For Aren't-We-All
 
Joined: February 18, 2015
Location: In spaaaace

Post #21 » Sat Feb 25, 2017 7:42 pm

In post 17, Kison wrote: All traffic to http should now be redirected to https.

Please let us know if you notice any issues and we'll work to get them resolved. :)

thanks mafia scum dot net

inte
Mafia Scum
 
Joined: November 15, 2011
Location: C-bus

Post #22 » Sat Feb 25, 2017 7:57 pm

Let's Encrypt is 5 danks out of 5 real talk

ConnorJC
Goon
 
Joined: November 15, 2016
Location: US East Coast

Post #23 » Sun Feb 26, 2017 9:14 pm

In post 18, Majiffy wrote: Just a note, if the HTTPS uses SHA-1, Google will be posting the break in 90 days.

http://www.theverge.com/2017/2/23/14712 ... -shattered


I don't think you can even get a SHA1 signature nowadays. Don't worry, the encryption is secure.
(Although, note that HTTP links to MS are currently not secure, so do be careful around those.)
Last edited by ConnorJC on Mon Feb 27, 2017 8:11 am, edited 1 time in total.

tn5421
Mafia Scum
 
Joined: March 31, 2014
Location: Florida
Pronoun: He

Post #24 » Mon Feb 27, 2017 3:10 am

In post 19, Zachrulez wrote: From what I'm reading all the major browsers would pop up and inform users they were on a SHA-1 site if MS was using it.


The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).

Although it seems the certificate is issued to wiki.mafiascum.net, even when viewing the forums.
Recovering rageposter.
