Welcome, guest! Please login or register.

    * Shoutbox

    RefreshHistory
    • Salayor: o.O
      December 13, 2018, 01:02:33 AM
    • ZHer0kool: This is by far one of my oldest existing forum accounts
      December 12, 2018, 08:40:43 PM
    • DeathsChaos9::|
      December 12, 2018, 06:41:54 PM
    • TheMane221: Dont know if this is allowed but I have an OSRS account I need to sell asap. 95 att, 92 str, 93 def, 94 hp, 77 range and 73 magic. Dm me please.
      December 09, 2018, 04:27:28 PM
    • runescape3dude: I haven't been on here in about 10 years
      December 08, 2018, 11:14:56 PM
    • runescape3dude: holy crap
      December 08, 2018, 11:14:47 PM
    • howi: Gosh i never been on this site since... ever
      December 08, 2018, 01:36:16 AM
    • TinyScape: ur gay
      December 07, 2018, 09:03:26 PM
    • Travas: drub is gay
      December 02, 2018, 11:48:32 PM
    • drubrkletern: asdf
      November 27, 2018, 02:44:00 PM
    • Black Paw: TokHaar aims to give you the best OSRS features in Real High Definition with a mixture of 550 content! (Quality Driven RSPS) -- Come join us for → PvP, PvMing, Skilling, Prosperous Economy, Minigames/Bosses & Much more.. [link]
      November 21, 2018, 06:55:31 PM
    • i5hy: AllstarLegends - Oldschool Nostalgia @ Allstarlegends.eu Long Lasting server been around since 2013-2014
      November 21, 2018, 01:49:59 PM
    • lordvirius: Is there a mobile private server?
      November 21, 2018, 09:34:33 AM
    • Coldmedicine: FREE ADVERTISEMENT ON DISCORD
      November 20, 2018, 03:30:50 AM
    • Coldmedicine:[link]
      November 20, 2018, 03:30:42 AM
    • Coldmedicine: ...
      November 20, 2018, 03:24:02 AM
    • dylanwill: message me bros
      November 19, 2018, 04:49:29 PM
    • dylanwill: I got banned from runeserver
      November 19, 2018, 04:49:08 PM
    • Wayne.RSPS: TokHaar aims to give you the best OSRS features in Real High Definition with a mixture of 550 content! (Quality Driven RSPS) -- Come join us for → PvP, PvMing, Skilling, Prosperous Economy, Minigames/Bosses & Much more.. [link]
      November 16, 2018, 11:24:39 AM
    • Fridder: a q  p
      November 14, 2018, 02:16:21 PM

    Author Topic: Mandatory HTTPS!  (Read 14828 times)

    0 Members and 1 Guest are viewing this topic.

    OfflineMoparisthebest

    • Global Moderator
    • *****
    • *
    • Posts: 17,146
    • Thanks: +0/-0
      • View Profile
    Mandatory HTTPS!
    « on: October 23, 2015, 03:42:57 PM »
    MoparScape.org has supported TLS/HTTPS for years now, but I've finally flipped the switch and now it is mandatory.  I've also added it to the chrome preload list and enabled the Public-Key-Pins HPKP header so if you've visited the site before, your browser will not allow you to be man-in-the-middled.

    If you have any questions, go ahead and ask them, but you really shouldn't notice a difference except maybe a slight increase in speed. :)
    forum.moparisthebest.com
    You can have my gun when you pry it from my cold, dead hands.
    Linux users, we do it in the open.
    Runescape Gambling

    Offlinedoom_j

    • i like the company of men
    • Member
    • ****
    • *
    • Posts: 7,202
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #1 on: October 23, 2015, 03:45:00 PM »
    Great! Now both irc and site force it. NSA won't be able to read our chats about taking over the government and creating a new one based around the #mopar channel.
    [12:18:14 21:04:45]<<Tom>>i dont care about your rights
    [12:18:14 21:04:49] <<Tom>> you have NO RIGHTS
    Runescape Gambling

    Offlinet4

    • Member
    • ****
    • *
    • *
    • *
    • Posts: 6,798
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #2 on: October 23, 2015, 07:38:53 PM »
    i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
    Runescape Gambling

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #3 on: October 23, 2015, 07:52:42 PM »
    i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
    yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:

    Offlinet4

    • Member
    • ****
    • *
    • *
    • *
    • Posts: 6,798
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #4 on: October 23, 2015, 10:11:19 PM »
    i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
    yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:
    So you're suggesting that it should be up to the user to enable secure transmissions? What if the user makes a mistake or is unaware (not technically versed)? Why even run the plaintext service if the secure service doesn't generate that much overhead?

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #5 on: October 23, 2015, 11:52:55 PM »
    i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
    yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:
    So you're suggesting that it should be up to the user to enable secure transmissions?
    Yes, that is exactly what I'm saying. Or rather, users should be able to disable it if they wish. If the option is there, im pretty sure any modern browser will default to https.

    Offlinesini

    • Member
    • ****
    • *
    • *
    • Posts: 5,785
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #6 on: October 24, 2015, 12:46:24 AM »
    I thought HTTP 2.0 mandated that SSL be enforced.

    OfflineJustin Bieber

    • Member
    • ****
    • Posts: 2,941
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #7 on: October 24, 2015, 02:54:07 AM »
    Awesome

    OfflineGraham

    • Member
    • ****
    • *
    • Posts: 581
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #8 on: October 24, 2015, 05:09:57 AM »
    I thought HTTP 2.0 mandated that SSL be enforced.

    The spec doesn't, however, all major browsers only implement HTTP/2 over TLS.
    Code: Ruby
    1. s="s=%c%s%c;printf s,34,s,34,10%c";printf s,34,s,34,10

    OfflineLothy

    • Member
    • ****
    • *
    • *
    • Posts: 7,006
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #9 on: October 25, 2015, 01:48:03 AM »
    You guys who want it to be optional need to appreciate the benefits of HTTPS-everywhere internet. Namely the gross amount of noise created to assist in obscuring the transmissions of people living under less fortunate regimes.
    <&Speljohan_> i wouldnt want to live in a society where Mopman isnt monitored 24/7

    OfflineMoparisthebest

    • Global Moderator
    • *****
    • *
    • Posts: 17,146
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #10 on: October 26, 2015, 07:54:03 AM »
    For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

    Why?

    I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.
    forum.moparisthebest.com
    You can have my gun when you pry it from my cold, dead hands.
    Linux users, we do it in the open.

    OfflineBowser jr

    • Member
    • ****
    • Posts: 6,001
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #11 on: October 26, 2015, 08:15:21 AM »
    Soon Moparscape will be illegal under the current Cameron regime.

    OfflineJustin Bieber

    • Member
    • ****
    • Posts: 2,941
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #12 on: October 28, 2015, 04:17:51 AM »
    For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

    Why?

    I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.
    No one has an answer to that question because there is no valid answer. These people start with a shitty argument, maybe re-state the shitty argument a bit, make some jokes and/or personal attacks, and then just stop posting. I really don't understand their thought process.. maybe it's government brainwashing??

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #13 on: October 28, 2015, 08:27:01 PM »
    No one has an answer to that question because there is no valid answer. These people start with a shitty argument, maybe re-state the shitty argument a bit, make some jokes and/or personal attacks, and then just stop posting. I really don't understand their thought process.. maybe it's government brainwashing??
    Maybe it's Maybelline.


    For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

    Why?

    I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.
    Ok, you can ask "Why?", but the exact same can be asked about not supporting HTTP as a fallback. Why? Nobody is denying the upsides of HTTPS here. You can keep it enabled and it'll stay default. But still, I see absolutely no reason for this website (and I do use 'this' on purpose, because some websites should force https) to not offer http as an option if https is already enabled and default. As far as I can tell, there aren't any downsides, and it's a good fallback if for some reason we have a cert problem and everyone wont be able to view the site because "THIS CONNECTION IS UNTRUSTED"
    « Last Edit: October 28, 2015, 08:29:53 PM by Davidi2 »

    Offlinet4

    • Member
    • ****
    • *
    • *
    • *
    • Posts: 6,798
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #14 on: October 28, 2015, 11:32:37 PM »
    The expired cert problem is a webmaster problem, not a TLS problem. Also, I don't think the content of the data has any bearing of whether or not to implement and enforce security. I don't see any negatives of TLS.

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #15 on: October 29, 2015, 01:14:43 AM »
    Also, I don't think the content of the data has any bearing of whether or not to implement and enforce security.
    Really? I personally believe you need to factor in everything when you weigh the pros/cons of implementing any type of security. Not every worksite needs ID badges and fingerprint scanners if the benefit doesn't outweigh the hassle. Obviously when you deal with more sensitive information, you implement more security, no? We'll just assume you were speaking strictly about TLS though, because like it's been said the hassle is pretty low and probably wont be noticeable if everything goes as it should. So yes, I think it's fair to say there is no reason to not implement SSL.

    When you go from 'implement' to 'require' though, you have to reevaluate everything. You say "no negatives", but you listed one right there? If a cert expires, I don't really care whose problem it is, do I? Now it's my problem, because I can't access the website. Sure, it's not "directly" a negative of SSL, it's a negative of inattentiveness. Whatever. If only I had a HTTP version of the site to access in the meantime. So now we have one negative. We wont talk about any others because personally I don't know if the caching or ad-related mixed mode issues are still there. So now we weigh the benefits of enforcing TLS over allowing TLS, taking into account that it is used by default if available. What are those benefits? That's what I haven't heard yet, which why I am not yet convinced that the benefits of enforcing it outweigh even the slightest chance of something like an expired cert.


    As a side note, I was getting NGINX errors when trying to access the site early today. What was that?

    OfflineLothy

    • Member
    • ****
    • *
    • *
    • Posts: 7,006
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #16 on: October 29, 2015, 01:46:57 AM »
    Dude, if that's your one worry then don't sweat it - the current certificate won't expire until 2017.

    Stop prattling, it's unbecoming.
    <&Speljohan_> i wouldnt want to live in a society where Mopman isnt monitored 24/7

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #17 on: October 29, 2015, 01:57:49 AM »
    Hey, I said it was a slight chance. But even 0.00001 is greater than 0 if there's no benefit to enforcing over implementing it as a default. Which is what I'm asking about

    OfflineJustin Bieber

    • Member
    • ****
    • Posts: 2,941
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #18 on: October 29, 2015, 03:13:17 AM »
    Complaining about https because the cert might expire is like demanding a host support telnet because their ssh support is unreliable and sometimes doesn't let you login (man the 70s were great telnet always worked, none of this encryption shit). It might well be a real problem and you're within your rights to take it up with the host, but it would be foolish to downgrade to telnet.

    You're taking a very narrow minded view of this - as people have already stated in multiple topics, the reason for enforcement is that there's no reason for *any* website to support unencrypted comms in 2015. This isn't just about moparscape.

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #19 on: October 29, 2015, 03:56:30 AM »
    the reason for enforcement is that there's no reason for *any* website to support unencrypted comms in 2015.
    I guess I just disagree then. I see nothing wrong with supporting unencrypted comms in -insert year-, if that's what the client has explicitly requested. Whatever, it's done. I'm sure it wont actually cause problems, it's just a principle thing that I disagree with I guess.

     

    Copyright © 2017 MoparScape. All rights reserved.
    Powered by SMFPacks SEO Pro Mod |
    SimplePortal 2.3.5 © 2008-2012, SimplePortal