Welcome, guest! Please login or register.

    * Shoutbox

    RefreshHistory
    • Riskdemon:[link] Varrock OSRS RSPS releasing May 22nd! Discord link provided!
      May 18, 2019, 11:43:14 PM
    • violence.:[link] Most addictive RSPS brand new just opend free m box to every new player
      May 18, 2019, 08:07:04 PM
    • LukrativeHD: Zenyte, the most anticipated RSPS of 2019! The server has been in development for over 2 years! Zenyte will be launching on June 7, 2019! Join our huge community on discord : [link]
      May 17, 2019, 11:18:39 AM
    • SnowRSPS: **Snow-PS | Custom & Improved RSPS | FREE $5 Scroll | Daily Giveaways, Updates & MORE!** **Site:** **<https://SnowRSPS.com><https://Snowscape.net>** **Discord:** [link] ```HTTP |FREE TO PLAY| -317 loading 602 graphics -GambleBots Fully Coded -Fullscreen -Prestige -AutoTrivia -AutoDonations -Custom ::NewHome -50+ Bosses -Unique Pets -Working Skills -Daily Giveaways -10+ Websites -(SnowPS.org|Snow317.com|& MANY MORE) -Staff Needed Always -Super Friendly Community -& We like to Update Weekly HOPE YOU COME N ENJOY! ``` **Facebook:**<https://facebook.com/snowrsps2012>
      May 16, 2019, 06:36:31 PM
    • PalidinoDH:[link]
      May 14, 2019, 10:53:37 PM
    • Coder Nick: ancientisle . com new OSRS server with heaps of content! raids etc!
      May 14, 2019, 04:19:55 AM
    • aXo: Are there any "vanilla" servers for the current OSRS style? Like, servers including tutorial island and all that, without much in the way of ridiculous customs and portals
      May 12, 2019, 05:28:13 PM
    • PavSwag: BRAND NEW RSPS AUTOSCAPE,ORG FREE MBOX WHEN YOU GET 99
      May 10, 2019, 03:28:22 PM
    • Blasta: Hey im available for staff positions want my discord? robzzd#1501
      May 08, 2019, 09:29:13 PM
    • Coder Nick: Brand new rsps ancientisle . com need players and staff!
      May 07, 2019, 09:42:54 PM
    • IceDynasty: LOG IN NOW FOR FREE DONOR! 4 GUYS ON LIMAS-SCAPE
      May 07, 2019, 06:53:08 PM
    • IceDynasty: [youtube]KJNP6Mpg09A[/youtube] CHECK NEW 614 RSPS
      May 07, 2019, 06:24:21 PM
    • Smokey_:[link]
      May 04, 2019, 08:37:40 PM
    • Smokey_: New toplists with unique incentive review system that requires no external libraries in an easy to use plug n play system
      May 04, 2019, 08:37:35 PM
    • dan v jad:[link]  Join us on Discord! [link]  Real OS Server - #178 Data
      May 04, 2019, 11:44:19 AM
    • PavSwag: Try out OSRS brand new server need STAFF autoscape,0RG
      May 04, 2019, 03:48:02 AM
    • Chassy13: this site is dead
      May 01, 2019, 04:50:57 PM
    • Shadowspkin: Cant believe this sites still alive. @Gerrjat email me at [link] if you want
      May 01, 2019, 10:15:22 AM
    • Gerrjat 360: currently looking for developers!
      April 30, 2019, 01:01:37 AM
    • Smokey_: New toplist with unbreakable unspammable incentive review program: Website:  [link] Discord: [link] We have toplists for any type of service and reviews are star rating based and can leave comments (optional) and stackoverflow style help sections where questions/answers can be upvoted and downvoted and unique search options
      April 28, 2019, 06:25:00 PM

    Author Topic: Mandatory HTTPS!  (Read 15254 times)

    0 Members and 1 Guest are viewing this topic.

    OfflineMoparisthebest

    • Global Moderator
    • *****
    • *
    • Posts: 17,146
    • Thanks: +0/-0
      • View Profile
    Mandatory HTTPS!
    « on: October 23, 2015, 03:42:57 PM »
    MoparScape.org has supported TLS/HTTPS for years now, but I've finally flipped the switch and now it is mandatory.  I've also added it to the chrome preload list and enabled the Public-Key-Pins HPKP header so if you've visited the site before, your browser will not allow you to be man-in-the-middled.

    If you have any questions, go ahead and ask them, but you really shouldn't notice a difference except maybe a slight increase in speed. :)
    forum.moparisthebest.com
    You can have my gun when you pry it from my cold, dead hands.
    Linux users, we do it in the open.
    Runescape Gambling

    Offlinedoom_j

    • i like the company of men
    • Member
    • ****
    • *
    • Posts: 7,202
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #1 on: October 23, 2015, 03:45:00 PM »
    Great! Now both irc and site force it. NSA won't be able to read our chats about taking over the government and creating a new one based around the #mopar channel.
    [12:18:14 21:04:45]<<Tom>>i dont care about your rights
    [12:18:14 21:04:49] <<Tom>> you have NO RIGHTS
    Runescape Gambling

    Offlinet4

    • Member
    • ****
    • *
    • *
    • *
    • Posts: 6,798
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #2 on: October 23, 2015, 07:38:53 PM »
    i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
    Runescape Gambling

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #3 on: October 23, 2015, 07:52:42 PM »
    i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
    yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:

    Offlinet4

    • Member
    • ****
    • *
    • *
    • *
    • Posts: 6,798
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #4 on: October 23, 2015, 10:11:19 PM »
    i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
    yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:
    So you're suggesting that it should be up to the user to enable secure transmissions? What if the user makes a mistake or is unaware (not technically versed)? Why even run the plaintext service if the secure service doesn't generate that much overhead?

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #5 on: October 23, 2015, 11:52:55 PM »
    i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
    yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:
    So you're suggesting that it should be up to the user to enable secure transmissions?
    Yes, that is exactly what I'm saying. Or rather, users should be able to disable it if they wish. If the option is there, im pretty sure any modern browser will default to https.

    Offlinesini

    • Member
    • ****
    • *
    • *
    • Posts: 5,785
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #6 on: October 24, 2015, 12:46:24 AM »
    I thought HTTP 2.0 mandated that SSL be enforced.

    OfflineJustin Bieber

    • Member
    • ****
    • Posts: 2,941
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #7 on: October 24, 2015, 02:54:07 AM »
    Awesome

    OfflineGraham

    • Member
    • ****
    • *
    • Posts: 581
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #8 on: October 24, 2015, 05:09:57 AM »
    I thought HTTP 2.0 mandated that SSL be enforced.

    The spec doesn't, however, all major browsers only implement HTTP/2 over TLS.
    Code: Ruby
    1. s="s=%c%s%c;printf s,34,s,34,10%c";printf s,34,s,34,10

    OfflineLothy

    • Member
    • ****
    • *
    • *
    • Posts: 7,006
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #9 on: October 25, 2015, 01:48:03 AM »
    You guys who want it to be optional need to appreciate the benefits of HTTPS-everywhere internet. Namely the gross amount of noise created to assist in obscuring the transmissions of people living under less fortunate regimes.
    <&Speljohan_> i wouldnt want to live in a society where Mopman isnt monitored 24/7

    OfflineMoparisthebest

    • Global Moderator
    • *****
    • *
    • Posts: 17,146
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #10 on: October 26, 2015, 07:54:03 AM »
    For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

    Why?

    I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.
    forum.moparisthebest.com
    You can have my gun when you pry it from my cold, dead hands.
    Linux users, we do it in the open.

    OfflineBowser jr

    • Member
    • ****
    • Posts: 6,001
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #11 on: October 26, 2015, 08:15:21 AM »
    Soon Moparscape will be illegal under the current Cameron regime.

    OfflineJustin Bieber

    • Member
    • ****
    • Posts: 2,941
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #12 on: October 28, 2015, 04:17:51 AM »
    For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

    Why?

    I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.
    No one has an answer to that question because there is no valid answer. These people start with a shitty argument, maybe re-state the shitty argument a bit, make some jokes and/or personal attacks, and then just stop posting. I really don't understand their thought process.. maybe it's government brainwashing??

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #13 on: October 28, 2015, 08:27:01 PM »
    No one has an answer to that question because there is no valid answer. These people start with a shitty argument, maybe re-state the shitty argument a bit, make some jokes and/or personal attacks, and then just stop posting. I really don't understand their thought process.. maybe it's government brainwashing??
    Maybe it's Maybelline.


    For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

    Why?

    I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.
    Ok, you can ask "Why?", but the exact same can be asked about not supporting HTTP as a fallback. Why? Nobody is denying the upsides of HTTPS here. You can keep it enabled and it'll stay default. But still, I see absolutely no reason for this website (and I do use 'this' on purpose, because some websites should force https) to not offer http as an option if https is already enabled and default. As far as I can tell, there aren't any downsides, and it's a good fallback if for some reason we have a cert problem and everyone wont be able to view the site because "THIS CONNECTION IS UNTRUSTED"
    « Last Edit: October 28, 2015, 08:29:53 PM by Davidi2 »

    Offlinet4

    • Member
    • ****
    • *
    • *
    • *
    • Posts: 6,798
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #14 on: October 28, 2015, 11:32:37 PM »
    The expired cert problem is a webmaster problem, not a TLS problem. Also, I don't think the content of the data has any bearing of whether or not to implement and enforce security. I don't see any negatives of TLS.

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #15 on: October 29, 2015, 01:14:43 AM »
    Also, I don't think the content of the data has any bearing of whether or not to implement and enforce security.
    Really? I personally believe you need to factor in everything when you weigh the pros/cons of implementing any type of security. Not every worksite needs ID badges and fingerprint scanners if the benefit doesn't outweigh the hassle. Obviously when you deal with more sensitive information, you implement more security, no? We'll just assume you were speaking strictly about TLS though, because like it's been said the hassle is pretty low and probably wont be noticeable if everything goes as it should. So yes, I think it's fair to say there is no reason to not implement SSL.

    When you go from 'implement' to 'require' though, you have to reevaluate everything. You say "no negatives", but you listed one right there? If a cert expires, I don't really care whose problem it is, do I? Now it's my problem, because I can't access the website. Sure, it's not "directly" a negative of SSL, it's a negative of inattentiveness. Whatever. If only I had a HTTP version of the site to access in the meantime. So now we have one negative. We wont talk about any others because personally I don't know if the caching or ad-related mixed mode issues are still there. So now we weigh the benefits of enforcing TLS over allowing TLS, taking into account that it is used by default if available. What are those benefits? That's what I haven't heard yet, which why I am not yet convinced that the benefits of enforcing it outweigh even the slightest chance of something like an expired cert.


    As a side note, I was getting NGINX errors when trying to access the site early today. What was that?

    OfflineLothy

    • Member
    • ****
    • *
    • *
    • Posts: 7,006
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #16 on: October 29, 2015, 01:46:57 AM »
    Dude, if that's your one worry then don't sweat it - the current certificate won't expire until 2017.

    Stop prattling, it's unbecoming.
    <&Speljohan_> i wouldnt want to live in a society where Mopman isnt monitored 24/7

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #17 on: October 29, 2015, 01:57:49 AM »
    Hey, I said it was a slight chance. But even 0.00001 is greater than 0 if there's no benefit to enforcing over implementing it as a default. Which is what I'm asking about

    OfflineJustin Bieber

    • Member
    • ****
    • Posts: 2,941
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #18 on: October 29, 2015, 03:13:17 AM »
    Complaining about https because the cert might expire is like demanding a host support telnet because their ssh support is unreliable and sometimes doesn't let you login (man the 70s were great telnet always worked, none of this encryption shit). It might well be a real problem and you're within your rights to take it up with the host, but it would be foolish to downgrade to telnet.

    You're taking a very narrow minded view of this - as people have already stated in multiple topics, the reason for enforcement is that there's no reason for *any* website to support unencrypted comms in 2015. This isn't just about moparscape.

    OfflineDavidi2

    • Member
    • ****
    • *
    • Posts: 23,272
    • Thanks: +0/-0
      • View Profile
    Re: Mandatory HTTPS!
    « Reply #19 on: October 29, 2015, 03:56:30 AM »
    the reason for enforcement is that there's no reason for *any* website to support unencrypted comms in 2015.
    I guess I just disagree then. I see nothing wrong with supporting unencrypted comms in -insert year-, if that's what the client has explicitly requested. Whatever, it's done. I'm sure it wont actually cause problems, it's just a principle thing that I disagree with I guess.

     

    Copyright © 2017 MoparScape. All rights reserved.
    Powered by SMFPacks SEO Pro Mod |
    SimplePortal 2.3.5 © 2008-2012, SimplePortal