rugk

No formations IIRC. And yes, may also happen with rams and yeah, boats are also a very difficult thing for the pathfinder as it seems. So this is not limited to any specific object/animal/…, but rather a general problem with the pathfinder… Sometimes also other things just "got stuck" somewhere or so. Such donkeys!

IMHO the pathfinder is still not that good. E.g. here I ordered the elephants just to go through the fence, but for some reason some (or, at least, one) turned back, went away, turned again and only got through the fence afterwards. (I did not manually order that, this was done "automatically"). The same thing seems to happen when the bigger group of elephants cannot go through the houses. They go back again and try again. This looks really silly… BTW: Why cannot I use (Unicode) emojis here? (Wanted to use :elephant:…) elephantsThroughDoor.webm

v0.22 Sometime after starting a single- or multiplayer game 0ad just freeze (black screen, sometimes I can still move the mouse pointer). I think this did not happen with previous releases (v0.21), but I am not that sure. In any case it seems to happen more frequently in Wayland (or, as you likely use X.org, with xwayland). So using X.org as a desktop system prevents these freezes. It seems not to freeze. Linux/Fedora 26 (Linux 4.11.11-300.fc26.x86_64) 0ad 0.0.22-1.fc26 nouveau Gallium 0.4 on NVD9 3.0 Mesa 17.1.5; OpenGL 3.0 Mesa 17.1.5 BTW: Generally Wayland-compatibility would be nice.

Again about HTTPS: What's possibly even more important to properly secure with HTTPS is the data collected in the game, whcih is (as I assume) send to http://feedback.wildfiregames.com/. So when will we have HTTPS for this subdomain too and when will it be used with HTTPS in the game?

Okay, but that this is not needed is not true. Because especially if you do not use HSTS HTTPS Everywhere still protects against SSL stripping. HSTS is basically just a HTTP header. And if I understand it correctly OpenLiteSpeed also uses Apache config files and there are many guides how to add a (HSTS) header in Apache. Also for only serving it via HTTPS (which is recommend anyway, because HSTS headers served over HTTP are ignored by clients anyway). Although TLS is indeed fast, especially if you also support HTTP/2 like you do I understand that you may not want to serve your releases over HTTPS by default. As for HTTPS Everywhere users they'll get them over HTTPS (as they use this extension, it seems useful). The purpose of serving binaries over HTTPS is simple: Integrity. Because HTTPS does not only prevent eavesdropping on the traffic, but also makes sure the integrity of the packages is guaranteed. This means with HTTPS an attacker cannot modify the binary. So I would at least recommend to put the hash (SHA-1 and preferable SHA-256) on the (HTTPS) download site, so that the user can verify the (HTTP) download manually. I just rescanned and it is still there: E.g. in this thread there is this smiley: http://www.wildfiregames.com/forum/uploads//emoticons/default_smile.png It seems that all smileys inserted before the forum relaunch are still HTTP links... BTW on this page there is another mixed content: The social media icons, e.g.: http://www.wildfiregames.com/0ad/images/new_icons/facebook.png are served over HTTP. FYI if you cannot rewrite all links or it is to difficult there is a "workaround" by using the CSP header. It does not really matter. All the smileys are the default, old forum-smileys... But I can live with them...

So I've created the rulesets for HTTPS Everýwhere. Please let me know if a domain or subdomain, which supports HTTPS, is missing from them. As for the HTTPS config in general I'd like to point some things out: As already mentioned in this thread you could send the HSTS header. This would also give you an A+ at SSLLabs. Adding the HSTS header also does not mean you have to serve your entire domain (*.wildfiregames.com and *.play0ad.com e.g.) over HTTPS. This is only the case if you include the "includeSubDomains" option. If you leave this option out the header is only valid for the visited domain. The links to your releases (releases.wildfiregames.com) are still HTTP links. At least the one to the windows installer I checked. SSLLabs also reports you have some issues with Session resumption (caching): No (IDs assigned but not accepted) Fixing this should make all HTTPS connection faster. The emoticons cause mixed content issues as they are tried to load over HTTP. Also nice you support HTTP/2 BTW. The only thing, which looks quite bad IMHO are the smileys. Especially when you compare them to the rest of the forum design they look very outdated...

Oh, you switched to HTTPS without telling me. Anyway nice!

FYI LE is in the public beta now! https://letsencrypt.org/2015/12/03/entering-public-beta.html And the certs are trusted by all major browsers already, so you can now easily get your cert.

A feature which I know from Age of Empires I think is missing: Patrolling of units. It would be nice if such a feature could be implemented, so that you can order instruct a unit to patrol from one place to another (and back again obviously).

Yes the price of many CAs is really bad. But there are some which offer free certificates. Besides Let's Encrypt also StartSSL or WoSign are known to me.

I think it would be good if you could provide HTTPS on the websites. And as you can even get free SSL certificates from CAs like Startcom (Startssl) or Let's Encrypt, which will be available soon, it should be even possible without any extra costs. There are some things you could protect from modification and interception: user passwords and session keys (on this forum)binary downloads/instructions for downloading (If you don't want to offer HTTPS binary downloads you can also just print a hash on an HTTPS site anddonation instructions/links (to be sure your donations arrive correctly, ...)the system information submitted by 0 A.D. (I did not tested it but I assume it just uses a normal HTTP connection)and of course you would have more advantages