implodedok (Author) Posted February 6, 2016
On 2/4/2016 at 7:31 PM, fabio said: The web server should rewrite http URLs into https. This is apparently done by the forum, but this is not enough and causes some issues, e.g. the meetinglogs dir, but also some links on the forum sometimes wrongly behave.
What are the issues here exactly? I just accessed & browsed the meetinglogs dir and it all seems to work fine. If there are problems with some links, please specify what exactly the problems are and with which links.
On 2/5/2016 at 3:40 PM, fabio said: It will also need a special rule for the wildfiregames.com domain, someone should submit it to the EFF! And the web server should also set HTTP Strict Transport Security. It is really simple to set up and, together with the http->https rewrite, the proper thing to do when you want to serve your domain only with https.
We don't want to serve our entire domain with exclusively https currently. For now it's enabled by default for the forums and for the 0 A.D. website, since those run web applications that handle user logins. Everything else doesn't force https currently. This may change in the future, but is not a priority and requires some further testing and evaluation.
On 2/5/2016 at 3:10 PM, niektb said: I'm getting 400 errors (Bad Request). Refreshing the page resolves it most of the time but it happens fairly often (and it's a tad annoying). It might be related to my logout issues.
This is a strange issue. I haven't experienced this myself, nor do I have problems staying logged in to the forums. Could this be related to virus scanners, firewall software or browser plugins?
Lion.Kanzen Posted February 7, 2016
I can confirm this in iOS Safari, about logging out. I'm not sure if it is a security behavior, maybe.
Itms Posted February 7, 2016
I confirm that I got the same problems as niektb had, and I fixed them by making my bookmarks "https://wildfiregames.com/foo" instead of "wildfiregames.com/foo".
rugk Posted February 14, 2016
So I've created the rulesets for HTTPS Everywhere. Please let me know if a domain or subdomain which supports HTTPS is missing from them.
As for the HTTPS config in general I'd like to point some things out:
As already mentioned in this thread you could send the HSTS header. This would also give you an A+ at SSLLabs. Adding the HSTS header also does not mean you have to serve your entire domain (*.wildfiregames.com and *.play0ad.com e.g.) over HTTPS. This is only the case if you include the "includeSubDomains" option. If you leave this option out the header is only valid for the visited domain.
The links to your releases (releases.wildfiregames.com) are still HTTP links. At least the one to the Windows installer I checked.
SSLLabs also reports you have some issues with "Session resumption (caching): No (IDs assigned but not accepted)". Fixing this should make all HTTPS connections faster.
The emoticons cause mixed content issues as the forum tries to load them over HTTP.
Also nice that you support HTTP/2, BTW.
The only things which look quite bad IMHO are the smileys. Especially when you compare them to the rest of the forum design they look very outdated...
implodedok (Author) Posted February 15, 2016
10 hours ago, rugk said: So I've created the rulesets for HTTPS Everywhere. Please let me know if a domain or subdomain which supports HTTPS is missing from them.
Nothing is missing as far as I know, but these rulesets are not needed. Currently the forums redirect to https automatically, and so does play0ad.com. When we're ready, we'll do the same with other websites and/or subdomains.
10 hours ago, rugk said: As already mentioned in this thread you could send the HSTS header. This would also give you an A+ at SSLLabs. Adding the HSTS header also does not mean you have to serve your entire domain (*.wildfiregames.com and *.play0ad.com e.g.) over HTTPS. This is only the case if you include the "includeSubDomains" option. If you leave this option out the header is only valid for the visited domain.
I have no idea how to do this with OpenLiteSpeed (the web server we're using). I will look into this later, but this is not high on my priority list.
10 hours ago, rugk said: The links to your releases (releases.wildfiregames.com) are still HTTP links. At least the one to the Windows installer I checked.
This is on purpose. Using SSL for the downloads could have a huge impact on the webserver, especially when a new release comes out and there are lots of downloads. Besides, I honestly don't see the point in encrypting file downloads that are publicly available anyway. I understand there's quite a hype around making everything https, but I do want to use our available resources as efficiently as possible.
10 hours ago, rugk said: SSLLabs also reports you have some issues with "Session resumption (caching): No (IDs assigned but not accepted)". Fixing this should make all HTTPS connections faster.
I don't see it. Session resumption (caching): Yes
10 hours ago, rugk said: The emoticons cause mixed content issues as the forum tries to load them over HTTP.
You'd have to tell me where this is happening, so I can investigate. You can check the link of this emoticon: it is https.
10 hours ago, rugk said: The only things which look quite bad IMHO are the smileys. Especially when you compare them to the rest of the forum design they look very outdated...
Do you mean the default smileys under "overview" or the extensive library that's shown when you open the "emoticons" category? If the latter, then yes, I agree.
rugk Posted February 15, 2016
2 hours ago, implodedok said: Nothing is missing as far as I know, but these rulesets are not needed.
Okay, but it is not true that this is not needed, because especially if you do not use HSTS, HTTPS Everywhere still protects against SSL stripping.
2 hours ago, implodedok said: I have no idea how to do this with OpenLiteSpeed (the web server we're using). I will look into this later, but this is not high on my priority list.
HSTS is basically just an HTTP header. And if I understand it correctly OpenLiteSpeed also uses Apache config files, and there are many guides on how to add a (HSTS) header in Apache. Also for only serving it via HTTPS (which is recommended anyway, because HSTS headers served over HTTP are ignored by clients anyway).
2 hours ago, implodedok said: purpose. Using SSL for the downloads could have a huge impact on the webserver, especially when a new release comes out and there are lots of downloads. Besides, I honestly don't see the point in encrypting file downloads that are publicly available anyway. I understand there's quite a hype around making everything https, but I do want to use our available resources as efficiently as possible.
Although TLS is indeed fast, especially if you also support HTTP/2 like you do, I understand that you may not want to serve your releases over HTTPS by default. As for HTTPS Everywhere users, they'll get them over HTTPS (as they use this extension, it seems useful). The purpose of serving binaries over HTTPS is simple: integrity. Because HTTPS does not only prevent eavesdropping on the traffic, but also makes sure the integrity of the packages is guaranteed. This means with HTTPS an attacker cannot modify the binary. So I would at least recommend putting the hash (SHA-1 and preferably SHA-256) on the (HTTPS) download site, so that the user can verify the (HTTP) download manually.
2 hours ago, implodedok said: I don't see it. Session resumption (caching): Yes
I just rescanned and it is still there:
2 hours ago, implodedok said: You'd have to tell me where this is happening, so I can investigate. You can check the link of this emoticon: it is https.
E.g. in this thread there is this smiley: http://www.wildfiregames.com/forum/uploads//emoticons/default_smile.png It seems that all smileys inserted before the forum relaunch are still HTTP links... BTW on this page there is another mixed content issue: the social media icons, e.g. http://www.wildfiregames.com/0ad/images/new_icons/facebook.png are served over HTTP. FYI if you cannot rewrite all links or it is too difficult there is a "workaround" by using the CSP header.
3 hours ago, implodedok said: Do you mean the default smileys under "overview" or the extensive library that's shown when you open the "emoticons" category? If the latter, then yes, I agree.
It does not really matter. All the smileys are the default, old forum smileys... But I can live with them...
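An added checker (not code from the thread or from the forum software) for the two points rugk raises above: whether an HSTS policy sent by wildfiregames.com would also force https for a subdomain such as releases.wildfiregames.com (only with includeSubDomains), and which subresources of a page would be loaded as mixed content. The sample HTML is constructed; its two http:// image URLs are the ones quoted in the post.

```python
from html.parser import HTMLParser

# Tags whose http:// src/href is fetched as a subresource and therefore counts
# as mixed content on an https page; a plain <a href> is only a link.
SUBRESOURCE_TAGS = {"img", "script", "link", "iframe", "audio", "video", "source"}

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_covers(policy, policy_host, request_host):
    """Would a browser that stored `policy` from policy_host force https for request_host?"""
    if not policy["max_age"]:  # no max-age, or max-age=0 (policy cleared)
        return False
    if request_host == policy_host:
        return True
    return policy["include_subdomains"] and request_host.endswith("." + policy_host)

class MixedContentFinder(HTMLParser):
    """Collect the subresources an https page would try to load over plain http."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCE_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href") and value and value.lower().startswith("http://"):
                self.insecure.append((tag, value))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure

# Constructed sample page: the two http:// image URLs are the ones quoted in the thread.
SAMPLE_HTML = """
<img src="https://wildfiregames.com/forum/uploads/emoticons/default_smile.png">
<img src="http://www.wildfiregames.com/forum/uploads//emoticons/default_smile.png">
<a href="http://releases.wildfiregames.com/">download</a>
<img src="http://www.wildfiregames.com/0ad/images/new_icons/facebook.png">
"""
```

The CSP workaround rugk mentions is the `upgrade-insecure-requests` directive, which makes browsers fetch such http:// subresources over https instead of blocking or warning about them.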
Lion.Kanzen Posted February 17, 2016
I can't edit a post... it says "required".
feneur Posted February 17, 2016
It's really hard to tell anything from that screenshot, but it looks like you might have had a post that only consists of a quote, maybe that is what's wrong? I.e. there needs to be more text than just a quote. It's better to split up the quote and reply to the different parts individually anyway -- it can be really hard to tell what is the comment and what is the reply when someone is replying within a comment. If what you were doing was something else, then please post more information since it's hard to tell, especially when the keyboard hides half the post.
Lion.Kanzen Posted February 17, 2016 (edited)
7 hours ago, feneur said: It's really hard to tell anything from that screenshot, but it looks like you might have had a post that only consists of a quote, maybe that is what's wrong? I.e. there needs to be more text than just a quote. It's better to split up the quote and reply to the different parts individually anyway -- it can be really hard to tell what is the comment and what is the reply when someone is replying within a comment. If what you were doing was something else, then please post more information since it's hard to tell, especially when the keyboard hides half the post.
I solved it, but it doesn't let me edit my reply, because when I try to save changes it says "required". I link the post where I have this problem. The problem was presented in a quote like this; I'm not sure if it was because I modified the true quote, and the problem appears only on my iPad. I solved it in my PC browser. Here is the link.
Edited February 17, 2016 by Lion.Kanzen
Lion.Kanzen Posted February 17, 2016
It happened again, but this time it let me reply (I'm on a computer).
feneur Posted February 17, 2016
5 minutes ago, Lion.Kanzen said: It happened again, but this time it let me reply (I'm on a computer).
Ah, that's just to tell you that there needs to be something there, you should still be able to edit the post and click save. If that doesn't work, then there is an issue, but if it's just the message everything is fine.
Lion.Kanzen Posted February 17, 2016
On my iPad it doesn't let me, but on my computer I can. Another problem starts when I try to copy something: my iPad copies the entire page, so I try to delete it. When I solved that little issue and started to write a reply outside the quote box, it didn't let me send my reply and said it is required, so... What is missing? The warning needs to be more specific: yes, I see something is required, but what is that thing? All looks fine, and why does my Safari browser not let me while Firefox on my computer lets me reply? As you see in the picture, all looks fine.
rugk Posted February 19, 2016
Again about HTTPS: What's possibly even more important to properly secure with HTTPS is the data collected in the game, which is (as I assume) sent to http://feedback.wildfiregames.com/. So when will we have HTTPS for this subdomain too, and when will it be used with HTTPS in the game?
Lion.Kanzen Posted February 27, 2016
How can I tag someone else?
feneur Posted February 27, 2016
You write an @ symbol, then a space, followed by their username. It seems a bit hard to get to work all times, but if you get a list of names popping up after you have written the @ and a space it is working. It seems as if it only occurs in some cases, after commas and after some words. Not really sure.
Lion.Kanzen Posted February 27, 2016
Ok, now it is clear. Thank you Feneur. (It is an awesome feature.) Now it is not highly needed to quote somebody.
niektb Posted June 14, 2016
I noticed that the wiki (on Trac) links to the forum still use HTTP instead of HTTPS. (Redirecting to https seems to go alright though.)
feneur Posted June 14, 2016
As far as I know only Philip can change that for now.
Stan` Posted June 14, 2016
See http://trac.wildfiregames.com/ticket/1000. It was closed as the forum now uses https, but trac still doesn't.
feneur Posted June 15, 2016
That's not it Stan :-) This issue is that the links on Trac to the forums aren't updated to the https:// ones :-)
Stan` Posted June 15, 2016 (edited)
Well, since trac is not https I don't see how they could?
EDIT: Ah, my bad X)
Edited June 15, 2016 by stanislas69
Lion.Kanzen Posted July 21, 2017
It can be nice if a report can bring down a topic. The Age of Empires forums have a nice system where users can report and take down a spammer or a "joker" (not the Batman enemy). I can post images of how it works.
Lion.Kanzen Posted February 1, 2018 (edited)
I saw this in the AoE forum; they have a lot of bots attacking, spamming fake content like black magic and stuff like that. So a user suggested this.
Quote: They really need a captcha or equivalent to be passed before posts are submitted. Something like what I attached would be perfect. It isn't known exactly how they work, but people are pretty sure it analyzes past user behavior/mouse movement to prove legitimacy of the poster. Genuine (i.e. human) mouse behavior is quite difficult to fake. (attachment: Recaptcha_anchor@2x.gif)
Are we implementing this?
Edited February 1, 2018 by Lion.Kanzen
Stan` Posted November 23, 2018
If we implement this we will lose all people who disabled JavaScript in their browser. Also Google.
Feldfeld Posted November 23, 2018
Also, I need to tick the images literally every time; I don't want a tool that makes me lose time on top of regularly reminding me that I don't have human behaviour.