retro-kit.co.uk has gone SSL

paulv
Posts: 3606
Joined: Tue Jan 25, 2011 6:37 pm
Location: Leicestershire

retro-kit.co.uk has gone SSL

Postby paulv » Wed Nov 08, 2017 4:02 pm

With Google Chrome and all the other browsers moving towards the target of forcing all sites to have some form of SSL on them even if it's just got a simple contact form on it, I've upgraded my site to SSL.

I've put a couple of URL re-write rules into place so all non-SSL links should still work but if there's anything anyone spots or there are links that now break, please do let me know and I'll be sure to fix things so the old links still work.

Starting October 2017, Chrome (version 62) will show a 'NOT SECURE' warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.

The following URLs on your site include text input fields (such as < input type="text" > or < input type="email" >) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.


Paul
Last edited by paulv on Wed Nov 08, 2017 5:17 pm, edited 1 time in total.

vanekp
Posts: 342
Joined: Thu Nov 30, 2000 7:09 am
Location: The Netherlands

Re: retro-kit.co.uk has gone SSL

Postby vanekp » Wed Nov 08, 2017 4:51 pm

Interesting site :wink:

1024MAK
Posts: 6793
Joined: Mon Apr 18, 2011 4:46 pm
Location: Looking forward to summer in Somerset, UK...

Re: retro-kit.co.uk has gone SSL

Postby 1024MAK » Wed Nov 08, 2017 11:00 pm

paulv wrote:With Google Chrome and all the other browsers moving towards the target of forcing all sites to have some form of SSL on them even if it's just got a simple contact form on it, I've upgraded my site to SSL.

I've put a couple of URL re-write rules into place so all non-SSL links should still work but if there's anything anyone spots or there are links that now break, please do let me know and I'll be sure to fix things so the old links still work.

Starting October 2017, Chrome (version 62) will show a 'NOT SECURE' warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.

The following URLs on your site include text input fields (such as < input type="text" > or < input type="email" >) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.


Paul

Seems a bit O.T.T. when a user could just be entering a publicly visible comment... or entering non-private data for a survey, or a million other things where there is no log-in, no name, and no other personal details...
Not that I care, as nothing I use has Chrome and I tend to ignore other people that like to tell me what to do, let alone a computer that is supposed to be under my control...

Okay, so who's gonna hack Chrome to display a more useful message?

Mark
For a "Complete BBC Games Archive" visit www.bbcmicro.co.uk NOW!
BeebWiki‬ - for answers to many questions...

BigEd
Posts: 1497
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: retro-kit.co.uk has gone SSL

Postby BigEd » Wed Nov 08, 2017 11:07 pm

...and all the other browsers...

It's not just Chrome! It's a bit of extra work for people who run forums and websites, but I think it's a good idea. We, the people, want to be able to trust that our device is reaching the website we intend to reach, always, and that the data we exchange arrives in the same state it was sent. No eavesdropping, no leakage, no injection, no falsification. This is a step in that direction.

sweh
Posts: 1847
Joined: Sat Mar 10, 2012 12:05 pm
Location: New York, New York

Re: retro-kit.co.uk has gone SSL

Postby sweh » Thu Nov 09, 2017 1:44 am

My site uses TLS; I wrote a rationale why at https://www.sweharris.org/post/2016-05- ... webserver/

Why use TLS at all? Isn’t this just paranoia? Unfortunately not; if you are on a mobile network or using a WiFi hotspot then the network, itself, may insert adverts into the browser; Verizon have added tracking cookies on their mobile network.

By using TLS you are helping to prevent this, and so give your users the site you want them to see, untampered by third party injected adverts. It also helps protect your users from malware that has hit major Ad networks.


"TLS all the things" :-)
Rgds
Stephen

sweh
Posts: 1847
Joined: Sat Mar 10, 2012 12:05 pm
Location: New York, New York

Re: retro-kit.co.uk has gone SSL

Postby sweh » Thu Nov 09, 2017 1:52 am

For people going down the TLS path, there's a good test site at https://www.ssllabs.com/ssltest which can validate your config is strong, and you're not running broken TLS setups. retro-kit.co.uk scores an A grade; not quite an A+ but still very good!

There's also other things you can add ("Security Headers") to the http response that'll help the browser be secure. It can do things like tell the browser "always use TLS when connecting to this site". They can be checked at https://securityheaders.io - unfortunately none of them are set for retro-kit.co.uk
Rgds
Stephen
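
As an added example (not code from this thread, from retro-kit.co.uk or from the test sites Stephen links), the following Python script checks the two things discussed so far: that a plain-HTTP request is redirected to the same path over HTTPS, which is what Paul's rewrite rules aim at, and that the HTTPS response carries the security headers a checker like securityheaders.io looks for, including the HSTS header that tells the browser "always use TLS when connecting to this site". Both HTTP responses inside the script are constructed samples rather than captures from any real site, and MIN_HSTS_AGE is an assumed baseline for this example, not a figure the thread gives.

```python
"""Audit an HTTPS redirect and the security headers of a response.

Added example, not code from the forum thread. The two responses below are
constructed to stand in for what a site could send; they are not captured
from retro-kit.co.uk. MIN_HSTS_AGE is an assumed baseline.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample 1: a plain-HTTP request answered by a permanent redirect.
HTTP_REDIRECT_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://retro-kit.co.uk/bbc/index.html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample 2: an HTTPS page with a partial, partly weak header set.
HTTPS_PAGE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html><body>constructed page body</body></html>"
)

MIN_HSTS_AGE = 15552000  # 180 days; an assumed baseline for this example


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_https_redirect(request_url, raw_response):
    """True when a plain-HTTP request is permanently redirected to the same
    host and path over HTTPS (the job of an HTTP-to-HTTPS rewrite rule)."""
    status, headers, _ = parse_response(raw_response)
    if status not in (301, 308):
        return False
    expected = urlunsplit(urlsplit(request_url)._replace(scheme="https"))
    return headers.get("location") == expected


def parse_hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_security_headers(headers):
    """Return {header: (ok, note)} for the headers discussed in the thread.
    X-XSS-Protection is left out: it is a legacy header that current
    browsers no longer honour."""
    result = {}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        result["strict-transport-security"] = (False, "missing: nothing pins the browser to TLS")
    else:
        age = parse_hsts_max_age(hsts)
        result["strict-transport-security"] = (age is not None and age >= MIN_HSTS_AGE, f"max-age={age}")
    result["content-security-policy"] = ("content-security-policy" in headers,
                                         "restricts where scripts and frames may load from")
    xfo = headers.get("x-frame-options", "").upper()
    result["x-frame-options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing")
    xcto = headers.get("x-content-type-options", "").lower()
    result["x-content-type-options"] = (xcto == "nosniff", xcto or "missing")
    result["referrer-policy"] = ("referrer-policy" in headers, headers.get("referrer-policy", "missing"))
    return result


def passing_count(result):
    """Number of headers that passed; a crude stand-in for a letter grade."""
    return sum(1 for ok, _ in result.values() if ok)


if __name__ == "__main__":
    print("redirect ok:", check_https_redirect("http://retro-kit.co.uk/bbc/index.html", HTTP_REDIRECT_RESPONSE))
    _, hdrs, _ = parse_response(HTTPS_PAGE_RESPONSE)
    report = audit_security_headers(hdrs)
    for name, (ok, note) in report.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {note}")
    print(f"{passing_count(report)}/{len(report)} headers pass")
```

Against a live site you would replace the constructed strings with the raw response from a socket or from an HTTP client, keeping the functions as they are; the point of separating parse_response from the audit is that the same checks then run on whatever the server actually sent.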

BigEd
Posts: 1497
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: retro-kit.co.uk has gone SSL

Postby BigEd » Thu Nov 09, 2017 5:35 am

There's some advice here about how to go secure - the very easiest way AIUI is to use Cloudflare's free proxy service:
https://www.troyhunt.com/the-6-step-hap ... -to-https/
(Yes, you end up trusting Cloudflare if you do this. It's still an improvement. And there are many other ways, depending on how much time and effort you have for the conversion.)

paulv
Posts: 3606
Joined: Tue Jan 25, 2011 6:37 pm
Location: Leicestershire

Re: retro-kit.co.uk has gone SSL

Postby paulv » Thu Nov 09, 2017 7:33 pm

sweh wrote:For people going down the TLS path, there's a good test site at https://www.ssllabs.com/ssltest which can validate your config is strong, and you're not running broken TLS setups. retro-kit.co.uk scores an A grade; not quite an A+ but still very good!


Yes, it's not too shabby for a $15 SSL cert and some config on my server. I use the Nartac Software tool to help achieve good scores on sites I host SSL with. https://www.nartac.com/Products/IISCrypto

I also had to use the webringo.com static html version of the webring code because webringo.com does not (and it seems may never) support SSL for their embedding code. In the end, to get a fully secure home page I had to use their code, modified to serve the images from my server rather than theirs. :-(

sweh wrote:There's also other things you can add ("Security Headers") to the http response that'll help the browser be secure. It can do things like tell the browser "always use TLS when connecting to this site". They can be checked at https://securityheaders.io - unfortunately none of them are set for retro-kit.co.uk


That's a nice site. In several sites I've built and manage, we use several of those headers (I'm guessing we'd score a C or D for those) but sometimes we find them exceptionally restrictive in what we can and cannot do especially regarding embedding widgets from other sites such as twitter, facebook, addthis, sharethis etc. It's a real battle to find the balance between security and functionality. For retro-kit.co.uk, I'd have to drop some third party widgets to be able to use some of those headers. This is especially painful when you have to manually add more things to those headers every time you want to add a third party widget that is served using an IFRAME or uses a CDN for delivery of content.

I tend to use retro-kit.co.uk as a way of fulfilling part of my hobby and also testing out techniques and methods for other sites I build so I'll probably look at adding some of the headers I'm not familiar with to see what they do; X-Xss-Protection and Referrer-Policy for instance are new to me so playing with them might be fun.

BigEd wrote:There's some advice here about how to go secure - the very easiest way AIUI is to use Cloudflare's free proxy service


Based on some of the things the proxy service does, it's not something I'd consider. For instance, they obfuscate e-mail addresses found in the source of a web page. This would be good except...

using System;

class CloudFlareEmail
{
        /// <summary>
        /// Cloudflare obfuscates e-mail addresses to stop simple bots from ripping email addresses... It's a simple XOR type algo:
        /// the first hex pair is the key, and every following hex pair is XORed with that key to give one character.
        /// </summary>
        /// <param name="cfEmail">The hex string Cloudflare inserts in place of the address</param>
        /// <returns>The plain e-mail address</returns>
        private string decodeCloudFlareEmail(string cfEmail)
        {
            string decodedEmail = "";

            // The key byte comes first
            int k = int.Parse(cfEmail.Substring(0, 2), System.Globalization.NumberStyles.HexNumber);
            // Then one hex pair per character, each XORed with the key
            for (int i = 2; i < cfEmail.Length - 1; i = i + 2)
            {
                decodedEmail = decodedEmail + Convert.ToChar(int.Parse(cfEmail.Substring(i, 2), System.Globalization.NumberStyles.HexNumber) ^ k);
            }

            return decodedEmail;
        }
}


Yes, it's that easy to decode their protection... hmm, I should use StringBuilder in that code...

Paul
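
To make the trade-off Paul describes concrete, here is an added example (not Paul's code and not the actual policy of retro-kit.co.uk or any other site he mentions): a small Python script that builds a Content-Security-Policy allow-listing a set of third-party widget origins and then checks which of a page's embedded resources the policy would block. Only retro-kit.co.uk, used as the page origin, is a real host; the widget origins and resource URLs are constructed placeholders. The matcher implements a subset of CSP source expressions ('self', 'none', '*', a scheme such as data:, and a host with an optional *. prefix) and ignores ports and paths, which is enough to show why every new IFRAME widget or CDN means another entry in the header.

```python
"""Build a Content-Security-Policy that allow-lists third-party widgets and
check which page resources it would block.

Added example, not the forum poster's code. Widget origins and resource URLs
are constructed placeholders; retro-kit.co.uk is the page origin. The source
matcher covers a subset of CSP: 'self', 'none', '*', scheme-source (data:),
and host-source with an optional '*.' prefix; ports and paths are ignored.
"""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://retro-kit.co.uk"

# Constructed: one share widget served in an IFRAME, one CDN serving scripts.
WIDGET_ORIGINS = [
    "https://widget.example-share.test",    # hypothetical share button host
    "https://*.cdn.example-widgets.test",   # hypothetical CDN, any subdomain
]


def build_csp(widget_origins):
    """Every fetch directive starts from 'self'; each third-party widget is
    one more entry in script-src, frame-src and img-src."""
    extra = " ".join(widget_origins)
    directives = {
        "default-src": "'self'",
        "script-src": ("'self' " + extra).strip(),
        "frame-src": ("'self' " + extra).strip(),
        "img-src": ("'self' data: " + extra).strip(),
        "object-src": "'none'",
    }
    return "; ".join(f"{name} {value}" for name, value in directives.items())


def parse_csp(policy):
    """Map each directive name to its list of source expressions."""
    parsed = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # '*.cdn.test' matches 'eu.cdn.test' but not the bare 'cdn.test'
        return host.endswith(pattern[1:])
    return host == pattern


def _source_matches(source, url, page_origin):
    """Does one CSP source expression permit this URL?"""
    u = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":") and "://" not in source:
        return u.scheme == source[:-1]          # scheme-source such as data:
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:
        scheme, rest = urlsplit(page_origin).scheme, source  # page scheme applies
    host_pattern = rest.split("/", 1)[0].rsplit(":", 1)[0]   # drop path and port
    if u.scheme != scheme and not (scheme == "http" and u.scheme == "https"):
        return False
    return _host_matches(host_pattern, u.hostname or "")


def allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Fetch directives fall back to default-src when not set explicitly."""
    parsed = parse_csp(policy)
    sources = parsed.get(directive, parsed.get("default-src", []))
    return any(_source_matches(s, url, page_origin) for s in sources)


def blocked_resources(policy, resources, page_origin=PAGE_ORIGIN):
    """Return the (directive, url) pairs the policy blocks: each is a widget
    that would need yet another entry added to the header."""
    return [(d, url) for d, url in resources if not allowed(policy, d, url, page_origin)]


if __name__ == "__main__":
    policy = build_csp(WIDGET_ORIGINS)
    print(policy)
    page_resources = [  # constructed resources a page might embed
        ("frame-src", "https://widget.example-share.test/embed?site=retro-kit"),
        ("script-src", "https://eu.cdn.example-widgets.test/loader.js"),
        ("frame-src", "https://video.example-new.test/player"),
    ]
    for directive, url in blocked_resources(policy, page_resources):
        print(f"blocked by {directive}: {url}")
```

Run as is, the third resource is reported as blocked: a newly added video widget on a host that is not in the list. Allowing it means editing frame-src and shipping a new header, which is exactly the per-widget maintenance Paul describes; the benefit is that anything injected from a host you never listed is blocked the same way.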

paulv
Posts: 3606
Joined: Tue Jan 25, 2011 6:37 pm
Location: Leicestershire

Re: retro-kit.co.uk has gone SSL

Postby paulv » Thu Nov 09, 2017 8:04 pm

sweh wrote:unfortunately none of them are set for retro-kit.co.uk


Should be an A now... I need to go through and make sure I've not broken anything now :shock: :lol:

Paul

