Poll: Force Https
Member
Posts: 42
Joined: Dec 19 2015
Gold: 733.00
Aug 17 2017 02:36pm
Hello,

I noticed the forum does not automatically enforce an SSL connection. Enabling a browser plugin gives some advantages but IMO more downsides.
Now when I wanted to buy a signature, typing in my FG password to transfer the FG to someone, I noticed no https connection just when I was about to hit the send button.

I'm quite aware this is the responsibility of the user, but preventing these issues would take some tech support / scams out of the Admins' hands.

I hope someone can shine a light on this matter as I'm quite sure I'm not the first one bringing this up.


Kind regards

This post was edited by techandme on Aug 17 2017 02:49pm
Member
Posts: 6,121
Joined: Mar 22 2016
Gold: 992.66
Trader: Trusted
Aug 18 2017 05:01am
I've noticed this as well actually, quite cool to see you come out of nowhere typing techs-stuff. I am truly looking forward to reading more of your inputs :)

I don't think ssl would be possible here since people upload their signatures and avatars to external servers, which would make modern web browsers alert a warning (correct me if I am wrong!)

Also, I don't think such sophisticated mitm scams are made on here, when it comes to a certain intelligence level the kiddos won't waste their time scamming on here :) Again, correct me if I am wrong, when it comes to hacking and web-developing I am closer to zero than hero.

Force SSL would also slow down the loading speed drastically, unfortunately!

edit: voted yes

This post was edited by ium on Aug 18 2017 05:08am
Member
Posts: 42
Joined: Dec 19 2015
Gold: 733.00
Aug 18 2017 05:08am
Quote (ium @ 18 Aug 2017 12:01)
I've noticed this as well actually, quite cool to see you come out of nowhere typing techs-stuff. I am truly looking forward to reading more of your inputs :)

I don't think ssl would be possible here since people upload their signatures and avatars to external servers, which would make modern web browsers alert a warning (correct me if I am wrong!)

Also, I don't think such sophisticated mitm scams are made on here, when it comes to a certain intelligence level the kiddos won't waste their time scamming on here :) Again, correct me if I am wrong, when it comes to hacking and web-developing I am closer to zero than hero.

Force SSL would also slow down the loading speed drastically, unfortunately!


Thanks!

Indeed would render some pages with users' sigs with the warning in the address bar. But there are ways around this.
Also using the newest protocols having SSL enabled won't be a load time issue. I've optimized tons of sites/forums using google pagespeed to debug. They did not have almost a million users but he...

About the scamming indeed, but I don't feel secure sending my password all over the internet in plain text... that is that I know about it, tons of users would do so without knowing.
Member
Posts: 6,121
Joined: Mar 22 2016
Gold: 992.66
Trader: Trusted
Aug 18 2017 05:28am
Okay so, after your response I really see no downside with this rule being set! Also I want to point out that I voted yes even though I made my first post. :)

external servers - there are ways around this
No scams in this area - Security is always better than no security

Let me cross the last stupid question stated by myself,
Loading speed is slower with ssl, but that would only be the first loading! Most people here are returning visitors, which means that the first load speed is really not important.

Slow down the loading speed
Member
Posts: 3,197
Joined: May 4 2013
Gold: 1,457.00
Aug 18 2017 05:40am
Quote (ium @ Aug 18 2017 04:01am)

Force SSL would also slow down the loading speed drastically, unfortunately!


You couldn't be more wrong. HTTP/2 requires SSL and it loads pages faster.

Quote

I don't think ssl would be possible here since people upload their signatures and avatars to external servers, which would make modern web browsers alert a warning (correct me if I am wrong!)



You are wrong. Browsers would "warn" (but not by popup or anything - just color of the icon) if you tried to load external http: page when you're on https:. imgur and most other sites on the internet support https just fine and default to it.

I voted yes of course, there is ZERO reason not to, especially when it's offloaded to cloudflare. But they should also configure proper HSTS headers.

I still have working exploit on d2jsp which I alerted about like 2 years ago, but no one gave a shit, moderators just closed the topic. It is entirely prevented when you use currently optional SSL. If I know it, other guys know it too.
Member
Posts: 42
Joined: Dec 19 2015
Gold: 733.00
Aug 18 2017 06:09am
Quote (nuvo @ 18 Aug 2017 12:40)
You couldn't be more wrong. HTTP/2 requires SSL and it loads pages faster.



You are wrong. Browsers would "warn" (but not by popup or anything - just color of the icon) if you tried to load external http: page when you're on https:. imgur and most other sites on the internet support https just fine and default to it.

I voted yes of course, there is ZERO reason not to, especially when it's offloaded to cloudflare. But they should also configure proper HSTS headers.

I still have working exploit on d2jsp which I alerted about like 2 years ago, but no one gave a shit, moderators just closed the topic. It is entirely prevented when you use currently optional SSL. If I know it, other guys know it too.



You couldn't be more right. I'm sure cloudflare would be the next best addition to SSL here. I use it on all my sites (free version of course).

The mixed content warning is an easy fix, I had this on one of my sites. Just let the webserver rewrite all links to https, then some hosters will fail but like you said the majority supports https.
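
The two fixes raised in the posts above, rewriting embedded http: resources to https: and sending a proper HSTS header, as an added Python example that is not part of the thread and not d2jsp's code. The tag list, the 180-day `max-age` floor, the function names and the sample post are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Tags whose src makes the browser fetch a subresource (assumed list for this example).
FETCH_TAGS = {"img", "script", "iframe"}


class MixedContentFinder(HTMLParser):
    """Collects subresource URLs that would load over plain http:."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag in FETCH_TAGS and name == "src" and (value or "").lower().startswith("http://"):
                self.insecure.append((tag, value))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure


def upgrade_subresources(html):
    """Rewrite http: to https: in src of fetching tags; ordinary <a> links are left alone."""
    pattern = re.compile(r'(<(?:img|script|iframe)\b[^>]*?\ssrc\s*=\s*["\'])http://', re.IGNORECASE)
    return pattern.sub(r"\1https://", html)


def hsts_problems(header, min_age=15552000):
    """List weaknesses in a Strict-Transport-Security value (180-day floor is an assumed policy)."""
    if not header:
        return ["header missing"]
    directives = [d.strip().lower() for d in header.split(";") if d.strip()]
    ages = [d.split("=", 1)[1].strip('"') for d in directives if d.startswith("max-age=")]
    problems = []
    if not ages or not ages[0].isdigit():
        problems.append("max-age missing or invalid")
    elif int(ages[0]) < min_age:
        problems.append("max-age below %d seconds" % min_age)
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set")
    return problems


# Constructed sample post: external signature image plus an ordinary link.
SAMPLE_POST = '<p>Regards</p><img src="http://img.example/sig.png"><a href="http://example.org/">site</a>'
```

Running `find_mixed_content` on stored posts before and after `upgrade_subresources` shows which embeds would still trigger the browser's mixed-content indicator; image hosts without https will simply fail to load after the rewrite.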
Member
Posts: 6,121
Joined: Mar 22 2016
Gold: 992.66
Trader: Trusted
Aug 18 2017 12:11pm
Quote (nuvo @ Aug 18 2017 07:10pm)
You couldn't be more wrong. HTTP/2 requires SSL and it loads pages faster.



You are wrong. Browsers would "warn" (but not by popup or anything - just color of the icon) if you tried to load external http: page when you're on https:. imgur and most other sites on the internet support https just fine and default to it.

I voted yes of course, there is ZERO reason not to, especially when it's offloaded to cloudflare. But they should also configure proper HSTS headers.

I still have working exploit on d2jsp which I alerted about like 2 years ago, but no one gave a shit, moderators just closed the topic. It is entirely prevented when you use currently optional SSL. If I know it, other guys know it too.


They say ssl makes it faster, but I have never seen a positive pingdom change when adding ssl :unsure: Unless I am missing something?? I am really not saying that I am against ssl, I just mentioned that the speed could be an issue, sometimes even drastically

Don't believe me? Just watch https://community.centminmod.com/data/attachment-files/2017/06/5482_upload_2017-6-10_21-0-28.png