Site_Feedback

Topic   Forcing https (security)

bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
10-Jan-2017(#1)
It has been over a year since GameTZ started supporting https. In other words, https://gametz.com (instead of http://gametz.com ) works. It is better because it's more secure. It prevents certain kinds of hacking, encrypts communication between you and the site so people can't snoop on you, etc.

I've been using it myself for over a year and as far as I know, it works well and there are no current issues.

Many sites now push users to use the https version of their site to promote better security. For example, if you type http://www.google.com/ you end up at https://www.google.com/ . Same goes for http://facebook.com -> https://www.facebook.com/ .

I think I can set GameTZ up to do the same thing. There's a mechanism (called HSTS) that can be used to tell the browser to use the https version of the site instead.

I'm thinking of trying it. It's possible it will cause problems, but it's hard to know without trying it first. The problems could be so bad that people affected could not use the site at all. Though, I don't think this is likely. Minor problems are also possible, though hard to predict. There's a good chance it will just work and everyone will be better off for the upgrade.


Opinions? Are many of you already using https with GameTZ?


Here are links to a couple of previous topics on https at GameTZ
https://gametz.com/Site_Feedback/https-lets-encryp...
https://gametz.com/Site_Feedback/gametz-support-ht...
John
GameTZ Subscriber GameTZ Full Moderator 400 Trade Quintuple Gold Good Trader Gold Global Trader (13) Secret Santa
10-Jan-2017(#2)
I've just switched all of my bookmarks to the https version of the site. Will let you know if I see anything funny. yes
Jeff
GameTZ Subscriber 450 Trade Quintuple Gold Good Trader Gold Global Trader (7) Secret Santa
10-Jan-2017(#3)
Already using it.

bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
10-Jan-2017(#4)
Well, I just implemented it. So, let's see if it breaks anything.

http requests to gametz will now get redirected to https.

It seems to work fine from the tests I've done.

I had to do more than just the HSTS header thing. That seems to only work if you actually load an https page.
JD
350 Trade Quintuple Gold Good Trader Global Trader - willing to trade internationally
10-Jan-2017(#5)
It's not PS4 web browser friendly. I can't click on spoilers and images are all gone; all I see are words.

John
GameTZ Subscriber GameTZ Full Moderator 400 Trade Quintuple Gold Good Trader Gold Global Trader (13) Secret Santa
* 10-Jan-2017(#6)
That may be a cache issue causing mixed-content.

(Assuming that you're also doing HTTPS for the image loads, Bill?)

EDIT: Confirmed that the images are also https. yes
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
10-Jan-2017(#7)
I just tried it on my ps4 and right off the bat I got a pop-up saying the root certificate didn't trust blah blah blah... I'm using Let's Encrypt for the SSL and it appears Sony may not support it (they don't have the needed root cert). I said OK, and got a site that had no CSS style sheets (a mess)... dead face.

So, I changed the web server to not force https for Playstation browser... but, that's probably not a great solution. There are likely other browser/devices that won't work either.

I could just leave the HSTS stuff in-place and skip the forced redirect for now. OR just force known/good browsers like Chrome/Firefox and others. I'm still thinking about it.
John
GameTZ Subscriber GameTZ Full Moderator 400 Trade Quintuple Gold Good Trader Gold Global Trader (13) Secret Santa
10-Jan-2017(#8)
Oh, that makes sense. Most browsers trust the Let's Encrypt certs now -- but older ones still wouldn't.

Is there no recent update for the PS4??
John
GameTZ Subscriber GameTZ Full Moderator 400 Trade Quintuple Gold Good Trader Gold Global Trader (13) Secret Santa
10-Jan-2017(#9)
If you are doing per-browser checking, Bill, you may want to check this out to see the list of what is not supported.
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
10-Jan-2017(#10)
People talking about it here: ... Sony is just weird or something.

https://community.letsencrypt.org/t/lets-encrypt-a...

The PS4 browser is fairly crappy. I assume it's not used that much. I was trying to use speedtest.net on it a week ago and it was really terrible too.

There's also a list of "known issues"... a bit complicated...
https://community.letsencrypt.org/t/which-browsers...

I guess I'll just back-off with forcing it.

I think the HSTS config which I left in place will make the https version of the site sticky (if you use it, your browser will switch to it in the future). I set it to stick for a week. I think that's safer.

In the web server config, I can do something like:
$HTTP["useragent"] =~ "(Chrome|Firefox|Safari)" { /* force https code here */ }

That would probably cover 95% of cases, though I'm not sure it's 100% safe. Like, pre-SP3 WinXP also doesn't work, so I'm unsure what browser that means, and trying to break it down by version is just too hard of a regexp...
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
10-Jan-2017(#11)
Yeah, that's a cleaner version of the page I was using... too complicated.
Archer
GameTZ Gold Subscriber 500 Trade Quintuple Gold Good Trader Has Written 1 Review
10-Jan-2017(#12)
This is why we can't have nice things.
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
10-Jan-2017(#13)
I'd still encourage people to use https://gametz.com . Update your bookmarks and whatnot.
Porksta
GameTZ Gold Subscriber 350 Trade Quintuple Gold Good Trader Global Trader - willing to trade internationally Secret Santa
10-Jan-2017(#14)
Reed got banned because he didn't use https. True story.

SirConnery
GameTZ Subscriber 1000 Trade Quintuple Gold Good Trader Secret Santa
12-Jan-2017(#15)
So the only barrier to full implementation is the PS4 browser so far? Don't most users that would use that also have a smartphone handy?
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
12-Jan-2017(#16)
It's probably a number of other devices/browsers (John posted a good link to a page with a list). ps4 was just the first we found. The trouble is that it causes them not to work well at all. Breaking things for a few just to push most people to use the more-secure site isn't worth it.

I can try to motivate people in other ways. Also, I'm going to try to track how many are using the secure site over time.

Another option would be to pay for the SSL. That would get me into more well-known root certificates (e.g. would work on ps4 at least). But, I think I'm too cheap.

This whole thing is fairly optional, would be nice, sort of thing, so giving it too much priority would be a mistake.
SirConnery
GameTZ Subscriber 1000 Trade Quintuple Gold Good Trader Secret Santa
12-Jan-2017(#17)
How do low revenue non profit organizations get SSL? Is there a happy medium that can give you the same benefit they get without the crazy cost?
John
GameTZ Subscriber GameTZ Full Moderator 400 Trade Quintuple Gold Good Trader Gold Global Trader (13) Secret Santa
* 12-Jan-2017(#18)
What he is using IS the "happy medium." Let's Encrypt certificates are free and work for the vast majority of browsers.

If you're a "low revenue non-profit organization", then you might need to say that you don't support the PS4 browser. *shrug*

That being said, a single-domain SSL cert from a Comodo-based provider (so it should work in almost everything) can be bought for like under $10 per year... So, there's that. smile
SirConnery
GameTZ Subscriber 1000 Trade Quintuple Gold Good Trader Secret Santa
12-Jan-2017(#19)
That cheap now? Hell I think I'll buy one.
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
* 12-Jan-2017(#20)
I actually had an SSL cert several years ago when I used to accept credit cards. At the time, it was like $175/yr from thawte. Looks like they're still fairly expensive.

I think there are some subtle not-so-great things about the cheaper SSL options, but I forget the details (SSL certs are a little complicated). Even Comodo has a $100/year option which is better for some fiddly reasons that take time to understand.

I remember to get that Thawte SSL, I had to create a letter with official Kenyon Hill LLC letterhead (what? ... I just used some Word template), then get it notarized at the bank, etc. It seemed like a load of BS to me. I wonder if they still make people do that.

It seems all backward to me. Secure should be the default/free/built-in way to do everything. Having this layer of paid providers just discourages security and hurts everyone. They don't really do much as far as I can tell.

Like I said, it's not actually a priority. Not just about the money either, as it's complicated to set up right and all that, and you have to redo it when it renews. I actually have a script for the Let's Encrypt SSL Cert that runs every couple months (they only last 3 months, I think... again, for some reason that's part of the complication of the whole thing).

Even if I had an SSL cert from a very well-known authority, I'm not 100% sure it would work everywhere. Probably, right? But, I'm not sure. I had some bugs with the Let's Encrypt one I used because of the chain not being right (again, complication), so I'm not super confident about any of it anymore.

It's also worth noting that I have a number of domains, so that can multiply the costs. Like, I have to do m.gametz.com gametz.com and www.gametz.com then images.kenyonhill.com and I have other sites I could/should do too...
John
GameTZ Subscriber GameTZ Full Moderator 400 Trade Quintuple Gold Good Trader Gold Global Trader (13) Secret Santa
12-Jan-2017(#21)
bill wrote:
> I remember to get that Thawte SSL, I had to create a letter with official Kenyon
> Hill LLC letterhead (what? ... I just used some Word template), then get it notarized
> at the bank, etc. It seemed like a load of BS to me. I wonder if they still make
> people do that.

That is usually an "Extended Validation" (EV) cert. You still have to do that if you want that level of "trust." You have to have this to get the "green bar" crap in browsers.

Or, actually, I guess, for you, it may have even just been an "Organization Validation" (OV) cert.

Basically, it goes:

Domain Validation (DV) -- encrypts that data between browser and server, but doesn't mean that it is "trusted".
Organization Validation (OV) -- the organization is verified in some way -- through government records and/or letterhead and such.
Extended Validation (EV) -- the Certificate Authority does specific "vetting" of the organization.

In my opinion, DV is fine for what most of us need. If we trust the domain (i.e. you feel comfortable with gametz.com knowing your data), then that's plenty.

If you're shopping online at some weird camera shop, then they better have an OV cert, at least.

The problem is -- you can't tell DV from OV in most browsers. And only some browsers even show the EV "green bar" stuff.

I think EV is just a way for companies like Symantec to sell more expensive certs like the "good old days."

You can get a DV cert for under $10 now. You can get an OV cert for under $40. EVs start at like $100 or so and go up.

> It seems all backward to me. Secure should be the default/free/built-in way to do
> everything. Having this layer of paid providers just discourages security and hurts
> everyone. They don't really do much as far as I can tell.

Agreed. I think this is the thinking behind Let's Encrypt -- to just get everyone using a cert to at least do end-to-end encryption.

> Even if I had SSL cert from a very well-known authority, I'm not 100% sure it would
> work everywhere. Probably, right? But, I'm not sure.

If you had one that is in the root CA already, then I think it would work. Most buy from a Comodo reseller to get the best deal on those these days.

> It's also worth noting that I have a number of domains, so that can multiply the
> costs. Like, I have to do m.gametz.com gametz.com and www.gametz.com then images.kenyonhill.com
> and I have other sites I could/should do too...

Yes, that does hike it up. I think for a one-domain wildcard, you're looking at around $100/year -- with just a DV cert. And that wouldn't cover KenyonHill. frown
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
* 17-Jan-2017(#22)
I started tracking https usage (and mobile). Here's what it looks like for the past 24 hours:

[image: https/mobile usage chart for the past 24 hours]

Note that there's overlap, so the "both" percent/wedge should be added to each https and mobile to get the total. e.g. 20% of pages were served via the mobile UI and 38% of pages were served over https. ...not bad!

These numbers are just looking at signed-on users. Guest usage is 84% neither, 8% https, 7% mobile, 0% both. But, I'm not that concerned about that. GameTZ is still indexed by non-mobile, non-https links and should be, so it's no great surprise.

I'm still considering ways to motivate more people to use https://gametz.com (and https://m.gametz.com ). I suspect it may go up over time on its own and now I can try to track that somewhat.
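The overlap point above (the "both" wedge has to be added to each of the https and mobile wedges to get the real share of each) is easy to get wrong when tallying by hand, so here is an added example of the bookkeeping. This is not GameTZ's own tracking code: it assumes a constructed, simplified log format of "scheme host user path" per request, treats the m.gametz.com host as the mobile UI and a "-" user column as a guest, and the sample lines are made up for the example.

```python
"""Tally https / mobile usage from access-log lines, keeping the overlap.

Added example, not GameTZ's own code. Assumed log format (constructed):
    <scheme> <host> <user-or-'-'> <path>
mobile is inferred from the m.gametz.com host, signed-on from the user column.
"""
from collections import Counter

# Constructed sample log lines, not real GameTZ traffic.
SAMPLE_LOG = """\
https gametz.com bill /Forums.html
https www.gametz.com john /Site_Feedback/forcing-https
https gametz.com jeff /Trades.html
http gametz.com archer /Forums.html
http www.gametz.com scots /Trades.html
http gametz.com boss /Reviews.html
http gametz.com whitefire /Forums.html
http m.gametz.com porksta /Forums.html
https m.gametz.com willyum /Forums.html
https m.gametz.com jd /Trades.html
http gametz.com - /Forums.html
http gametz.com - /robots.txt
"""

WEDGES = ("neither", "https", "mobile", "both")


def classify(line):
    """Return (signed_on, wedge) for one log line."""
    scheme, host, user, _path = line.split(None, 3)
    https = scheme == "https"
    mobile = host.startswith("m.")
    if https and mobile:
        wedge = "both"
    elif https:
        wedge = "https"
    elif mobile:
        wedge = "mobile"
    else:
        wedge = "neither"
    return user != "-", wedge


def usage_report(log_text, signed_on_only=True):
    """Percentages per wedge plus the de-overlapped https and mobile totals.

    The four wedges are mutually exclusive (they sum to 100), so the real
    https share is https + both, and the real mobile share is mobile + both.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        signed_on, wedge = classify(line)
        if signed_on_only and not signed_on:
            continue
        counts[wedge] += 1
    total = sum(counts.values())

    def pct(n):
        return round(100.0 * n / total) if total else 0

    return {
        "requests": total,
        "wedges": {w: pct(counts[w]) for w in WEDGES},
        "https_total": pct(counts["https"] + counts["both"]),
        "mobile_total": pct(counts["mobile"] + counts["both"]),
    }


if __name__ == "__main__":
    for scope, only in (("signed-on", True), ("everyone", False)):
        r = usage_report(SAMPLE_LOG, signed_on_only=only)
        print(f"{scope}: {r['requests']} requests, wedges={r['wedges']}, "
              f"https={r['https_total']}%, mobile={r['mobile_total']}%")
```

Totals are computed from the raw counts rather than from the already-rounded wedge percentages, so the https and mobile shares stay consistent with the wedge chart even when rounding would otherwise make them drift by a point.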
whitefire
GameTZ Subscriber 550 Trade Quintuple Gold Good Trader Global Trader - willing to trade internationally
17-Jan-2017(#23)
I think I use that one. The little lock symbol is there because of that, right?

bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
17-Jan-2017(#24)
yes.

if you click it and get details and view the certificate it will say "Let's Encrypt" somewhere eventually.
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
* 18-Jan-2017(#25)
OK, I did a little more with this.

I had tried redirecting to https in the web server config file, but that's a little sledgehammer-like (affects all users). And, we quickly ran into the PS4 issue too.

But, I can also do redirection from within my code. It's just like the way I will redirect a user to the mobile site, if I detect they are on a mobile device. I can check a lot of stuff in my code and be fairly careful about it. So, I think it's a better way to bring people over to https.

I have something that will first check if they are signed on, then if their browser supports the Let's Encrypt cert (e.g. will skip ps3/ps4/WinXP, old browsers and other stuff from that page John linked). Also, I have it only do it 1 in 100 times (for slow roll-out) and only if they are doing something simple (e.g. not submitting a post or something like that).

The redirection is subtle and probably won't be noticed in most cases (should look the same, just that lock thing shows up). And, the HSTS thing will make it sticky, so even if they don't update bookmarks, it will switch to https.

I have it running on another site (that gets much less traffic) now to see how it goes. I'll do that for a couple weeks and if I don't have issues there, I'll turn it on for GTZ too. I'll monitor that usage graph thing daily to see if the percent https goes up over time.

I probably shouldn't do this, as there can be real dangers using HSTS: if something goes wrong, the user might not be able to use the site at all. But, I can't help myself and probably that's rare, especially since I'm being careful.
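To make the two mechanisms in this thread concrete (the HSTS header from post #4, which browsers only honour when it arrives over https, and the guarded in-app redirect described in this post), here is an added example of the decision logic. It is not GameTZ's code and the site's real implementation is not on the page; the Request shape, the user-agent patterns used to skip PS3/PS4 and Windows XP clients, and the choice of a temporary (302) redirect are assumptions for the example. The one-week max-age matches the value the thread says is configured.

```python
"""Guarded http -> https migration: HSTS only on https responses, plus a
careful in-app redirect for plain-http requests.

Added example, not GameTZ's own code. Policy modelled on the thread:
  * redirect only signed-on users, only on simple GET requests,
  * only for browsers expected to trust the Let's Encrypt root,
  * only 1 in 100 times (slow roll-out),
  * send Strict-Transport-Security only on https responses, because
    browsers ignore HSTS received over plain http.
The Request class and user-agent patterns are assumptions for the example.
"""
import random
import re
from dataclasses import dataclass

HSTS_MAX_AGE = 7 * 24 * 3600  # one week, as in the thread's config
ROLLOUT_ONE_IN = 100           # redirect roughly 1% of eligible requests

# Assumed deny-list: client families the thread reports as lacking the
# Let's Encrypt root (PlayStation browsers, Windows XP, old IE).
UNSUPPORTED_UA = re.compile(r"PlayStation|Windows NT 5\.1|MSIE [1-8]\.", re.I)
# Assumed allow-list, modelled on the lighttpd condition quoted in post #10.
SUPPORTED_UA = re.compile(r"Chrome|Firefox|Safari")


@dataclass
class Request:
    scheme: str      # "http" or "https"
    method: str      # "GET", "POST", ...
    host: str
    path: str
    user_agent: str
    signed_on: bool


def browser_trusts_cert(user_agent):
    """Conservative guess: deny known-bad families, then require a known-good one."""
    if UNSUPPORTED_UA.search(user_agent):
        return False
    return bool(SUPPORTED_UA.search(user_agent))


def should_redirect_to_https(req, roll=random.randrange):
    """True when this request should be bounced to https.

    `roll` is injectable so the 1-in-100 gate can be tested deterministically.
    """
    if req.scheme == "https" or not req.signed_on:
        return False
    if req.method != "GET":            # never interrupt a form submission
        return False
    if not browser_trusts_cert(req.user_agent):
        return False
    return roll(ROLLOUT_ONE_IN) == 0   # slow roll-out gate


def respond(req, roll=random.randrange):
    """Return (status, headers): a redirect, or a normal page whose HSTS
    header is present only when the page itself was fetched over https."""
    if should_redirect_to_https(req, roll):
        # 302 (not 301) while rolling out, so a mistake is not cached forever.
        return 302, {"Location": f"https://{req.host}{req.path}"}
    headers = {"Content-Type": "text/html"}
    if req.scheme == "https":
        headers["Strict-Transport-Security"] = f"max-age={HSTS_MAX_AGE}"
    return 200, headers


if __name__ == "__main__":
    chrome = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/56.0 Safari/537.36"
    print(respond(Request("http", "GET", "gametz.com", "/Forums.html", chrome, True)))
    print(respond(Request("https", "GET", "gametz.com", "/Forums.html", chrome, True)))
```

The point of keeping HSTS off plain-http responses is not just that browsers drop it there; it also means a client that never successfully loads the https site never gets pinned to it, which is the failure mode the post is worried about. The deny-list-before-allow-list order in browser_trusts_cert matters because PlayStation and XP user agents also contain "Safari" or "Chrome".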
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
* 23-Jan-2017(#26)
I got an email from Google over the weekend:

Nonsecure Collection of Passwords will trigger warnings in Chrome 56 for http://gametz.com/

To: owner of http://gametz.com/

Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as "Not Secure" unless the pages are served over HTTPS.

The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, and so you can take action to help protect users' data. The list is not exhaustive.

http://gametz.com/Forums.html

The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as "Not Secure".

Here's how to fix this problem:

Use HTTPS pages to collect sensitive information
To prevent the "Not Secure" notification from appearing when Chrome users visit your site, move collection of password and credit card input fields to pages served using the HTTPS protocol.
John
GameTZ Subscriber GameTZ Full Moderator 400 Trade Quintuple Gold Good Trader Gold Global Trader (13) Secret Santa
23-Jan-2017(#27)
Luckily, I'm stuck on Chrome 49! wink
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
* 23-Jan-2017(#28)
So, Chrome will start warning about the password form and that basically is on every not-signed-on page given how the new layout does it (as a convenient drop-down).

To try to help with this, I added links to the secure site that will show up right above the drop-down sign-on form and on the Sign On page and in the footer and/or the username menu (new layout) or top-right nav bar thing (old layout). These only show up if you're on the non-secure site.

That will probably get more people to click over to the secure version of GameTZ. And, once they do, the HSTS should keep them there. And, Chrome won't complain at that point.
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
1-Feb-2017(#29)
I just turned on that thing (described in post #25) that will randomly switch people using the http version of the site to https. I've been running it on another site for a couple weeks without issues, so it's probably safe enough. I'll try to check usage stats to see if it changes things. I assume it will increase overall https usage of the site slowly over time. Currently it's around 50% with a lot of variability it seems.
Grenadier
GameTZ Subscriber GameTZ Full Moderator Triple Gold Good Trader Has Written 3 Reviews
1-Feb-2017(#30)
We got warned about this at work, and apparently Chrome is not the only browser doing it. The major browsers are all getting a lot tougher about security this year.
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
* 10-Feb-2017(#31)
bill wrote (January 17, 2017):

Update from the last 24 hours:

[image: updated https/mobile usage chart for the last 24 hours]

These numbers vary a lot, but roughly speaking, we've gone from 38% to 79% using https version of GameTZ.
Grenadier
GameTZ Subscriber GameTZ Full Moderator Triple Gold Good Trader Has Written 3 Reviews
8-Feb(#32)
Reopening this because of news that hit today. Apparently, Chrome will be marking all sites that are not on https as "not secure" starting in July. So now you're ahead of the curve on that one at least.
Scots
GameTZ Gold Subscriber Triple Gold Good Trader Global Trader - willing to trade internationally
8-Feb(#33)
I just tried this finally, and now I have a little tummy ache. Thanks a lot Bill.
Boss
GameTZ Gold Subscriber 650 Trade Quintuple Gold Good Trader Gold Global Trader (8) Secret Santa
9-Feb(#34)
yes
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
9-Feb(#35)
Google is fascist! Whatever happened to freedom?!!1!
willyum
GameTZ Gold Subscriber 300 Trade Quintuple Gold Good Trader Gold Global Trader (17) Secret Santa
17-Feb(#36)
Been using it since...I can't remember when, but I think when you first mentioned it. In any case, I've not had any issues with the site.

John
GameTZ Subscriber GameTZ Full Moderator 400 Trade Quintuple Gold Good Trader Gold Global Trader (13) Secret Santa
17-Feb(#37)
I finally moved away from my XP machine at work, so it is fine with me. smile
bill
GameTZ Gold Subscriber GameTZ Full Moderator 600 Trade Quintuple Gold Good Trader Gold Global Trader (15) Has Written 26 Reviews
17-Feb(#38)
I probably said this in a previous post, but just to reiterate my understanding of this issue, here goes.

As far as I know (last time I checked), the https version of gametz does not work with ps3/ps4 browsers. The reason is related to me using Let's Encrypt for my certs. They are free but also newer and some older setups don't have their root certs in them (or something like that). I think that was the same issue with XP more or less. And, maybe there are other cases like that. I could get certs that work better with older/odd setups, but it would generally cost some amount per year.

And, I'm a cheap ass. And, it's not that important. https is good to use as much as you can, probably. And, gametz lets people do that. But, it also lets people use regular old http too. So, that's like the best of both worlds. I also do stuff to motivate users into using https. For modern browsers, the site will tend to redirect them to https and keep them there, for example. And, as stated, older setups still work.

Google is being kind of pushy about this and it's somewhat problematic because people who choose to use http with a modern browser will get some indicators that say it's insecure. But, that is likely their choice and OK. So, I'm not too worried. For old/odd setups, they're not using Chrome so won't get those warnings.

I am a little surprised that we still seem to have about 20% of hits from http not https. It's hard to say why.

One related aspect to this is that I have Google search indexing the http version of the site not the https version. This may cause trouble with Google given how pushy they are... maybe they'll punish the site for it someday, I don't know. But, it's the most compatible thing to do because if the site indexes as https, then those old/odd setups will not work if they search via google (as far as I know). As it is, search returns http links and in most cases (using a modern browser), if you click them, it sends you to the https version of the site.

JD
350 Trade Quintuple Gold Good Trader Global Trader - willing to trade internationally
18-Feb(#39)
I just tested it on PS4. Everything works fine; I'm guessing Sony did update the web browser, so I'll stick with https from now on.
