Author Topic: Report HTTPS errors here (SSL)  (Read 4661 times)

Offline FoRCe

  • Member
  • Posts: 146
  • Cookie?
Report HTTPS errors here (SSL)
« on: May 18, 2015, 07:45:37 pm »
Update:
Meanwhile both have a valid cert :)
Be aware that once you have visited the SSL versions the browser won't allow you to use http anymore because of our enforced HSTS setting.


I have enabled HTTPS for:
  • bakabt.me
  • forums.bakabt.me

Would be awesome if people could test this before we get a valid SSL cert and force redirect to https.

Reported so far:
- Descriptions missing the correct font.
« Last Edit: May 19, 2015, 12:49:32 am by FoRCe »

Offline ChalamiuS

  • Member
  • Posts: 31
  • Hauu~ Omochikaeri~ *takes Wintereise home*
    • chalamius.se
Re: Report HTTPS errors here (SSL)
« Reply #1 on: May 18, 2015, 08:05:10 pm »
Flattr script appears to be loaded over http (changing src from http:// to // will solve that one).

Some of the mixed content warnings (images being loaded over http) can be fixed since it's hosted by bakabt.


HTTP links in descriptions to BakaSHOTS should be changed to HTTPS instead.

User profiles redirect to http if there's a case mismatch (ChalamiuS -> chalamius, https://bakabt.me/user/642669/ChalamiuS -> http://bakabt.me/user/642669/chalamius)
« Last Edit: May 19, 2015, 02:56:04 am by ChalamiuS »

[Homepage | Blog | Ava & Sig kindly provided by Enzedder]
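The mixed-content reports above can be turned into a repeatable audit. The following is an added example, not part of the original posts or the site's code: it scans page markup for subresources still requested over http:// and separates first-party URLs (which can simply be rewritten) from third-party ones. The sample markup, the `widgets.example` and `images.example` hosts and all paths are constructed.

```javascript
// Added example (not site code): audit an HTTPS page for subresources still loaded over http://.
const FIRST_PARTY = new Set(["bakabt.me", "forums.bakabt.me"]); // hosts named in the thread
const ACTIVE_TAGS = new Set(["script", "link", "iframe"]);      // treated here as active (blockable) content

// Constructed sample markup; every URL and path below is made up for illustration.
const SAMPLE_PAGE = `
<script src="http://widgets.example/flattr-button.js"></script>
<script src="//widgets.example/already-fine.js"></script>
<img src="http://bakabt.me/images/constructed-logo.png">
<img class="avatar" src="http://images.example/avatar.jpg">
<img src="https://images.example/ok.png">
<a href="http://other.example/page">plain links are navigation, not mixed content</a>`;

function findMixedContent(html) {
  const findings = [];
  // Simplified attribute scan for an audit pass; a production checker should use a real HTML parser.
  const re = /<(script|link|iframe|img|audio|video|source)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const url = m[2];
    if (!/^http:\/\//i.test(url)) continue; // https://, // and relative URLs follow the page scheme
    let host;
    try { host = new URL(url).hostname.toLowerCase(); } catch { continue; }
    findings.push({
      tag,
      url,
      kind: ACTIVE_TAGS.has(tag) ? "active" : "passive",
      // Own hosts can simply be rewritten; third-party hosts need HTTPS support or a proxy.
      fix: FIRST_PARTY.has(host) ? "rewrite to https://" : "use an HTTPS host or proxy",
    });
  }
  return findings;
}

for (const f of findMixedContent(SAMPLE_PAGE)) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url} -> ${f.fix}`);
}
```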

Offline My1

  • Member
  • Posts: 34
  • sorry I am still unexperienced...
Re: Report HTTPS errors here (SSL)
« Reply #2 on: May 18, 2015, 08:18:30 pm »
I second the fact that the flattr buttons are being fetched over http, also I see that the images are being loaded unencrypted as well, firefox doesn't care much yet but I dunno about the other browsers...

Offline Deafboy91

  • Member
  • Posts: 83
  • I can't hear you!
Re: Report HTTPS errors here (SSL)
« Reply #3 on: May 18, 2015, 10:19:26 pm »
I'm using Chrome and it says my connection is not private. NET::ERR_CERT_AUTHORITY_INVALID

Offline My1

  • Member
  • Posts: 34
  • sorry I am still unexperienced...
Re: Report HTTPS errors here (SSL)
« Reply #4 on: May 18, 2015, 10:54:27 pm »
yeah (s)he said before getting a valid cert for much money (and it does expire after some time)
(s)he wants to check everything else, so continue regardless of that error and have fun trying around...

Offline Pzc

  • Member
  • Posts: 830
Re: Report HTTPS errors here (SSL)
« Reply #5 on: May 19, 2015, 01:15:02 am »
I'm totally and utterly ignorant about thingies like this
so I might (and probably am) way off but I remembered
an old link from EFF regarding https, certificates and
related stuff:
Article on EFF's website and direct link to Let's Encrypt.

I don't know if it is at all relevant or not but I thought
I'd drop it in as a possible alternative to the usual cert
authority since it's supposedly free when it launches
now in mid 2015.
A casual stroll through a lunatic asylum shows that faith does not prove anything. -- Friedrich Nietzsche

Offline Tornado15550

  • Member
  • Posts: 171
Re: Report HTTPS errors here (SSL)
« Reply #6 on: May 19, 2015, 05:44:42 am »
Both the tracker and the forums aren't letting me switch my avatar from TinyPic (which doesn't support SSL) to Imgur (which does support SSL). When I input an https imgur URL into the avatar field, the avatar isn't activated. I would assume switching the avatars to HTTPS would help reduce the site errors.

Edit: This is how AnimeBytes managed to resolve the SSL errors:
Quote
External images are now automatically sent through an AB host. This is to reduce potential tracking of users browsing the site, ensure we have full HTTPS coverage (mixed content warnings should not appear now), and mitigate potential phishing attacks. If you notice any non-HTTPS or external images being loaded, feel free to report them to the staff.
« Last Edit: May 19, 2015, 05:46:41 am by Tornado15550 »

Online Duki3003

  • Admin
  • Member
  • Posts: 4855
Re: Report HTTPS errors here (SSL)
« Reply #7 on: May 19, 2015, 08:39:06 am »
We are aware of how ab resolved this, however there is a big difference - they're servicing around 12.000 people, while we have around 240.000
Because of this we can't exactly approach it in the same way, however we will likely use BakaSHOTS for that purpose, but this will take a bit of work to prepare before we set up SSL.
So for now we'll keep things the way they are, with mixed content warnings.

Offline DaFog

  • Member
  • Posts: 3
Re: Report HTTPS errors here (SSL)
« Reply #8 on: May 19, 2015, 09:55:58 am »
Hi.

I don't know if it has something to do with SSL activation... but since the SSL activation the RSS feed seems to have stopped working.

It always returns an empty list.

Offline qbin

  • Member
  • Posts: 2
Re: Report HTTPS errors here (SSL)
« Reply #9 on: May 19, 2015, 06:19:16 pm »
According to Symantec, something is fatally wrong with certificates installation order:
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

It seems like the third one shouldn't be there at all.

Offline yugonline

  • Member
  • Posts: 15
Re: Report HTTPS errors here (SSL)
« Reply #10 on: May 19, 2015, 07:19:56 pm »
Safari 8.0.6
I don't get that cute little padlock icon I usually get on other https websites.
I got it the first time I used https for forums but then it disappeared and on main website it didn't appear at all. This is probably not an error or anything since the url still shows https. But just thought I'd report it here.

Offline FoRCe

  • Member
  • Posts: 146
  • Cookie?
Re: Report HTTPS errors here (SSL)
« Reply #11 on: May 19, 2015, 08:02:21 pm »
Quote from: qbin
According to Symantec, something is fatally wrong with certificates installation order:
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

It seems like the third one shouldn't be there at all.

Including that cert seems to be an old way of doing it and is not recommended anymore. I fixed the order and removed the legacy cert. :)

Online Duki3003

  • Admin
  • Member
  • Posts: 4855
Re: Report HTTPS errors here (SSL)
« Reply #12 on: May 19, 2015, 08:12:29 pm »
Quote from: yugonline
Safari 8.0.6
I don't get that cute little padlock icon I usually get on other https websites.
I got it the first time I used https for forums but then it disappeared and on main website it didn't appear at all. This is probably not an error or anything since the url still shows https. But just thought I'd report it here.

The padlock is missing because of the mixed content, this is what I explained in my previous post (the mixed content warnings)

Offline Ellimist

  • Member
  • Posts: 5
Re: Report HTTPS errors here (SSL)
« Reply #13 on: May 19, 2015, 11:10:25 pm »
Whenever I move sites to SSL with mixed content, as in, avatars/images from non SSL hosts, I set up a camo instance. It's a reverse proxy running on Node.js, that routes insecure content through a secure URL.
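A sketch of how a signed image-proxy URL of this kind works, as an added example that is not part of the original post and is not camo's own code. It assumes the scheme camo documents (an HMAC-SHA1 digest of the target URL followed by the hex-encoded URL); the proxy host `camo.example` and the shared key are constructed placeholders.

```javascript
const nodeCrypto = require("crypto");

const CAMO_HOST = "https://camo.example";       // hypothetical proxy host
const CAMO_KEY = "constructed-shared-secret";   // constructed; load from secret config in practice

// HMAC over the target URL: only someone holding the key can mint valid proxy URLs.
function digest(url, key) {
  return nodeCrypto.createHmac("sha1", key).update(url).digest("hex");
}

// Site side: rewrite an http:// image URL to https://<proxy>/<digest>/<hex-encoded url>.
function camoUrl(url, key = CAMO_KEY) {
  if (!/^http:\/\//i.test(url)) return url;     // already https or relative, nothing to proxy
  return `${CAMO_HOST}/${digest(url, key)}/${Buffer.from(url, "utf8").toString("hex")}`;
}

// Proxy side: return the target URL only if the digest matches, otherwise null.
// Without this check the proxy would fetch any URL a client asks for (an open proxy).
function verifyCamoPath(path, key = CAMO_KEY) {
  const m = /^\/([0-9a-f]{40})\/((?:[0-9a-f]{2})+)$/.exec(path);
  if (!m) return null;
  const target = Buffer.from(m[2], "hex").toString("utf8");
  const expected = Buffer.from(digest(target, key), "hex");
  const given = Buffer.from(m[1], "hex");
  // Both buffers are 20 bytes, so a constant-time comparison is valid here.
  if (!nodeCrypto.timingSafeEqual(expected, given)) return null;
  return /^https?:\/\//i.test(target) ? target : null;
}

// Constructed avatar URL on a host without TLS.
const signed = camoUrl("http://images.example/avatar.jpg");
console.log(signed);
console.log(verifyCamoPath(signed.slice(CAMO_HOST.length)));
```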

Offline FoRCe

  • Member
  • Posts: 146
  • Cookie?
Re: Report HTTPS errors here (SSL)
« Reply #14 on: May 20, 2015, 12:16:33 am »
Quote from: Ellimist
Whenever I move sites to SSL with mixed content, as in, avatars/images from non SSL hosts, I set up a camo instance. It's a reverse proxy running on Node.js, that routes insecure content through a secure URL.

Interesting, I'll take a look if it's an option for us to run something like this :)

Offline polka_chan

  • Member
  • Posts: 17
Re: Report HTTPS errors here (SSL)
« Reply #15 on: May 20, 2015, 12:51:34 pm »
icons are missing for some reason, tried relogging in and used another browser, still the same.

Offline Tornado15550

  • Member
  • Posts: 171
Re: Report HTTPS errors here (SSL)
« Reply #16 on: May 21, 2015, 08:05:33 am »
One of the main concerns about enabling HTTPS was server load. How is the server coping with the addition of HTTPS?

Offline My1

  • Member
  • Posts: 34
  • sorry I am still unexperienced...
Re: Report HTTPS errors here (SSL)
« Reply #17 on: May 21, 2015, 08:57:43 am »
also I get a note that the Google analytics cert uses sha1, which seems not to be known to be very secure... and is quite weird considering that google itself doesn't recommend sha1 certs anymore and the fact that it was made on the 6th May this year, so quite recently.

Offline FoRCe

  • Member
  • Posts: 146
  • Cookie?
Re: Report HTTPS errors here (SSL)
« Reply #18 on: May 21, 2015, 06:47:51 pm »
Quote from: Tornado15550
One of the main concerns about enabling HTTPS was server load. How is the server coping with the addition of HTTPS?

Barely any difference in load ^^

Offline Astara

  • Member
  • Posts: 252
Re: Report HTTPS errors here (SSL)
« Reply #19 on: July 11, 2015, 12:08:41 pm »
Quote from: FoRCe
Update:
Meanwhile both have a valid cert :)
Be aware that once you have visited the SSL versions the browser won't allow you to use http anymore because of our enforced HSTS setting.

HSTS?  visited the SSL versions? 

Well, confused as ever, I just tried to visit this site and got this message:

Secure Connection Failed

An error occurred during a connection to bakabt.me.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

  •     The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  •     Please contact the website owners to inform them of this problem.

Note: I tried main page (bakabt.me) and the browse page.

It was only after re-enabling the "cracked" SSL protos:

security.ssl3.dhe_rsa_aes_128_sha &
security.ssl3.dhe_rsa_aes_256_sha

A recent update  disabled most of the ssl3 protos and left a few, but I think it is only a matter of time before they go.
Note,  I've tried TLS w/my imap server & Tbird... Tbird kept hanging.  Seems there are problems in the connection setup.

I turned off encryption and just let it use IMAP in cleartext, and now Tbird is all happy.

I had turned off all SSL3's for my browser (recently/currently using PaleMoon v25.0.1) == FF24.9, I think, but is x64 instead of ia32).  That didn't last long -- too many sites don't have TLS configured.  I went back to the setting from my last security update on this browser, but that cut out baka. 

Baka seems to not want to talk if I disable the lower-security (aes_128) proto (doesn't seem to have or try the 256 bit one, but from what I hear... both are no good.  Diffie-Hellman is such that software is upgrading to a 2048-bit key requirement.

Anyway, Don't know the solution, but was passing on the gory problem details...   :(

A*a