chrome to start naming and shaming

Post by **psyolent** » Mon Sep 12, 2016 10:08 am

fyi dudes

http://www.itnews.com.au/news/chrome-to ... tes-436765

in essence all non https sites will be flagged as being, well, not secured.

don't 'password' share your password with other sites, as, if the site is HTTP only, then, passwords are sent in plain text.

admins, any thoughts to a SSL cert for our fine site? happy to donate to make it possible. just say when.

Post by **antus** » Mon Sep 12, 2016 7:09 pm

We have had one for some time. Ive just been reluctant to force https as it could break someone somewhere. Untill i flick the forum switch some images etc remain http so right now you might see a mixed content warning. Trivial to lock it in properly though. Feel free to use it

Maybe this is just the reason to start forcing it.

https://pcmhacking.net/forums/

It should score highly here too:
https://www.ssllabs.com/ssltest/analyze ... net&latest

Click the hosts once its run to see the details.

Dylan · Post by **Dylan** » Mon Sep 12, 2016 7:20 pm

New bookmark saved.

Post by **psyolent** » Mon Sep 12, 2016 9:11 pm

good stuff antus.
it will sook over the non HTTPS stuff until you get that action solved mate, and all that HSTS shit.
as i mentioned b4 alot of people share their welcome1 passwords across sites and ; given the pwnedlists which are coming out these days every user almost needs to have a full blown password manager .....

Post by **antus** » Mon Sep 12, 2016 9:23 pm

Well, what do you know. Its was only the ipv6 logo at the bottom that was hard coded http (and didnt have a secure https server backing it). I moved the image over locally and that has resolved the mixed content warning. I dont think HSTS is a problem, and the apache build is too old to support it. Its fine for now and the next few years.

I wonder if I should force https though? Cant be a bad thing right? If anyone still wants to use the forum on android 2.x or internet explorer 6, or internet explorer 8 on windows XP speak now.... you're the folks who will have problems.

j_ds_au · Post by **j_ds_au** » Mon Sep 12, 2016 10:52 pm

Only the login need/should be SSL/TLS.

As for Chrome, couldn't care less ...

Joe.

Post by **antus** » Mon Sep 12, 2016 11:03 pm

Well ive forced the whole site https (I dont have the time or care to find and add hooks for the various bits of login). Lets see what happens. Now the mixed content thing is solved it should work pretty well.

Post by **Tazzi** » Mon Sep 12, 2016 11:08 pm

antus wrote:Well ive forced the whole site https (I dont have the time or care to find and add hooks for the various bits of login). Lets see what happens. Now the mixed content thing is solved it should work pretty well.

Was the first thing I noticed.. bright green https up in the top corner!. Seems to be working hunky dorey

immortality · Post by **immortality** » Tue Sep 13, 2016 5:17 am

Working here for me.

Post by **psyolent** » Tue Sep 13, 2016 7:01 am

Only the login need/should be SSL/TLS.

no, not really buddy, the whole shebang does, as, traffic can be intercepted (read hijacked) with mixed content ....
working all AOK here antus - good work. note the MITM web gateway has injected its cert in place of yours so it can inspect ; and ; it still works. no ssl bypass for me

chrome to start naming and shaming

chrome to start naming and shaming

Re: chrome to start naming and shaming

Re: chrome to start naming and shaming

Re: chrome to start naming and shaming

Re: chrome to start naming and shaming

Re: chrome to start naming and shaming

Re: chrome to start naming and shaming

Re: chrome to start naming and shaming

Re: chrome to start naming and shaming

Re: chrome to start naming and shaming