ADISC via HTTPS (SSL Encryption)

Status
Not open for further replies.

Moo

ADISC Admin
Staff
Messages
5,442
Role
  1. Private
ADISC.org is now available via HTTPS, for increased privacy.

We're offering encryption similar to that used by e-commerce sites.

If you want to test out using ADISC via an encrypted, HTTPS connection, use this link: ADISC with Encryption.
Your browser should already support this, so you should not need to download or install anything to make this work.

Note that:
(1) The encryption might slow down page load times very slightly.
(2) It is not guaranteed to be bug-free. You may get warnings, such as "root certificate not recognized", or bugs (such as being redirected back to the http:// version) may occur.

If you do encounter bugs or problems with it, please post about them here so I can take a look. :)
 

Moo

ADISC Admin
Staff
Messages
5,442
Role
  1. Private
You're right, the "Top Stats" box on the homepage won't load when using SSL. I'll investigate...
 

Dude84

Banned
Messages
408
Role
  1. Adult Baby
I've just tried this and it redirects to the "standard" unencrypted http version...
 

Spiro910

Est. Contributor
Messages
381
Role
  1. Diaper Lover
  2. Babyfur
I'm sorry to ask this, but what would be the benefits of HTTPS over HTTP other than keeping your password safe? :)/ I srsly don't know D=)
 

Pojo

Est. Contributor
Messages
5,919
Role
  1. Private
Clicking on a picture in the Gallery sets it back to http://. It doesn't switch back afterwards.

So does the banned members log
 

recovery

Est. Contributor
Messages
1,234
Role
  1. Other
I'm sorry to ask this, but what would be the benefits of HTTPS over HTTP other than keeping your password safe? :)/ I srsly don't know D=)

It says for "increased privacy" basically meaning no one can snoop on your web activities, from a router logging all the URLs of all the HTTP data that passes through it? However, you can still log the IP it's connecting to. With that, you can do reverse DNS and/or get the SSL certificate and see what it is valid for, to which you'll find it's adisc.org.

But there is no way of telling who you are (what is your username) and what you post and what pages you are looking at. Provided everything is over https/SSL and therefore should be encrypted. An analogy being, people see you walk in and out of the doctor's, but don't know what you are saying when you are behind those doors.


I am quite surprised that Moo decided to implement this, because it's going to take a lot of work to implement fully. A while ago I did think whether adisc should use HTTPS for privacy reasons, because at times I feel that clear text is inadequate, despite whether someone is or isn't snooping. It just increases confidence within the system.

I don't have the time at the moment, but I may have a little play around and see what things are and what does what on this site that breaks down the confidence of the system.
 

NoobSauce

Est. Contributor
Messages
328
Role
  1. Diaper Lover
  2. Sissy
(GoDaddy...? Ick.)

Firefox says there's some stuff on the page that was "not encrypted before being transmitted over the internet". What stuff would that be?
 

Dude84

Banned
Messages
408
Role
  1. Adult Baby
I must admit, I still have my doubts...

As NoobSauce commented. Also, "This web site does not supply identity information."

:-S

Edit: Was going to provide a screen capture of the relevant Firefox window, the link to my main reference server is broken. :-(
 

Moo

ADISC Admin
Staff
Messages
5,442
Role
  1. Private
re: non-encrypted stuff... I haven't finished getting things so that when using HTTPS, *everything* is encrypted. If you can provide the URL of the page where you got that error, to me, via PM, I'll look into it :)

As to the "identity information" notice, the #1 Google result for that error message is this topic on the mozilla forums, which seems to indicate that the error is highly misleading, and not really a cause for concern.
 

DannyTheNinja

Banned
Messages
852
Role
  1. Private
The only remaining unencrypted element is the Skype status icons. That can be resolved easily with a simple PHP script:

Code:
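<?php

// skypestatus.php
// Fetches a user's Skype status icon server-side so the page can serve it
// from the site's own HTTPS origin instead of embedding an http:// image.

if ( !isset($_GET['u']) || !is_string($_GET['u']) )
  die();

$user = $_GET['u'];
// nul byte, eek!
if ( strstr($user, "\000") )
  die();

// Encode the name so it stays a single path segment of the fixed Skype URL
// and cannot add extra path components or a query string.
$url = 'http://mystatus.skype.com/smallicon/' . rawurlencode($user);

$image = @file_get_contents($url);
if ( empty($image) )
  // download failed!
  die();

header('Content-type: image/png');
// Expire 10 minutes from now, to throttle requests a bit...
// (HTTP dates must be expressed in GMT)
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 600) . ' GMT');

echo $image;

Then just change your postbit to point to skypestatus.php?u=<skype username> instead of mystatus.skype.com/smallicon/<skype username>.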

--Danny :ninja:
 

DannyTheNinja

Banned
Messages
852
Role
  1. Private
*bump*

I've found a few remaining HTTPS bugs:

  • The Banned Members Log links via http
  • Most everything in the gallery is http
  • Staff only really, but links in reported posts are http.
--Danny :ninja:
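
The leftovers reported in this thread (an embedded http:// Skype status icon, same-site links that drop the visitor back to http://) can be found by scanning a page's markup for plain-HTTP references. This is an added example, not code from the thread or from ADISC; the host `forum.example`, the sample paths and the `scan` helper are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> kind. "active" can rewrite the page, "passive" leaks the
# request, "downgrade" is a same-site link that drops the visitor back to HTTP.
KINDS = {("script", "src"): "active", ("iframe", "src"): "active",
         ("img", "src"): "passive", ("video", "src"): "passive",
         ("a", "href"): "downgrade", ("form", "action"): "downgrade"}


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for plain-HTTP references on an HTTPS page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = KINDS.get((tag, name))
            if kind is None or not value:
                continue
            # Relative and protocol-relative URLs inherit the page's https scheme.
            url = urlsplit(urljoin(self.page_url, value.strip()))
            # HTTP links to other sites are ordinary; same-site ones are the bug.
            external = kind == "downgrade" and url.hostname != self.site_host
            if url.scheme == "http" and not external:
                self.findings.append((kind, tag, url.geturl()))


def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: hypothetical host and paths, not ADISC's markup.
SAMPLE_URL = "https://forum.example/threads/1"
SAMPLE_HTML = """
<script src="//cdn.example/lib.js"></script>
<script src="http://stats.example/top10.js"></script>
<img src="http://mystatus.skype.com/smallicon/example_user">
<img src="skypestatus.php?u=example_user">
<a href="http://forum.example/gallery/42">Gallery picture</a>
<a href="http://other.example/">External site</a>
"""
```

Calling `scan(SAMPLE_URL, SAMPLE_HTML)` reports the http:// script, the direct Skype icon and the same-site gallery link, and passes over the proxied `skypestatus.php` image because it resolves to the page's own HTTPS origin.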
 

Moo

ADISC Admin
Staff
Messages
5,442
Role
  1. Private
HTTPS is now the default on ADISC.

For Firefox users, 'ADISC' (or just our logo) should appear with a blue background in your address bar, indicating that your connection is encrypted.

Only problem I've noticed so far with the https address is the "top 10 stats" and "latest posts" list on https://www.adisc.org/forum/ never seem to load. They work ok for others?

Fixed.

Clicking on a picture in the Gallery sets it back to http://. It doesn't switch back afterwards.

So does the banned members log

Fixed.


The only remaining unencrypted element is the Skype status icons. That can be resolved easily with a simple PHP script:

Code:
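<?php

// skypestatus.php
// Fetches a user's Skype status icon server-side so the page can serve it
// from the site's own HTTPS origin instead of embedding an http:// image.

if ( !isset($_GET['u']) || !is_string($_GET['u']) )
  die();

$user = $_GET['u'];
// nul byte, eek!
if ( strstr($user, "\000") )
  die();

// Encode the name so it stays a single path segment of the fixed Skype URL
// and cannot add extra path components or a query string.
$url = 'http://mystatus.skype.com/smallicon/' . rawurlencode($user);

$image = @file_get_contents($url);
if ( empty($image) )
  // download failed!
  die();

header('Content-type: image/png');
// Expire 10 minutes from now, to throttle requests a bit...
// (HTTP dates must be expressed in GMT)
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 600) . ' GMT');

echo $image;

Then just change your postbit to point to skypestatus.php?u=<skype username> instead of mystatus.skype.com/smallicon/<skype username>.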

--Danny :ninja:

Added.

*bump*

I've found a few remaining HTTPS bugs:

  • The Banned Members Log links via http
  • Most everything in the gallery is http
  • Staff only really, but links in reported posts are http.
--Danny :ninja:

1 & 2 are fixed.
3 should be fixed for future reports.

Moo can you make it so that all links in posts linking to adisc that are put as ADISC - Powered by our will to be young again are changed to https://www.adisc.org/ when browsing through https.

Future ones should come up in HTTPS. Past ones... well, I'm inclined to leave them as is for now.
 

mm3

Est. Contributor
Messages
1,795
Role
  1. Carer
  2. Other
HTTPS is now the default on ADISC.

For Firefox users, 'ADISC' (or just our logo) should appear with a blue background in your address bar, indicating that your connection is encrypted.

Yes and yes.
 

ade

Est. Contributor
Messages
3,901
Role
  1. Other
my security keeps prompting for a decision to install 'googleapis' certificate; though i like google search, i don't trust them one bit and am hesitant to allow this certificate in case it's a snooping/spying thing.
is my paranoia well placed?
 

kapi

Est. Contributor
Messages
631
Role
  1. Diaper Lover
Oh wow. Didn't expect a signed cert and default encryption :D
 