HTTPS is now supported on Hydrogen Audio

Thanks to the work of Spoon and Garf, our server administrators, Hydrogen Audio now supports HTTPS. We even get a glorious "A" rating on SSL Labs. So edit your bookmarks to point to https://www.hydrogenaud.io/, and enjoy not being spied on.

HTTPS is also enabled on foobar2000.org.

If you notice any HTTPS-related problems, do let us know.

Reply #1
Praise upon the Garf!

> chacker

I have a mighty need to use this word for something, but I'm not sure what.

Reply #2
You will still see mixed content warnings in every thread where users link to external images. I don't think much can be done about that unless it's just disallowed.
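
The mixed-content problem raised in Reply #2, as an added example that is not part of the original thread or the forum's software: a Python audit that scans rendered post HTML for subresources still loaded over `http://` and classifies them as passive or active. The sample HTML and host names are constructed, and `audit` and `upgrade` are hypothetical helper names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> (URL attribute, mixed-content class). "passive" content (images, media)
# has historically only drawn a browser warning; "active" content (scripts,
# frames, stylesheets) is blocked because it can rewrite the whole page.
SUBRESOURCES = {
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"),  # only rel=stylesheet is checked below
}

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (class, tag, url)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # <a href> is navigation, not a subresource load
        attr, kind = SUBRESOURCES[tag]
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # other <link> relations are ignored in this example
        url = (a.get(attr) or "").strip()
        if urlsplit(url).scheme.lower() == "http":
            self.findings.append((kind, tag, url))

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def upgrade(url):
    """Rewrite http:// to https://; only valid if the host really serves HTTPS."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    return parts._replace(scheme="https").geturl()

# Constructed sample of a rendered post body (hosts are placeholders).
SAMPLE = """<div class="post"><a href="http://example.org/page">link</a>
<img src="http://images.example.net/cover.jpg">
<img src="https://images.example.net/ok.png">
<img src="//cdn.example.net/rel.png">
<script src="http://cdn.example.net/w.js"></script></div>"""

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE):
        print(f"{kind:8} <{tag}> {url} -> {upgrade(url)}")
```

Scheme-relative (`//host/...`) and `https://` URLs pass the audit because they inherit or already use the secure scheme; plain links are skipped because following a link is not a mixed-content load.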

 

Reply #4
The Wiki is on a different server and doesn't support HTTPS yet.

Edit: It would actually need a separate cert too because it's a different domain.

Reply #5
ah, ok then.

how about automatic re-direction of http > https? that doesn't appear to be implemented at the moment but is usually standard when a site supports https.

Reply #6
> how about automatic re-direction of http > https? that doesn't appear to be implemented at the moment but is usually standard when a site supports https.

You'll get redirected when you just enter the domain name. Not if you follow an HTTP link to inside the forums. Maybe the latter can be done if it's verified nothing important is broken.

Reply #7
For the layman (and I surely am a big, fat one when it comes to internet protocols) what does it actually change?

I mean, whom we're 'not being spied on' by any more: Government? Evil empires? Ministry of Truth?
Listen to the music, not the media it's on.
União e reconstrução

Reply #8
> I mean, whom we're 'not being spied on' by any more: Government? Evil empires? Ministry of Truth?

That's what it addresses...

Creature of habit.

Reply #9
Note that without https, not just the usual suspects (your ISP, governments) can see which sites you visit and which messages you exchange. In some instances, such as when using an open WLAN, *anyone* with access to that network can see all your traffic as clear text.
Also note that https doesn't protect your privacy with regard to the domains you visit. So it's still open that you visit HA. What's not open is that you visited this thread and inquired about what the https protocol does for you.

Reply #10
The main thing it does for a site like HA is indeed avoid your connection getting intercepted on something like a public Wifi.

There are also some phone/data providers (particularly in the USA) that will add advertising/tracking information to your connection. Using HTTPS stops this cold, too.

Reply #11
> If you notice any HTTPS-related problems, do let us know.

Well, it would be nice for backwards-compatibility's sake if the site would fall back to HTTP when browsers don't support the encryption. It's now almost impossible to browse HA on a text-only browser such as Lynx, as all URLs default to HTTPS, and Lynx doesn't support it, so you have to type every URL manually without the "s" to get the regular version of each page. HA is also equally difficult to navigate now with older browsers that only support SSLv3 and TLS 1.0-era encryption standards, as your certificate doesn't allow them, so you'll get encryption failure errors when clicking any link on the site and when loading every... single... post (if you manually paste thread links without the "s" in order to be able to access the thread at all). Changing the URLs doesn't work for making posts, though, as the "Post" button forces HTTPS, so the post won't go through.

Unless you're planning to force HTTPS, it would be nice if the site could fall back more gracefully than it does at present.

Reply #12
The site works just fine with my version of Lynx.

No offence but allowing fall back to insecure modes essentially defeats the whole purpose of TLS. At some point you have to stop supporting inherently insecure clients for the benefit of everyone else. Unless you're running IE 6 on Windows XP you can support reasonably secure communications. And if you are running IE6 on WinXP, well, frankly that's your problem, not ours.

Reply #13
There's a difference between HTTPS being supported and being forced, and since this isn't a site where financial transactions or other sensitive information gets exchanged, I don't think there's any particular reason why fallbacks would be problematic for those who don't have a problem with browsing and posting over HTTP.

Reply #14
Fallback is probably impossible for this script without forcing http:// in the forum script and somehow forcing the transparent reverse proxy that handles the https to convert all forum links to https on outbound pages.

Reply #15
> There's a difference between HTTPS being supported and being forced, and since this isn't a site where financial transactions or other sensitive information gets exchanged, I don't think there's any particular reason why fallbacks would be problematic for those who don't have a problem with browsing and posting over HTTP.

HTTPS on and forced by default on every site I visit would make me very happy.  If your browser is too old to support HTTPS on a forum, I'm actually very concerned for you.

Although some sites let you toggle it on and off.  To each their own.

In this day of cyber breaches and other stuff, I'd rather have some old browsers not work at all than try to support them, because that can endanger others.

Reply #16
> older browsers that only support SSLv3 and TLS 1.0-era encryption standards

I am pleased to report that the site is working well in Opera 12, in either TLS 1.0 or 1.2 (if the latter is enabled). HA is also still responsive enough. Actually, Opera 10 works too. I pray that an update of the forum engine isn't planned, which will definitely slow down everything with "web 2.0" features. Along with Doom9, this is one of the last remaining classic, uncluttered forums.

I also think that SSL isn't essential on sites that don't deal with finances or particularly controversial subjects. Unfortunately it is forced on most of the web now, and almost everybody thinks it is a good thing.

Reply #17
> I pray that an update of the forum engine isn't planned, which will definitely slow down everything with "web 2.0" features. Along with Doom9, this is one of the last remaining classic, uncluttered forums.

I see we share some of the same sensibilities. I've actually found that using an ancient browser on some modern forum software is quite advantageous, as all of the time-wasting JavaScript screen dimming and animated loading bars don't work, so pages load quickly and cleanly, as they should.

> I also think that SSL isn't essential on sites that don't deal with finances or particularly controversial subjects. Unfortunately it is forced on most of the web now, and almost everybody thinks it is a good thing.

Sadly, yes. I am of the opinion that compatibility should always take priority when functionality and security are not at stake (i.e. that a compatible solution doesn't sacrifice major features or security benefits), and considering that everything we post is publicly viewable on the web, I see no reason to force HTTPS on a forum. I know that some people need to hide their activity from nosy ISPs and restrictive governments, but that's what TOR and other encryption + anonymisation software is for.

Reply #18
> I see we share some of the same sensibilities. I've actually found that using an ancient browser on some modern forum software is quite advantageous, as all of the time-wasting JavaScript screen dimming and animated loading bars don't work, so pages load quickly and cleanly, as they should.

What's your IP Address?  *hides a vulnerability list*  JK.  Seriously, though.  Don't some modern browsers allow disabling Javascripts via methods of sorts?

> Sadly, yes. I am of the opinion that compatibility should always take priority when functionality and security are not at stake (i.e. that a compatible solution doesn't sacrifice major features or security benefits), and considering that everything we post is publicly viewable on the web, I see no reason to force HTTPS on a forum. I know that some people need to hide their activity from nosy ISPs and restrictive governments, but that's what TOR and other encryption + anonymization software is for.

It's more to prevent a man in the middle type of attack and other kinds of snooping of that nature.  It's called privacy and yes it's a public forum...  But I don't think you want someone snooping on you constantly every time you're online.  Imagine if you had a stalker (hope no one here has one BTW) who was capable of reading everything you did online, even your Private Messages on a board because there's no HTTPS anywhere you visit... 

Reply #19
> I am of the opinion that compatibility should always take priority when functionality and security are not at stake

Compatibility with what? As far as I know, HTTPS works with all current browsers, including Lynx if it's compiled with OpenSSL support.

Reply #20
> HTTPS is now supported on Hydrogen Audio

Thank you.

Reply #21
> Note that without https, not just the usual suspects (your ISP, governments) can see which sites you visit and which messages you exchange. In some instances, such as when using an open WLAN, *anyone* with access to that network can see all your traffic as clear text.
> Also note that https doesn't protect your privacy with regard to the domains you visit. So it's still open that you visit HA. What's not open is that you visited this thread and inquired about what the https protocol does for you.

Many thanks.
Listen to the music, not the media it's on.
União e reconstrução

Reply #22
> Imagine if you had a stalker (hope no one here has one BTW) who was capable of reading everything you did online, even your Private Messages on a board because there's no HTTPS anywhere you visit...

Plenty of people have those kind of stalkers. They are called employers. Or parents.

Reply #23
> > Imagine if you had a stalker (hope no one here has one BTW) who was capable of reading everything you did online, even your Private Messages on a board because there's no HTTPS anywhere you visit...
>
> Plenty of people have those kind of stalkers. They are called employers. Or parents.

The first is avoidable if you're careful enough unless you work for the feds or the mob (not sure who is more competent there).  The second not so much because you're screwed and if you're living in a group home, good luck because you're super screwed.

I'm talking about a lot worse like the creep you told to go away and doesn't get the message and finds a way into your Wi-Fi or internet connection without anyone noticing.

Reply #24
So, when Windows asks me, when I join a new Wifi network, whether I want to designate it as  'public', 'work', or 'home',  what protections if any does selecting 'public' provide?