Hydrogenaudio Forums

Hydrogenaudio Forum => Validated News => Topic started by: Jens Rex on 2015-09-09 10:48:31

Title: HTTPS is now supported on Hydrogen Audio
Post by: Jens Rex on 2015-09-09 10:48:31
Thanks to the work of Spoon and Garf, our server administrators, Hydrogen Audio now supports HTTPS. We even get a glorious "A" rating on SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=hydrogenaud.io). So edit your bookmarks to point to https://www.hydrogenaud.io/ (https://www.hydrogenaud.io/), and enjoy not being spied on.

HTTPS is also enabled on foobar2000.org (https://www.foobar2000.org/).

If you notice any HTTPS-related problems, do let us know.
Title: HTTPS is now supported on Hydrogen Audio
Post by: dhromed on 2015-09-09 11:41:52
Praise upon the Garf!

> chacker

I have a mighty need to use this word for something, but I'm not sure what,
Title: HTTPS is now supported on Hydrogen Audio
Post by: Garf on 2015-09-09 12:47:53
You will still see mixed content warnings in every thread where users link to external images. I don't think much can be done about that unless it's just disallowed.
Title: HTTPS is now supported on Hydrogen Audio
Post by: marc2003 on 2015-09-09 12:59:12
i get an invalid certificate warning if i try to browse the wiki over https. if i accept the certificate anyway, i get 404 page not found...

https://wiki.hydrogenaud.io/index.php?title...2000:Foobar2000 (https://wiki.hydrogenaud.io/index.php?title=Foobar2000:Foobar2000)


Title: HTTPS is now supported on Hydrogen Audio
Post by: Garf on 2015-09-09 13:00:08
The Wiki is on a different server and doesn't support HTTPS yet.

Edit: It would actually need a separate cert too because it's a different domain.
Title: HTTPS is now supported on Hydrogen Audio
Post by: marc2003 on 2015-09-09 13:21:49
ah, ok then.

how about automatic re-direction of http > https? that doesn't appear to be implemented at the moment but is usually standard when a site supports https.
Title: HTTPS is now supported on Hydrogen Audio
Post by: Garf on 2015-09-09 13:26:47
how about automatic re-direction of http > https? that doesn't appear to be implemented at the moment but is usually standard when a site supports https.


You'll get redirected when you just enter the domain name. Not if you follow an HTTP link to inside the forums. Maybe the latter can be done if it's verified nothing important is broken.
Title: HTTPS is now supported on Hydrogen Audio
Post by: includemeout on 2015-09-11 03:55:16
For the layman (and I surely am a big, fat one when it comes to internet protocols) what does it actually change?

I mean, whom we're 'not being spied on' by any more: Government? Evil empires? Ministry of Truth?
Title: HTTPS is now supported on Hydrogen Audio
Post by: Soap on 2015-09-11 04:04:39
I mean, whom we're 'not being spied on' by any more: Government? Evil empires? Ministry of Truth?

That's what it addresses...

Title: HTTPS is now supported on Hydrogen Audio
Post by: audiophool on 2015-09-11 04:25:30
Note that without https, not just the usual suspects (your ISP, governments) can see which sites you visit and which messages you exchange. In some instances, such as when using an open WLAN, *anyone* with access to that network can see all your traffic as clear text.
Also note that https doesn't protect your privacy with regard to the domains you visit. So it's still open that you visit HA. What's not open is that you visited this thread and inquired about what the https protocol does for you.
Title: HTTPS is now supported on Hydrogen Audio
Post by: Garf on 2015-09-11 08:11:20
The main thing it does for a site like HA is indeed avoid your connection getting intercepted on something like a public Wifi.

There are also some phone/data providers (particularly in the USA) that will add advertising/tracking information to your connection. Using HTTPS stops this cold, too.
Title: HTTPS is now supported on Hydrogen Audio
Post by: Aleron Ives on 2015-09-12 00:23:00
If you notice any HTTPS-related problems, do let us know.

Well, it would be nice for backwards-compatibility's sake if the site would fall back to HTTP when browsers don't support the encryption. It's now almost impossible to browse HA on a text-only browser such as Lynx, as all URLs default to HTTPs, and Lynx doesn't support it, so you have to type every URL manually without the "s" to get the regular version of each page. HA is also equally difficult to navigate now with older browsers that only support SSLv3 and TLS 1.0-era encryption standards, as your certificate doesn't allow them, so you'll get encryption failure errors when clicking any link on the site and when loading every... single... post (if you manually paste thread links without the "s" in order to be able to access the thread at all). Changing the URLs doesn't work for making posts, though, as the "Post" button forces HTTPS, so the post won't go through.

Unless you're planning to force HTTPS, it would be nice if the site could fall back more gracefully than it does at present.
Title: HTTPS is now supported on Hydrogen Audio
Post by: yourlord on 2015-09-12 01:50:19
The site works just fine with my version of Lynx.

No offence but allowing fall back to insecure modes essentially defeats the whole purpose of TLS. At some point you have to stop supporting inherently insecure clients for the benefit of everyone else. Unless you're running IE 6 on Windows XP you can support reasonably secure communications. And if you are running IE6 on WinXP, well, frankly that's your problem, not ours.
Title: HTTPS is now supported on Hydrogen Audio
Post by: Aleron Ives on 2015-09-12 03:10:04
There's a difference between HTTPS being supported and being forced, and since this isn't a site where financial transactions or other sensitive information gets exchanged, I don't think there's any particular reason why fallbacks would be problematic for those who don't have a problem with browsing and posting over HTTP.
Title: HTTPS is now supported on Hydrogen Audio
Post by: kode54 on 2015-09-12 03:27:40
Fallback is probably impossible for this script without forcing http:// in the forum script and somehow forcing the transparent reverse proxy that handles the https to convert all forum links to https on outbound pages.
Title: HTTPS is now supported on Hydrogen Audio
Post by: Chibisteven on 2015-09-12 06:58:23
There's a difference between HTTPS being supported and being forced, and since this isn't a site where financial transactions or other sensitive information gets exchanged, I don't think there's any particular reason why fallbacks would be problematic for those who don't have a problem with browsing and posting over HTTP.


HTTPS on and forced by default on every site I visit would make me very happy.  If your browser is too old to support HTTPS on a forum, I'm actually very concerned for you.

Although some sites let you toggle it on and off.  To each their own.

In this day of cyber breaches and other stuff.  I rather have some old browsers not work at all than try to support them because that can endanger others.
Title: HTTPS is now supported on Hydrogen Audio
Post by: j7n on 2015-09-12 07:00:05
older browsers that only support SSLv3 and TLS 1.0-era encryption standards
I am pleased to report that the site is working well in Opera 12, in either TLS 1.0 or 1.2 (if the later is enabled). HA is also still responsive enough. Actually, Opera 10 works too. I pray that an update of the forum engine isn't planned, which will definitely slow down everything with "web 2.0" features. Along with Doom9, this is one of the last remaining classic, uncluttered forums.

I also think that SSL isn't essential on sites that don't deal with finances or particulary controversial subjects. Unfortunately it is forced on most of the web now, and almost everybody things it is a good thing.
Title: HTTPS is now supported on Hydrogen Audio
Post by: Aleron Ives on 2015-09-12 07:59:30
I pray that an update of the forum engine isn't planned, which will definitely slow down everything with "web 2.0" features. Along with Doom9, this is one of the last remaining classic, uncluttered forums.

I see we share some of the same sensibilities. I've actually found that using an ancient browser on some modern forum software is quite advantageous, as all of the time-wasting JavaScript screen dimming and animated loading bars don't work, so pages load quickly and cleanly, as they should.

I also think that SSL isn't essential on sites that don't deal with finances or particulary controversial subjects. Unfortunately it is forced on most of the web now, and almost everybody things it is a good thing.

Sadly, yes. I am of the opinion that compatibility should always take priority when functionality and security are not at stake (i.e. that a compatible solution doesn't sacrifice major features or security benefits), and considering that everything we post is publicly viewable on the web, I see no reason to force HTTPS on a forum. I know that some people need to hide their activity from nosy ISPs and restrictive governments, but that's what TOR and other encryption + anonymisation software is for.
Title: HTTPS is now supported on Hydrogen Audio
Post by: Chibisteven on 2015-09-12 10:00:10
I see we share some of the same sensibilities. I've actually found that using an ancient browser on some modern forum software is quite advantageous, as all of the time-wasting JavaScript screen dimming and animated loading bars don't work, so pages load quickly and cleanly, as they should.

What's your IP Address?  *hides a vulnerability list*  JK.  Seriously, though.  Don't some modern browsers allow disabling Javascripts via methods of sorts?

Sadly, yes. I am of the opinion that compatibility should always take priority when functionality and security are not at stake (i.e. that a compatible solution doesn't sacrifice major features or security benefits), and considering that everything we post is publicly viewable on the web, I see no reason to force HTTPS on a forum. I know that some people need to hide their activity from nosy ISPs and restrictive governments, but that's what TOR and other encryption + anonymization software is for.

It's more to prevent a man in the middle type of attack and other kinds of snooping of that nature.  It's called privacy and yes it's a public forum...  But I don't think you want someone snooping on you constantly every time you're online.  Imagine if you had a stalker (hope no one here has one BTW) who was capable of reading everything you did online, even your Private Messages on a board because there's no HTTPS anywhere you visit... 
Title: HTTPS is now supported on Hydrogen Audio
Post by: Jens Rex on 2015-09-12 10:09:50
I am of the opinion that compatibility should always take priority when functionality and security are not at stake

Compatibility with what? As far as I know, HTTPS works with all current browsers, including Lynx if it's compiled with OpenSSL support.
Title: HTTPS is now supported on Hydrogen Audio
Post by: hidn on 2015-09-12 14:39:15
Quote
HTTPS is now supported on Hydrogen Audio

Thank you.
Title: HTTPS is now supported on Hydrogen Audio
Post by: includemeout on 2015-09-13 01:55:05
Note that without https, not just the usual suspects (your ISP, governments) can see which sites you visit and which messages you exchange. In some instances, such as when using an open WLAN, *anyone* with access to that network can see all your traffic as clear text.
Also note that https doesn't protect your privacy with regard to the domains you visit. So it's still open that you visit HA. What's not open is that you visited this thread and inquired about what the https protocol does for you.

Many thanks.
Title: HTTPS is now supported on Hydrogen Audio
Post by: mjb2006 on 2015-09-13 07:21:42
Imagine if you had a stalker (hope no one here has one BTW) who was capable of reading everything you did online, even your Private Messages on a board because there's no HTTPS anywhere you visit...

Plenty of people have those kind of stalkers. They are called employers. Or parents.
Title: HTTPS is now supported on Hydrogen Audio
Post by: Chibisteven on 2015-09-13 09:59:48
Imagine if you had a stalker (hope no one here has one BTW) who was capable of reading everything you did online, even your Private Messages on a board because there's no HTTPS anywhere you visit...

Plenty of people have those kind of stalkers. They are called employers. Or parents.


The first is avoidable if you're careful enough unless you work for the feds or the mob (not sure who is more competent there).  The second not so much because you're screwed and if you're living in group home, good luck because you're super screwed.

I'm talking about a lot worse like the creep you told to go away and doesn't get the message and finds a way into your Wi-Fi or internet connection without anyone noticing.
Title: HTTPS is now supported on Hydrogen Audio
Post by: krabapple on 2015-09-14 02:00:24
So, when Windows asks me, when I join a new Wifi network, whether I want to designate it as  'public', 'work', or 'home',  what protections if any does selecting 'public' provide?
Title: HTTPS is now supported on Hydrogen Audio
Post by: audiophool on 2015-09-14 02:41:25
So, when Windows asks me, when I join a new Wifi network, whether I want to designate it as  'public', 'work', or 'home',  what protections if any does selecting 'public' provide?

This is off-topic. My understanding is the network location setting affects discovery and sharing on the local network. What it does exactly depends on the Windows version and, possibly, settings you made.

Home is least restrictive, public is most restrictive. With public, things like file and printer sharing will be disabled. Furthermore, Windows won't announce that your computer is on the local network. It won't advertise resources via uPnP nor via a few other protocols.

As far as I understand from a support document on technet, the network location setting effectively allows or prohibits certain services and protocols in the Windows firewall.

However, http and https are not affected by this settting. They are allowed even when you choose "public".
Title: HTTPS is now supported on Hydrogen Audio
Post by: chaban on 2015-09-26 15:23:26
Some scripts on https://www.foobar2000.org/ (https://www.foobar2000.org/) still use HTTP URLs:
Code: [Select]
http://api.flattr.com/js/0.5.0/load.js?mode=auto
http://apis.google.com/js/plusone.js

They are booth available over HTTPS.
Title: HTTPS is now supported on Hydrogen Audio
Post by: schmidj on 2015-09-29 18:50:19
 There is an issue with new user registration now with HTTPS.  The Captcha you use to stop bots is not secure, and doesn't appear (display on the screen) on Firefox, (at least as my browser is configured) making it impossible to register as a new member.  In IE, it didn't appear, but the browser asked me if I wanted to see the unsecure content, and when I clicked yes, it appeared. 

Somehow, you need to make the Captcha insert secure, or others will be unable to register as new members.
Title: HTTPS is now supported on Hydrogen Audio
Post by: kode54 on 2015-09-30 02:34:17
This should be fixed now.
Title: HTTPS is now supported on Hydrogen Audio
Post by: greynol on 2015-09-30 02:45:28
Maybe this explains why we've gotten so little spam as of late?
Title: HTTPS is now supported on Hydrogen Audio
Post by: Sebastian Mares on 2015-10-02 09:40:36
Oh, nice! Any plans to add HSTS if everything is fine over HTTPS?
Title: HTTPS is now supported on Hydrogen Audio
Post by: Garf on 2015-11-09 17:28:01
Oh, nice! Any plans to add HSTS if everything is fine over HTTPS?


Probably want to work out how to do the redirects first.

HA does use HPKP.
Title: HTTPS is now supported on Hydrogen Audio
Post by: Garf on 2015-11-09 17:41:54
HTTP/2 is now supported on HA (not foobar2000.org)
SimplePortal 1.0.0 RC1 © 2008-2019