HTTPS for 6502.org?

WillisBlackburn
Posts: 51
Joined: 14 Aug 2021

Re: HTTPS for 6502.org?

Post by WillisBlackburn »

There's another issue with not supporting HTTPS that's unrelated to security, passwords, etc.: If you type 6502.org into the address bar in Chrome, it will attempt https://6502.org by default, and then the request will hang because 6502.org doesn't respond on the HTTPS port 443, not even with "refused." For a while I thought 6502.org was just occasionally down until I realized that it was only "down" when I typed the address and not when I followed links or bookmarks.
Mike Naberezny
Site Admin
Posts: 296
Joined: 30 Aug 2002
Location: Northern California

Re: HTTPS for 6502.org?

Post by Mike Naberezny »

We will be switching to HTTPS-only in April. I believe that all the preparatory work is done as best as we can do it and we just need to throw the switch now. Since we just upgraded the forum software, I am going to wait a little bit to see if anything unexpected happens.

The last issue preventing the forum from fully working on HTTPS was mixed content warnings. The forum no longer allows it, but for many years it allowed an "img" tag to be used, which directly displays an image from another site within the page ("inline image linking" or "hotlinking"). Over two thousand posts had this, most of which were links to HTTP. When an HTTP image is included on an HTTPS page, the browser either shows it as a broken image or shows security warnings. The result would be that the forum would seem to work but would be randomly broken if you happened to land on one of these posts.

This has been solved by downloading all of those images and hosting them on 6502.org, where they can be served on HTTPS. There's no visible difference in these posts. Some images have unfortunately gone missing since they were posted (404). For these, we show a message indicating that (random example). I've already looked on the Wayback Machine for all the 404'ed images. Unfortunately, there are a couple hundred that could not be found. It's a good lesson that anything not directly hosted on the forum can disappear.
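The migration described in the post above, sketched as an added example (not the forum's or the site admin's actual code): rewrite hotlinked image tags to locally hosted copies, substitute a notice for images that returned 404, and confirm that no insecure image remains. The BBCode `[img]...[/img]` syntax, the mirror path, the notice text and the sample data are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# BBCode inline image tag (assumed syntax): [img]URL[/img]
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
LOCAL_HOSTS = {"6502.org", "www.6502.org"}
MIRROR_BASE = "https://6502.org/mirrored/"            # hypothetical path
MISSING_NOTE = "[i](image no longer available)[/i]"   # hypothetical notice

def rewrite_post(body, mirrored):
    """Rewrite hotlinked images. `mirrored` maps an original URL to its local
    file name, or to None when the download returned 404."""
    report = []
    def repl(match):
        url = match.group(1).strip()
        parts = urlsplit(url)
        if parts.scheme == "https" and (parts.hostname or "") in LOCAL_HOSTS:
            return match.group(0)              # already served by the site
        if url not in mirrored:
            report.append(("unmirrored", url)) # needs a download pass first
            return match.group(0)
        if mirrored[url] is None:
            report.append(("missing", url))
            return MISSING_NOTE
        report.append(("rewritten", url))
        return "[img]" + MIRROR_BASE + mirrored[url] + "[/img]"
    return IMG_TAG.sub(repl, body), report

def insecure_images(body):
    """Image URLs that a browser would flag as mixed content on an HTTPS page."""
    urls = [u.strip() for u in IMG_TAG.findall(body)]
    return [u for u in urls if urlsplit(u).scheme != "https"]

# Constructed sample post and mirror map, not real forum data.
SAMPLE_POST = (
    "Schematic: [img]http://example.com/sch.png[/img]\n"
    "Photo: [IMG]http://example.net/gone.jpg[/IMG]\n"
    "Logo: [img]https://6502.org/images/logo.png[/img]\n"
    "Plain link: http://example.org/page.html"
)
SAMPLE_MIRROR = {"http://example.com/sch.png": "a1.png",
                 "http://example.net/gone.jpg": None}

if __name__ == "__main__":
    new_body, report = rewrite_post(SAMPLE_POST, SAMPLE_MIRROR)
    print(new_body)
    print(report, insecure_images(new_body))
```

Plain HTTP links in post text are left alone, since only embedded subresources such as images trigger mixed content warnings.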
fachat
Posts: 1124
Joined: 05 Jul 2005
Location: near Heidelberg, Germany

Re: HTTPS for 6502.org?

Post by fachat »

Many thanks, that's very good news!

I assume there will be a redirect from http to https?

André
Author of the GeckOS multitasking operating system, the usb65 stack, designer of the Micro-PET and many more 6502 content: http://6502.org/users/andre/
BigDumbDinosaur
Posts: 9428
Joined: 28 May 2009
Location: Midwestern USA (JB Pritzker’s dystopia)

Re: HTTPS for 6502.org?

Post by BigDumbDinosaur »

Mike Naberezny wrote:
We will be switching to HTTPS-only in April.
I have never worried much about someone stealing my forum password and using it to log in as me.  :D  It would be immediately evident to forum regulars that that individual is an imposter.  :shock:

That said, setting up the site to secure HTML may encourage more (human) web surfers to visit if they aren’t getting complaints from their browser about no security.  I will likely move my POC site to HTTPS in the near future just to keep up with the times.  Just gotta get an SSL cert and do some Apache configuration.
x86?  We ain't got no x86.  We don't NEED no stinking x86!
gilhad
Posts: 86
Joined: 26 Jan 2024
Location: Prague; Czech Republic; Europe; Earth

Re: HTTPS for 6502.org?

Post by gilhad »

BigDumbDinosaur wrote:
I have never worried much about someone stealing my forum password and using it to log in as me.  :D  It would be immediately evident to forum regulars that that individual is an imposter.  :shock:
The problem is that such an imposter may instead change the password (so you could not log in) and delete all your posts/delete the content/vandalise it ... so it would be clear that this was done by an imposter, but we could not read it anymore.
(Happened to me on some other forum.)
BigEd
Posts: 11464
Joined: 11 Dec 2008
Location: England

Re: HTTPS for 6502.org?

Post by BigEd »

Yes, session hijack no fun. Also, risk of malicious javascript injection or malicious modification of page content. Of course, it's all rather unlikely, but I look forward to seeing the upgrade when it happens.
dmsc
Posts: 154
Joined: 17 Sep 2018

Re: HTTPS for 6502.org?

Post by dmsc »

Hi!
Mike Naberezny wrote:
We will be switching to HTTPS-only in April. I believe that all the preparatory work is done as best as we can do it and we just need to throw the switch now. Since we just upgraded the forum software, I am going to wait a little bit to see if anything unexpected happens.
...
Quote:
This has been solved by downloading all of those images and hosting them on 6502.org, where they can be served on HTTPS. There's no visible difference in these posts.
Thank you very much for your hard work!
Mike Naberezny
Site Admin
Posts: 296
Joined: 30 Aug 2002
Location: Northern California

Re: HTTPS for 6502.org?

Post by Mike Naberezny »

fachat wrote:
I assume there will be a redirect from http to https?
Yes, there will be 301 redirects so existing links will continue to work.
BigDumbDinosaur
Posts: 9428
Joined: 28 May 2009
Location: Midwestern USA (JB Pritzker’s dystopia)

Re: HTTPS for 6502.org?

Post by BigDumbDinosaur »

gilhad wrote:
It would be immediately evident to forum regulars that that individual is an imposter.  :shock:
The problem is that such an imposter may instead change the password (so you could not log in) and delete all your posts/delete the content/vandalise it ... so it would be clear that this was done by an imposter, but we could not read it anymore.
(Happened to me on some other forum.)
I was joking, of course.  I am well aware of what might happen if an imposter could log in as me.

In years past, an unprotected website was no big deal, unless, of course, it involved processing of personally-sensitive information, such as a bank account number.  Now, with AI robots constantly scraping sites for data, no telling what could be intercepted and used for nefarious purposes.
x86?  We ain't got no x86.  We don't NEED no stinking x86!
GARTHWILSON
Forum Moderator
Posts: 8775
Joined: 30 Aug 2002
Location: Southern California

Re: HTTPS for 6502.org?

Post by GARTHWILSON »

gilhad wrote:
such an imposter may instead change the password (so you could not log in) and delete all your posts/delete the content/vandalise it ... so it would be clear that this was done by an imposter, but we could not read it anymore.
(Happened to me on some other forum.)
Because of automatic nightly backups, Mike could restore the forum after such vandalism, if it were to happen.  The only things to be lost would be the posts and edits done since the backup.
http://WilsonMinesCo.com/ lots of 6502 resources
The "second front page" is http://wilsonminesco.com/links.html .
What's an additional VIA among friends, anyhow?