No referral to the secure connection https://wedge.org/
[Security] BBCode in SQL Database »

Jurien

  • All i want is a couple days off
  • Posts: 132
No referral to the secure connection https://wedge.org/
« on March 19th, 2017, 10:49 AM »Last edited on March 19th, 2017, 11:28 AM
#Who.english.php <->Website credits page
No referral to the secure connection (SSL server certificate) wedge.org and this also applies to the license and authors reference

$txt['credits_wedge'] = 'Wedge is copyright © %5$s by %1$s, all rights reserved. It is distributed under the Wedge license.';

When for example change the link into:
$txt['credits_wedge'] = '<a href="https://wedge.org/"target="_blank">Wedge is copyright © %5$s by %1$s,all rights reserved. It is distributed under the Wedge license.';

Referral to the secure connection https://wedge.org/ is then oké.

 :edit: Also includes almost all links in Homepage Wedge.org

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: No referral to the secure connection https://wedge.org/
« Reply #1, on March 19th, 2017, 12:19 PM »
Well, IIRC I only added https support to wedge.org for testing. I'm only making use of it on lestrades.com, where sensitive (or more precisely, 'valuable') data can be shared. I keep asking my host to enable http/2 on nginx[1] but she won't budge. I had my websites hosted by someone else so I wouldn't have to deal with keeping a list of installed modules to update, but apparently I'm not the only one not willing to do that ahah.

Any reason you'd want to have an exclusive https connection? Because AFAIK it's a bit slower (5% at least?), and there is no sensitive data here-- everything is open source and passwords are encrypted before they're transmitted anyway.
 1. This would give me a good reason to move everything to https, by making everything load noticeably faster.

Jurien

  • All i want is a couple days off
  • Posts: 132
Re: No referral to the secure connection https://wedge.org/
« Reply #2, on March 19th, 2017, 12:37 PM »
Quote from Nao
Any reason you'd want to have an exclusive https connection?
Well a secure connection between internet browsers and websites is not a luxury it's a must, allowing to transmit details,passwords or any personal information.

So when an users on my Website which is secured with a SSL Certificate chooses to click on a link (on our credit page) it seems logical to me that this must be a secure connection.

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: No referral to the secure connection https://wedge.org/
« Reply #3, on March 19th, 2017, 02:16 PM »
Quote from Freñiçh on March 19th, 2017, 12:37 PM
Quote from Nao
Any reason you'd want to have an exclusive https connection?
Well a secure connection between internet browsers and websites is not a luxury it's a must, allowing to transmit details,passwords or any personal information.
But what personal information would you want to transmit over https here that isn't already encrypted..?
It should be enough that Wedge now fully supports https. ;) (It wasn't the case before.)
The only problem is with avatars, which sometimes use http links so you have to be smart about them.
Quote
So when an users on my Website which is secured with a SSL Certificate chooses to click on a link (on our credit page) it seems logical to me that this must be a secure connection.
Not really, no..?

CerealGuy

  • Posts: 343
Re: No referral to the secure connection https://wedge.org/
« Reply #4, on March 19th, 2017, 03:28 PM »Last edited on March 19th, 2017, 03:40 PM
How about using that <PROT> magic thing we added once for Aeva Media? So everyone using a https connection will get https://wedge.org, everyone else plain http.

But still I don't see any real benefit on using https over plain http on the credit page. What maybe would make sense is that you get forced to use ssl as soon as you try to login. And always get redirected to the ssl url if you are logged in and don't use ssl. Plugin stuff?

Jurien

  • All i want is a couple days off
  • Posts: 132
Re: No referral to the secure connection https://wedge.org/
« Reply #5, on March 19th, 2017, 04:36 PM »Last edited on March 19th, 2017, 05:19 PM
Https on the credit page links is possible,now the links on the credit page redirect you to http://wedge.org/
Code: [Select]
$txt['credits_wedge'] = '<a href="https://wedge.org/"target="_blank">Wedge</a> is copyright © %5$s by <a href="https://wedge.org/profile/Nao"target="_blank">%1$s</a>
instead of
Code: [Select]
$txt['credits_wedge'] = '<a href="%2$s">Wedge</a> is copyright © %5$s by <a href="%3$s">%1$s</a>

Or perhaps insert the following code in the .htaccess file
Code: [Select]
##-------Force HTTPS connection from a folder-------##
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
##


Jurien

  • All i want is a couple days off
  • Posts: 132

Nao

  • Dadman with a boy
  • Posts: 16,079