Feature request: PICO-8 and the website should use HTTPS (HTTP over SSL) for all network requests.
Right now the BBS is HTTP only when accessed in the browser, which is vulnerable to eavesdropping, credential spoofing, and man-in-the-middle attacks. There are good reasons to use secure connections even when no user data is involved, but the BBS also uses an insecure connection for signing in with a password and for sending the session ID and encoded password cookies with every authenticated request.
I haven't actually checked whether PICO-8 is using a secure connection to access Splore data but I would assume it's the same. PICO-8 itself will eventually use forum credentials for authenticated network access. Even if it uses an OAuth flow for this via a web browser (and I would guess it'd rather be a self-contained experience without a browser), it'd still need to execute the flow over SSL.
Implementation detail: The BBS and PICO-8 should use HTTPS for everything and disallow HTTP. Any request not over SSL should redirect to the equivalent HTTPS URL or refuse service.
As a PICO-8 user I would prefer that SSL be a prerequisite for on-device network authentication and any additional network services.
Thanks!
-- Dan
I can vouch for @jessemillar's suggestion - I use Let's Encrypt on https://games.clowerweb.com/, and it's free, took like 10 minutes to set up, and I simply made a CRON job to auto-renew it. Here's a simple tutorial about how to do it. Couldn't have been any easier to set up all my domains, subdomains, and mail server to use it. One thing the tutorial leaves out though is that you may have to edit your /etc/apache2/sites-available/domain.conf files manually, especially if you use Cloudflare like I do, since the TLS challenges will fail and you will have to use the "certonly" flag which won't auto-configure your .conf files. Use this tutorial if you use Cloudflare: https://support.cloudflare.com/hc/en-us/articles/214820528-How-to-Validate-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-CloudFlare
I'm going to necro this topic again. As of this month (the article says January, but I noticed it actually just started last week), Google has implemented a warning in Chrome whenever you visit a page that has a password field, or accepts any kind of credit card info, if the site is not using SSL. This warning is displayed prominently in the URL box. Here is more info on that: https://goo.gl/zmWq3m
However, soon it will not just be for sites that have password fields or credit card boxes, but ALL websites that don't use SSL, regardless of their content, and they will be changing that small gray warning to a big, bold red warning.
With the advent of cheap unmanaged VPS servers and Let's Encrypt that gives 100% free signed certificates to all with very little effort, there's absolutely no reason not to have SSL on any website anymore. In fact it'll soon be to your detriment if you don't have it because Google is going to make your site look like the user has wandered to a dark corner of the internet where they shouldn't be going.
See my post above if you're unsure about how to set up Let's Encrypt and get your server working with SSL. It's incredibly easy. You can even make a CRON job to auto-renew the certificate, so you never have to worry about it again. Just set it and forget it, literally.
Bumping this again in the hope that zep sees this if he hasn't already. If you need help with this, get ahold of me buddy, I'll gladly help you get it going free of charge. I have lots of experience setting this up on multiple sites, multiple servers, some using Cloudflare. The certs are also 100% free and will auto renew. I had a hard time at first because of Cloudflare because there are various tricks to it, so just let me know. You can add me on Skype: chris.clower or email me at my account email.
hey guys I noticed like a week ago that the site actually does serve https now if you try it :) There's just no redirect to it, so I'm guessing zep is still working on changing stuff.
But if you get the HTTPS Everywhere extension you can tell it to always use https with this site and it seems to work everywhere on the site that I've tried so far.
@kittenm4ster thanks for pointing that out, I had no idea! So now all he needs to do is redirect http to https.
In Apache .htaccess:
RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://www.lexaloffle.com/$1 [R,L] |
In nginx:
server { listen 80; listen [::]:80; server_name lexaloffle.com www.lexaloffle.com; return 301 https://www.lexaloffle.com$request_uri; } |
Looks like all the navigation links are in this format: "/page/?something=something&somethingelse=2", so it shouldn't require changing the site template much, if at all. The carts, user uploads and avatars follow the same format, so no hardcoded "http" addresses that I can find that would need converted. I only did a quick sweep, but it looks like it'd just work without any further modifications.
ok, almost there! The site is now redirecting to https, and images / links / thumb urls are rewritten as https. Almost all in-post links & embedded images are to sites that also allow https url rewriting (imgur etc), but there might be a small amount of stray breakage there.
Splore still uses http for now, as redirecting to https breaks the post fetching under OSX -- this will be fixed in 0.1.11, and later when enough users have updated I'll force redirects to https for splore urls too.
[Please log in to post a comment]