A small suggestion to EDMW Forum Admin regarding https://
- Thread starter xcodes
- Start date
slashershot
Arch-Supremacy Member
- Joined
- May 5, 2012
- Messages
- 21,662
- Reaction score
- 5,336
xcodes volunteers to migrate pages. 
carloverme
Member
- Joined
- Jan 26, 2017
- Messages
- 262
- Reaction score
- 0
Mentality is like your government..
if cannot make money from investment, tax more from people.
Behkan.. really behkan.
Might as well say if robbery in bank is too frequent, just close down banks ?
if cannot make money from investment, tax more from people.
Behkan.. really behkan.
Might as well say if robbery in bank is too frequent, just close down banks ?
xcodes
Great Supremacy Member
- Joined
- Dec 15, 2013
- Messages
- 63,860
- Reaction score
- 29,134
they already said sugar is diabetes leow. buehkanness cannot go any lower already.
- Joined
- Jan 1, 2000
- Messages
- 27,827
- Reaction score
- 2,717
As you surf around, you'll notice the Secure logo, but sometimes you don't.
There are several external sources and it depends what content gets referenced.
But thanks for your suggestion and active voice for this point.
There are several external sources and it depends what content gets referenced.
But thanks for your suggestion and active voice for this point.
Since you have decided to implement secure connection, you might as well go all the way and remove all those insecure portions from the page ... hope you can consider this suggestion ...
![[[ForeverAlone]]](https://forums-media.hardwarezone.com.sg/data/avatars/m/509/509978.jpg?1616643271){kind=avatar}
[[ForeverAlone]]
Banned
- Joined
- Nov 3, 2011
- Messages
- 150,493
- Reaction score
- 11
- Joined
- Jan 1, 2000
- Messages
- 27,827
- Reaction score
- 2,717
BlackCube
Great Supremacy Member
- Joined
- Jul 18, 2003
- Messages
- 71,252
- Reaction score
- 861
Correct me if I'm wrong.
You can do something about it but whether u want or not. Unless I understand the issue wrongly.
https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content
You can do something about it but whether u want or not. Unless I understand the issue wrongly.
https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content
davidktw
Arch-Supremacy Member
- Joined
- Apr 15, 2010
- Messages
- 13,547
- Reaction score
- 1,299
The warning of mixture between HTTP and HTTPS contents is a significant security issue.
When you have such warnings that keep popping up from time to time and the end-users are "advised" to ignore such pop up, putting across that it is a benigned behaviour, soon they will NOT BE ABLE to recognise a MITM attack pop up that is caused by the attack host posing an invalid certificate of the same domain name. That is why such warnings MUST BE treated with caution and end-users should be notified to either set their browsers to deny access to any NON-HTTPS resources in a HTTPS enabled website, and be advised appropriately to react with skepticism when any form of warnings are produced by the browser to the relevant website.
In my findings, simply using the Developer Tools in Chrome, one can see that such mixture are not limited to user provided contents which are pointing to NON-HTTPS resources.
The main page alone @ https://forums.hardwarezone.com.sg/, already exposed Advertising GIF resources and CSS resources which are fetched via NON-HTTPS conduit in a HTTPS enabled website. This has nothing to do with user contributed contents and should be rectified as soon as possible.
Embedding a NON-HTTPS hyperlink will not cause such issue, since what the forum has been doing to opening up hyperlink in a new window, which will then be out of the HWZ domain.
For end-users contents, they are mostly IMAGES or YOUTUBE links are externally fetched contents displayed in the same domain name as HWZ Forum. YOUTUBE already have HTTPS conduit, so all HWZ need to do is for new YOUTUBE embed, only allow HTTPS link and for existing posts which are already embedded with HTTP link, either sieve though the database and perform a data patch to change all YOUTUBE links to HTTPS://...., or perform this job at the client end using a Javascript routine, which can be easily performed using tools like jQuery.
For Images, there are still sites like TINYPIC which does not offer HTTPS access, for these sites, deny such access by removing them, or advice the end-users that breakage in not fetching such contents are expected behaviours to enhance the security of the forum. Sites like IMGUR supports HTTPS for the image resources are acceptable and should be enabled. HWZ can list out a couple of such image repository sites to allow end-users to host their images. HWZ can also opt to lock down all images repositories to a limited set to keep things accountable and secure with the use of CSP, at a latter date for the end-users to comply over time, since old posts will eventually be neglected and prune with the least disruption to the service.
When you have such warnings that keep popping up from time to time and the end-users are "advised" to ignore such pop up, putting across that it is a benigned behaviour, soon they will NOT BE ABLE to recognise a MITM attack pop up that is caused by the attack host posing an invalid certificate of the same domain name. That is why such warnings MUST BE treated with caution and end-users should be notified to either set their browsers to deny access to any NON-HTTPS resources in a HTTPS enabled website, and be advised appropriately to react with skepticism when any form of warnings are produced by the browser to the relevant website.
In my findings, simply using the Developer Tools in Chrome, one can see that such mixture are not limited to user provided contents which are pointing to NON-HTTPS resources.
The main page alone @ https://forums.hardwarezone.com.sg/, already exposed Advertising GIF resources and CSS resources which are fetched via NON-HTTPS conduit in a HTTPS enabled website. This has nothing to do with user contributed contents and should be rectified as soon as possible.
Embedding a NON-HTTPS hyperlink will not cause such issue, since what the forum has been doing to opening up hyperlink in a new window, which will then be out of the HWZ domain.
For end-users contents, they are mostly IMAGES or YOUTUBE links are externally fetched contents displayed in the same domain name as HWZ Forum. YOUTUBE already have HTTPS conduit, so all HWZ need to do is for new YOUTUBE embed, only allow HTTPS link and for existing posts which are already embedded with HTTP link, either sieve though the database and perform a data patch to change all YOUTUBE links to HTTPS://...., or perform this job at the client end using a Javascript routine, which can be easily performed using tools like jQuery.
For Images, there are still sites like TINYPIC which does not offer HTTPS access, for these sites, deny such access by removing them, or advice the end-users that breakage in not fetching such contents are expected behaviours to enhance the security of the forum. Sites like IMGUR supports HTTPS for the image resources are acceptable and should be enabled. HWZ can list out a couple of such image repository sites to allow end-users to host their images. HWZ can also opt to lock down all images repositories to a limited set to keep things accountable and secure with the use of CSP, at a latter date for the end-users to comply over time, since old posts will eventually be neglected and prune with the least disruption to the service.
Code:
<html>
<head>
<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"></script>
<script type="text/javascript">
$(function() {
$("img").each(function() {
$(this).attr("src", $(this).attr("src").replace(/^http:\/\//, "https://"))
});
});
</script>
</head>
<body>
<img src='http://i.imgur.com/H0gH9pW.png'>
<img src='http://i.imgur.com/H0gH9pW.png'>
</body>
</html>
Last edited:
For now on using https should be good and fine.
As this site need advertisements and sponsorship & others, there may have to give in to these as leeway.
Anyway most of posts are not of sensitive information &or details...
As this site need advertisements and sponsorship & others, there may have to give in to these as leeway.
Anyway most of posts are not of sensitive information &or details...
davidktw
Arch-Supremacy Member
- Joined
- Apr 15, 2010
- Messages
- 13,547
- Reaction score
- 1,299
HTTPS not done properly is worse off than not having it. It gives a false sense of security and in fact place the end-users at more risks because they assume it is safe to use it with the understanding that there is security, but there is actually gaps in it.
HTTPS for forums are not really to protect the viewers from what are posted because these contents are for public viewing in the first place. The only use of HTTPS in the use case of forums are to prevent MITM attacks, changing the links in the attempt to redirect the end-users to elsewhere without the user knowing or consuming their computing resources for crypto mining (recently).
If there is no HTTPS, end-users would by default assume the site is not safe from MITM attack or other forms of vulnerabilities, which put skepticism as defacto.
Analogy: You don’t lock a door, you assume it can be open all the time, and you stay vigilant . You put on a lock that doesn’t work sometimes, you go and sleep thinking that you are safe. So which is safer?
Last edited:
Important Forum Advisory Note
This forum is moderated by volunteer moderators who will react only to members' feedback on posts. Moderators are not employees or representatives of HWZ Forums. Forum members and moderators are responsible for their own posts.
Please refer to our Community Guidelines and Standards and Terms and Conditions for more information.
