Trash Talk - Https Mine GO BOOM - Wed Jun 13, 2007 12:18 pm Post subject: Https
Since I have access to a couple of IPs now, I setup the forums to be one. Since I'm lazy and don't always like to type in the full url to get to the secure site, I setup a couple of features to better promote the use of the secure version of the forums.
If you have not read about the certificate used on the forums, check out this announcement post for more information and why it pops up a message box.
The first thing you'd notice is that the Login link now has an (SSL) tacked onto the end. This allows you to hit the secure login page up front, so your password is sent encrypted. A good security option, and mostly done for my laziness.
If you are logged in, go edit your profile. At the bottom of all the Yes/No questions is a new option, Always connect via HTTPS. If you select yes, anytime you log into the forums, it will change you over to the secure site. Anytime you visit the forums and you are not connected via SSL, it will make all the forum generated links point you to it. Roughly, it will try and force you to use SSL as much as possible. Good for those that have bookmarks or links from other sources, but wants to use HTTPS without doing any work. Again, done for my laziness.
And then the final touch, so the links that are in posts don't bother HTTPS and non HTTPS using people, all links in posts that link inside the forums are aware of your current settings. If someone posts an HTTPS link to another thread and you are using just normal HTTP, the forums will downgrade them. If you have HTTPS always-on, or just happen to be using HTTPS by choice for just that session, all non-HTTPS links are upgraded. Thus, the HTTP/HTTPS worlds won't collide and cause the untrusted certificate authority window to popup randomly to users of the forums.
BDwinsAlt - Wed Jun 13, 2007 12:58 pm Post subject:
Testing. I like this.
Cyan~Fire - Wed Jun 13, 2007 2:17 pm Post subject:
"MGB Certificate Authority"... I like it. Cyan~Fire - Wed Jun 13, 2007 6:03 pm Post subject:
Hmm, so do SSL sites always refresh when you hit the back button instead of loading from cache? If so, can you make it so that the site goes out of SSL mode after you login via SSL? (I have "always use HTTPS" unchecked in my profile.)
BDwinsAlt - Wed Jun 13, 2007 6:08 pm Post subject:
Works fine for me on Firefox.
Mine GO BOOM - Wed Jun 13, 2007 7:17 pm Post subject:
Cyan~Fire wrote:
If so, can you make it so that the site goes out of SSL mode after you login via SSL?
Changed it into three options. Always, Never, and Whatever. If you select Never, the code tries its hardest to make you never use HTTPS. Since you are not logged in when you go to the login page, it only drops you out of SSL after you login. Thus, your password is encrypted, but your session id isn't.
Cancer+ - Thu Jun 14, 2007 1:36 pm Post subject:
How come when I log in SSL or have the "always use https" box checked, at the top of IE7, it says "Certificate Error" ?
Mine GO BOOM - Thu Jun 14, 2007 4:46 pm Post subject:
Cancer+ wrote:
How come when I log in SSL or have the "always use https" box checked, at the top of IE7, it says "Certificate Error" ?
Try reading this announcement post about having the master certificate be an accepted authority.
