Re: https for atari-forum.com

Posted: Fri Apr 19, 2019 10:45 am
by vido
mikro wrote:This is similar to the native vs. cross compiler development debate. Sure, some like the spirit of working on the actual machine but some prefer the speed and modern tools. It would be wrong if people from the first group would be forcing everyone to use PureC and Devpac just because they enjoy the feeling and let others suffer from much more inefficient tools, in the end leading to halt of their development/atari efforts because they couldn't bear using such ancient and obsolete tools/libraries/debugging abilities.

I disagree here Mikro. Nobody of the first group is forcing anyone not to use https. It is just the opposite. The second group would like to force Atari users to use their Ataris less = make them less usable ;)

Re: https for atari-forum.com

Posted: Fri Apr 19, 2019 12:00 pm
by jury
Yes, exactly! (and I'm saying it as one who does not use native browsers and uses cross tools)

Re: https for atari-forum.com

Posted: Sat Apr 20, 2019 5:01 pm
by 1st1
Hello, it's about security. It's about privacy. It's about the password you use, maybe multiple times on other sites as well. It's about forum being hacked by grabbing clear text passwords from moderators and administrators via phishing or man-in-the-middle attack.

Re: https for atari-forum.com

Posted: Sun Apr 21, 2019 7:02 am
by arf
I don’t get why this discussion is often about having HTTP _or_ HTTPS. Actually, you can have both. There’s no technical requirement to forward HTTP requests to HTTPs. A site can offer both protocols, and the user can decide which to use. It’s only that many sites do the redirect, to protect the user’s data.

But the site owner decides what’s implemented.

Re: https for atari-forum.com

Posted: Sun Apr 21, 2019 7:18 am
by vido
arf wrote:I don’t get why this discussion is often about having HTTP _or_ HTTPS. Actually, you can have both. There’s no technical requirement to forward HTTP requests to HTTPs. A site can offer both protocols, and the user can decide which to use. It’s only that many sites do the redirect, to protect the user’s data.

But the site owner decides what’s implemented.

Then it is easy to have all happy. Just to implement https and keep http. :)

Re: https for atari-forum.com

Posted: Sun Apr 21, 2019 7:56 am
by dma
And then maybe HTTP to HTTPS redirection could be activated by a profile setting ? (off by default, to satisfy non compatible HTTP browser users)

Re: https for atari-forum.com

Posted: Sun Apr 21, 2019 3:01 pm
by SteveBagley
dma wrote:And then maybe HTTP to HTTPS redirection could be activated by a profile setting ? (off by default, to satisfy non compatible HTTP browser users)


The HTTP User agent might be a better option to use -- by default redirect to https:// unless the User Agent matches a set of whitelisted Atari browsers?

Steve

Re: https for atari-forum.com

Posted: Sun Apr 21, 2019 3:39 pm
by dma
SteveBagley wrote:The HTTP User agent might be a better option to use -- by default redirect to https:// unless the User Agent matches a set of whitelisted Atari browsers?

Ah yes indeed, also considering the same user could use both kinds of browsers.
But then let's hope that Atari browsers don't mask themselves behind common user-agent strings to access certain websites blocking unknown clients.

Re: https for atari-forum.com

Posted: Mon Apr 22, 2019 5:14 pm
by christos
At first I thought well, I want to be able to access the forum when I am on the atari, trying to code something and I need a quick reference. But, indeed it's better to have ssl.
(How hard would adding ssl to highwire be?)

Re: https for atari-forum.com

Posted: Mon Apr 22, 2019 6:01 pm
by EmpireAndrew
Given the site uses an off the shelf forum package that uses css, javascript and cookies I can't imagine there are many ppl using this on their Atari? I certainly wish we could but I doubt it's practical for the work that would be involved...

If we switch to https now we should be using at least TLS 1.3 (no lower, and certainly not SSL) which means only browsers from the last few years will work at all (this is a trend on the net).

I do like the idea of leaving http available for someone to choose to use if they have an older machine instead of redirecting, but of course they could fall for a man in the middle attack and lose their password and if they've used it on other sites that could be a problem. But... if people do things like choose to use http when https is available, and use the same passwords on other sites I have little sympathy...

Re: https for atari-forum.com

Posted: Tue Apr 23, 2019 6:53 am
by joska
Something like a QWK/SOUP gateway for phpBB would be great... Then we could use this forum with native applications on our Ataris.

Re: https for atari-forum.com

Posted: Wed Apr 24, 2019 5:24 am
by wongck
ah.... back to the good old BBS days...

Re: https for atari-forum.com

Posted: Thu Jul 18, 2019 12:02 pm
by Rustynutt
Transparent Gif's :)
That was so cool using CAB the first time.

Sorta topic. Been some years ago recall using "website translators". Forget the proper term, think they got you around the security stuff.

I'm feeling the need to cleanse myself, is there a good purpose public site designed to handle plain browser compatibly?

Re: https for atari-forum.com

Posted: Sun Feb 09, 2020 8:04 pm
by leech
I have been thinking for a while that I need to come up with a Squid config so people can build their own SSL gateway for 16/32bit machines.
The reason for this? Even on the shiny new version of IBrowse for the Amiga, SSL enabled sites take an extra 5 minutes to work, and that is on an 060@50. So if I could get the SSL decrypting portion set up on a Raspberry Pi or my Linux server, it'd be a lot more trustworthy than using some proxy out there that rips other things out.

Re: https for atari-forum.com

Posted: Mon Feb 10, 2020 10:25 pm
by Gunstick
Hi,

Making atari-forum support https, will not disable http. So both stay accessible.
There are 2 ways to force people to use https.
1) if they once visited https version, then the browser will always force https (via the HSTS header)
2) add the site to hstspreload.org so browsers supporting that, will go to https right away.

Do NOT set an automatic redirect on the http site to go to https, else CAB and others will be blocked.

So no need for ssl gateway or other fancy tricks to make old browsers work.
Maybe add an info on the login page "you use non secure connection, click here for the secure version".
So it stays optional and does not lock anyone out.

Georges
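
The two policies proposed in this thread (SteveBagley's User-Agent allowlist and Gunstick's "HSTS but no redirect") can be written as one request-handling decision. This is an added example, not code from the forum or from phpBB; the host name `forum.example`, the function `decide` and the User-Agent tokens are assumptions made for illustration.

```python
import re

# Redirect target is a fixed, configured host (placeholder), never the
# client-supplied Host header.
CANONICAL_HOST = "forum.example"
HSTS = ("Strict-Transport-Security", "max-age=31536000")
# Assumed User-Agent tokens for the Atari browsers named in the thread
# (constructed; confirm the real strings in your own access logs).
LEGACY_UA = re.compile(r"\b(CAB|HighWire)\b", re.IGNORECASE)


def decide(scheme, path, user_agent="", policy="optional"):
    """Return (status, headers, banner) for one request.

    policy="optional":     never redirect plain HTTP (Gunstick's post).
    policy="ua-allowlist": redirect plain HTTP unless the User-Agent is
                           on the legacy allowlist (SteveBagley's post).
    """
    secure_url = f"https://{CANONICAL_HOST}{path}"
    if scheme == "https":
        # Browsers only honour HSTS received over TLS (RFC 6797), so the
        # header is sent on HTTPS responses and nowhere else.
        return 200, [HSTS], None
    # User-Agent is client-controlled: a legacy browser that masquerades
    # as a mainstream one is treated as modern and gets redirected.
    legacy = bool(LEGACY_UA.search(user_agent))
    if policy == "ua-allowlist" and not legacy:
        return 301, [("Location", secure_url)], None
    # Plain HTTP is served: no HSTS header, but a visible upgrade link.
    return 200, [], f"You use a non-secure connection, secure version: {secure_url}"


if __name__ == "__main__":
    # Constructed sample requests: (scheme, path, User-Agent).
    samples = [
        ("http", "/ucp.php?mode=login", "CAB/2.8 (constructed)"),
        ("http", "/ucp.php?mode=login", "Mozilla/5.0 Chrome/73.0 (constructed)"),
        ("https", "/index.php", "Mozilla/5.0 Firefox/73.0 (constructed)"),
    ]
    for policy in ("optional", "ua-allowlist"):
        for scheme, path, ua in samples:
            print(policy, scheme, ua, "->", decide(scheme, path, ua, policy)[0])
```

The HSTS header here deliberately omits `preload`: hstspreload.org's submission requirements include redirecting HTTP to HTTPS when port 80 is open, so preloading and the no-redirect rule cannot be combined.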

Re: https for atari-forum.com

Posted: Tue Feb 11, 2020 5:21 pm
by simonsunnyboy
+1 for Gunstick's suggestion.

I personally strongly want to use SSL on my modern browser. I see no point in restricting 95% of the user base for those 100 people who actually use Ataris to surf the web.

Re: https for atari-forum.com

Posted: Thu Feb 13, 2020 6:32 pm
by 1st1
Almost a year since discussion start. Current web browsers like Firefox 73, Chromium based Edge and Chrome itself mark that website as unsecure. Next step will be with Chrome in 1-2 months that it will not allow anymore HTTP downloads from HTTPS websites. The day comes, when a browser will refuse to visit uncrypted websites like this.

By the way, for Firefox there is an addon called "HTTPS everywhere" which will try to load a HTTPS website if user goes to HTTP site.

Re: https for atari-forum.com

Posted: Fri Feb 14, 2020 8:34 am
by emcclariion
I think, when it comes to forums, websites etc. which deal with retro computers, unless they are doing financial transactions, which can be redirected to HTTPS, should use HTTP... I browse this site using Highwire and it works fine, and using netsurf it works great on my TT.

Even though Netsurf is HTTPS, but TT is not fast enough to use it, my CT60 can though