https links in emails, please

  1. #1
    Member
    Join Date
    May 2014
    Location
    Dedham, MA
    Posts
    63

    https links in emails, please

    The links in "Reply to thread" emails are all plain http so Firefox doesn't know that I'm logged in when I click them. It's no big deal but it would be an improvement if those links were https. Thanks!


  2. #2
    Lifer
    Join Date
    Nov 2009
    Location
    Bristol County
    Age
    37
    Posts
    3,470

    Re: https links in emails, please

    Quote Originally Posted by caboteria View Post
    The links in "Reply to thread" emails are all plain http so Firefox doesn't know that I'm logged in when I click them. It's no big deal but it would be an improvement if those links were https. Thanks!
    I don't follow how your login session ties to HTTPS.

    nedirtriders.com

  3. #3
    Lifer Kurlon's Avatar
    Join Date
    Jun 2007
    Location
    Waterboro ME
    Age
    46
    Posts
    13,499

    Re: https links in emails, please

    There's also the small detail that the site isn't available via HTTPS... Fix your firefox.


  4. #4
    Member
    Join Date
    May 2014
    Location
    Dedham, MA
    Posts
    63

    Re: https links in emails, please

    Quote Originally Posted by Kurlon View Post
    There's also the small detail that the site isn't available via HTTPS... Fix your firefox.
    It gets only a B rating from SSL Labs so it's not perfect but it is available via https

    https://www.ssllabs.com/ssltest/anal...reetriders.com


  5. #5
    Lifer Kurlon's Avatar
    Join Date
    Jun 2007
    Location
    Waterboro ME
    Age
    46
    Posts
    13,499

    Re: https links in emails, please

    Bah, Chrome's insistence on hiding parts of the URL plus giving it a Not Secure status made me think it was forcing a non-SSL connection.


  6. #6
    Member
    Join Date
    May 2014
    Location
    Dedham, MA
    Posts
    63

    Re: https links in emails, please

    Quote Originally Posted by aldend123 View Post
    I don't follow how your login session ties to HTTPS.
    Let's say you log into an https website. All the data sent back and forth is secure from being snooped on or spoofed. One of the items that you got back from that website was a cookie so you don't need to provide your login credentials for every single page that you try to view. That cookie identifies you to the website so it will let you in and let you post as aldend123. Now say someone tricks you into going back to that website using an http url, perhaps by sending you an email message with links in it. Your cookie is now sent "in the clear" which is a security risk. Anyone who can see that cookie can become aldend123. So most modern browsers will refuse to send cookies that they got using https over a cleartext connection. It's clearly NBD for a website where people yak about motorcycles, guns, and Donald Trump, but it's a good idea to get in the habit of using https as much as possible because it's substantially more secure than http.

    https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie

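The Secure-cookie behaviour described in the post above, as an added example that is not part of the original thread: Python's standard-library cookie jar applies the same rule, so a session cookie set with `Secure` during an HTTPS login is withheld from an `http://` link, while one set without it goes out in the clear. The host `forum.example`, the paths and the cookie value are constructed for illustration.

```python
import email
import urllib.request
from http.cookiejar import CookieJar

HOST = "forum.example"  # hypothetical host, not the site in this thread


class CannedResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls info()."""

    def __init__(self, *set_cookie_values):
        raw = "".join(f"Set-Cookie: {v}\n" for v in set_cookie_values) + "\n"
        self._headers = email.message_from_string(raw)

    def info(self):
        return self._headers


def login_over_https(session_cookie):
    """Store the cookie that a constructed HTTPS login response would set."""
    jar = CookieJar()
    login = urllib.request.Request(f"https://{HOST}/login.php")
    jar.extract_cookies(CannedResponse(session_cookie), login)
    return jar


def cookie_sent(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")  # None when no cookie is eligible


def follow_email_link(session_cookie, scheme):
    """Log in over HTTPS, then open a thread link with the given scheme."""
    jar = login_over_https(session_cookie)
    return cookie_sent(jar, f"{scheme}://{HOST}/showthread.php?t=1")


if __name__ == "__main__":
    # Constructed Set-Cookie values: with and without the Secure attribute.
    for attrs in ("sid=abc123; Path=/; Secure", "sid=abc123; Path=/"):
        for scheme in ("https", "http"):
            sent = follow_email_link(attrs, scheme)
            print(f"{attrs!r:32} {scheme:5} -> {sent}")
```

A `None` result on the `http` link is the "logged out" symptom; a cookie value on the `http` link means the session identifier crossed the network unencrypted.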

  7. #7
    Administrator Frankenstein's Avatar
    Join Date
    May 2001
    Location
    NH
    Posts
    6,512

    Re: https links in emails, please

    HTTPS is definitely enabled but we don't force it because then all of the non-secure content ever posted (hotlinked images, etc) throws up warnings in most modern browsers because it's mixed-security content. Right now the reason Chrome says it's insecure on HTTPS is that all of the internal images and shit (smileys, post icons, background images) are all http. That part changes if I turn on https site-wide but then we still have the external content problem.

    I can't make the URLs in the notification emails HTTPS without doing so site-wide. It's been quite a while since I gave any serious consideration to forcing HTTPS on this site, maybe it's time to do so again.

    -Josh || Forum Rules || Stop. Think. Post.

  8. #8
    Lifer
    Join Date
    Nov 2009
    Location
    Bristol County
    Age
    37
    Posts
    3,470

    Re: https links in emails, please

    Quote Originally Posted by caboteria View Post
    Let's say you log into an https website. All the data sent back and forth is secure from being snooped on or spoofed. One of the items that you got back from that website was a cookie so you don't need to provide your login credentials for every single page that you try to view. That cookie identifies you to the website so it will let you in and let you post as aldend123. Now say someone tricks you into going back to that website using an http url, perhaps by sending you an email message with links in it. Your cookie is now sent "in the clear" which is a security risk. Anyone who can see that cookie can become aldend123. So most modern browsers will refuse to send cookies that they got using https over a cleartext connection. It's clearly NBD for a website where people yak about motorcycles, guns, and Donald Trump, but it's a good idea to get in the habit of using https as much as possible because it's substantially more secure than http.

    https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie
    I just logged out, navigated to HTTPS url, logged in, then switched to HTTP and it still works fine. Am I missing something? I know the browsers have gotten super obnoxious with trying to intentionally blur the lines. I'll defer to admin for whether the site is configured to use a secure cookie as authentication, but I'm not sure it is. Or it's cached locally from my login.
    Quote Originally Posted by Frankenstein View Post
    HTTPS is definitely enabled but we don't force it because then all of the non-secure content ever posted (hotlinked images, etc) throws up warnings in most modern browsers because it's mixed-security content. Right now the reason Chrome says it's insecure on HTTPS is that all of the internal images and shit (smileys, post icons, background images) are all http. That part changes if I turn on https site-wide but then we still have the external content problem.
    Can't you put a rewrite rule on the webserver to transpose HTTP URLs to HTTPS? Although I guess it'd need to be more narrowly restricted to embedded content. And might end up breaking stuff that doesn't offer HTTPS.
    Quote Originally Posted by Frankenstein View Post
    It's been quite a while since I gave any serious consideration to forcing HTTPS on this site, maybe it's time to do so again.
    Meh, what for? Placating people who just finished a Sec+ class? Although I thought some of the search engines were using it as part of their SEO ranking.

    nedirtriders.com

  9. #9
    Administrator Frankenstein's Avatar
    Join Date
    May 2001
    Location
    NH
    Posts
    6,512

    Re: https links in emails, please

    Quote Originally Posted by aldend123 View Post
    Although I thought some of the search engines were using it as part of their SEO ranking.
    That's the only reason, really.

    The rewrite angle would work, too.

    -Josh || Forum Rules || Stop. Think. Post.

  10. #10
    Lifer
    Join Date
    Nov 2009
    Location
    Bristol County
    Age
    37
    Posts
    3,470

    Re: https links in emails, please

    I see the problem now. I'm guessing my local auth expired. When I go to the HTTP page, it does not think I'm logged in. Flip over to HTTPS and I'm logged in.

    nedirtriders.com

  11. #11
    Member
    Join Date
    May 2014
    Location
    Dedham, MA
    Posts
    63

    Re: https links in emails, please

    Quote Originally Posted by Kurlon View Post
    There's also the small detail that the site isn't available via HTTPS... Fix your firefox.
    Quote Originally Posted by aldend123 View Post
    Meh, what for? Placating people who just finished a Sec+ class?
    To make the web safer, albeit in a small way. I gotta say, when I made what seems like a very obvious suggestion given that it's 2020 I didn't anticipate that I'd get snarked on by not one but two people who clearly don't understand how the web works.

    Next time I think of some way to make the site safer I'll just save the hassle and STFU instead.


  12. #12
    Lifer Kurlon's Avatar
    Join Date
    Jun 2007
    Location
    Waterboro ME
    Age
    46
    Posts
    13,499

    Re: https links in emails, please

    Quote Originally Posted by caboteria View Post
    To make the web safer, albeit in a small way. I gotta say, when I made what seems like a very obvious suggestion given that it's 2020 I didn't anticipate that I'd get snarked on by not one but two people who clearly don't understand how the web works.

    Next time I think of some way to make the site safer I'll just save the hassle and STFU instead.
    It does not make the web safer in any way. It just placates people who see a lock and think all is good. Given I can get certs for damn near anything without any shred of evidence that I actually have control of said element, it's a false sense of trust. ...add in the fun of Apple deciding to do an end run around standards bodies and just declaring certs longer than one year will de facto be untrusted, meh.


  13. #13
    Member
    Join Date
    May 2014
    Location
    Dedham, MA
    Posts
    63

    Re: https links in emails, please

    Quote Originally Posted by Frankenstein View Post
    I can't make the URLs in the notification emails HTTPS without doing so site-wide.
    The good news is that the email that notified me of Kurlon's "HTTPS isn't perfect so it sucks and I hate it" rant used "https://" links so I can post this without having to log in. That makes the site more convenient to use and is much appreciated.

    Thank you Frankenstein!


  14. #14
    Lifer Kurlon's Avatar
    Join Date
    Jun 2007
    Location
    Waterboro ME
    Age
    46
    Posts
    13,499

    Re: https links in emails, please

    Quote Originally Posted by caboteria View Post
    The good news is that the email that notified me of Kurlon's "HTTPS isn't perfect so it sucks and I hate it" rant used "https://" links so I can post this without having to log in. That makes the site more convenient to use and is much appreciated.

    Thank you Frankenstein!
    I didn't say it sucks, I said I'm not a fan of it arbitrarily being driven down our throat as security theatre. I utilize SSL quite heavily in many places, and the requirements for me to do so include knowing all the ways in which it's flawed.


  15. #15
    Member
    Join Date
    May 2014
    Location
    Dedham, MA
    Posts
    63

    Re: https links in emails, please

    Quote Originally Posted by Kurlon View Post
    I didn't say it sucks, I said I'm not a fan of it arbitrarily being driven down our throat as security theatre. I utilize SSL quite heavily in many places, and the requirements for me to do so include knowing all the ways in which it's flawed.
    Sorry, I interpreted "It does not make the web safer in any way" as "it sucks". My bad.

    But honestly, if I need an informed opinion on whether HTTPS is useful or not, I don't think I'll turn to the guy who told me "There's also the small detail that the site isn't available via HTTPS... Fix your firefox."


  16. #16
    Lifer Kurlon's Avatar
    Join Date
    Jun 2007
    Location
    Waterboro ME
    Age
    46
    Posts
    13,499

    Re: https links in emails, please

    Quote Originally Posted by caboteria View Post
    Sorry, I interpreted "It does not make the web safer in any way" as "it sucks". My bad.

    But honestly, if I need an informed opinion on whether HTTPS is useful or not, I don't think I'll turn to the guy who told me "There's also the small detail that the site isn't available via HTTPS... Fix your firefox."
    Yup, I got caught out by an ever-changing browser UI, 'cause obfuscating that info really helps... thanks Firefox. I also noted my gaffe above once I was made aware of it.


  17. #17
    Lifer
    Join Date
    Nov 2009
    Location
    Bristol County
    Age
    37
    Posts
    3,470

    Re: https links in emails, please

    Quote Originally Posted by Kurlon View Post
    Yup, I got caught out by an ever-changing browser UI, 'cause obfuscating that info really helps... thanks Firefox. I also noted my gaffe above once I was made aware of it.
    That and if I remember right, this site did not offer HTTPS at all until very recently. I want to say within the past year.

    It's just like so many other people in cybersec who demand all security with no consideration for risk/trade-offs/layered approach etc, and then act like 'people just don't care about security at all' when they get any dissension.

    The original point that email links are HTTP and they won't work if you logged in via HTTPS is still valid though. Ends up being essentially a bug, regardless of the security implications.

    nedirtriders.com

  18. #18
    Administrator Frankenstein's Avatar
    Join Date
    May 2001
    Location
    NH
    Posts
    6,512

    Re: https links in emails, please

    Quote Originally Posted by caboteria View Post
    The good news is that the email that notified me of Kurlon's "HTTPS isn't perfect so it sucks and I hate it" rant used "https://" links so I can post this without having to log in. That makes the site more convenient to use and is much appreciated.

    Thank you Frankenstein!
    I didn't do anything, but you're welcome.

    -Josh || Forum Rules || Stop. Think. Post.

  19. #19
    Being A Dick PurplePackage's Avatar
    Join Date
    Oct 2020
    Location
    Chelmsford, MA
    Posts
    2,155

    Re: https links in emails, please

    +1 vote for removing http and forcing mixed content. Port 80 should not be used except for a 301 redirect.

