RMN AND SSL (HTTPS)

Sometime in the next few weeks, I plan to start making RMN an https only site. Requests to http://rpgmaker.net will automatically be redirected to https://rpgmaker.net.

When this change happens the site will not support SSLv2, SSLv3, or TLS versions below 1.2. SSLv2 is pretty old and hasn't been supported in browsers since the mid 90's. SSLv3 was disabled by default in many modern browsers after the POODLE attack.

You can learn whether or not your browser supports TLS v1.2 here:

https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

We'll be getting our certificates from the Let's Encrypt project. These certs are pretty new, but should be trusted in all major modern browsers. You can visit this site: https://letsencrypt.daylightpirates.org/ to see whether or not your browser trusts / supports Let's Encrypt certs. If you get a green lock (or whatever else your browser does) next to the URL in the address bar, then you are probably good to go.

If anyone has any issues with this change, please let me know!
kentona
I am tired of Earth. These people. I am tired of being caught in the tangle of their lives.
20742
Gotta keep those RTP adventures secure!
Woah, we are actually doing this?! Well, you know I've pushed for it before, but I didn't really expect this to happen until next year or so. Anyway, great work!
Is this really a good idea? While RMN's servers are much better than they used to be, it still takes a while to fill a request.
nhubi
Liberté, égalité, fraternité
11099
Seriously every time I see POODLE attack I think this.




On the serious side, my browser is set and ready to go. Thanks for the heads up Anky.
I'm not 100% sure what this means.

Is it like, more secure servers that are resistant to malicious internet attack or something?
It's not the server security per se but the connection security. SSL basically verifies the connection between the website and the computer, and more-or-less prevents the insertion of various Trojans and other spyware by third parties in between, which can easily happen on normal sites. It's not about protecting the server but protecting you.

Having said that, there's a notable benefit to the website to this as well; search engine algorithms are already being taught to upgrade HTTPS websites in their page ranks, and this is going to become more prominent over time. Getting a little boost like this certainly wouldn't go amiss.
Looks like I'm okay using Chrome when you do this. Not that my RMN account is high on my security priority list or anything, although maybe it should be...
+1
This is a must. I've been using HTTPS in recent years and it is really worth it.

P.S.: Don't forget to support OCSP stapling to save server performance. This SSL Configuration Generator is worth following. We also used it to get better SSL server results, with some additional tweaks to use 256-bit ciphers only and HPKP.
WIP
I'm not comfortable with any idea that can't be expressed in the form of men's jewelry
11363
Is there anything in the works to not allow insecure avatar URLs? Looks like that'd be the last step in getting a fully secure page load.
WIP wrote: "Is there anything in the works to not allow insecure avatar URLs? Looks like that'd be the last step in getting a fully secure page load."

Yes. I've thought about only allowing avatars from lockers, or giving users avatar space on the site as that feels the most secure, but at the very least could require https for all new avatars.
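
The two checks discussed in the posts above, as an added example that is not part of the thread and is not RMN's code: a policy function that accepts only https avatar URLs, and a scanner that lists the plain-http subresources that keep an https page from loading fully secure. All hostnames and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource (an <a href> is only a link).
FETCHING_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "object": ("data",),
}

def split_url(url):
    """Return (scheme, hostname); malformed URLs yield ("", None)."""
    try:
        parts = urlsplit(url.strip())
        return parts.scheme, parts.hostname
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return "", None

def is_secure_avatar_url(url):
    """Policy for new avatars: an absolute https:// URL with a host, nothing else."""
    scheme, host = split_url(url)
    return scheme == "https" and bool(host)

class MixedContentFinder(HTMLParser):
    """Collect (tag, url) pairs that would be fetched over plain http."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = FETCHING_ATTRS.get(tag, ())
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            names = ("href",)
        for name in names:
            url = (attrs.get(name) or "").strip()
            if split_url(url)[0] == "http":
                self.insecure.append((tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure

# Constructed sample page: one http avatar, one https avatar, one ordinary link.
SAMPLE_PAGE = """
<link rel="stylesheet" href="https://forum.example/site.css">
<img class="avatar" src="http://images.example/avatars/alice.png">
<img class="avatar" src="https://forum.example/lockers/bob/avatar.png">
<a href="http://other.example/">an ordinary link, not a subresource</a>
"""
```

Protocol-relative URLs (`//host/path`) are not reported by the scanner because they inherit https from the page, but the avatar policy rejects them so every stored avatar URL states its scheme explicitly.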