
Security issues?


Alot
MEOW
Dream Deity
Posts: 628
Joined: 28 Jun 2012
Last Visit: 15 Nov 2018
LD count: 11.8 estimate
 
Security issues?
Posted: Tue 30 Oct, 2018

I've recently noticed that I get a notification symbol when visiting ld4all, the one with an "i" in a circle that says "Your connection to this site is not secure".

When posting, it has very recently (like in the past few days) changed into a triangle with an "i" in it, with the same message. Also "http" is double crossed out and in red on the warning message.

I've just tried visiting the site using https before the url, and it works, but the look is completely different, with images and backgrounds not loading. It looks like a slow connection version of the website.

I don't recall making any setting changes on my browser before noticing this. Have yet to check if it's the same on a computer. ld4all seems to be the only site where I've experienced this.


Also I just found out that when I use this slow browser version with https, I can post without needing to go to incognito mode. (from this older issue)


FiXato
(mobile) IRC-Addict
Astral Explorer
34
Posts: 479
Joined: 07 Oct 2004
Last Visit: 31 Oct 2018
LD count: 6
Location: Ceeia
 
Posted: Wed 31 Oct, 2018

This seems to be mostly caused by so-called 'mixed-content'; content still served over http while using the https version of the website.
Since http content is susceptible to man-in-the-middle attacks that would for instance allow rewriting its content and thus the site, such (active) content is not loaded while the main site itself is loaded over https.
Browsers make a distinction between passive/display content (images/media objects) and active content (external stylesheets, scripts, etc). Passive content might still be loaded, but active content definitely won't and will generate errors.

Since the CSS stylesheet isn't loaded, a lot of the design elements and layout styling is missing, making the site look like it's loaded over a slow connection, as you put it.

LD4All currently still uses absolute http links for certain active and passive content where relative or protocol-relative href/src's would suffice:

  • Stylesheet is loaded over http (http://www.ld4all.com/css/LD4all.css), while a relative path (/css/LD4all.css) would suffice. IIRC ld4all's forum used to be accessible from forum.ld4all.com rather than using a redirect, so this is probably a leftover from that era. Alternatively this could be solved by using a protocol-relative URL: //www.ld4all.com/css/LD4all.css (note the missing http: / https:), though AFAIK nowadays it's recommended to use https links whenever content can be served over https.
  • Favicon also still has a hardcoded http:// URL.
  • Google search form still uses http: http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en
  • Several images seem to be hard-coded to http:

  • There are still some Google Analytics script source URLs that are hard-coded to http rather than https. Actually, urchin.js for instance is loaded several times, while a single call to it via a script tag would suffice:
    Code:
    <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
    </script>
    <script type="text/javascript">
    _uacct = "UA-706489-1";
    urchinTracker();
    </script>
    <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
    </script>
    <script type="text/javascript">
    _uacct = "UA-706489-5";
    urchinTracker();
    </script>
    <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
    </script>
    <script type="text/javascript">
    _uacct = "UA-706489-3";
    urchinTracker();
    </script>

    Qu probably wants to regenerate her analytics code, as I'm quite sure the google-analytics domain is rather outdated, and superseded by the googletagmanager (which I actually also see loaded at the top of the page, so I'm guessing these script tags at the bottom are actually superfluous). If it's to track it on multiple properties, that probably also is better done with additional gtag() calls rather than the above code and multiple external script loads.
  • The AddThis social-network bookmarking script is loaded over http, and I think is also still using an outdated URL. Probably will want to regenerate the code for this if LD4All wants to keep using this.
  • Webchat uses a form action that submits to http rather than https. Unfortunately this isn't something Q can fix, as Chat4all's webchat currently doesn't run on https apparently. I've forwarded this issue to Chat4all's Adonix though.


It's likely the actual CSS file also still has http-only links in there, but as it wasn't loaded, I couldn't easily get an overview of it through the debugger without manually changing things.
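An added example, not code from this thread or from the LD4all site, that does what FiXato did by hand in the browser debugger: it walks a page's HTML, flags every sub-resource still referenced over http://, labels it active or passive using the distinction explained above, proposes the relative (same host) or https (third-party host) URL a maintainer would swap in, and counts external scripts that are loaded more than once. The sample HTML and the hostnames in it (example-forum.test, webchat.example.test) are constructed for the example; the script only reports, it changes nothing.

```python
"""Mixed-content scanner for a page served over https (added example)."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# (tag, attribute) pairs that fetch a sub-resource. Browsers block the "active"
# kinds (scripts, stylesheets/icons, form targets, frames) on an https page and
# only warn about the "passive" kinds (images and media).
ACTIVE = {("script", "src"), ("link", "href"), ("form", "action"), ("iframe", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects hard-coded http:// references and every external script src."""

    def __init__(self, page_origin):
        super().__init__()
        self.origin = urlsplit(page_origin)  # e.g. https://www.example-forum.test
        self.findings = []     # one dict per http:// reference found
        self.script_srcs = []  # all external script srcs, for duplicate detection

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is None:  # boolean attribute such as <script async>
                continue
            if (tag, attr) == ("script", "src"):
                self.script_srcs.append(value)
            if (tag, attr) in ACTIVE:
                self._check(tag, attr, value, "active")
            elif (tag, attr) in PASSIVE:
                self._check(tag, attr, value, "passive")

    def _check(self, tag, attr, url, kind):
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            # https, relative (/css/x.css) or protocol-relative (//host/x.css):
            # none of these produce mixed content on an https page.
            return
        if parts.netloc.lower() == self.origin.netloc.lower():
            # Same host as the page itself: a relative path is the simplest fix.
            fix = urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        else:
            # Third-party host: switch the scheme (assumes that host serves https).
            fix = urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        self.findings.append({"tag": tag, "attr": attr, "kind": kind, "url": url, "fix": fix})


def scan_mixed_content(html, page_origin):
    """Return the list of http:// sub-resource references in page order."""
    scanner = MixedContentScanner(page_origin)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def duplicate_scripts(html):
    """Return {src: count} for external scripts included more than once."""
    scanner = MixedContentScanner("https://unused.invalid")
    scanner.feed(html)
    scanner.close()
    return {src: n for src, n in Counter(scanner.script_srcs).items() if n > 1}


# Constructed sample page mirroring the kinds of problems listed in the post.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.example-forum.test/css/site.css">
<link rel="shortcut icon" href="http://www.example-forum.test/favicon.ico">
<script src="https://www.googletagmanager.com/gtag/js?id=UA-PLACEHOLDER"></script>
</head><body>
<img src="http://www.example-forum.test/images/logo.png">
<img src="/images/already-relative.png">
<form action="http://webchat.example.test/" method="post"></form>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_mixed_content(SAMPLE_HTML, "https://www.example-forum.test"):
        print(f"{f['kind']:7} <{f['tag']} {f['attr']}>  {f['url']}  ->  {f['fix']}")
    for src, n in duplicate_scripts(SAMPLE_HTML).items():
        print(f"loaded {n}x: {src}")
```

Run it against a saved copy of the page's HTML (or any page you maintain) and work through the "active" findings first, since those are the ones the browser refuses to load; as the post notes, the stylesheet itself can carry further http:// URLs, so a real audit also walks the CSS.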


Eilatan
The Lookout Rogue.
Head Scribe
Eilatan has successfully completed an LD4all Quest!
26
Chat Mods
Scribes
Posts: 1694
Joined: 26 Sep 2010
Last Visit: 16 Nov 2018
LD count: 十一
Location: Australia!
 
Posted: Wed 31 Oct, 2018

FiXato wrote:
  • Stylesheet is loaded over http (http://www.ld4all.com/css/LD4all.css), while a relative path (/css/LD4all.css) would suffice. IIRC ld4all's forum used to be accessible from forum.ld4all.com rather than using a redirect, so this is probably a leftover from that era.


It is still accessible this way. kiekeboe



Current LD goal(s): Meet my dream guide

Link to My DJ: www.ld4all.com
Alot
MEOW
Dream Deity
Posts: 628
Joined: 28 Jun 2012
Last Visit: 15 Nov 2018
LD count: 11.8 estimate
 
Posted: Wed 31 Oct, 2018

Thanks for explaining, FiXato. I just checked and it was the same on a computer, so I guess it's normal for everyone then.

FiXato
(mobile) IRC-Addict
Astral Explorer
34
Posts: 479
Joined: 07 Oct 2004
Last Visit: 31 Oct 2018
LD count: 6
Location: Ceeia
 
Posted: Tue 06 Nov, 2018

Eilatan wrote:
FiXato wrote:
  • Stylesheet is loaded over http (http://www.ld4all.com/css/LD4all.css), while a relative path (/css/LD4all.css) would suffice. IIRC ld4all's forum used to be accessible from forum.ld4all.com rather than using a redirect, so this is probably a leftover from that era.


It is still accessible this way. kiekeboe


Not quite. While that address is accessible, all it does is redirect to ld4all.com/forum, rather than retain the forum.ld4all.com host. Hence, there is no need to actually specify the host when loading assets, as it'll always be hosted on the same domain.



LD4all ~ spreading the art and knowledge of lucid dreaming online since 1996 ~
created and copyright by pasQuale. All rights reserved.
Powered by phpBB © 2001,2005 phpBB Group ~