Geekzone: technology news, blogs, forums
BDFL - Memuneh (Administrator)
Topic # 214562 17-May-2017 19:52

Hello folks

 

Some of the more observant may have noticed a change on Geekzone tonight. We have moved the (very) few pages still being served over HTTP to HTTPS - this means the frontpage and forums (other pages have been served on HTTPS for some time now).

 

I have also reset all your sessions because I have changed cookies to be marked as "Secure" from now on. This means that even if you request an HTTP page on Geekzone, cookies (such as session identification) won't be sent from your browser - only when the redirection to HTTPS happens will the cookies be sent. This guarantees your sessions are now secure and shouldn't face the risk of hijacking (unless a MITM attack happens).

 

Our mobile site was moved to HTTPS last week.

 

Some links will still show "http://www.geekzone.co.nz" but will automatically redirect to the correct https: schema (including email notifications and RSS feeds). I will be changing this over slowly this week.

 

Most pages will show as "Secure" in your browsers. Some pages might show "Mixed content" warnings if someone inserted a third-party image that is not served using the HTTPS schema. This includes those Speedtest results in your signatures. Don't worry, the page itself is still secure, just those elements aren't being served over HTTPS.

 

You should see another speed improvement for those using browsers supporting SPDY or HTTP/2 protocols.

 

If you see something "interesting" happening, please let me know.
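The "Mixed content" warning described above comes from sub-resources (images, scripts) that a page served over https:// still loads over plain http://. The following is an added example, not code from Geekzone or from the post's author: a small scanner that reports which sub-resources in an HTML fragment such as a forum signature would trigger the warning, and a rewrite helper that upgrades a link only for hosts known to serve the same resource over TLS (a later reply in this thread notes that Speedtest does). It goes one step beyond the post by separating "passive" content (images, media), which browsers of that era loaded but flagged, from "active" content (scripts, frames, stylesheets), which they blocked outright. The sample signature, its result path and the `cdn.example` / `tracker.example` hosts are constructed; `SUBRESOURCE_ATTRS` and the function names are this example's own.

```python
"""Find sub-resources that would trigger a mixed-content warning on an HTTPS page.

Added example (not Geekzone code). The sample signature below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# (tag, attribute) pairs that cause a sub-resource fetch, and whether a
# browser blocks the fetch ("active") or only warns ("passive") when the
# URL is plain http on an https page. Assumed table, not from the post.
SUBRESOURCE_ATTRS = {
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",    # stylesheets; rel handling omitted
    ("object", "data"): "active",
}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for every explicit http:// sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            kind = SUBRESOURCE_ATTRS.get((tag, attr))
            if kind is None or not value:
                continue
            url = value.strip()
            # Relative and protocol-relative ("//host/x") URLs inherit the
            # page's https scheme, so only an explicit http: is mixed content.
            if urlsplit(url).scheme.lower() == "http":
                self.findings.append((kind, tag, url))


def find_mixed_content(html):
    """Return [(kind, tag, url), ...] in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_known_hosts(url, https_capable_hosts):
    """Rewrite http:// to https:// only for hosts known to serve the same
    resource over TLS; a blind find-and-replace would turn a working image
    into a broken one on a host that has no HTTPS at all."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "http" and parts.hostname in https_capable_hosts:
        return urlunsplit(("https",) + parts[1:])
    return url


# Constructed sample signature: one passive, one active offender, and a
# protocol-relative image plus a plain link that are NOT mixed content.
SAMPLE_SIGNATURE = """\
<p>Gigabit at home.</p>
<img src="http://www.speedtest.net/result/example.png" alt="speedtest">
<img src="https://cdn.example/badge.png">
<img src="//cdn.example/protocol-relative.png">
<a href="http://www.example.com/">my site</a>
<script src="http://tracker.example/t.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_SIGNATURE):
        fixed = upgrade_known_hosts(url, {"www.speedtest.net"})
        print("%-7s <%s> %s%s" % (kind, tag, url,
                                  "  -> " + fixed if fixed != url else ""))
```

Run over real signatures before flipping a site to HTTPS, the scanner gives you the list of users to nudge; the allowlist passed to `upgrade_known_hosts` should only contain hosts you have actually verified return the resource over https://.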

allan
Reply # 1783877 17-May-2017 20:14

Explains why I had to log in again I'm assuming :)


Reply # 1783881 17-May-2017 20:40

allan: Explains why I had to log in again I'm assuming :)

 

Yes, that will be the "reset all your sessions".

michaelmurfy (Moderator)
Reply # 1783882 17-May-2017 20:42

It is a shame that Speedtest doesn't allow for SSL connections; otherwise you could do a find and replace on many things to convert them to SSL.

 

However, congrats!





Michael Murphy | https://murfy.nz

BDFL - Memuneh (Administrator)
Reply # 1783885 17-May-2017 20:46

michaelmurfy: It is a shame that Speedtest doesn't allow for SSL connections; otherwise you could do a find and replace on many things to convert them to SSL.

They do. Just that their "Copy link" button offers the HTTP version and most people will just use that...

blakamin
Reply # 1783888 17-May-2017 20:55

Dammit... now I have to login on my phone and tablet again with 2FA... pain in the A :D

Moderator
Reply # 1783898 17-May-2017 21:17

blakamin: Dammit... now I have to login on my phone and tablet again with 2FA... pain in the A :D

Use Authy, it's great.

BDFL - Memuneh (Administrator)
Reply # 1783910 17-May-2017 21:25

Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

nas
Reply # 1783912 17-May-2017 21:27

Another +1 for Authy

BDFL - Memuneh (Administrator)
Reply # 1784033 18-May-2017 09:58

This is the difference in % of HTTP/S traffic served in the last six hours (overnight), compared to last month:

 

 

As search indexes are updated, RSS feeds change, people bookmark new URLs we should see this increase to around 90%. We will still have some non-HTTPS requests but those will be redirected.

Reply # 1784035 18-May-2017 10:09

Must be time for a new GZ badge: "Congrats, you're on SSL exclusively now." or something like that.

BDFL - Memuneh (Administrator)
Reply # 1784063 18-May-2017 10:54

Some more background information posted on my LinkedIn page and reproduced below:

 

 

 

Last night I switched Geekzone (www.geekzone.co.nz) to full HTTPS support. And slowly traffic over SSL is going up (as per image in the header, comparing last six hours overnight vs last month).

 

Up until now we only used SSL for login, registration, private messages and profile pages plus assets (images, CSS and scripts).

 

Now everything is covered.

 

I started using SSL many years ago and wanted to have the site fully served over HTTPS for quite a while. I started by enforcing HTTPS on some content-sensitive pages and moving assets to HTTPS domains, including redirects to ensure clients used the correct schema. Last week I deployed an update for Geekzone mobile to make sure it worked on HTTPS and yesterday I did the same on the full desktop version of the site.

 

Also included in this change is the addition of a "Secure" flag to cookies used on these domains. This ensures cookies only move between the client browser and server when there's a secure connection. If anyone requests http://www.geekzone.co.nz instead of https://www.geekzone.co.nz the server will instruct the browser to redirect to the correct location while the browser knows not to disclose the cookies until the secure connection is established. This is essential to avoid session hijacking (unless of course we talk MITM attacks).

 

Why go to all this trouble for a forum? Because we have lots of industry people (telcos mainly, but other companies around too) using the site. Account numbers, PINs and passwords are sometimes sent via our private message system (which has been served using the HTTPS schema for quite a while) so it makes sense to extend this to the whole site.

 

In addition to this, for the last few months I have been using ThisData to collect, analyse and understand user behaviour around the site, in real-time, to quickly determine if an account could've been compromised. Up until now we were using it in "read mode" and tracking notifications. Last week I changed the webhook/API to actually start closing sessions and blocking IP addresses if a user confirms a breach occurred.

 

ThisData receives millions of transaction reports (login, logout, forum post, message sent, message read, password change, new registration, avatar change, invalid password, etc) from us every month and uses machine learning to observe and assign a "risk" to each transaction. Based on this risk result our forum software can take different actions to protect our users - like the ones I described in the previous paragraph.

 

I have also added a Geekzone ruleset to the HTTPS Everywhere project. This ensures that browsers using the HTTPS Everywhere add-ons will know to use the HTTPS schema instead of HTTP even if the source explicitly refers to the HTTP version (including references to any Geekzone resource served in non-Geekzone pages). This is important because Cloudflare also uses the same ruleset when doing the automatic HTTPS upgrade for some of their millions of clients around the Internet.

 

We also use other platforms to prevent spammers and scammers joining the site. One or another can sometimes get past all this protection but our moderator team is pretty quick to act and our community is really good at reporting suspicious behaviour.

 

There is lots more to be done, for sure. But it feels good when all this falls into place.
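Both the opening post and the write-up above describe the same mechanism: a browser holding a cookie marked Secure will not attach it to a plain http:// request, so a stale link only yields a 301 to https://, and the cookie first travels once the TLS connection is up. The following is an added example, not Geekzone's code, that walks through that exchange with Python's standard http.cookiejar, which applies the Secure flag the same way a browser does, against a toy origin that behaves as the post describes (plain-HTTP requests get a 301; the session cookie is only issued on https). It runs the same stale-bookmark scenario twice, once against the pre-change server (cookie without the flag) and once against the post-change server, so the difference is visible in the trace. The /login and /forums/ paths, the `FakeResponse`, `make_origin`, `fetch` and `simulate` names and the HttpOnly attribute are this example's own assumptions, and the session value is constructed.

```python
"""Why the Secure flag stops a stale http:// link from leaking the session.

Added example, not Geekzone's code. Host is the one named in the thread;
paths and the session value are constructed.
"""
import email.message
import http.cookiejar
import urllib.request

HOST = "www.geekzone.co.nz"           # host named in the thread
SESSION = "session=0123456789abcdef"  # constructed, not a real session id


class FakeResponse:
    """The only thing CookieJar needs from a response is .info() -> headers."""

    def __init__(self, headers):
        self._msg = email.message.Message()
        for name, value in headers:
            self._msg[name] = value  # repeated Set-Cookie headers are allowed

    def info(self):
        return self._msg


def make_origin(secure_flag):
    """Toy origin server. secure_flag=False is the pre-change server (cookie
    without the flag); secure_flag=True is the server after the change."""

    def origin(request):
        if request.type == "http":
            # Plain HTTP never serves content or issues a cookie: redirect.
            return 301, [("Location", "https://" + HOST + request.selector)]
        attrs = "; Path=/; HttpOnly" + ("; Secure" if secure_flag else "")
        return 200, [("Set-Cookie", SESSION + attrs)]

    return origin


def fetch(jar, origin, url, max_redirects=1):
    """Send a request carrying whatever cookies the jar is willing to release,
    follow at most max_redirects redirects, and return one
    (scheme, Cookie header actually sent, status) tuple per hop."""
    trace = []
    for _ in range(max_redirects + 1):
        request = urllib.request.Request(url)
        jar.add_cookie_header(request)      # withholds Secure cookies on http
        status, headers = origin(request)
        trace.append((request.type, request.get_header("Cookie"), status))
        jar.extract_cookies(FakeResponse(headers), request)
        if status != 301:
            break
        url = dict(headers)["Location"]
    return trace


def simulate(secure_flag):
    """Log in over https, then follow a stale http:// bookmark."""
    jar = http.cookiejar.CookieJar()
    origin = make_origin(secure_flag)
    login = fetch(jar, origin, "https://" + HOST + "/login")
    bookmark = fetch(jar, origin, "http://" + HOST + "/forums/")
    return login, bookmark


if __name__ == "__main__":
    for flag in (False, True):
        _, bookmark = simulate(flag)
        print("Secure flag set:", flag)
        for scheme, cookie, status in bookmark:
            print("  %-5s Cookie: %-28r -> %d" % (scheme, cookie, status))
```

Without the flag the first hop already carries the session identifier in cleartext, which is exactly what a passive observer on the path needs; with the flag the http hop is an empty 301 and the cookie appears only on the https hop. The post's own MITM caveat still stands: the flag protects the cookie, not the plaintext request itself, and an active attacker can answer that first http:// request before the real redirect arrives. Making returning browsers skip the plaintext request altogether is what HSTS (Strict-Transport-Security, not discussed in this thread) is for.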

Reply # 1784599 19-May-2017 09:33

freitasm: Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

 

 

Having done ~30 seconds of research, I think I agree with you.
Trouble is, I'm already using Google Authenticator for 2FA on this site (and one or two others).

 

So, how do I switch from Google Authenticator to Authy?
At least for Geekzone

BDFL - Memuneh (Administrator)
Reply # 1784607 19-May-2017 09:54

Do it while you have only three. I currently have 43 sites with 2FA on Authy. And I still have to load a few more. Imagine if you lost your phone and had 50 sites to reset.

Reply # 1784613 19-May-2017 10:08

Nice to see. All sites should really be HTTPS now; Google is talking about flagging all non-SSL sites as insecure starting next year.

 

Don't forget you can get free SSL certs now:
http://letsencrypt.org/

Reply # 1784615 19-May-2017 10:13

freitasm: Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

 

 

Have been meaning to set this up... Was using Google Authenticator, which is a nuisance when you have to change phone etc.