Geekzone: technology news, blogs, forums
BDFL - Memuneh (Administrator)
Topic # 214562 17-May-2017 19:52

Hello folks

Some of the more observant may have noticed a change on Geekzone tonight. We have moved the (very) few pages still being served over HTTP to HTTPS - this means the frontpage and forums (other pages have been served on HTTPS for some time now).

I have also reset all your sessions because I have changed cookies to be marked as "Secure" from now on. This means that even if you request an HTTP page on Geekzone, cookies (such as session identification) won't be sent from your browser - only when the redirection to HTTPS happens will the cookies be sent. This guarantees your sessions are now secure and shouldn't face the risk of hijacking (unless a MITM attack happens).

Our mobile site was moved to HTTPS last week.

Some links will still show "http://www.geekzone.co.nz" but will automatically redirect to the correct https: schema (including email notifications and RSS feeds). I will be changing this over slowly this week.

Most pages will show as "Secure" in your browsers. Some pages might show "Mixed content" warnings if someone inserted a third-party image that is not served using the HTTPS schema. This includes those Speedtest results in your signatures. Don't worry, the page itself is still secure, just those elements aren't being served over HTTPS.

You should see another speed improvement for those using browsers supporting SPDY or HTTP/2 protocols.

If you see something "interesting" happening, please let me know.
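What the "Secure" cookie attribute does on the client side, as an added example that is not part of the original post and not Geekzone's code. It uses only Python's standard library: the server's Set-Cookie response is constructed inline (the cookie name, its value and the paths are made up; the hostname is the one named in the post), and the jar is then asked what it would attach to a later request over http:// and over https://.

```python
"""Added example, not code from the original post or from Geekzone: how a
cookie marked Secure behaves when the same site is requested over http and
https, shown with the standard-library cookie jar. No network access."""
import http.cookiejar
import urllib.request
from email.message import Message

SITE = "www.geekzone.co.nz"
SESSION_COOKIE = "gzsession=deadbeef1234"  # constructed sample name/value


class _CannedResponse:
    """The minimum CookieJar.extract_cookies() reads: .info() returning an
    object with get_all(), which is what a real urllib response provides."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def login_set_cookie(secure):
    """Set-Cookie header the server sends after login, with or without Secure."""
    attrs = "Path=/; HttpOnly"
    if secure:
        attrs += "; Secure"
    return [f"{SESSION_COOKIE}; {attrs}"]


def cookie_header_sent(scheme, secure):
    """Log in over https, then ask the jar what it would attach to a later
    request for scheme://SITE/forums. Returns the Cookie header or None."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{SITE}/login")
    jar.extract_cookies(_CannedResponse(login_set_cookie(secure)), login)

    later = urllib.request.Request(f"{scheme}://{SITE}/forums")
    jar.add_cookie_header(later)  # jar policy: Secure cookies only on https/wss
    return later.get_header("Cookie")


def handle_request(scheme, host, path):
    """Server side of the rule in the post: a plain-HTTP request is answered
    with a redirect to the same URL on https and nothing else happens on that
    leg (no session lookup, no Set-Cookie)."""
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {}


if __name__ == "__main__":
    for scheme in ("https", "http"):
        for secure in (True, False):
            print(f"{scheme:5} Secure={secure!s:5} Cookie sent: "
                  f"{cookie_header_sent(scheme, secure)}")
    print(handle_request("http", SITE, "/forums"))
```

With Secure set, the request to http://www.geekzone.co.nz/forums still leaves the browser in the clear and still receives the redirect; the only difference is that the session identifier is not on that hop, which is the exposure the flag removes.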


Reply # 1783877 17-May-2017 20:14

Explains why I had to log in again I'm assuming :)


Reply # 1783881 17-May-2017 20:40

allan: Explains why I had to log in again I'm assuming :)

Yes, that will be the "reset all your sessions".


Reply # 1783882 17-May-2017 20:42 (Moderator)

It is a shame that Speedtest doesn't allow for SSL connections, else you could do a find and replace on many things to convert them to SSL.

However, congrats!


BDFL - Memuneh (Administrator)
Reply # 1783885 17-May-2017 20:46

michaelmurfy: It is a shame that Speedtest doesn't allow for SSL connections, else you could do a find and replace on many things to convert them to SSL.

They do. Just that their "Copy link" button offers the HTTP version and most people will just use that...


Aussie
Reply # 1783888 17-May-2017 20:55

Dammit... now I have to login on my phone and tablet again with 2FA... pain in the A :D


Reply # 1783898 17-May-2017 21:17 (Moderator)

blakamin: Dammit... now I have to login on my phone and tablet again with 2FA... pain in the A :D

Use Authy, it's great.




BDFL - Memuneh (Administrator)
Reply # 1783910 17-May-2017 21:25

Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...


nas
Reply # 1783912 17-May-2017 21:27

Another +1 for Authy




BDFL - Memuneh (Administrator)
Reply # 1784033 18-May-2017 09:58

This is the difference in % of HTTP/S traffic served in the last six hours (overnight), compared to last month:

As search indexes are updated, RSS feeds change and people bookmark new URLs, we should see this increase to around 90%. We will still have some non-HTTPS requests but those will be redirected.


Reply # 1784035 18-May-2017 10:09

Must be time for a new GZ badge: "Congrats, you're on SSL exclusively now." or something like that.




BDFL - Memuneh (Administrator)
Reply # 1784063 18-May-2017 10:54

Some more background information posted on my LinkedIn page and reproduced below:

Last night I switched Geekzone (www.geekzone.co.nz) to full HTTPS support. And slowly traffic over SSL is going up (as per image in the header, comparing last six hours overnight vs last month).

Up until now we only used SSL for login, registration, private messages and profile pages plus assets (images, CSS and scripts).

Now everything is covered.

I started using SSL many years ago and wanted to have the site fully served over HTTPS for quite a while. I started by enforcing HTTPS on some content-sensitive pages and moving assets to HTTPS domains, including redirects to ensure clients used the correct schema. Last week I deployed an update for Geekzone mobile to make sure it worked on HTTPS and yesterday I did the same on the full desktop version of the site.

Also included in this change is the addition of a "Secure" flag to cookies used on these domains. This ensures cookies only move between the client browser and server when there's a secure connection. If anyone requests http://www.geekzone.co.nz instead of https://www.geekzone.co.nz the server will instruct the browser to redirect to the correct location while the browser knows not to disclose the cookies until the secure connection is established. This is essential to avoid session hijacking (unless of course we talk MITM attacks).

Why go to all this trouble for a forum? Because we have lots of industry people (telcos mainly, but other companies around too) using the site. Account numbers, PINs and passwords are sometimes sent via our private message system (which has been served using the HTTPS schema for quite a while), so it makes sense to extend this to the whole site.

In addition to this, for the last few months I have been using ThisData to collect, analyse and understand user behaviour around the site, in real time, to quickly determine if an account could've been compromised. Up until now we were using it in "read mode" and tracking notifications. Last week I changed the webhook/API to actually start closing sessions and blocking IP addresses if a user confirms a breach occurred.

ThisData receives millions of transaction reports (login, logout, forum post, message sent, message read, password change, new registration, avatar change, invalid password, etc.) from us every month and uses machine learning to observe and assign a "risk" to each transaction. Based on this risk result our forum software can take different actions to protect our users - like the ones I described in the previous paragraph.

I have also added a Geekzone ruleset to the HTTPS Everywhere project. This ensures that browsers using the HTTPS Everywhere add-ons will know to use the HTTPS schema instead of HTTP even if the source explicitly refers to the HTTP version (including references to any Geekzone resource served in non-Geekzone pages). This is important because Cloudflare also uses the same ruleset when doing the automatic HTTPS upgrade for some of their millions of clients around the Internet.

We also use other platforms to prevent spammers and scammers joining the site. One or another can sometimes get past all this protection but our moderator team is pretty quick to act and our community is really good at reporting suspicious behaviour.

There is lots more to be done, for sure. But it feels good when all this falls into place.
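The HTTPS Everywhere ruleset mentioned in the post above and the "mixed content" signature images discussed earlier in the thread are two sides of the same mechanism: a rewrite is only possible for hosts that actually serve the resource over HTTPS, and a page stays flagged for every reference nobody has a rule for. The following is an added example, not code from the original post, from Geekzone or from the HTTPS Everywhere project. It reads rulesets written in the HTTPS Everywhere XML format, applies them to the subresource URLs of a page, and reports what a ruleset upgrades and what would still load as mixed content. The Geekzone ruleset uses only hostnames named in the thread; the image-host ruleset, its `.invalid` hostname (a TLD reserved for examples) and the sample signature HTML are constructed for the example, and the wildcard matching is a simplification of the project's own semantics.

```python
"""Added example, not code from the original post, Geekzone or HTTPS Everywhere:
a small reader for HTTPS Everywhere-style rulesets plus a mixed-content report
over the subresources of a page. Sample rulesets and HTML are constructed."""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

RULESETS_XML = r"""
<rulesetlibrary>
  <ruleset name="Geekzone">
    <target host="geekzone.co.nz" />
    <target host="*.geekzone.co.nz" />
    <rule from="^http:" to="https:" />
  </ruleset>
  <ruleset name="Example image host (hypothetical)">
    <target host="img.example-speedtest.invalid" />
    <exclusion pattern="^http://img\.example-speedtest\.invalid/legacy/" />
    <rule from="^http://img\.example-speedtest\.invalid/" to="https://img.example-speedtest.invalid/" />
  </ruleset>
</rulesetlibrary>
"""


class Ruleset:
    """One <ruleset>: target hosts, exclusion patterns, from/to rewrites.
    "*.example" is treated here as any subdomain of example (simplified)."""

    def __init__(self, elem):
        self.name = elem.get("name")
        self.targets = [t.get("host") for t in elem.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in elem.findall("exclusion")]
        # "$1" back-references in the XML become "\1" for re.sub
        self.rules = [(re.compile(r.get("from")), re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
                      for r in elem.findall("rule")]

    def applies_to(self, host):
        for target in self.targets:
            if target.startswith("*."):
                if host.endswith(target[1:]):
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url):
        """Upgraded URL, or the input unchanged if excluded or no rule fires."""
        if any(x.search(url) for x in self.exclusions):
            return url
        for pattern, replacement in self.rules:
            new_url, n = pattern.subn(replacement, url, count=1)
            if n:
                return new_url
        return url


def load_rulesets(xml_text):
    return [Ruleset(e) for e in ET.fromstring(xml_text).iter("ruleset")]


def upgrade_url(url, rulesets):
    host = (urlsplit(url).hostname or "").lower()
    for ruleset in rulesets:
        if ruleset.applies_to(host):
            return ruleset.rewrite(url)
    return url


class _ResourceCollector(HTMLParser):
    """Collects attribute values browsers fetch as subresources."""
    SRC_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.SRC_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.urls.append(value)


def mixed_content_report(html, rulesets):
    """Split a page's plain-http subresources into those a ruleset upgrades
    and those an https page would still flag as mixed content."""
    collector = _ResourceCollector()
    collector.feed(html)
    upgraded, still_plain = [], []
    for url in collector.urls:
        if urlsplit(url).scheme != "http":
            continue
        new_url = upgrade_url(url, rulesets)
        (still_plain if new_url == url else upgraded).append(new_url)
    return upgraded, still_plain


# constructed forum signature mixing first- and third-party images
SAMPLE_SIGNATURE = """
<p>My signature</p>
<img src="http://www.geekzone.co.nz/images/badge.png">
<img src="http://img.example-speedtest.invalid/result/123.png">
<img src="http://img.example-speedtest.invalid/legacy/old.png">
<img src="http://cdn.other-host.invalid/banner.gif">
<img src="https://www.geekzone.co.nz/images/fine.png">
"""

if __name__ == "__main__":
    up, plain = mixed_content_report(SAMPLE_SIGNATURE, load_rulesets(RULESETS_XML))
    print("upgraded:", *up, sep="\n  ")
    print("still mixed content:", *plain, sep="\n  ")
```

The exclusion entry is the part worth keeping in mind when writing a ruleset: a host may serve most paths over HTTPS but not all, and an over-broad rule turns a working image into a broken one rather than a mixed-content warning.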
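The "close sessions and block IP addresses if a user confirms a breach occurred" step in the post above is the part the forum software has to implement itself, whatever produces the risk score. What follows is an added example, not code from the original post, from Geekzone or from ThisData; it shows the server-side half only. The event shape, the 24-hour block length and the in-memory store are assumptions made for the example, and nothing here calls ThisData, whose API the thread does not show.

```python
"""Added example, not Geekzone's or ThisData's code: server-side session
revocation and IP blocking driven by a "breach confirmed" webhook event.
Event shape, block duration and the in-memory store are assumptions."""
from dataclasses import dataclass, field

BLOCK_SECONDS = 24 * 3600  # assumed block duration


@dataclass
class Session:
    session_id: str
    user_id: str
    ip: str
    revoked: bool = False


@dataclass
class SessionStore:
    """Stand-in for the forum's session table and IP blocklist."""
    sessions: dict = field(default_factory=dict)     # session_id -> Session
    blocked_ips: dict = field(default_factory=dict)  # ip -> unblock time

    def create(self, session_id, user_id, ip):
        self.sessions[session_id] = Session(session_id, user_id, ip)

    def is_valid(self, session_id, ip, now):
        """Checked on every request. Presenting the cookie is not enough: the
        server-side record must still be live and the source IP not blocked."""
        session = self.sessions.get(session_id)
        if session is None or session.revoked:
            return False
        return now >= self.blocked_ips.get(ip, 0)

    def revoke_user_sessions(self, user_id, keep=None):
        """Invalidate every session of the user except `keep`."""
        revoked = []
        for s in self.sessions.values():
            if s.user_id == user_id and not s.revoked and s.session_id != keep:
                s.revoked = True
                revoked.append(s)
        return revoked

    def block_ip(self, ip, now, seconds=BLOCK_SECONDS):
        self.blocked_ips[ip] = now + seconds


def on_breach_confirmed(store, event, now):
    """Webhook handler. Assumed event shape:
    {"user_id": str, "confirmed_by_session": str, "suspect_ips": [str, ...]}
    Revokes the user's other sessions and blocks the suspect IPs, but never the
    IP the confirmation itself came from (that would lock the user out)."""
    keep = event.get("confirmed_by_session")
    confirming_ip = store.sessions[keep].ip if keep in store.sessions else None
    revoked = store.revoke_user_sessions(event["user_id"], keep=keep)
    blocked = sorted(ip for ip in set(event.get("suspect_ips", [])) if ip != confirming_ip)
    for ip in blocked:
        store.block_ip(ip, now)
    return {"revoked": sorted(s.session_id for s in revoked), "blocked": blocked}


def demo(now=1_495_000_000):
    """Constructed scenario: one user with a phone session (the one confirming),
    a desktop session and a session opened from an unfamiliar address; a second
    user happens to share that address."""
    store = SessionStore()
    store.create("sess-phone", "u42", "203.0.113.10")
    store.create("sess-desktop", "u42", "203.0.113.11")
    store.create("sess-unknown", "u42", "198.51.100.7")
    store.create("sess-other-user", "u99", "198.51.100.7")
    result = on_breach_confirmed(store, {
        "user_id": "u42",
        "confirmed_by_session": "sess-phone",
        "suspect_ips": ["198.51.100.7"],
    }, now)
    checks = {  # every entry should be True
        "phone still valid": store.is_valid("sess-phone", "203.0.113.10", now),
        "desktop revoked": not store.is_valid("sess-desktop", "203.0.113.11", now),
        "attacker revoked": not store.is_valid("sess-unknown", "198.51.100.7", now),
        "other user blocked too": not store.is_valid("sess-other-user", "198.51.100.7", now),
        "block expires": store.is_valid("sess-other-user", "198.51.100.7", now + BLOCK_SECONDS),
    }
    return result, checks


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The "other user blocked too" case is the cost of blocking by IP at all: anyone behind the same address is locked out for the block period, which is why the block has an expiry and why the confirming IP is exempted.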


Reply # 1784599 19-May-2017 09:33

freitasm: Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

Having done ~30 seconds of research, I think I agree with you.
Trouble is, I'm already using Google Authenticator for 2FA on this site (and one or two others).

So, how do I switch from Google Authenticator to Authy?
At least for Geekzone.




BDFL - Memuneh (Administrator)
Reply # 1784607 19-May-2017 09:54

Do it while you have only three. I currently have 43 sites with 2FA on Authy. And I still have to load a few more. Imagine if you lose your phone and you had 50 sites to reset?
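Both apps in this exchange compute the same thing, RFC 6238 TOTP: a code is a function of the enrolment secret and the clock only, so any device holding a copy of the secret produces the same six digits, and an app can only "synchronise" a site for which it holds that secret. The following is an added example, not code from the original post, from Geekzone, Authy or Google. The secret used is the RFC 6238 test secret, not a real enrolment; the `verify` function is the site-side check, with the skew window of one step as an assumption.

```python
"""Added example, not code from the original post, Geekzone, Authy or Google:
RFC 6238 TOTP generation and a site-side verifier. Uses the RFC test secret."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 appendix B test secret


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter), dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time, digits=6, algo=hashlib.sha1, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits, algo)


def totp_from_base32(b32_secret, at_time):
    """Secrets in otpauth:// enrolment QR codes are base32, usually shown
    unpadded and in either case; this is the form an app stores and the form
    that would have to move to another app for it to produce the same codes."""
    padded = b32_secret.upper() + "=" * (-len(b32_secret) % 8)
    return totp(base64.b32decode(padded), at_time)


def verify(secret, candidate, at_time, window=1):
    """Site-side check accepting +-window steps of clock skew. The candidate
    comes from the user, so compare in constant time."""
    for k in range(-window, window + 1):
        expected = totp(secret, at_time + k * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    import time
    now = time.time()
    b32 = base64.b32encode(RFC6238_SECRET).decode()
    print("app A:", totp(RFC6238_SECRET, now))
    print("app B:", totp_from_base32(b32, now))  # same secret, same code
    print("accepted by site:", verify(RFC6238_SECRET, totp(RFC6238_SECRET, now), now))
```

For the question asked above: because Google Authenticator keeps the secret on the device, the usual route is to disable and re-enable 2FA on the site and scan the new QR code into the new app, which gives it a fresh secret; the code generation itself is identical in both apps.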

Reply # 1784613 19-May-2017 10:08

Nice to see, all sites should really now be https. Google is talking about flagging all non-SSL sites as insecure starting next year.

Don't forget you can get free SSL certs now
http://letsencrypt.org/


Reply # 1784615 19-May-2017 10:13

freitasm: Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

Have been meaning to set this up... Was using Google Authenticator, which is a nuisance when you have to change phone etc.





