Geekzone: technology news, blogs, forums
freitasm (BDFL - Memuneh, Administrator) | Topic # 214562 17-May-2017 19:52 | 8 people support this post

Hello folks

Some of the more observant may have noticed a change on Geekzone tonight. We have moved the (very) few pages still being served over HTTP to HTTPS - this means the frontpage and forums (other pages have been served on HTTPS for some time now).

I have also reset all your sessions because I have changed cookies to be marked as "Secure" from now on. This means that even if you request an HTTP page on Geekzone, cookies (such as session identification) won't be sent from your browser - only when the redirection to HTTPS happens will the cookies be sent. This guarantees your sessions are now secure and shouldn't face the risk of hijacking (unless a MITM attack happens).

Our mobile site was moved to HTTPS last week.

Some links will still show "http://www.geekzone.co.nz" but will automatically redirect to the correct https: schema (including email notifications and RSS feeds). I will be changing this over slowly this week.

Most pages will show as "Secure" in your browsers. Some pages might show "Mixed content" warnings if someone inserted a third-party image that is not served using the HTTPS schema. This includes those Speedtest results in your signatures. Don't worry, the page itself is still secure, just those elements aren't being served over HTTPS.

You should see another speed improvement for those using browsers supporting SPDY or HTTP/2 protocols.

If you see something "interesting" happening, please let me know.
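The two mechanisms the opening post relies on, modelled as plain functions so the behaviour can be traced: the "Secure" cookie attribute (the browser withholds the cookie from any http:// request) and the server's redirect from http:// to https://. This is an added example, not Geekzone's code; the cookie name "session", its value and the URLs are constructed for illustration, and the browser rule implemented is the one RFC 6265 gives for the Secure attribute. The audit helper shows the check a defender runs against a site's Set-Cookie headers before and after such a change.

```python
"""Secure cookies and the HTTP -> HTTPS redirect, modelled as pure functions.

Added example, not Geekzone's code. The cookie name "session" and the URLs are
constructed for illustration. The browser rule implemented here is the one from
RFC 6265 (section 4.1.2.5): a cookie with the Secure attribute is only attached
to requests made over a secure scheme, so a plain http:// request leaves it at home.
"""
from urllib.parse import urlsplit, urlunsplit


def build_set_cookie(name, value, secure=True, http_only=True, same_site="Lax"):
    """Render a Set-Cookie header value; the defaults give the hardened form."""
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value-or-True})."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Defender's check: list the hardening attributes a session cookie lacks."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]


def browser_would_send(set_cookie_header, request_url):
    """Browser side: a Secure cookie is sent only when the request is https."""
    _, _, attrs = parse_set_cookie(set_cookie_header)
    scheme = urlsplit(request_url).scheme.lower()
    return not (attrs.get("secure") and scheme != "https")


def redirect_to_https(request_url):
    """Server side: answer an http:// request with a permanent redirect; https is served as-is."""
    parts = urlsplit(request_url)
    if parts.scheme.lower() == "https":
        return None  # correct schema already; serve the page normally
    target = urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return {"status": 301, "Location": target}


def trace_request(request_url, set_cookie_header):
    """One request as the post describes it: what the browser sends, what the server does."""
    return {
        "cookie_sent": browser_would_send(set_cookie_header, request_url),
        "redirect": redirect_to_https(request_url),
    }


if __name__ == "__main__":
    legacy = build_set_cookie("session", "abc123", secure=False, http_only=False, same_site=None)
    hardened = build_set_cookie("session", "abc123")
    print("legacy cookie is missing:", audit_set_cookie(legacy))
    print("hardened cookie is missing:", audit_set_cookie(hardened))
    for url in ("http://www.geekzone.co.nz/forums.asp", "https://www.geekzone.co.nz/forums.asp"):
        print(url, "->", trace_request(url, hardened))
```

Tracing the http:// URL with the hardened cookie shows the sequence the post describes: the cookie stays in the browser, the server answers 301 to the https:// URL, and only the follow-up request carries the session identifier. The same trace with the legacy cookie shows why sessions had to be reset: a cookie issued without the Secure attribute would still travel in the clear on the first request.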





allan (Ultimate Geek) | Reply # 1783877 17-May-2017 20:14

Explains why I had to log in again I'm assuming :)


Ultimate Geek, Trusted | Reply # 1783881 17-May-2017 20:40

allan: Explains why I had to log in again I'm assuming :)

Yes, that will be the "reset all your sessions".

michaelmurfy (Uber Geek, Moderator) | Reply # 1783882 17-May-2017 20:42

It is a shame that Speedtest doesn't allow for SSL connections else you could do a find and replace on many things to convert them to SSL.

However, congrats!

Michael Murphy | https://murfy.nz
Want to be with an epic ISP? Want $20 to join them too? Well, use this link to sign up to BigPipe!
The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial




freitasm (BDFL - Memuneh, Administrator) | Reply # 1783885 17-May-2017 20:46

michaelmurfy: It is a shame that Speedtest doesn't allow for SSL connections else you could do a find and replace on many things to convert them to SSL.

They do. Just that their "Copy link" button offers the HTTP version and most people will just use that...





blakamin (Aussie, Uber Geek) | Reply # 1783888 17-May-2017 20:55

Dammit... now I have to login on my phone and tablet again with 2FA... pain in the A :D


Uber Geek, Moderator | Reply # 1783898 17-May-2017 21:17

blakamin: Dammit... now I have to login on my phone and tablet again with 2FA... pain in the A :D

Use Authy it's great.




freitasm (BDFL - Memuneh, Administrator) | Reply # 1783910 17-May-2017 21:25 | 2 people support this post

Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...





nas (Ultimate Geek) | Reply # 1783912 17-May-2017 21:27

Another +1 for Authy




freitasm (BDFL - Memuneh, Administrator) | Reply # 1784033 18-May-2017 09:58

This is the difference in % of HTTP/S traffic served in the last six hours (overnight), compared to last month:

As search indexes are updated, RSS feeds change, people bookmark new URLs we should see this increase to around 90%. We will still have some non-HTTPS requests but those will be redirected.





Uber Geek, Trusted | Reply # 1784035 18-May-2017 10:09

Must be time for a new GZ badge: "Congrats, you're on SSL exclusively now." or something like that.




freitasm (BDFL - Memuneh, Administrator) | Reply # 1784063 18-May-2017 10:54 | One person supports this post

Some more background information posted on my LinkedIn page and reproduced below:

Last night I switched Geekzone (www.geekzone.co.nz) to full HTTPS support. And slowly traffic over SSL is going up (as per image in the header, comparing last six hours overnight vs last month).

Up until now we only used SSL for login, registration, private messages and profile pages plus assets (images, CSS and scripts).

Now everything is covered.

I started using SSL many years ago and wanted to have the site fully served over HTTPS for quite a while. Started by enforcing HTTPS on some content-sensitive pages and moving assets to HTTPS domains, including redirects to ensure clients used the correct schema. Last week I deployed an update for Geekzone mobile to make sure it worked on HTTPS and yesterday I did the same on the full desktop version of the site.

Also included in this change is the addition of a "Secure" flag to cookies used on these domains. This ensures cookies only move between the client browser and server when there's a secure connection. If anyone requests http://www.geekzone.co.nz instead of https://www.geekzone.co.nz the server will instruct the browser to redirect to the correct location while the browser knows not to disclose the cookies until the secure connection is established. This is essential to avoid session hijacking (unless of course we talk MITM attacks).

Why have all this trouble for a forum? Because we have lots of industry (telcos mainly but other companies around too) people using the site. Account numbers, PINs and passwords are sometimes sent via our private message system (which has been served using the HTTPS schema for quite a while) so it makes sense to extend this to the whole site.

In addition to this, for the last few months I have been using ThisData to collect, analyse and understand user behaviour around the site, in real-time, to quickly determine if an account could've been compromised. Up until now we were using it in "read mode" and tracking notifications. Last week I changed the webhook/API to actually start closing sessions and blocking IP addresses if a user confirms a breach occurred.

ThisData receives millions of transaction reports (login, logout, forum post, message sent, message read, password change, new registration, avatar change, invalid password, etc) from us every month and uses machine learning to observe and assign a "risk" to each transaction. Based on this risk result our forum software can take different actions to protect our users - like the ones I described in the previous paragraph.

I have also added a Geekzone ruleset to the HTTPS Everywhere project. This ensures that browsers using the HTTPS Everywhere add-ons will know to use the HTTPS schema instead of HTTP even if the source explicitly refers to the HTTP version (including references to any Geekzone resource served in non-Geekzone pages). This is important because Cloudflare also uses the same ruleset when doing the automatic HTTPS upgrade for some of their millions of clients around the Internet.

We also use other platforms to prevent spammers and scammers joining the site. One or another can sometimes get past all this protection but our moderator team is pretty quick to act and our community is really good at reporting suspicious behaviour.

There is lots more to be done, for sure. But it feels good when all this falls into place.
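The HTTPS Everywhere ruleset mentioned above works by matching a URL's host against the ruleset's targets and rewriting the URL with a regular expression. The following is an added example, not HTTPS Everywhere's own code and not the ruleset the author submitted: it parses a constructed ruleset written with the project's public element names (ruleset, target, exclusion, rule) and applies it to URLs, including the client-side upgrade of links that still say "http://" in stored posts, feeds or third-party pages. The wildcard handling (a leading "*." matches any subdomain), the conversion of JavaScript-style "$1" back-references to Python's "\1", and the fictitious "legacy" exclusion host are this example's own choices.

```python
"""Apply an HTTPS Everywhere-style ruleset to URLs found in pages, feeds and stored posts.

Added example: not HTTPS Everywhere's own code and not the Geekzone ruleset the post's
author submitted. The XML is a constructed ruleset using the project's public element
names (ruleset, target, exclusion, rule); the wildcard handling (a leading "*." matches
any subdomain) and the "$1" -> "\\1" replacement conversion are this example's choices.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset for illustration only. The "legacy" exclusion host is fictitious.
EXAMPLE_RULESET_XML = r"""
<ruleset name="Geekzone (constructed example)">
  <target host="geekzone.co.nz" />
  <target host="*.geekzone.co.nz" />
  <exclusion pattern="^http://legacy\.geekzone\.co\.nz/" />
  <rule from="^http:" to="https:" />
</ruleset>
"""

# Any absolute http(s) URL inside free text (HTML attributes, RSS items, BBCode).
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


class Ruleset:
    def __init__(self, name, targets, exclusions, rules):
        self.name = name
        self.targets = [t.lower() for t in targets]
        self.exclusions = [re.compile(p) for p in exclusions]
        # HTTPS Everywhere writes JavaScript-style "$1" back-references; Python wants "\1".
        self.rules = [(re.compile(f), re.sub(r"\$(\d+)", r"\\\1", t)) for f, t in rules]

    def matches_host(self, host):
        """True when the host is one of the targets or falls under a '*.' wildcard target."""
        host = host.lower()
        for target in self.targets:
            if target.startswith("*.") and host.endswith(target[1:]):
                return True
            if host == target:
                return True
        return False

    def apply(self, url):
        """Return the upgraded URL, or the input unchanged when the ruleset does not apply."""
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not self.matches_host(parts.hostname or ""):
            return url
        if any(excl.search(url) for excl in self.exclusions):
            return url  # explicitly excluded: left on http, as the ruleset author intended
        for pattern, replacement in self.rules:
            new_url, count = pattern.subn(replacement, url)
            if count:
                return new_url
        return url


def load_ruleset(xml_text):
    """Parse ruleset XML into a Ruleset; only the four elements named above are read."""
    root = ET.fromstring(xml_text.strip())
    return Ruleset(
        root.get("name"),
        [t.get("host") for t in root.findall("target")],
        [e.get("pattern") for e in root.findall("exclusion")],
        [(r.get("from"), r.get("to")) for r in root.findall("rule")],
    )


def rewrite_links(text, ruleset):
    """Upgrade every in-scope http:// link inside a blob of text, leaving other hosts alone."""
    return URL_RE.sub(lambda m: ruleset.apply(m.group(0)), text)


if __name__ == "__main__":
    rs = load_ruleset(EXAMPLE_RULESET_XML)
    for u in ("http://www.geekzone.co.nz/forums.asp?forumid=1",
              "http://www.example.com/",
              "http://legacy.geekzone.co.nz/old"):
        print(u, "->", rs.apply(u))
    # A stored post with a Geekzone link and a third-party image (constructed input).
    print(rewrite_links('<a href="http://www.geekzone.co.nz/">GZ</a> <img src="http://www.example.com/i.png">', rs))
```

The rewrite_links pass also illustrates the "Mixed content" remark from the opening post: only hosts covered by a ruleset are upgraded, so a third-party image embedded as http:// stays as it is and the page still reports mixed content until that host has a ruleset (or the link is edited).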





Master Geek | Reply # 1784599 19-May-2017 09:33

freitasm: Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

Having done ~30 seconds research, I think I agree with you.
Trouble is, I'm already using Google Authenticator for 2FA on this site (and one or two others).

So, how do I switch from Google Authenticator to Authy?
At least for Geekzone




freitasm (BDFL - Memuneh, Administrator) | Reply # 1784607 19-May-2017 09:54

Do it while you have only three. I currently have 43 sites with 2FA on Authy. And I still have to load a few more. Imagine if you lose your phone and you had 50 sites to reset?

 

 





Ultimate Geek, Trusted | Reply # 1784613 19-May-2017 10:08

Nice to see, all sites should really now be https, Google is talking about flagging all non-SSL sites as insecure starting next year.

Don't forget you can get free SSL certs now
http://letsencrypt.org/


Ultimate Geek, Trusted | Reply # 1784615 19-May-2017 10:13

freitasm: Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

Have been meaning to set this up... Was using Google Authenticator, which is a nuisance when you have to change phone etc.





