Making VGMdb more secure: HTTPS support
VGMdb Forums, VGMdb Site Related, News and Announcements

#1  Gigablah (VGMdb Administrator), Oct 14, 2017, 04:51 PM

VGMdb is now available for browsing through a private, encrypted connection at https://vgmdb.net !

With over half of Internet traffic now secured through SSL/TLS, and browsers starting to hold non-secure sites accountable, implementing HTTPS protection is now a necessity.

During the initial phase you may run into bad redirects to the non-https site or mixed content warnings; please report them so we can get it fixed. Once it's verified that everything is working well, we can turn on HSTS and enforce secure browsing by default.

#2  CHz (VGMdb Administrator), Oct 16, 2017, 12:10 AM

RSS feeds give out HTTP links when accessed over HTTPS:

https://vgmdb.net/db/rss.php
https://vgmdb.net/album/new/feed
https://vgmdb.net/album/upcoming/feed
https://vgmdb.net/artist/1/feed

I don't know how many others there are lying around
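
A check for the kind of leftover reported in this post (a feed served over HTTPS that still emits http:// links), as an added example that is not part of the thread or VGMdb's code. The function name `insecure_links` and the sample feed are constructed for illustration; the host names are the ones mentioned in the thread.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not real VGMdb output): what an RSS document looks
# like when the generator still hard-codes the http:// scheme.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example feed</title>
  <link>https://vgmdb.net/</link>
  <item>
    <title>Album A</title>
    <link>http://vgmdb.net/album/1</link>
    <guid isPermaLink="true">http://vgmdb.net/album/1</guid>
    <description>&lt;img src="http://media.vgm.io/a.jpg"&gt; cover</description>
  </item>
  <item>
    <title>Album B</title>
    <link>https://vgmdb.net/album/2</link>
    <description>See &lt;a href="http://example.org/shop"&gt;shop&lt;/a&gt;</description>
  </item>
</channel></rss>"""

# Plain-HTTP URLs only; "https://" never matches this pattern.
URL_RE = re.compile(r"""http://[^\s"'<>]+""")

def insecure_links(feed_xml, own_hosts):
    """Return sorted (tag, url) pairs for http:// URLs that point at own_hosts."""
    found = set()
    for el in ET.fromstring(feed_xml).iter():
        # Element text covers <link>/<guid> and HTML embedded in <description>;
        # attribute values cover <enclosure url="..."> and similar.
        texts = [el.text or ""] + list(el.attrib.values())
        for text in texts:
            for url in URL_RE.findall(text):
                # Third-party http:// links are ignored: only the site's own
                # hosts are expected to be reachable over HTTPS.
                if urlsplit(url).hostname in own_hosts:
                    found.add((el.tag, url))
    return sorted(found)

if __name__ == "__main__":
    for tag, url in insecure_links(SAMPLE_FEED, {"vgmdb.net", "media.vgm.io"}):
        print(f"{tag}: {url}")
```

Embedded images such as the `media.vgm.io` one are what produce mixed content warnings in a feed reader loaded over HTTPS; the `link` and `guid` hits are the ones that send a reader back to the non-HTTPS site.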

#3  Datschge (Senior Member), Oct 18, 2017, 03:03 PM

To be honest HSTS is quite a hassle I'd only do as a final step. Just forcibly upgrading every access to https and getting a better TLS security rating is sufficient.

Thanks for the efforts in any case!

#4  LiquidAcid (Trusted Editor), Oct 21, 2017, 01:20 AM

I guess then a few other HTTPS issues have to be addressed as well:
- first redirection when entering a new shop link with https prefix
- Amazon Japan shop link filtering if the link has https prefix

I've just added a link here, and both the first redirection fails, and the link shows up on the album page (which it shouldn't).

#5  cal (VGMdb Staff), Oct 21, 2017, 02:37 AM

To be honest, I'd rather not be redirected at all when adding shop links. It's annoying.

#6  Gigablah (VGMdb Administrator), Oct 21, 2017, 03:11 AM

The links in the RSS feeds have been fixed.

The shop links code will need some refactoring. The redirection was originally for visual confirmation that the link works, but we can make this a background job.

#7  Efendija (VGMdb Staff), Oct 21, 2017, 03:20 AM

First (automatic) redirection to a https shop link is always failing, not something which happens on VGMdb https site version only (clarifying that just in case).

Also noting that every Amazon link (not exclusive to Japan ones) will be shown on the album page if entered with https. About the filtering in the first place though, isn't it perhaps time to stop it? More than five years passed since the incident (closer to six actually) and some of us are regularly adding (visible) Amazon links with no problems whatsoever.

Last edited by Efendija; Oct 21, 2017 at 04:09 AM.

#8  Alcahest (Senior Member), Nov 2, 2017, 10:12 AM

All images (album images, preview, front, etc.) have stopped showing up on Win XP SP3 (while browsing with either http or https).
Code:
media.vgm.io
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS 1.2
The rest of the site still works perfectly fine using https.
Code:
vgmdb.net
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS 1.0
Hoping there's a solution..

Last edited by Alcahest; Nov 2, 2017 at 04:07 PM.

#9  dancey (Trusted Editor), Nov 2, 2017, 01:37 PM

I have no idea how it works or how to do it, but can you make http:// automatically redirect to https:// when hitting regular http:// URLs? I usually access the site by typing "vgmd" in Chrome omnibar and then hitting down arrow + enter to hit the first cache result, which is vgmdb.net/forums/search.php?do=getnew. Or by typing "vgmdb.net search criteria" to automatically start a search.

I think most websites do this automatically because it's never anything I have to think about. For example, if I manually type "http://www.paypal.com", I get automatically redirected to https:. I assume websites have some sort of "you're using a client that supports https so we're going to serve that to you automatically" thing, but :shrug:

#10  Nisto (VGMdb Advisor), Nov 2, 2017, 02:53 PM

dancey: that's essentially what HSTS is for. So once they've confirmed that links are working properly, Gigablah will enable it and the site should start redirecting non-secure connections to https://

#11  Gigablah (VGMdb Administrator), Nov 8, 2017, 06:23 AM

Quote (originally posted by Alcahest):
> All images (album images, preview, front, etc.) have stopped showing up on Win XP SP3 (while browsing with either http or https).
> Code:
> media.vgm.io
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS 1.2

media.vgm.io (and sibling subdomains) are proxied by Cloudflare. Apparently the free plan doesn't have SHA-1 fallback for older browsers (e.g. those on Win XP): https://support.cloudflare.com/hc/en...rowser-Support

I've upgraded to a monthly paid plan. Please let me know if that fixes images on your side.


Quote (originally posted by dancey):
> can you make http:// automatically redirect to https:// when hitting regular http:// URLs?

Yep, that's indeed what I plan to do, after the legacy browser issue is confirmed fixed.

I think I'll be using redirect rules, though. HSTS can screw up the site if it's not done properly.

#12  Alcahest (Senior Member), Nov 8, 2017, 06:29 AM

Quote (originally posted by Gigablah):
> media.vgm.io (and sibling subdomains) are proxied by Cloudflare. Apparently the free plan doesn't have SHA-1 fallback for older browsers (e.g. those on Win XP): https://support.cloudflare.com/hc/en...rowser-Support
>
> I've upgraded to a monthly paid plan. Please let me know if that fixes images on your side.

Absolutely, the images are back!
Thank you very much.
(So now the site works also 100% with https on legacy browsers / XP)

Last edited by Alcahest; Nov 8, 2017 at 06:42 AM.

#13  dancey (Trusted Editor), Jan 15, 2018, 06:50 PM

Any update on this? It is, at least as of this posting, still http and not using HSTS.

#14  Gigablah (VGMdb Administrator), Jan 16, 2018, 06:45 AM

I will not be turning on HSTS at this time, but I will turn on HTTPS redirection soon (aiming for this weekend).

Since there are users on legacy browser versions or operating systems (XP) who may have issues with HTTPS, the non-HTTP site will still be available as a fallback.

#15  dancey (Trusted Editor), Jan 16, 2018, 06:55 AM

Quote (originally posted by Gigablah):
> Since there are users on legacy browser versions or operating systems (XP) who may have issues with HTTPS, the non-HTTP site will still be available as a fallback.

This is your fault, Alcahest.

#16  Alcahest (Senior Member), Jan 16, 2018, 07:11 AM

Quote (originally posted by dancey):
> This is your fault, Alcahest.

Well I'm not sure I've already reported everything works ok on https / XP now that the images are fixed.