New site encryption
#1
Senior Member
Thread Starter
New site encryption
I noticed last night that you enabled encryption on the site. The home page is unencrypted, but it kicks on when entering any of the forums. Umm, would you please consider relaxing this to support TLS 1.0 and not just 1.2? My phone is a Symbian smartphone and no Symbian phone on the planet supports 1.2. Otherwise I'll be visiting here about half as often. You don't deal with credit card numbers or other PII, so I don't think this should be a big deal. Thanks.
#3
Senior Member
Thread Starter
Re: New site encryption
I wouldn't think so. An encryption problem would probably state "encryption" or "secure connection" somewhere. Assuming your browser isn't ancient, you might try more straightforward troubleshooting: reboot, clear the cache, run AV software, etc. You could also try disabling JavaScript, although this would be more a short-term band aid than a fix.
#5
Senior Member
Thread Starter
Re: New site encryption
Thanks for the tip. I just realized the site isn't so much enforcing encryption as the admins simply hard-coded https:// links to each of the forums on the main page (and perhaps elsewhere). That's a cheap way of doing it, but one I can work around for the short term by manually removing the "s".
Edit: That trick doesn't work, as the browser never stores the failed link.
Last edited by thetao; 09-21-17 at 01:41 AM.
#7
Administrator
Re: New site encryption
I'll let our tech team know about this. Thanks for the heads-up, everyone.
#10
DVD Talk Hall of Fame
Re: New site encryption
TLS 1.0 is supported. You're probably having a cipher suite problem though, as I only see 2 TLS 1.0 ciphers supported, and both of them use elliptic curve:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
They're using CloudFlare to front their TLS. I don't think CloudFlare supports older/weaker cipher suites, so you're pretty much SOL.
#11
Senior Member
Thread Starter
Re: New site encryption
You're right. When I force Firefox to use TLS 1.0, it still connects. Eliminating all the DHE and RC4 suites from my browser's supported list leaves me with just five options as far as CloudFlare is concerned.
While it's common for companies to not operate their own web servers, I haven't traditionally considered that when dealing with encryption issues, figuring "it's still configurable". What's frustrating is that sites like Amazon and eBay still work fine on my phone, with (of the sites I visit often) only this forum and CamelCamelCamel causing problems, but which have precious little information to protect.
I see HTTP responses from dvdtalk.com cite CloudFlare in the server field. Is that how you noticed the connection? Otherwise it doesn't seem very obvious.
#12
DVD Talk Hall of Fame
Re: New site encryption
Amazon and eBay have a vested financial interest (and vast technical resources) in ensuring that the greatest number of users can access their site.
I noticed CloudFlare because I ran the SSL Labs test for your problem to see what the TLS profile looked like.
Just a couple years ago, it was still considered safe to run SSL 3.0 and export ciphers, meaning browsers and OS's going back to the late 90's still worked. The cryptographic attacks on the TLS protocols and the ciphers have come fast and furious since then, and it's only going to accelerate. Windows XP is already mostly left out of connecting to any HTTPS servers, and Vista is well on its way too.
I would not be surprised to see an exploit come out within the next two years that forces TLS 1.0 to have to be dropped from default configurations. Outside of that, PCI DSS is already mandating a final deadline of June 30, 2018, for TLS 1.0, so if you're saying your phone doesn't support TLS 1.2, then it will mostly become useless for any e-commerce site after that date.
#13
Banned
Re: New site encryption
With Chrome I have to re-log into the site every time I visit it now, even if I check off the box which tells it to remember me.
#14
Re: New site encryption
This started happening to me recently with Firefox. However, whenever I enter a sub-forum, it shows that I'm logged in. I thought there was a problem with Cookie AutoDelete, but since the forum, for some reason, automatically logs me in, I no longer consider this a problem for me.
#15
DVD Talk Reviewer/ Admin
Re: New site encryption
I bet it's because you're starting at http://forum.dvdtalk.com/ , but the login form routes you to https://forum.dvdtalk.com/ , and links to nearly all the main forums are also HTTPS, even from the insecure URL. If you update your bookmark, that could fix the problem.
I was running into the same thing, at least, and that corrected it for me. I needed to clear my browser history so the insecure version of the site would stop auto filling too.
#17
DVD Talk Gold Edition
Re: New site encryption
Made the changes mentioned by Adam, updated bookmark, cleared history, etc. ... even updated my browser (Safari), but I'm still getting the insecure connection warning.
#18
DVD Talk Hall of Fame
Re: New site encryption
BTW, anyone else clicking on the forum button (not the link under it) on the left side of the DVDTalk home page, selecting any forum page, and getting a "This is a non-secure form" dialogue box? It says it's sending it over an insecure connection. Happens in Safari and Firefox. Don't get it by clicking the link and going to the Forum page. This has been going on for about a week.
IBobi, looking at the home page source code, these links need to be updated to HTTPS:
Code:
<form action="http://forum.dvdtalk.com/forumdisplay.php" method="get" style="margin:0;">
Code:
<div align=center><a class="sbar" href="http://forum.dvdtalk.com/">Forum Home</a></div><br>
Code:
<a href="//www.dvdtalk.com/reviews/reviewers.php">Review Staff</a> | <a href="//www.dvdtalk.com/welcome.html">About DVD Talk</a> | <a href="//www.dvdtalk.com/subscribe.html">Newsletter Subscribe</a> | <a href="http://forum.dvdtalk.com/register.php">Join DVD Talk Forum</a> | <a href="http://www.internetbrands.com/careers">Careers</a>
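Added example, not part of the thread or the site's own code: a small Python scanner for the kind of leftover http:// form actions and links quoted in the post above, run over those same snippets. The class and function names are hypothetical, and the host set assumes only forum.dvdtalk.com is known to answer on HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute that carries the URL, per tag. Form targets matter most: a form
# on an HTTPS page that submits to an http:// action is what produces the
# browser's "non-secure form" warning described in the post.
URL_ATTRS = {"form": "action", "a": "href"}

class InsecureUrlFinder(HTMLParser):
    """Collect absolute http:// URLs found in form actions and links."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts   # assumption: hosts known to serve HTTPS
        self.findings = []           # (kind, url, suggested_fix or None)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        parts = urlsplit(url)
        # Protocol-relative ("//host/...") and relative URLs carry no scheme
        # and inherit the scheme of the page, so they are left alone.
        if parts.scheme.lower() != "http":
            return
        kind = "insecure-form" if tag == "form" else "insecure-link"
        # Only propose an upgrade for hosts we know answer on HTTPS.
        fix = "https" + url[4:] if parts.hostname in self.own_hosts else None
        self.findings.append((kind, url, fix))

def scan(html, own_hosts):
    finder = InsecureUrlFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# The snippets quoted in the post, trimmed to the tags that carry URLs.
SAMPLE = '''
<form action="http://forum.dvdtalk.com/forumdisplay.php" method="get" style="margin:0;">
<div align=center><a class="sbar" href="http://forum.dvdtalk.com/">Forum Home</a></div><br>
<a href="//www.dvdtalk.com/welcome.html">About DVD Talk</a> | <a href="http://forum.dvdtalk.com/register.php">Join DVD Talk Forum</a> | <a href="http://www.internetbrands.com/careers">Careers</a>
'''

if __name__ == "__main__":
    for kind, url, fix in scan(SAMPLE, {"forum.dvdtalk.com"}):
        print(kind, url, "->", fix or "(other host: confirm HTTPS support first)")
```

The form action is reported separately from plain links because it is the one that sends user input over the unencrypted connection.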