New site encryption

Old 09-20-17, 05:41 PM
  #1  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 963
Likes: 0
Received 1 Like on 1 Post
New site encryption

I noticed last night that you enabled encryption on the site. The home page is unencrypted, but it kicks on when entering any of the forums. Umm, would you please consider relaxing this to support TLS 1.0 and not just 1.2? My phone is a Symbian smartphone and no Symbian phone on the planet supports 1.2. Otherwise I'll be visiting here about half as often. You don't deal with credit card numbers or other PII, so I don't think this should be a big deal. Thanks.
Old 09-20-17, 07:24 PM
  #2  
DVD Talk Legend
 
Bronkster's Avatar
 
Join Date: Aug 2002
Location: AnaheimLand, SoCal
Posts: 22,539
Received 604 Likes on 349 Posts
Re: New site encryption

Is this why I'm getting all the "invalid redirect URL" messages - at home on desktop, not phone?
Old 09-20-17, 07:38 PM
  #3  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 963
Likes: 0
Received 1 Like on 1 Post
Re: New site encryption

I wouldn't think so. An encryption problem would probably state "encryption" or "secure connection" somewhere. Assuming your browser isn't ancient, you might try more straightforward troubleshooting: reboot, clear the cache, run AV software, etc. You could also try disabling JavaScript, although this would be more a short-term band aid than a fix.
Old 09-20-17, 07:41 PM
  #4  
DVD Talk Legend
 
Sonic's Avatar
 
Join Date: May 1999
Posts: 19,353
Received 347 Likes on 247 Posts
Re: New site encryption

Originally Posted by Bronkster
Is this why I'm getting all the "invalid redirect URL" messages - at home on desktop, not phone?
Yes, I've been getting that invalid URL message as well when I log on.

Simple fix: Edit your bookmark and put an "s" after the "http".
Old 09-20-17, 10:05 PM
  #5  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 963
Likes: 0
Received 1 Like on 1 Post
Re: New site encryption

Originally Posted by Sonic
Simple fix: Edit your bookmark and put an "s" after the "http".
Thanks for the tip. I just realized the site isn't so much enforcing encryption as the admins simply hard-coded https:// links to each of the forums on the main page (and perhaps elsewhere). That's a cheap way of doing it, but one I can work around for the short term by manually removing the "s".

Edit: That trick doesn't work, as the browser never stores the failed link.

Last edited by thetao; 09-21-17 at 01:41 AM.
Old 09-21-17, 11:39 AM
  #6  
DVD Talk Hero
 
Nick Danger's Avatar
 
Join Date: Mar 2001
Location: Albuquerque
Posts: 30,629
Received 1,467 Likes on 933 Posts
Re: New site encryption

I got an invalid redirect URL message when I logged in. It had nothing to do with bookmarks.
Old 09-21-17, 12:27 PM
  #7  
Administrator
 
Join Date: Sep 2015
Posts: 3,019
Received 1,068 Likes on 621 Posts
Re: New site encryption

I'll let our tech team know about this. Thanks for the heads-up, everyone.
Old 09-21-17, 01:06 PM
  #8  
DVD Talk Legend
 
Join Date: May 2004
Location: a mile high, give or take a few feet
Posts: 14,853
Received 221 Likes on 177 Posts
Re: New site encryption

Originally Posted by Nick Danger
I got an invalid redirect URL message when I logged in. It had nothing to do with bookmarks.
I got the same the first time. Reloaded the bookmark, and it logged me right in. I haven't seen it since.
Old 09-29-17, 08:24 PM
  #9  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 963
Likes: 0
Received 1 Like on 1 Post
Re: New site encryption

Still hoping for a resolution...
Old 10-02-17, 05:28 AM
  #10  
DVD Talk Hall of Fame
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 8,126
Received 450 Likes on 308 Posts
Re: New site encryption

Originally Posted by thetao
Still hoping for a resolution...
TLS 1.0 is supported. You're probably having a cipher suite problem though, as I only see 2 TLS 1.0 ciphers supported, and both of them use elliptic curve:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

They're using CloudFlare to front their TLS. I don't think CloudFlare supports older/weaker cipher suites, so you're pretty much SOL.
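
The distinction drawn in the post above, as an added example that is not part of the original thread: a handshake needs a common protocol version and, separately, a common cipher suite. The server list is the two suites quoted in the post; both client offers are constructed for illustration and are assumptions, not measured browser or phone profiles.

```python
# Added illustration: simplified model of TLS version and cipher-suite selection.
# Only the TLS 1.0 part of the server profile is modelled, using the two suites from the post.
SERVER_SUITES = {
    "TLSv1.0": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    ],
}
VERSION_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest

# Constructed client offers (assumptions): (supported versions, offered suites).
LEGACY_CLIENT = (["TLSv1.0"], ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"])
ECC_CLIENT = (["TLSv1.0"], ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"])


def key_exchange_and_auth(suite):
    """Split 'TLS_<kx>_<auth>_WITH_...' into (kx, auth); plain RSA suites use RSA for both."""
    parts = suite.split("_WITH_")[0].split("_")[1:]
    return (parts[0], parts[-1])


def negotiate(client_versions, client_suites, server=SERVER_SUITES):
    """Return (version, suite, None) on success or (None, None, reason) on failure."""
    common = [v for v in VERSION_ORDER if v in client_versions and v in server]
    if not common:
        return (None, None, "protocol_version: no common TLS version")
    version = common[-1]  # highest version both sides speak
    for suite in server[version]:  # server preference order
        if suite in client_suites:
            return (version, suite, None)
    needed = sorted({key_exchange_and_auth(s) for s in server[version]})
    return (None, None, f"handshake_failure: {version} is accepted but no suite is shared; "
                        f"server requires (key exchange, auth) in {needed}")


if __name__ == "__main__":
    for name, offer in [("legacy", LEGACY_CLIENT), ("ecc", ECC_CLIENT)]:
        print(name, negotiate(*offer))
```

The legacy offer fails even though TLS 1.0 is accepted, which is the case the post describes: the version matches but every available suite needs elliptic-curve support.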
Old 10-02-17, 11:45 PM
  #11  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 963
Likes: 0
Received 1 Like on 1 Post
Re: New site encryption

You're right. When I force Firefox to use TLS 1.0, it still connects. Eliminating all the DHE and RC4 suites from my browser's supported list leaves me with just five options as far as CloudFlare is concerned.

While it's common for companies to not operate their own web servers, I haven't traditionally considered that when dealing with encryption issues, figuring "it's still configurable". What's frustrating is that sites like Amazon and eBay still work fine on my phone, with (of the sites I visit often) only this forum and CamelCamelCamel causing problems, but which have precious little information to protect.

I see HTTP responses from dvdtalk.com cite CloudFlare in the server field. Is that how you noticed the connection? Otherwise it doesn't seem very obvious.
Old 10-03-17, 05:04 AM
  #12  
DVD Talk Hall of Fame
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 8,126
Received 450 Likes on 308 Posts
Re: New site encryption

Amazon and eBay have a vested financial interest (and vast technical resources) in ensuring that the greatest number of users can access their site.

I noticed CloudFlare because I ran the SSL Labs test for your problem to see what the TLS profile looked like.

Just a couple years ago, it was still considered safe to run SSL 3.0 and export ciphers, meaning browsers and OS's going back to the late 90's still worked. The cryptographic attacks on the TLS protocols and the ciphers have come fast and furious since then, and it's only going to accelerate. Windows XP is already mostly left out of connecting to any HTTPS servers, and Vista is well on its way too.

I would not be surprised to see an exploit come out within the next two years that forces TLS 1.0 to have to be dropped from default configurations. Outside of that, PCI DSS is already mandating a final deadline of June 30, 2018, for TLS 1.0, so if you're saying your phone doesn't support TLS 1.2, then it will mostly become useless for any e-commerce site after that date.
Old 10-06-17, 06:34 AM
  #13  
Banned
 
Join Date: Mar 2000
Location: Somewhere in the boonies, MA
Posts: 10,147
Received 376 Likes on 295 Posts
Re: New site encryption

With Chrome I have to re-log into the site every time I visit it now, even if I check off the box which tells it to remember me.
Old 10-07-17, 02:07 AM
  #14  
DVD Talk Limited Edition
 
Join Date: May 2010
Posts: 5,081
Received 37 Likes on 23 Posts
Re: New site encryption

Originally Posted by Eric F
With Chrome I have to re-log into the site every time I visit it now, even if I check off the box which tells it to remember me.
This started happening to me recently with Firefox. However, whenever I enter a sub-forum, it shows that I'm logged in. I thought there was a problem with Cookie AutoDelete, but since the forum, for some reason, automatically logs me in, I no longer consider this a problem for me.
Old 10-07-17, 07:31 AM
  #15  
DVD Talk Reviewer/ Admin
 
Adam Tyner's Avatar
 
Join Date: Sep 1999
Location: Greenville, South Cackalack
Posts: 28,824
Received 1,882 Likes on 1,238 Posts
Re: New site encryption

I bet it's because you're starting at http://forum.dvdtalk.com/ , but the login form routes you to https://forum.dvdtalk.com/ , and links to nearly all the main forums are also HTTPS, even from the insecure URL. If you update your bookmark, that could fix the problem.

I was running into the same thing, at least, and that corrected it for me. I needed to clear my browser history so the insecure version of the site would stop auto filling too.
Old 10-07-17, 11:38 AM
  #16  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 963
Likes: 0
Received 1 Like on 1 Post
Re: New site encryption

Originally Posted by TheBang
Amazon and eBay have a vested financial interest (and vast technical resources) in ensuring that the greatest number of users can access their site.
Indeed. And they do get more patronage for it.

Originally Posted by TheBang
I noticed CloudFlare because I ran the SSL Labs test for your problem to see what the TLS profile looked like.
Ah, I waded through several of those sites before finding http://howsmyssl.com/. Thanks. It's interesting how a detailed look at each IP appears to show every domain hosted on that shared server.

Originally Posted by TheBang
Just a couple years ago, it was still considered safe to run SSL 3.0 and export ciphers, meaning browsers and OS's going back to the late 90's still worked. The cryptographic attacks on the TLS protocols and the ciphers have come fast and furious since then, and it's only going to accelerate. Windows XP is already mostly left out of connecting to any HTTPS servers, and Vista is well on its way too.

I would not be surprised to see an exploit come out within the next two years that forces TLS 1.0 to have to be dropped from default configurations. Outside of that, PCI DSS is already mandating a final deadline of June 30, 2018, for TLS 1.0, so if you're saying your phone doesn't support TLS 1.2, then it will mostly become useless for any e-commerce site after that date.
I've had an exit strategy for months, but just need the time and money to follow through. It's unfortunate that Nokia never put a premium on encryption technology, as to the best of my knowledge even the 41 MP Nokia 808 Pureview, released in May 2012 and which received OS updates for several years, also never did better than TLS 1.0. OpenSSL added TLS 1.2 in March 2012, so I'd think there would have been time. I still have Opera Mini as a fallback option, but that comes with its own set of headaches. Until I upgrade phones, will probably be spending more time on Roobarb's Forum, which doesn't force SSL, doesn't use a bleeding-edge design, and doesn't easily overload my phone's memory.
Old 10-17-17, 06:50 PM
  #17  
DVD Talk Gold Edition
 
Join Date: Mar 2002
Posts: 2,033
Likes: 0
Received 4 Likes on 4 Posts
Re: New site encryption

Made the changes mentioned by Adam, updated bookmark, cleared history, etc. ... even updated my browser (Safari), but I'm still getting the insecure connection warning.
Old 10-18-17, 05:59 AM
  #18  
DVD Talk Hall of Fame
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 8,126
Received 450 Likes on 308 Posts
Re: New site encryption

Originally Posted by Jon2
BTW, anyone else clicking on the forum button (not the link under it) on the left side of the DVDTalk home page, selecting any forum page, and getting a "This is a non-secure form" dialogue box? It says it's sending it over an insecure connection. Happens in Safari and Firefox. Don't get it by clicking the link and going to the Forum page. This has been going on for about a week.
This is due to an HTTP (not HTTPS) form submission on the www.dvdtalk.com home page. There are several other HTTP links too.

IBobi, looking at the home page source code, these links need to be updated to HTTPS:

Code:
<form action="http://forum.dvdtalk.com/forumdisplay.php" method="get" style="margin:0;">
Code:
<div align=center><a class="sbar" href="http://forum.dvdtalk.com/">Forum Home</a></div><br>
Code:
<a href="//www.dvdtalk.com/reviews/reviewers.php">Review Staff</a> |  <a href="//www.dvdtalk.com/welcome.html">About DVD Talk</a> | <a  href="//www.dvdtalk.com/subscribe.html">Newsletter Subscribe</a> | <a href="http://forum.dvdtalk.com/register.php">Join DVD Talk Forum</a> | <a href="http://www.internetbrands.com/careers">Careers</a>
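
A check for the problem reported in the post above, as an added example that is not part of the original thread: it scans page source for plain `http://` URLs in attributes that submit or load data. The sample input is the post's snippets (the third one abridged); the tag list and the finding labels are choices made for this example.

```python
# Added illustration: flag plain-http URLs in attributes that submit, load or link.
from html.parser import HTMLParser

# Attributes whose URL is submitted to, fetched, or navigated to, per tag.
URL_ATTRS = {"form": ["action"], "a": ["href"], "img": ["src"],
             "script": ["src"], "link": ["href"], "iframe": ["src"]}
KIND = {"form": "submission", "a": "navigation"}  # every other tag is a subresource


class InsecureRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, []):
            url = (attrs.get(name) or "").strip()
            # https://, protocol-relative // and relative URLs follow the page's
            # own scheme or already use TLS, so only explicit http:// is flagged.
            if url.lower().startswith("http://"):
                self.findings.append((KIND.get(tag, "subresource"), tag, name, url))


def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    return finder.findings


# Sample input: the snippets quoted in the post (third one abridged).
SAMPLE = '''
<form action="http://forum.dvdtalk.com/forumdisplay.php" method="get" style="margin:0;">
<div align=center><a class="sbar" href="http://forum.dvdtalk.com/">Forum Home</a></div><br>
<a href="//www.dvdtalk.com/reviews/reviewers.php">Review Staff</a> | <a href="http://forum.dvdtalk.com/register.php">Join DVD Talk Forum</a>
'''

if __name__ == "__main__":
    for finding in find_insecure_refs(SAMPLE):
        print(finding)
```

The `submission` finding is the form whose plain-HTTP action the post identifies as the cause of the "non-secure form" dialog; the protocol-relative `//www.dvdtalk.com/...` link is not flagged.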

Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.