DVD Talk Forum

DVD Talk Forum (https://forum.dvdtalk.com/)
-   Forum Feedback and Support (https://forum.dvdtalk.com/forum-feedback-support-4/)
-   -   New site encryption (https://forum.dvdtalk.com/forum-feedback-support/641417-new-site-encryption.html)

thetao 09-20-17 05:41 PM
New site encryption
 
I noticed last night that you enabled encryption on the site. The home page is unencrypted, but it kicks on when entering any of the forums. Umm, would you please consider relaxing this to support TLS 1.0 and not just 1.2? My phone is a Symbian smartphone and no Symbian phone on the planet supports 1.2. Otherwise I'll be visiting here about half as often. You don't deal with credit card numbers or other PII, so I don't think this should be a big deal. Thanks.

Bronkster 09-20-17 07:24 PM
Re: New site encryption
 
Is this why I'm getting all the "invalid redirect URL" messages - at home on desktop, not phone.

thetao 09-20-17 07:38 PM
Re: New site encryption
 
I wouldn't think so. An encryption problem would probably state "encryption" or "secure connection" somewhere. Assuming your browser isn't ancient, you might try more straightforward troubleshooting: reboot, clear the cache, run AV software, etc. You could also try disabling JavaScript, although this would be more a short-term band aid than a fix.

Sonic 09-20-17 07:41 PM
Re: New site encryption
 
Originally Posted by Bronkster (Post 13161034)
Is this why I'm getting all the "invalid redirect URL" messages - at home on desktop, not phone.
Yes I been getting that invalid URL message as well when I log on.

Simple fix: Edit your bookmark and put an "s" after the "http".

thetao 09-20-17 10:05 PM
Re: New site encryption
 
Originally Posted by Sonic (Post 13161050)
Simple fix: Edit your bookmark and put an "s" after the "http".
Thanks for the tip. I just realized the site isn't so much enforcing encryption as the admins simply hard-coded https:// links to each of the forums on the main page (and perhaps elsewhere). That's a cheap way of doing it, but one I can work around for the short term by manually removing the "s".

Edit: That trick doesn't work, as the browser never stores the failed link.

Nick Danger 09-21-17 11:39 AM
Re: New site encryption
 
I got an invalid redirect URL message when I logged in. It had nothing to do with bookmarks.

IBJoel 09-21-17 12:27 PM
Re: New site encryption
 
I'll let our tech team know about this. Thanks for the head's up, everyone.

mndtrp 09-21-17 01:06 PM
Re: New site encryption
 
Originally Posted by Nick Danger (Post 13161466)
I got an invalid redirect URL message when I logged in. It had nothing to do with bookmarks.
I got the same the first time. Reloaded the bookmark, and it logged me right in. I haven't seen it since.

thetao 09-29-17 08:24 PM
Re: New site encryption
 
Still hoping for a resolution...

TheBang 10-02-17 05:28 AM
Re: New site encryption
 
Originally Posted by thetao (Post 13168545)
Still hoping for a resolution...
TLS 1.0 is supported. You're probably having a cipher suite problem though, as I only see 2 TLS 1.0 ciphers supported, and both of them use elliptic curve:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

They're using CloudFlare to front their TLS. I don't think CloudFlare supports older/weaker cipher suites, so you're pretty much SOL.

thetao 10-02-17 11:45 PM
Re: New site encryption
 
You're right. When I force Firefox to use TLS 1.0, it still connects. Eliminating all the DHE and RC4 suites from my browser's supported list leaves me with just five options as far as CloudFlare is concerned.

While it's common for companies to not operate their own web servers, I haven't traditionally considered that when dealing with encryption issues, figuring "its still configurable". What's frustrating is that sites like Amazon and EBay still work fine on my phone, with (of the sites I visit often) only this forum and CamelCamelCamel causing problems, but which have precious little information to protect.

I see HTTP responses from dvdtalk.com cite CloudFlare in the server field. Is that noticed the connection? Otherwise it doesn't seem very obvious.

TheBang 10-03-17 05:04 AM
Re: New site encryption
 
Amazon and eBay have a vested financial interest (and vast technical resources) in ensuring that the greatest number of users can access their site.

I noticed CloudFlare because I ran the SSL Labs test for your problem to see what the TLS profile looked like.

Just a couple years ago, it was still considered safe to run SSL 3.0 and export ciphers, meaning browsers and OS's going back to the late 90's still worked. The cryptographic attacks on the TLS protocols and the ciphers have come fast and furious since then, and it's only going to accelerate. Windows XP is already mostly left out of connecting to any HTTPS servers, and Vista is well on its way too.

I would not be surprised to see an exploit come out within the next two years that forces TLS 1.0 to have to be dropped from default configurations. Outside of that, PCI DSS is already mandating a final deadline of June 30, 2018, for TLS 1.0, so if you're saying your phone doesn't support TLS 1.2, then it will mostly become useless for any e-commerce site after that date.

Eric F 10-06-17 06:34 AM
Re: New site encryption
 
With Chrome I have to re-log into the site every time I visit it now, even if I check off the box which tells it to remember me.

EinCB 10-07-17 02:07 AM
Re: New site encryption
 
Originally Posted by Eric F (Post 13174426)
With Chrome I have to re-log into the site every time I visit it now, even if I check off the box which tells it to remember me.
This started happening to me recently with Firefox. However, whenever I enter a sub-forum, it shows that I'm logged in. I thought there was a problem with Cookie AutoDelete, but since the forum, for some reason, automatically logs me in, I no longer consider this a problem for me.

Adam Tyner 10-07-17 07:31 AM
Re: New site encryption
 
I bet it's because you're starting at http://forum.dvdtalk.com/ , but the login form routes you to https://forum.dvdtalk.com/ , and links to nearly all the main forums are also HTTPS, even from the insecure URL. If you update your bookmark, that could fix the problem.

I was running into the same thing, at least, and that corrected it for me. I needed to clear my browser history so the insecure version of the site would would stop auto filling too.

thetao 10-07-17 11:38 AM
Re: New site encryption
 
Originally Posted by TheBang (Post 13171162)
Amazon and eBay have a vested financial interest (and vast technical resources) in ensuring that the greatest number of users can access their site.
Indeed. And they do get more patronage for it.

Originally Posted by TheBang (Post 13171162)
I noticed CloudFlare because I ran the SSL Labs test for your problem to see what the TLS profile looked like.
Ah, I waded through several of those sites before finding http://howsmyssl.com/. Thanks. It's interesting how a detailed look at each IP appears to show every domain hosted on that shared server.

Originally Posted by TheBang (Post 13171162)
Just a couple years ago, it was still considered safe to run SSL 3.0 and export ciphers, meaning browsers and OS's going back to the late 90's still worked. The cryptographic attacks on the TLS protocols and the ciphers have come fast and furious since then, and it's only going to accelerate. Windows XP is already mostly left out of connecting to any HTTPS servers, and Vista is well on its way too.

I would not be surprised to see an exploit come out within the next two years that forces TLS 1.0 to have to be dropped from default configurations. Outside of that, PCI DSS is already mandating a final deadline of June 30, 2018, for TLS 1.0, so if you're saying your phone doesn't support TLS 1.2, then it will mostly become useless for any e-commerce site after that date.
I've had an exit strategy for months, but just need the time and money to follow through. It's unfortunate that Nokia never put a premium on encryption technology, as to the best of my knowledge even the 41 MP Nokia 808 Pureview, released in May 2012 and which received OS updates for several years, also never did better than TLS 1.0. OpenSSL added TLS 1.2 in March 2012, so I'd think there would have been time. I still have Opera Mini as a fallback option, but that comes with its own set of headaches. Until I upgrade phones, will probably be spending more time on Roobarb's Forum, which doesn't force SSL, doesn't use a bleeding-edge design, and doesn't easily overload my phone's memory.

Jon2 10-17-17 06:50 PM
Re: New site encryption
 
Made the changes mentioned by Adam, updated bookmark, cleared history, etc. ... even updated my browser (Safari), but I'm still getting the insecure connection warning.

TheBang 10-18-17 05:59 AM
Re: New site encryption
 
Originally Posted by Jon2 (Post 13183428)
BTW, anyone else clicking on the forum button (not the link under it) on the left side of the DVDTalk home page, selecting any forum page, and getting a "This is a non-secure form" dialogue box? It says it's sending it over an insecure connection. Happens in Safari and Firefox. Don't get it by clicking the link and going to the Forum page. This has been going on for about a week.
This is due to an HTTP (not HTTPS) form submission on the www.dvdtalk.com home page. There are several other HTTP links too.

IBobi, Looking at the home page source code, these links need to be updated to HTTPS:

Code:
<form action="http://forum.dvdtalk.com/forumdisplay.php" method="get" style="margin:0;">
Code:
<div align=center><a class="sbar" href="http://forum.dvdtalk.com/">Forum Home</a></div><br>
Code:
<a href="//www.dvdtalk.com/reviews/reviewers.php">Review Staff</a> |  <a href="//www.dvdtalk.com/welcome.html">About DVD Talk</a> | <a  href="//www.dvdtalk.com/subscribe.html">Newsletter Subscribe</a> | <a href="http://forum.dvdtalk.com/register.php">Join DVD Talk Forum</a> | <a href="http://www.internetbrands.com/careers">Careers</a>


All times are GMT -5. The time now is 08:19 AM.


Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.