
New site encryption

Old 09-20-17, 05:41 PM
  #1  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 961
New site encryption

I noticed last night that you enabled encryption on the site. The home page is unencrypted, but it kicks on when entering any of the forums. Umm, would you please consider relaxing this to support TLS 1.0 and not just 1.2? My phone is a Symbian smartphone and no Symbian phone on the planet supports 1.2. Otherwise I'll be visiting here about half as often. You don't deal with credit card numbers or other PII, so I don't think this should be a big deal. Thanks.
thetao is offline  
Old 09-20-17, 07:24 PM
  #2  
DVD Talk Legend
 
Bronkster's Avatar
 
Join Date: Aug 2002
Location: AnaheimLand, SoCal
Posts: 15,517
Re: New site encryption

Is this why I'm getting all the "invalid redirect URL" messages - at home on desktop, not phone.
Bronkster is offline  
Old 09-20-17, 07:38 PM
  #3  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 961
Re: New site encryption

I wouldn't think so. An encryption problem would probably state "encryption" or "secure connection" somewhere. Assuming your browser isn't ancient, you might try more straightforward troubleshooting: reboot, clear the cache, run AV software, etc. You could also try disabling JavaScript, although this would be more a short-term band-aid than a fix.
thetao is offline  
Old 09-20-17, 07:41 PM
  #4  
DVD Talk Legend
 
Sonic's Avatar
 
Join Date: May 1999
Posts: 18,139
Re: New site encryption

Originally Posted by Bronkster View Post
Is this why I'm getting all the "invalid redirect URL" messages - at home on desktop, not phone.
Yes, I've been getting that invalid URL message as well when I log on.

Simple fix: Edit your bookmark and put an "s" after the "http".
Sonic is offline  
Old 09-20-17, 10:05 PM
  #5  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 961
Re: New site encryption

Originally Posted by Sonic View Post
Simple fix: Edit your bookmark and put an "s" after the "http".
Thanks for the tip. I just realized the site isn't so much enforcing encryption as the admins simply hard-coded https:// links to each of the forums on the main page (and perhaps elsewhere). That's a cheap way of doing it, but one I can work around for the short term by manually removing the "s".

Edit: That trick doesn't work, as the browser never stores the failed link.

Last edited by thetao; 09-21-17 at 01:41 AM.
thetao is offline  
Old 09-21-17, 11:39 AM
  #6  
DVD Talk Legend
 
Nick Danger's Avatar
 
Join Date: Mar 2001
Location: Albuquerque
Posts: 22,348
Re: New site encryption

I got an invalid redirect URL message when I logged in. It had nothing to do with bookmarks.
Nick Danger is offline  
Old 09-21-17, 12:27 PM
  #7  
Administrator
 
Join Date: Sep 2015
Posts: 521
Re: New site encryption

I'll let our tech team know about this. Thanks for the heads-up, everyone.
IBJoel is offline  
Old 09-21-17, 01:06 PM
  #8  
DVD Talk Legend
 
Join Date: May 2004
Location: a mile high, give or take a few feet
Posts: 13,434
Re: New site encryption

Originally Posted by Nick Danger View Post
I got an invalid redirect URL message when I logged in. It had nothing to do with bookmarks.
I got the same the first time. Reloaded the bookmark, and it logged me right in. I haven't seen it since.
mndtrp is offline  
Old 09-29-17, 08:24 PM
  #9  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 961
Re: New site encryption

Still hoping for a resolution...
thetao is offline  
Old 10-02-17, 05:28 AM
  #10  
DVD Talk Limited Edition
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 6,662
Re: New site encryption

Originally Posted by thetao View Post
Still hoping for a resolution...
TLS 1.0 is supported. You're probably having a cipher suite problem though, as I only see 2 TLS 1.0 ciphers supported, and both of them use elliptic curve:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

They're using CloudFlare to front their TLS. I don't think CloudFlare supports older/weaker cipher suites, so you're pretty much SOL.
TheBang is offline  
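The diagnosis in the post above (protocol version accepted, no cipher suite in common) can be reproduced offline. This is an added example, not part of the original post: the server list is the two suites quoted there, the client lists are constructed, and server-preference ordering is an assumption.

```python
# Server's TLS 1.0 suites, in the order listed in the post above.
SERVER_TLS10 = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
]
# Constructed client offers (assumptions, not captured from a real device).
LEGACY_CLIENT = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
EC_CLIENT = ["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
             "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"] + LEGACY_CLIENT

def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher and MAC."""
    left, right = name.split("_WITH_")
    kx_auth = left.split("_")[1:]          # drop the "TLS" prefix
    cipher, mac = right.rsplit("_", 1)
    # In TLS_RSA_WITH_* the single RSA token is both key exchange and auth.
    return {"kx": kx_auth[0], "auth": kx_auth[-1], "cipher": cipher, "mac": mac}

def negotiate(client_suites, server_suites):
    """Return the first server-preferred suite the client also offers."""
    offered = set(client_suites)
    return next((s for s in server_suites if s in offered), None)

def diagnose(client_suites, server_suites):
    """Negotiate; on failure, name the components the client never offers."""
    chosen = negotiate(client_suites, server_suites)
    if chosen:
        return {"result": "ok", "suite": chosen, "missing": {}}
    client = [parse_suite(s) for s in client_suites]
    missing = {}
    for field in ("kx", "auth", "cipher", "mac"):
        needed = {parse_suite(s)[field] for s in server_suites}
        if not needed & {c[field] for c in client}:
            missing[field] = sorted(needed)
    return {"result": "handshake_failure", "suite": None, "missing": missing}

if __name__ == "__main__":
    print(diagnose(LEGACY_CLIENT, SERVER_TLS10))
    print(diagnose(EC_CLIENT, SERVER_TLS10))
```

A real handshake also depends on the client advertising a curve the server accepts, which this sketch does not model.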
Old 10-02-17, 11:45 PM
  #11  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 961
Re: New site encryption

You're right. When I force Firefox to use TLS 1.0, it still connects. Eliminating all the DHE and RC4 suites from my browser's supported list leaves me with just five options as far as CloudFlare is concerned.

While it's common for companies to not operate their own web servers, I haven't traditionally considered that when dealing with encryption issues, figuring "it's still configurable". What's frustrating is that sites like Amazon and eBay still work fine on my phone, with (of the sites I visit often) only this forum and CamelCamelCamel causing problems, but which have precious little information to protect.

I see HTTP responses from dvdtalk.com cite CloudFlare in the server field. Is that how you noticed the connection? Otherwise it doesn't seem very obvious.
thetao is offline  
Old 10-03-17, 05:04 AM
  #12  
DVD Talk Limited Edition
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 6,662
Re: New site encryption

Amazon and eBay have a vested financial interest (and vast technical resources) in ensuring that the greatest number of users can access their site.

I noticed CloudFlare because I ran the SSL Labs test for your problem to see what the TLS profile looked like.

Just a couple years ago, it was still considered safe to run SSL 3.0 and export ciphers, meaning browsers and OS's going back to the late 90's still worked. The cryptographic attacks on the TLS protocols and the ciphers have come fast and furious since then, and it's only going to accelerate. Windows XP is already mostly left out of connecting to any HTTPS servers, and Vista is well on its way too.

I would not be surprised to see an exploit come out within the next two years that forces TLS 1.0 to have to be dropped from default configurations. Outside of that, PCI DSS is already mandating a final deadline of June 30, 2018, for TLS 1.0, so if you're saying your phone doesn't support TLS 1.2, then it will mostly become useless for any e-commerce site after that date.
TheBang is offline  
Old 10-06-17, 06:34 AM
  #13  
DVD Talk Limited Edition
 
Join Date: Mar 2000
Location: Somewhere in the boonies, MA
Posts: 7,475
Re: New site encryption

With Chrome I have to re-log into the site every time I visit it now, even if I check off the box which tells it to remember me.
Eric F is online now  
Old 10-07-17, 02:07 AM
  #14  
DVD Talk Ultimate Edition
 
Join Date: May 2010
Posts: 4,485
Re: New site encryption

Originally Posted by Eric F View Post
With Chrome I have to re-log into the site every time I visit it now, even if I check off the box which tells it to remember me.
This started happening to me recently with Firefox. However, whenever I enter a sub-forum, it shows that I'm logged in. I thought there was a problem with Cookie AutoDelete, but since the forum, for some reason, automatically logs me in, I no longer consider this a problem for me.
EinCB is offline  
Old 10-07-17, 07:31 AM
  #15  
DVD Talk Reviewer/ Admin
 
Adam Tyner's Avatar
 
Join Date: Sep 1999
Location: Greenville, South Cackalack
Posts: 21,593
Re: New site encryption

I bet it's because you're starting at http://forum.dvdtalk.com/ , but the login form routes you to https://forum.dvdtalk.com/ , and links to nearly all the main forums are also HTTPS, even from the insecure URL. If you update your bookmark, that could fix the problem.

I was running into the same thing, at least, and that corrected it for me. I needed to clear my browser history so the insecure version of the site would stop auto filling too.
Adam Tyner is online now  
Old 10-07-17, 11:38 AM
  #16  
Senior Member
Thread Starter
 
Join Date: Dec 2009
Location: Pennsylvania
Posts: 961
Re: New site encryption

Originally Posted by TheBang View Post
Amazon and eBay have a vested financial interest (and vast technical resources) in ensuring that the greatest number of users can access their site.
Indeed. And they do get more patronage for it.

Originally Posted by TheBang View Post
I noticed CloudFlare because I ran the SSL Labs test for your problem to see what the TLS profile looked like.
Ah, I waded through several of those sites before finding http://howsmyssl.com/. Thanks. It's interesting how a detailed look at each IP appears to show every domain hosted on that shared server.

Originally Posted by TheBang View Post
Just a couple years ago, it was still considered safe to run SSL 3.0 and export ciphers, meaning browsers and OS's going back to the late 90's still worked. The cryptographic attacks on the TLS protocols and the ciphers have come fast and furious since then, and it's only going to accelerate. Windows XP is already mostly left out of connecting to any HTTPS servers, and Vista is well on its way too.

I would not be surprised to see an exploit come out within the next two years that forces TLS 1.0 to have to be dropped from default configurations. Outside of that, PCI DSS is already mandating a final deadline of June 30, 2018, for TLS 1.0, so if you're saying your phone doesn't support TLS 1.2, then it will mostly become useless for any e-commerce site after that date.
I've had an exit strategy for months, but just need the time and money to follow through. It's unfortunate that Nokia never put a premium on encryption technology, as to the best of my knowledge even the 41 MP Nokia 808 Pureview, released in May 2012 and which received OS updates for several years, also never did better than TLS 1.0. OpenSSL added TLS 1.2 in March 2012, so I'd think there would have been time. I still have Opera Mini as a fallback option, but that comes with its own set of headaches. Until I upgrade phones, I will probably be spending more time on Roobarb's Forum, which doesn't force SSL, doesn't use a bleeding-edge design, and doesn't easily overload my phone's memory.
thetao is offline  
Old 10-17-17, 06:50 PM
  #17  
DVD Talk Special Edition
 
Join Date: Mar 2002
Posts: 1,991
Re: New site encryption

Made the changes mentioned by Adam, updated bookmark, cleared history, etc. ... even updated my browser (Safari), but I'm still getting the insecure connection warning.
Jon2 is offline  
Old 10-18-17, 05:59 AM
  #18  
DVD Talk Limited Edition
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 6,662
Re: New site encryption

Originally Posted by Jon2 View Post
BTW, anyone else clicking on the forum button (not the link under it) on the left side of the DVDTalk home page, selecting any forum page, and getting a "This is a non-secure form" dialogue box? It says it's sending it over an insecure connection. Happens in Safari and Firefox. Don't get it by clicking the link and going to the Forum page. This has been going on for about a week.
This is due to an HTTP (not HTTPS) form submission on the www.dvdtalk.com home page. There are several other HTTP links too.

IBobi, looking at the home page source code, these links need to be updated to HTTPS:

Code:
<form action="http://forum.dvdtalk.com/forumdisplay.php" method="get" style="margin:0;">
Code:
<div align=center><a class="sbar" href="http://forum.dvdtalk.com/">Forum Home</a></div><br>
Code:
<a href="//www.dvdtalk.com/reviews/reviewers.php">Review Staff</a> |  <a href="//www.dvdtalk.com/welcome.html">About DVD Talk</a> | <a  href="//www.dvdtalk.com/subscribe.html">Newsletter Subscribe</a> | <a href="http://forum.dvdtalk.com/register.php">Join DVD Talk Forum</a> | <a href="http://www.internetbrands.com/careers">Careers</a>
TheBang is offline  
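A way to find every `http://` form target and link of the kind listed in the post above, rather than spotting them by eye in the page source. This is an added example, not part of the original post or the site's code; the sample input is the three snippets quoted there, and the `own_hosts` set is an assumption about which hostnames the site controls.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute is checked; a form target matters most because
# the browser submits user input to it.
URL_ATTRS = {"form": "action", "a": "href", "script": "src", "img": "src", "iframe": "src"}

class InsecureRefScanner(HTMLParser):
    """Collect http:// references found in a page that is served over HTTPS."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = set(own_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if not url:
            return
        parts = urlsplit(url)
        # https://, protocol-relative (//host/path) and relative URLs are fine.
        if parts.scheme.lower() != "http":
            return
        kind = "form-submission" if tag == "form" else "reference"
        if parts.hostname in self.own_hosts:
            action = "rewrite to " + parts._replace(scheme="https").geturl()
        else:
            action = "third-party host: confirm HTTPS support before rewriting"
        self.findings.append((kind, url, action))

def scan(html, own_hosts):
    scanner = InsecureRefScanner(own_hosts)
    scanner.feed(html)
    return scanner.findings

# Sample input: the three snippets quoted in the post above.
SAMPLE = '''
<form action="http://forum.dvdtalk.com/forumdisplay.php" method="get" style="margin:0;">
<div align=center><a class="sbar" href="http://forum.dvdtalk.com/">Forum Home</a></div><br>
<a href="//www.dvdtalk.com/reviews/reviewers.php">Review Staff</a> | <a href="//www.dvdtalk.com/welcome.html">About DVD Talk</a> | <a  href="//www.dvdtalk.com/subscribe.html">Newsletter Subscribe</a> | <a href="http://forum.dvdtalk.com/register.php">Join DVD Talk Forum</a> | <a href="http://www.internetbrands.com/careers">Careers</a>
'''

if __name__ == "__main__":
    for kind, url, action in scan(SAMPLE, {"forum.dvdtalk.com", "www.dvdtalk.com"}):
        print(f"{kind:16} {url}\n{'':16} -> {action}")
```

The protocol-relative `//www.dvdtalk.com/...` links are skipped because they inherit the scheme of the page that contains them.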


Copyright 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.