SSL in the playroom (translation)

8 messages, 1 pages: 1  ↖ Go back to topic list

1. Saniel_Morse,

Hello, I come with a very important post for the Playroom, from many others' point of view in the Spanish Playroom. This was posted by the user matar.desgarrar, if you want to contact him; I'm just translating, as always. So here we go:

Good evening. As a result of a tweet I saw some days ago, I looked and realized that the Playroom's page indeed has no SSL. This means that data is sent to the server without encryption, interceptable by someone with knowledge of this subject; I mean, I'm not one of them. I'm just posting it so that you can write your opinion; I'm seriously considering taking this to the French Playroom. BTW, saying "there's no money" is not an excuse. The Playroom has its own servers and Let's Encrypt can be run on them; it is the most popular certificate authority, accepted by most browsers, and it offers free certificates. I've tested it and it is really compatible with most web browsers. Best regards.

2. el_pichon,

It works! The website is accessible via HTTPS! Now the only remaining task is to set up a redirection from HTTP to HTTPS, forcing secure traffic.

3. Aminiel,

Hello,

HTTPS works, but it works only on the website. Thank you Zorvax for installing it. We can't force HTTPS at the moment though, because the web client is still in HTTP.

We will try to switch the web client to HTTPS in the next few weeks or months, too. However, please note that the Windows client will probably never switch to a secure connection, or perhaps much later (because I need to master OpenSSL first, and it is said to be extremely complicated).

Latest edition by Aminiel, Dec 11 2016 09:40:00

4. el_pichon,

Aminiel, did you see my penetration test? I think I have invited all admins to the discussion, but I'm not sure. The thread is in Spanish, but I think that it's easily understandable or translatable.
Regards.

5. matar.desgarrar,

First of all, thanks Aminiel for the implementation. It's not complete, but it's a beginning. Below is a message posted in the Spanish part; I suppose that the www domain was missing from the command to generate certificates.
Regards
-
Hello, HTTPS works, but it's still open. My curiosity is why Let's Encrypt doesn't generate the certificates correctly. I say that because if you write
https://qcsalon.net
it works fine, but if you add the canonical name, that is, with www, it asks you to add a security exception. I noticed this because I've seen many sites where Let's Encrypt works well.
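
The mismatch described in post 5, as an added example that is not part of the thread: a browser asks for a security exception when the requested hostname is not among the certificate's subjectAltName entries. The certificate contents below are constructed for illustration (they follow the poster's supposition that www was left out, and are not the site's real certificate), and all function names are hypothetical.

```python
# Added example: offline check of which hostnames a certificate covers.
# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert();
# their contents are constructed, not taken from the real site.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more or fewer labels
    if p[0] == "*":
        # Require at least three labels so "*.net" can never match.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered_names(cert: dict) -> list:
    """DNS entries of subjectAltName, the only names browsers check today."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def missing_hosts(cert: dict, hosts: list) -> list:
    """Hostnames the site is reachable under that the certificate does not cover."""
    names = covered_names(cert)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


# Constructed certificates for the three cases worth comparing.
BARE_ONLY = {"subjectAltName": (("DNS", "qcsalon.net"),)}
BOTH = {"subjectAltName": (("DNS", "qcsalon.net"), ("DNS", "www.qcsalon.net"))}
WILDCARD = {"subjectAltName": (("DNS", "*.qcsalon.net"),)}

# Every name under which the site answers must be listed when requesting the cert.
SERVED = ["qcsalon.net", "www.qcsalon.net"]

if __name__ == "__main__":
    for label, cert in (("bare only", BARE_ONLY), ("both", BOTH), ("wildcard", WILDCARD)):
        print(f"{label:10s} not covered: {missing_hosts(cert, SERVED)}")
```

The wildcard case shows the opposite failure: `*.qcsalon.net` covers `www` but not the bare domain, so both names still have to be requested.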

6. Aminiel,

Because the canonical name is without www for qcsalon.net. We defined it so on Google.

Nowadays, the prefix www is useless.

7. Aminiel,

Now you can connect to the web client via HTTPS and have a secure connection.

Note that everything is still in clear (not at all encrypted) when using the Windows client. I hope I will be able to do it soon.

8. Saniel_Morse,

Thank you Aminiel for making this possible! I know it's not completely done yet, but this might be the first step in order to increase security in the future!

Nothing else to say from me.

Best regards,

Eagala.
