The Dink Network

The Dink Network - Proper HTTPS Support

April 22nd, 05:03 PM
custom_king.png
redink1
King Male United States xbox steam bloop
A mother ducking wizard 
I updated The Dink Network background code (Miasma) to correctly support https. I have had experimental https support enabled since around August, but a lot of things didn't work (like, uh, css), as a lot of resources were hard-coded to load from http://www.dinknetwork.com.

So, if you log in to https://www.dinknetwork.com, you should see a nice 'Secure' reference before the URL, and it should actually look ok.

If you notice any problems, please let me know ASAP.

Thanks!
April 22nd, 05:05 PM
pq_frog.gif
Skurn
Peasant Equatorial Guinea steam duck bloop
can't flim flam the glim glam 
all my links are unclicked now. how dare you
April 22nd, 05:10 PM
custom_king.png
redink1
King Male United States xbox steam bloop
A mother ducking wizard 
I didn't think anyone would discover my nefarious plan a mere 2 minutes after announcing this.

Well played, sir, well played.
April 22nd, 05:29 PM
pq_frog.gif
Skurn
Peasant Equatorial Guinea steam duck bloop
can't flim flam the glim glam 
i discovered it while you were doing it. i also noticed the super obvious new anti-spam question.

restore the unsecure version
April 22nd, 06:02 PM
custom_king.png
redink1
King Male United States xbox steam bloop
A mother ducking wizard 
Weird; I thought I changed the anti-spam question back around... October 18th (according to my records). We were getting a fairly heavy amount of anonymous spam, and I think several spambots were programmed to enter 'banana' as the anti-spam response, so I changed it.

The unsecure version should still work (you don't have to go to https://)
April 23rd, 09:56 AM
duckdie.gif
bsitko
Peasant Male United States
 
Nice work, redink1. Next up is getting it to auto redirect to the https version.
April 23rd, 11:38 AM
spike.gif
SlipDink
Peasant Male United States bloop
2nd generation. No easy way to be free. 
So, we have https instead of (well, in addition to for the moment) http as a part of the DN. What was the reason for the conversion?

- Personally, I don't think that I would be worried if someone "broke into" my DN account, though it would be a little disconcerting to me, I admit. Do you think others would be more upset about this sort of thing?
- Are we worried about ISPs or other more nefarious types injecting ads (or scams) into pages?
- Is there a reason that we need to be certain that Search Engine Optimization is not putting our beloved http Dink network behind other Dink sites that use https?
- Is there concern with a lack of compatibility with Google's AMP (Accelerated Mobile Pages)?
- Do we need to reassure new visitors to the site that they are safe?

Anyway, I was just curious as to what made you decide to do it. Just in case you are wondering, I remain quite grateful for your efforts in maintaining this site, and all the Dink related matters that you have involved yourself in over the years.

Oh, and (for what it is worth) I agree with bsitko that auto-redirect to the https version should probably be the next step.

April 23rd, 12:52 PM
wizardb.gif
Bluedy
Peasant Male Romania steam bloop
Flyest artist you know 
I dunno about you but I treasure my bloop badge
April 23rd, 01:53 PM
duckdie.gif
bsitko
Peasant Male United States
 
It's where the web is going. Chrome will start popping up warnings on sites that aren't using http by June. Regardless of whether or not they have logins or not.
April 24th, 08:49 PM
custom_king.png
redink1
King Male United States xbox steam bloop
A mother ducking wizard 
I read that Chrome was going to start displaying warnings about sites being unsafe when accessed over http, and so I thought I might as well spend a bit of time to support https.

Interestingly enough, my web host currently provides certificates from one of the groups that Chrome is going to start distrusting around October (more info). I hope they transition to another provider soon.
April 26th, 09:02 PM
milder.gif
I suggest making HTTPS support the default, that is, automatically redirecting from HTTP to HTTPS, at least in web browsers. It is not a good idea to have passwords go over plaintext through the Internet. Some users might use their Dink Network passwords on other websites. You should do this ASAP for the security of the users of this site.

And as far as Dink Smallwood HD possibly not supporting this for DMODs, well I believe it uses HTTPS to check for updates from RTSoft so it ought to work for downloading DMODs from the Dink Network, so I doubt it would have any issue. Still, making sure that DMOD downloading within Dink Smallwood HD works is something to double-check after making HTTP traffic redirect to HTTPS, just to be absolutely sure.

I personally am a member of this site and have logged into it in the past over HTTP, and I am concerned about my own security. I am not worried about any of you guys being bad; I am worried about a man-in-the-middle attack. Obviously the Dink Network itself is trustworthy, but plaintext passwords sent over HTTP are vulnerable to man-in-the-middle attacks anywhere their Internet traffic is routed through, and it is easy to intercept data, and this is very much a bad thing. A common packet capture and analysis tool like Wireshark can be used on a LAN to intercept all network traffic. So if someone is connected to a wireless LAN, public WiFi, and they visit the Dink Network website from there and log in, it is very, very easy for someone else to do a man-in-the-middle attack and get all their login info.

Sorry about that little network security rant. I used to not know very much about network security; like, back when I became a member of this site I did not even notice that it was HTTP instead of HTTPS or think anything of it, but I have learned more since then, and most of what I learned was pretty disturbing. I got a Network+ certification from CompTIA. I admit I am still pretty lax about security compared to a lot of people. Like in macOS it requires me to have a password, so I have my password be a single space, since 1 character is the minimum number of characters and the spacebar is the biggest and most obvious key. On Windows 10 it requires me to have a pin number now and has complexity requirements, and I figured out the simplest possible pin number that meets those is 1000, easy to remember 1000. Prior to the new complexity requirements my pin number on Windows 10 was just all zeroes, 0000. I specifically have my sudoers files on macOS and Linux set to not require a password ever, under any circumstance, and I disable as many annoying “security” features as possible in most operating systems, like User Account Control on Windows and System Integrity Protection and Gatekeeper on macOS. So I am not the most security-conscious person out there; in fact I find security to be a real pain and get in the way of getting things done most of the time. But even I think that websites that use usernames and passwords should never ever use HTTP, and the ones that do all need to switch to HTTPS-only.
April 27th, 08:33 PM
pq_frog.gif
Skurn
Peasant Equatorial Guinea steam duck bloop
can't flim flam the glim glam 
help, im being logged out automatically over and over again
April 27th, 08:40 PM
custom_king.png
redink1
King Male United States xbox steam bloop
A mother ducking wizard 
Until I get a permanent fix, please log in to https://www.dinknetwork.com instead of https://dinknetwork.com (the www is important).
April 27th, 10:34 PM
pq_frog.gif
Skurn
Peasant Equatorial Guinea steam duck bloop
can't flim flam the glim glam 
oh huh, it isn't doing it here. thought it was at some point.
May 1st, 05:20 PM
spike.gif
SlipDink
Peasant Male United States bloop
2nd generation. No easy way to be free. 
@redink1:
Today I'm getting this error (probably unrelated to https support) that is preventing me from editing my forum postings.

Modify Error
You can only modify a message that exists, silly wabbit.
May 2nd, 09:49 AM
spike.gif
SlipDink
Peasant Male United States bloop
2nd generation. No easy way to be free. 
@Skurn & redink1:
I'm getting logged out each time I submit an entry to the Forum, and I am using http, not https.

It's not the end of the world, but it is a bit of a nuisance.

Not being able to edit my posts is the end of the world though!
May 2nd, 10:01 AM
spike.gif
SlipDink
Peasant Male United States bloop
2nd generation. No easy way to be free. 
Also, I was logged in and then (it seems) I was logged back out when I went to type up a new posting in the forum, replying to my fellow Dinkers. The [Login] button upper right corner area of the web page no longer reliably indicates that you are logged in with a picture of your icon, though apparently, the forum [Reply] screen worked just fine (either by auto logging me back in or ignoring the fact that the icon missing in the upper right of the page near the [Login] button was lying about me being logged out). Indeed, my icon was shown as a Lurker, during the whole time I typed this.

And the little <New!> floating icons that help me see which forum postings are the ones that I have not yet read are gone too. How dreadful! Now I have to read the dates on them to decide what to click on.

And, my hair is getting grey too! (Oh, wait, that probably has nothing to do with Dink, redink1 or https. Sorry.)
May 2nd, 03:16 PM
pq_frog.gif
Skurn
Peasant Equatorial Guinea steam duck bloop
can't flim flam the glim glam 
yeah the https one doesn't log you out. but i've been using the naughty dangerous one so long that i have to type it up to https://www.d each time. >_<
May 2nd, 04:50 PM
spike.gif
SlipDink
Peasant Male United States bloop
2nd generation. No easy way to be free. 
For me the https one provides this message, which I assume has something to do with the fact that the DN "web host currently provides certificates from one of the groups that Chrome is going to start distrusting around October (more info). I hope they transition to another provider soon." problem that redink1 mentioned.

This site can’t provide a secure connection
www.dinksmallwood.net sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
May 17th, 01:37 AM
seth.gif
Seth
Peasant Male Japan
 
Works for me, except for .dmod downloading. Using chrome:

https://files.dinknetwork.com/dmod/srchmili.dmod

(wow, what an awesome dmod) gives an error, but:

http://files.dinknetwork.com/dmod/srchmili.dmod

works. Not a big deal, but down the road browsers might be annoying about mixing https with http downloads.

Sadly, Dink HD doesn't currently support https with its own network stuff though.
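
Added example, not part of the thread and not Miasma's code: a Python check for the two problems raised above, resources hard-coded to load from http:// on a page served over https (the broken css in the first post) and http download links such as the .dmod URL in the last post. The page paths in the sample HTML and the download-suffix list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource; browsers block "active" ones over http.
SUBRESOURCES = {("script", "src"): "active", ("link", "href"): "active",
                ("iframe", "src"): "active", ("img", "src"): "passive"}
DOWNLOAD_SUFFIXES = (".dmod", ".zip", ".exe")  # assumed list of download file types

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return  # e.g. rel="canonical" is not fetched as a subresource
        for (t, attr), kind in SUBRESOURCES.items():
            if t == tag and attrs.get(attr):
                self._check(kind, tag, attrs[attr])
        if tag == "a" and attrs.get("href", "").lower().endswith(DOWNLOAD_SUFFIXES):
            self._check("download", tag, attrs["href"])

    def _check(self, kind, tag, value):
        # Relative and protocol-relative (//host/path) URLs inherit the page's scheme.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    # Mixed content only exists when the page itself is served over https.
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; only the host names and the .dmod URL come from the thread.
SAMPLE = """
<link rel="stylesheet" href="http://www.dinknetwork.com/style.css">
<link rel="stylesheet" href="/theme.css">
<script src="//www.dinknetwork.com/site.js"></script>
<img src="http://www.dinknetwork.com/logo.png">
<a href="http://files.dinknetwork.com/dmod/srchmili.dmod">download</a>
<a href="http://www.dinknetwork.com/forum.cgi">forum</a>
"""
```

Calling `find_mixed_content("https://www.dinknetwork.com/", SAMPLE)` reports the stylesheet, the image and the .dmod link; the relative and protocol-relative references and the plain navigation link are not reported.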