
Thread: HTTPS

  1. #1
    Member
    Registered: Aug 2009
    Location: Cracow, Poland

    HTTPS

    How is it possible that there is no HTTPS on the forums? What are the chances to provide it so that Garrett won't be able to steal my password?

  2. #2
    Member
    Registered: Aug 2009
    Location: Cracow, Poland
    Well, it works now. But on HTTPS the look is a bit different than HTTP... It looks like a mobile version. BTW, IMHO you should consider redirecting HTTP to HTTPS.

  3. #3
    Member
    Registered: May 2002
    Location: Between dreams and shadows...
    The issue is that if you access the page using https://, some of the javascript files and a bunch of image files are still being loaded over http:// (the page contains several literal http:// URLs, rather than using protocol independent URLs. For example, one javascript tag uses src="http://www.ttlg.com/forums/clientscript/spoilers.js" when it could either use the https:// or just src="//www.ttlg.com/forums/clientscript/spoilers.js"). You'll need to allow mixed content to view the pages fully until someone wrangles the template to fix that.
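
The mixed-content problem described in post #3, as an added example that is not part of the original thread: a small scanner that lists the subresources an https:// page would still request over http://, with the https:// form to use instead. The sample page is constructed; only the spoilers.js URL comes from the post, and the forum.example URLs are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Active content (browsers block it when insecure) vs. passive content
# (historically loaded with a warning). Maps tag -> URL attribute.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page: only the spoilers.js URL is quoted in the thread,
# the forum.example URLs are made up.
SAMPLE = """<html><head>
<script src="http://www.ttlg.com/forums/clientscript/spoilers.js"></script>
<script src="//forum.example/clientscript/relative.js"></script>
<link rel="stylesheet" href="http://forum.example/style.css">
</head><body>
<img src="http://forum.example/images/logo.gif">
<img src="https://forum.example/images/secure.gif">
<a href="http://forum.example/">plain link, not a subresource</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collect subresources an https:// page would still fetch over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, suggested_https_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        kind = "active" if tag in ACTIVE else "passive" if tag in PASSIVE else None
        if kind is None:
            return  # e.g. <a href>: navigation, not mixed content
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are checked here
        url = (attrs.get({**ACTIVE, **PASSIVE}[tag]) or "").strip()
        if urlsplit(url).scheme == "http":  # "//host/..." has an empty scheme
            self.findings.append((kind, tag, url, "https" + url[4:]))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, tag, url, fix in scan(SAMPLE):
        print(f"{kind:7} <{tag}> {url} -> {fix}")
```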

  4. #4
    Administrator
    Registered: Oct 2000
    Location: Athens of the North
    This has been planned for a little while and as noted, although the server was set to deliver over https not everything was ready to make the switch (there was some very old styling on the forum). If all's well then you shouldn't get any weird styling now but there's a possibility you may need to flush your browser cache if you see anything amiss. Redirects are on as well - vBulletin doesn't really work with allowing both http and https at the same time as it's not great at generating protocol-independent URLs from its settings. If there's still any weirdness let me know and I'll look into it.

  5. #5
    Moderator
    Registered: Jan 2003
    Location: NeoTokyo
    I don't know if this is related, but when I go to a forum sometimes I get a URL that looks like this:
    https://www.ttlg.com/forums/forumdisplay.php?f=70&f=70

    Where the forum id number (&f=70) is repeated twice, and it just recognizes the second one.
    E.g., the link https://www.ttlg.com/forums/forumdisplay.php?f=70&f=74 will go to GenGaming (f=74).

    Everything still works normally; that's just a weird buggy thing that's only started recently AFAIK and I thought worth reporting.

  6. #6
    Administrator
    Registered: Oct 2000
    Location: Athens of the North
    Almost certainly was when you had a bookmark or a link to a forum via http and it was being redirected to https. I can't understand why you would have two different forum IDs in that case but now it shouldn't append the spurious ID.

  7. #7
    Moderator
    Registered: Jan 2003
    Location: NeoTokyo
    This is old news now, but just to explain that last part, this was happening as part of my browser's auto-fill of a URL. You start typing in ttlg and the URL is going to automatically fill with the old http address including the 70 forum ID, and then that's when it evidently was getting redirected to https and getting the extra ID appendage.

    What was happening in the second case was when I would let the URL fill in and change the forum number by hand in the URL bar, e.g., from 70 to 74 in the case where I got the two different forum IDs. The problem just ended one day, presumably because the URL fill-in fills in with the https address now or you fixed something under the hood.

  8. #8
    New Member
    Registered: Mar 2019

    HTTPS settings

    Hey guys, just wanted to let whoever runs this site know that the way you've got HTTPS configured basically means it's going to stop working in less than a year. The site is currently connecting using TLS 1.0, which is going to be disabled by every major browser by March 2020. In either Apache or nginx it's trivially easy to turn on TLS 1.2 and, with very slightly more work, 1.3 (don't bother with 1.1 because it's also going away in a year.) The ciphers you're using are also a little on the weak side which makes me wonder if someone over-specified the cipher string in your web server configuration. Going back to the default string might be more worthwhile.

    Basically, you want an "A" or at the VERY LEAST a B on the following test web site. Going for "A+" is nice but not really necessary for a site that doesn't do e-commerce:

    https://www.ssllabs.com/ssltest/anal...d=www.ttlg.com

    Basically try to eliminate as many orange lines below "configuration" as you can and you'll be OK. If you're worried about ancient browsers, leave on TLS 1.0 and/or 1.1 - as long as 1.2 or 1.3 is on, modern browsers will use that first. I suspect eventually that grade will go down with 1.0 and 1.1 enabled, so keep checking back every couple months.

    TLS 1.0 is broken enough right now, and being shot in the head soon enough, that you're arguably actually better off going back to insecure http if making the 1.2 and cipher changes aren't possible or easy.

    If you want any guidance feel free to reach out. This site was super useful to me many years ago and I'm getting back into these old Looking Glass games, so I'd love for the site to continue!
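
The protocol-version advice in post #8, as an added example that is not part of the original thread: an offline audit of `ssl_protocols` directives that fails a TLS 1.0-only setup, warns when 1.0/1.1 are kept alongside 1.2 or 1.3, and passes a 1.2/1.3-only one. It assumes nginx (the thread does not say which server the site runs), and the configuration text and server names are constructed.

```python
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN = {"TLSv1.2", "TLSv1.3"}
# One directive per line; commented-out lines do not match.
DIRECTIVE = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;#\n]+);", re.MULTILINE)

# Constructed nginx configuration (hypothetical server names).
SAMPLE_CONF = """server {
    listen 443 ssl;
    server_name legacy.example;
    ssl_protocols TLSv1;
}
server {
    listen 443 ssl;
    server_name compat.example;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name modern.example;
    # ssl_protocols TLSv1;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""


def audit_ssl_protocols(conf):
    """Return (line_no, enabled_protocols, verdict) per ssl_protocols line."""
    findings = []
    for m in DIRECTIVE.finditer(conf):
        line_no = conf.count("\n", 0, m.start()) + 1
        enabled = m.group(1).split()
        if not MODERN.intersection(enabled):
            verdict = "fail"   # only deprecated protocols are offered
        elif LEGACY.intersection(enabled):
            verdict = "warn"   # works today, kept only for ancient clients
        else:
            verdict = "ok"
        findings.append((line_no, enabled, verdict))
    return findings


if __name__ == "__main__":
    for line_no, enabled, verdict in audit_ssl_protocols(SAMPLE_CONF):
        print(f"line {line_no}: {' '.join(enabled)} -> {verdict}")
```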

  9. #9
    Administrator
    Registered: Oct 2000
    Location: Athens of the North
    Cheers - I'm aware we have limitations on that front, some of which are down to the server platform. It's being looked at with a view to improve the score and avoid browsers blocking the site. Really appreciate the notes and great that you're getting back into the games.
