Security issues?
LD4all » Helpdesk

#1: Security issues? Author: Alot PostPosted: Tue 30 Oct, 2018
    ----
I've recently noticed that I get a notification symbol when visiting ld4all, the one with an "i" in a circle that says "Your connection to this site is not secure"

When posting, it has very recently (like in the past few days) changed into a triangle with an "i" in it, with the same message. Also "http" is double crossed out and in red on the warning message.

I've just tried visiting the site using https before the url, and it works, but the look is completely different, with images and backgrounds not loading. It looks like a slow connection version of the website.

I don't recall making any setting changes on my browser before noticing this. Have yet to check if it's the same on a computer. ld4all seems to be the only site where I've experienced this.


Also I just found out that when I use this slow browser version with https, I can post without needing to go to incognito mode. (from this older issue)

#2:  Author: FiXato PostPosted: Wed 31 Oct, 2018
    ----
This seems to be mostly caused by so-called 'mixed-content'; content still served over http while using the https version of the website.
Since http content is susceptible to man-in-the-middle attacks that would for instance allow rewriting its content and thus the site, such (active) content is not loaded while the main site itself is loaded over https.
Browsers make a distinction between passive/display content (images/media objects) and active content (external stylesheets, scripts, etc.). Passive content might still be loaded, but active content definitely won't and will generate errors.

Since the CSS stylesheet isn't loaded, a lot of the design elements and layout styling are missing, making the site look like it's loaded over a slow connection, as you put it.

LD4All currently still uses absolute http links for certain active and passive content where relative or protocol-relative href/src values would suffice:

  • Stylesheet is loaded over http (http://www.ld4all.com/css/LD4all.css), while a relative path (/css/LD4all.css) would suffice. IIRC ld4all's forum used to be accessible from forum.ld4all.com rather than using a redirect, so this is probably a leftover from that era. Alternatively this could be solved by using a protocol-relative URL: //www.ld4all.com/css/LD4all.css (note the missing http: / https:), though AFAIK nowadays it's recommended to use https links whenever content can be served over https.
  • Favicon also still has a hardcoded http:// URL.
  • Google search form still uses http: http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en
  • Several images seem to be hard-coded to http:

  • There are still some Google Analytics script source URLs that are hard-coded to http rather than https. Actually, urchin.js for instance is loaded several times, while a single call to it via a script tag would suffice:
    Code:
    <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
    </script>
    <script type="text/javascript">
    _uacct = "UA-706489-1";
    urchinTracker();
    </script>
    <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
    </script>
    <script type="text/javascript">
    _uacct = "UA-706489-5";
    urchinTracker();
    </script>
    <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
    </script>
    <script type="text/javascript">
    _uacct = "UA-706489-3";
    urchinTracker();
    </script>

    Qu probably wants to regenerate her analytics code, as I'm quite sure the google-analytics domain is rather outdated and superseded by the googletagmanager (which I actually also see loaded at the top of the page), so I'm guessing these script tags at the bottom are actually superfluous. If it's to track it on multiple properties, that is probably also better done with additional gtag() calls rather than the above code and multiple external script loads.
  • The AddThis social-network bookmarking script is loaded over http, and I think is also still using an outdated URL. Probably will want to regenerate the code for this if LD4All wants to keep using this.
  • Webchat uses a form action that submits to http rather than https. Unfortunately this isn't something Q can fix, as Chat4all's webchat currently doesn't run on https apparently. I've forwarded this issue to Chat4all's Adonix though.


It's likely the actual CSS file also still has http-only links in there, but as it wasn't loaded, I couldn't easily get an overview of it through the debugger without manually changing things.
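The audit FiXato did by hand in the debugger, written up as a small script. This is an added example, not LD4all's or FiXato's own code: it checks the tags listed above (stylesheet/favicon links, scripts, form actions, images) for absolute http:// URLs, labels each hit active or passive, and proposes his fix (a relative path for same-host assets, https for third-party ones). The SAMPLE document is constructed to mirror the thread's findings, and its webchat host is a placeholder rather than Chat4all's real address.

```python
# Mixed-content audit for a page served over https. Added example, not
# LD4all's own code; SAMPLE is constructed and the webchat host is a placeholder.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Active mixed content is blocked outright on an https page; passive content
# may still load but triggers the "not secure" warning.
URL_ATTRS = {
    ("link", "href"): "active",    # stylesheets, favicon
    ("script", "src"): "active",
    ("form", "action"): "active",  # submitting to http sends the form data in clear
    ("img", "src"): "passive",
}

class MixedContentAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = URL_ATTRS.get((tag, name))
            if kind is None or not value:
                continue
            parts = urlsplit(value)
            if parts.scheme != "http":
                continue  # https, relative or protocol-relative URLs are fine
            if parts.netloc.lower() == self.site_host:
                # Same host as the page: drop scheme and host, keep path/query.
                fix = urlunsplit(("", "", parts.path, parts.query, parts.fragment))
            else:
                # Third party: switch to https (confirm the endpoint supports it;
                # the thread notes Chat4all's webchat did not at the time).
                fix = urlunsplit(("https",) + tuple(parts[1:]))
            self.findings.append({"tag": tag, "kind": kind, "url": value, "fix": fix})

def audit(html, site_host="www.ld4all.com"):
    """Return mixed-content findings for one HTML document, in source order."""
    parser = MixedContentAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.ld4all.com/css/LD4all.css">
<link rel="shortcut icon" href="http://www.ld4all.com/favicon.ico">
<script src="http://www.google-analytics.com/urchin.js"></script><script src="https://www.googletagmanager.com/gtag/js"></script>
</head><body><img src="/images/logo.png"><img src="http://www.ld4all.com/images/banner.gif">
<form action="http://webchat.example/login"><input name="nick"></form></body></html>"""
```

Running `audit(SAMPLE)` reports the four same-host URLs as candidates for relative paths and the two third-party ones for https; the https gtag script and the already-relative logo are left alone.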

#3:  Author: Eilatan PostPosted: Wed 31 Oct, 2018
    ----
FiXato wrote:
  • Stylesheet is loaded over http (http://www.ld4all.com/css/LD4all.css), while a relative path (/css/LD4all.css) would suffice. IIRC ld4all's forum used to be accessible from forum.ld4all.com rather than using a redirect, so this is probably a leftover from that era.


It is still accessible this way.

#4:  Author: Alot PostPosted: Wed 31 Oct, 2018
    ----
Thanks for explaining, FiXato. I just checked and it was the same on a computer, so I guess it's normal for everyone then.

#5:  Author: FiXato PostPosted: Tue 06 Nov, 2018
    ----
Eilatan wrote:
FiXato wrote:
  • Stylesheet is loaded over http (http://www.ld4all.com/css/LD4all.css), while a relative path (/css/LD4all.css) would suffice. IIRC ld4all's forum used to be accessible from forum.ld4all.com rather than using a redirect, so this is probably a leftover from that era.


It is still accessible this way.


Not quite. While that address is accessible, all it does is redirect to ld4all.com/forum, rather than retain the forum.ld4all.com host. Hence, there is no need to actually specify the host when loading assets, as it'll always be hosted on the same domain.

#6:  Author: Qu PostPosted: Thu 03 Jan, 2019
    ----
*Qu probably wants to rewrite all HTML sometime

Also, it's not outdated. It's vintage, yes.

#7:  Author: Qu PostPosted: Fri 04 Jan, 2019
    ----
*Qu points at the padlock at the top (use https://LD4all.com/forum )

^^

printed from the LD4all.com lucid dreaming forum. Content copyrighted by the author.