|
I am wondering why TeamLiquid doesn't use or enforce HTTPS connections.
It has been an eyesore for me for years to be honest and although there might have been (a) good reason(s) for it back in 2010-2011, I don't think it fits in this era.
"HTTPS access is only available to TL Staff. Please use www.teamliquid.net."
You've already got the certificates and the possibility to use https, so why is this blocked for normal users?
Get rid of HTTP and enforce HTTPS. At this moment TL scores a very solid A on SSLLabs, and I'm sure R!CH at least is very capable of doing this in a quick afternoon. https://www.ssllabs.com/ssltest/analyze.html?d=teamliquid.net&s=2607:5300:60:cd52:2d72:9352:b1ea:2427
If not possible, I would be very interested in the reasons why, as I can't think of any.
edit; spelling
|
I read somewhere that afreeca streams is the "problem", they don't use https.
edit: liquidhearth and liquiddota, liquipedia etc are using https.
|
Hmm, while we're here, any way to get afreeca streams to go fullscreen without leaving TL?
|
On August 12 2018 23:32 R1CH wrote: We don't have HTTPS yet as Afreeca streams don't support running over HTTPS. Once they do, we'll update teamliquid.net to have HTTPS support as well.
|
On August 23 2018 18:05 GTR wrote: On August 12 2018 23:32 R1CH wrote: We don't have HTTPS yet as Afreeca streams don't support running over HTTPS. Once they do, we'll update teamliquid.net to have HTTPS support as well.
Ah thanks for the answer! However this doesn't justify the reason. Isn't it simply possible to segment the Afreeca pages and redirect users on Teamliquid.net/streams/*(AfreecaStreams) to HTTP and leave all the rest on HTTPS?
I don't view afreeca, but I do care about security. Not using HTTP (not even the login page!!) is simply irresponsible. We can have best of both worlds by redirecting the Afreeca pages to HTTP and force HTTPS on all other pages.
I could demonstrate the various attack vectors, but I don't want to, as I don't believe this to be necessary. I believe our TL Admins are more than well aware of the dangers of using HTTP (as demonstrated by having solid security fundamentals for all other TeamLiquid related websites).
|
Mixing HTTPS and HTTP is a bad idea, the connection can be permanently downgraded once someone hits a HTTP page. Best practices also require enabling HSTS, which prevents the use of HTTP.
For now we're still waiting on Afreeca, they should hopefully be ready some time this month.
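To illustrate the mixed-content and HSTS points in the post above, here is an added example (not part of the original thread and not TeamLiquid's code). It flags subresources that an HTTPS page would load over plain HTTP, such as an HTTP-only stream embed, and parses a `Strict-Transport-Security` header. The hostnames and sample markup are constructed, and the function names are this example's own.

```python
from html.parser import HTMLParser

# W3C Mixed Content: images, audio and video are "optionally-blockable";
# everything else (iframes, scripts, stylesheets, ...) is blocked outright.
PASSIVE = {"img", "audio", "video", "source"}
URL_ATTR = {"link": "href", "object": "data"}  # other tags load from src

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, "blockable" | "optionally-blockable")

    def handle_starttag(self, tag, attrs):
        # <a href> is navigation, not a subresource, so it is never flagged.
        url = (dict(attrs).get(URL_ATTR.get(tag, "src")) or "").strip()
        if url.lower().startswith("http://"):
            kind = "optionally-blockable" if tag in PASSIVE else "blockable"
            self.findings.append((tag, url, kind))

def find_mixed_content(html):
    """List HTTP subresources referenced by a page served over HTTPS."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

def parse_hsts(header):
    """Return (max_age, include_subdomains); max_age is None if unusable."""
    max_age, subdomains = None, False
    for directive in (header or "").split(";"):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isascii() and value.isdigit():
            max_age = int(value)  # 0 tells the browser to drop the policy
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains

# Constructed sample: an HTTPS page embedding an HTTP-only stream player.
SAMPLE_PAGE = """
<a href="http://stream.example/channel">external link</a>
<iframe src="http://stream.example/embed/player"></iframe>
<img src="http://stream.example/thumb.png">
<script src="https://cdn.example/app.js"></script>
"""
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:22} <{tag}> {url}")
    print(parse_hsts(SAMPLE_HSTS))
```

The `blockable` iframe finding is the case that breaks an embedded player once the parent page moves to HTTPS, while the plain link to the external stream is left alone.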
|
On September 04 2018 19:16 R1CH wrote: Mixing HTTPS and HTTP is a bad idea, the connection can be permanently downgraded once someone hits a HTTP page. Best practices also require enabling HSTS, which prevents the use of HTTP.
For now we're still waiting on Afreeca, they should hopefully be ready some time this month.
I was not a fan either of mixing, but it is a better workaround than nothing at all. Downgrading users from a https to http is in itself another extra step in the security process and therefore harder for malicious actors to misuse. Best practices are of course very welcome, but not always applicable (as in your current case).
If the timeframe for Afreeca is only a matter of months, I think it is perfectly fine to wait, but I don't think it is acceptable to wait much longer than that (i.e. another year).
I've waited for over 5 years before creating this post about it, so a few more months should be perfectly fine. I love TL, which is actually the only reason I even bothered posting this.
|
Bumping this thread - today I noticed the not secure in upper left corner of browser and recalled this thread. Can you just simply have the link to afreeca on the right link directly to the external afreeca stream instead of having it play inside TL?
Sounds like afreeca doesn't care about basic security measures but doesn't mean TL should be dragged down as a result
|
Afreeca's implementation is working now, just need to find the time to upgrade all our links.
|
Nice, no more red not secure warning on top of my browser.
|
Nice
Edit: getting an error on afreeca streams
|
On October 25 2018 00:12 R1CH wrote: HTTPS is live now!
Nice!
|
On October 25 2018 17:18 jimminy_kriket wrote: Nice
Edit: getting an error on afreeca streams
Can you open dev tools (F12), refresh the page and take a screenshot of the console tab?
|
Thanks, I'm actually seeing that as well, it was working fine yesterday. I've reported it to Afreeca, hopefully it is fixed soon.
|
Should be fixed as of now.
|
On October 25 2018 00:12 R1CH wrote: HTTPS is live now!
Great job!
|