HTTPS on NationStates

[The Blaatschapen]

I'm guessing it's something to do with your computer or its settings?

No, not really.

[[violet]]

Now that the https site is fully operational,

It's not; it's still in testing. It will probably not go away, though.

[Usual People In Life]

Right:

I've noticed the thread in tech about transferring site delivery Protocol from HTTP to HTTPS. I remember reading something about the Internet Archive in that it doesn't archive sites on secure servers. Is there a way for NS to tell IA that it's still welcome to archive the site despite HTTPS? Also, I've spotted a Google Ad in F7 regarding getting the new UK 2014 coins free, but the misleading bit in the ad seems to make out that in the reservation pack 'coins aren't included' as well as '+ P&P' in tiny letters on the ad. Is that ad NS Legal? Can't provide a link as I'm using my 3DS.

Reminds me, we could always start accepting BitCoins for NS site payments in the NS Store! "Sorry sir, the supporter status costs £2.00 but it also costs 30000 BitCoins!" Now that's expensive!

[Auralia]

I've noticed the thread in tech about transferring site delivery Protocol from HTTP to HTTPS. I remember reading something about the Internet Archive in that it doesn't archive sites on secure servers. Is there a way for NS to tell IA that it's still welcome to archive the site despite HTTPS?

Won't the site remain available over HTTP?

[Shadow Afforess]

Any chance of enabling SPDY support? https://code.google.com/p/mod-spdy/

Done!

It makes me sad that the forums do not support spdy.

http://spdycheck.org/#forum.nationstates.net

I also spent several hours messing with my SSL configuration, and got you beat

https://www.ssllabs.com/ssltest/analyze ... usplus.net > https://www.ssllabs.com/ssltest/analyze ... states.net

Looks like you have a duplicate intermediate certificate.

[[violet]]

SPDY enabled! Must have forgotten about that.

That SSL report is handy, thanks. I don't think we have a certificate problem, though... we seem to be downgraded for not supporting Forward Secrecy, which we can't do easily on our Apache version.

[Shadow Afforess]

SPDY enabled! Must have forgotten about that.

That SSL report is handy, thanks. I don't think we have a certificate problem, though... we seem to be downgraded for not supporting Forward Secrecy, which we can't do easily on our Apache version.

What the report is saying is that it's duplicated and not nessecary . When you created the bundled CRT you did not need to include that one. It's basically a wasted 2kb on every SSL handshake, which can add up.

For PFS I had to generate a DH key... Not sure if Apache supports it, but I would hope so.

http://security.stackexchange.com/quest ... y-exchange

That key bumped me from an A to A+. Took an HOUR to generate the 4096 bit one. Don't do it on production!

[[violet]]

When you created the bundled CRT you did not need to include that one. It's basically a wasted 2kb on every SSL handshake, which can add up.

I read that some mobile devices can bork without it, but I am paranoid about extra overhead in the SSL handshake, so I killed it.

For PFS I had to generate a DH key... Not sure if Apache supports it, but I would hope so.

I've only had a quick peek, but it seems our Apache only supports the slower DH methods, not ECDHE.

[Shadow Afforess]

I understand. I had to play a lot of shenanigans to find an up to date install of nginx for ubuntu 12.04. The only version I was using before didn't even support spdy either...

[Shadow Afforess]

FYI: http://filippo.io/Heartbleed/#nationstates.net

http://heartbleed.com/

[Wind in the Willows]

Yes, I would gladly pay a small fee to log in over SSL.

[Shadow Afforess]

Yes, I would gladly pay a small fee to log in over SSL.

You can already use https for free. Simply go to https://www.nationstates.net.

[[violet]]

FYI: http://filippo.io/Heartbleed/#nationstates.net

http://heartbleed.com/

Oh wow, I patched the server and restarted as soon as the news came out, but there is a problem with mod-spdy that prevented it from working... even with mod-spdy disabled! Now fixed.

[Glen-Rhodes]

With this on the front page of the New York Times, maybe there should be a news announcement that the vulnerability has already been patched?


Sent from my iPhone using Tapatalk

[Enfaru]

Maybe even y'know a momentary reminder to update passwords? *here's hoping NationStates didn't get hacked*

[Nullarni]

Maybe even y'know a momentary reminder to update passwords? *here's hoping NationStates didn't get hacked*

Well, considering how small our community is, (in relation to the rest of the internet,) and how there is little to no money or goods actually being exchanged on this site, there is very little incentive for outside parties to attack NS. I really would't be too concerned about it.

[Shadow Afforess]

With this on the front page of the New York Times, maybe there should be a news announcement that the vulnerability has already been patched?


Sent from my iPhone using Tapatalk

Considering that 98% of NS users still use the insecure http site, it's not newsworthy here. If https only were enforced I would agree.

[Enfaru]

So... ahem...switched >_> to https...

Might want to inform the EFF that NationStates has an https option, because I had to create my own ruleset for it...

[Shadow Afforess]

So... ahem...switched >_> to https...

Might want to inform the EFF that NationStates has an https option, because I had to create my own ruleset for it...

It's rather new. I plan on setting NS++ to force https soon too...

[Enfaru]

That gets my vote *avid user*

[Kazmr]

So... ahem...switched >_> to https...

Might want to inform the EFF that NationStates has an https option, because I had to create my own ruleset for it...

That's because its still in trial.

[[violet]]

SSL certificates have been rekeyed.

[Shadow Afforess]

SSL certificates have been rekeyed.

Ditto. NS++'s certificate has been reissued.

[Aksun]

SSL certificates have been rekeyed.

Would you recommend that we change our passwords?

[[violet]]

SSL certificates have been rekeyed.

Would you recommend that we change our passwords?

It's definitely possible that any information such as passwords that you transmitted to a HeartBleed-vulnerable server, which includes the NationStates https one, were leaked to a snooper. For absolute security, you should consider all such information potentially compromised, and change passwords.

In our case, we only just started testing HTTPS on the site recently and it isn't officially supported yet. So unless you have manually visited it, you won't have used SSL on NationStates, and HeartBleed isn't relevant. (What is relevant is that your password is transmitted over HTTP, which isn't encrypted, and is vulnerable to different kinds of snooping.)

If you have been using the https site, and you are concerned that your password may have been leaked via HeartBleed, you must change it. There's no way to tell what a HeartBleed-vulnerable server may have leaked over the last two years, which is why everyone is recommending that you change passwords now: we just can't tell what might have gotten out. It seems unlikely that an attacker would go after your password on a game site like this, as opposed to a somewhere that takes your credit card, but we can't know for sure.