Canalplan Bug Tracker



2017-04-23 06:41 BST

ID: 0000253
Project: Canalplan [All Projects]
Category: General
View Status: public
Last Update: 2017-03-14 15:07
Reporter: Shultzy
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: Microsoft
OS: Windows
OS Version: 8.1
Product Version:
Product Build:
Target Version:
Fixed in Version:
Summary: 0000253: Migrating to HTTPS [was: Insecure password warning in Firefox]
Description: I couldn't find an HTTPS site for CP so assume there isn't one.

Insecure password warning in Firefox is a new feature that is available starting in Firefox version 51. It displays a grey lock icon with a red strike-through in the address bar, when a login page you’re viewing does not have a secure connection.
Tags: No tags attached.
Attached Files: none


Notes

~0000999

Stephen Atty (administrator)

Last edited: 2017-03-10 13:35


No, there aren't any SSLs for Canalplan yet.... we either have to buy them or mess around with letsencrypt or other free SSL cert providers.

As we're basically using virtual SSL hosts this turns letsencrypt into a painful manual process every 90 days...

I'm going to look at startssl again to see if their 3 year certs will be usable - their control panel is a lot better but I seem to recall it not being happy working across domains once you'd installed your client certificate in their browser.

Also until all external sites (like geograph) are on HTTPS then upgrading Canalplan to HTTPS will just cause countless insecure content warnings.. which will be more worrying for people not logging in... and things like UKWR and FlagCounter will stop working.

~0001000

Stephen Atty (administrator)

Start SSL have been blacklisted by Mozilla and Google.

I've done some work reconfiguring my sites and now have auto renew for Let's Encrypt working. So we should be able to do it for canalplan once we've worked out how to handle the non-SSL content.

~0001001

Nick Atty (administrator)

For example, just viewing the home page over HTTPS generates warnings for the following things:
http://img.webring.com/r/w/waterways/navbarlogo
http://img.webring.com/blank.gif - these are the UK waterways web ring
http://www.ukwrs.co.uk/ranking/button.php?id=58 - the website ranking tool
http://s10.flagcounter.com/count/eBE/bg_AAFFAA/txt_000000/border_CCCCCC/columns_1/maxflags_8/viewers_0/labels_1/pageviews_0/flags_0/ - the visits counter with flags
http://www.google.co.uk/cse - the search box

and blocks these:
http://static.rpxnow.com/js/lib/rpx.js - this is the "social log-on" feature.
http://pagead2.googlesyndication.com/pagead/show_ads.js (twice)
http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js' - the adverts that pay for the site!
http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en - more of the search box
http://connect.facebook.net/en_US/all.js - the "like us on Facebook" box

Many of these are going to be trivial to fix just by changing the URL, but either we need to fix them all, or we need to parameterise all the URLs for testing HTTPS while still running on HTTP.

At some stage we will definitely do it, but for the time being there are other things to do.

The real threat to your password is that I've not secured the database properly - which is why I strongly recommend you don't use the password you use for CanalPlanAC for any other site, not that some national intelligence agency is targeting users of CanalPlan.

~0001003

Stephen Atty (administrator)

I'm sure the FB one can be upgraded to HTTPS without any issues at all (even on the live site).

You can fix the google ad errors by moving from

<script async src="http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>

to
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>

We're using the second version in the ads for here and the boat index and it works perfectly.

So it might be worth making those changes on the next release just to streamline things.

There seems to be no secure version of the rpxnow page.
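
The two notes above do by hand what a small audit script can do for a whole page: find every sub-resource still referenced over plain http:// and say whether a browser will block it (scripts, frames, stylesheets, objects, form targets) or merely warn (images, media). The following is an added example, not code from the CanalPlan site or from this thread; the sample HTML is constructed here from the URLs the thread lists, and the https:// rewrite reflects the later decision in this thread to prefer absolute HTTPS URLs over protocol-relative `//` ones.

```python
"""Mixed-content audit for a page about to move from HTTP to HTTPS.

Walks the HTML, finds every sub-resource still fetched over plain http://,
and classifies it the way a browser will: active content (scripts, frames,
stylesheets, objects, form targets) is blocked outright, passive content
(images, media) is loaded with a warning. Also offers the rewrite to https://.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attribute(s) on each element that name a sub-resource URL.
URL_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "embed": ("src",),
    "img": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
    "link": ("href",),    # stylesheets; treated as active here
    "object": ("data",),
    "form": ("action",),  # a plain-http form target leaks whatever is submitted
}

# Browsers block active mixed content and only warn about passive content.
ACTIVE = {"script", "iframe", "embed", "link", "object", "form"}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, url) for every http:// sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            url = attrs.get(name)
            # Protocol-relative (//host/...) and https:// URLs are fine on an HTTPS page.
            if url and urlsplit(url).scheme == "http":
                severity = "blocked" if tag in ACTIVE else "warning"
                self.findings.append((severity, tag, url))


def scan(html):
    """Return the list of mixed-content findings for an HTML document."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def upgrade(url):
    """Rewrite http:// to https://; leave every other URL (including //host) unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


# Constructed sample page (not the real CanalPlan home page), using the
# third-party URLs mentioned in this thread.
SAMPLE = """<html><body>
<script async src="http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<script async src="//pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<img src="http://img.webring.com/blank.gif">
<img src="https://s10.flagcounter.com/count/eBE/flags_0/">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE):
        print(f"{severity:8} <{tag}> {url}  ->  {upgrade(url)}")
```

Run against a saved copy of each page template; anything reported as "blocked" is a hard failure once the site is served over HTTPS, so those are the URLs to fix first, whereas "warning" items only degrade the padlock.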

~0001004

Shultzy (updater)

Thanks for the info. I use secure passwords generated by a password manager so I should be "reasonably safe"

~0001005

Nick Atty (administrator)

Google ads and Facebook successfully migrated. Janrain (rpx-now) (social-media logon) should work - I can call it but need some magic configuration to ensure I return to the HTTPS beta site...

We're going to lose some features - I'll use the same magic configuration to turn them off (currently the web ring and the two counters).

Hope to have a working index page on beta by the end of the weekend.

~0001006

Stephen Atty (administrator)

Last edited: 2017-03-12 09:44


Social media logon fails with:

Invalid Parameter: token_url must be a URI

Edited to add : it seems to work now... Wonder if it was a caching issue?

~0001007

Stephen Atty (administrator)

Last edited: 2017-03-12 09:57


Flagcounter will work with SSL but you need a pro subscription (this is from their FAQ) :

I have an SSL encrypted page, how can I use Flag Counter without a warning message from my browser?

With a Flag Counter Pro subscription, we do support SSL. A subscription is required because encrypting the image puts an additional load on our servers. After upgrading, simply regenerate your HTML code, and check the "Use SSL" option.

It looks like this would cost $29.99 per year...... which is a lot to just put a little counter on the site.

~0001008

Stephen Atty (administrator)

webring.com don't seem to support HTTPS at all.

We've talked to UKWR about SSL - might be worth restarting that discussion. Let's Encrypt should allow them to create and maintain an SSL.

~0001009

Nick Atty (administrator)

Social media thing wasn't a caching issue - it was me changing the code to try to get the return working (and I'd never registered beta with them, nor configured it to return to beta!).

ukwr is working over https - looks like they've got it working on your advice. So is flagcounter without a subscription (at the moment). Flagcounter is fun but not worth paying for.

I'm now deciding whether to download the web ring to the server, find a way of hiding it on the https sites (the index page is not fully dynamic to reduce load, so I can't do it that way) or just dump it. It must be about the last webring in operation. I doubt many people use it.

The nice thing is that the location services are working again.

This isn't as painful as I thought it might be. I'm moving away from protocol neutral URLs as there's no harm in making them HTTPS all the time.

~0001010

Stephen Atty (administrator)

We could do our own flag counter... you can get high level IP address block to country data...

~0001011

Stephen Atty (administrator)

OK I've got the certificates and created the configuration for the canalplan ssl server.

I suggest once we're happy that we enable an HTTPS redirect on the existing canalplan site and let that run...

~0001012

Stephen Atty (administrator)

Looking ahead I've raised a ticket with Geograph asking about HTTPS support....

~0001013

Stephen Atty (administrator)

Waterways Webring has 46 sites... You should be able to see your stats on how many people have come via there.

Looking into the server logs it looks like none this year and 7 last year....

~0001014

Nick Atty (administrator)

Thanks for putting that query in - I'd just determined that geograph doesn't work under HTTPS.

You can now plan routes on the beta and visit gazetteer pages. So it is sort of working. I think, from your stats, I'll just kill the webring and tidy the home page up a bit.

Fairly soon I think we need a little logging script and to start using Content-Security-Policy-Report-Only
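
The note above asks for exactly two things: a report-only CSP header and a little script to log what it reports. The following is an added example of both, not code from the CanalPlan site or from this thread. It assumes a hypothetical report endpoint path (`/csp-report`) and a made-up document host (`beta.example.invalid`); the blocked URLs in the constructed sample reports are the ones listed earlier in this thread. In report-only mode the browser blocks nothing and POSTs a JSON violation report for each resource the policy would have blocked, so `default-src https:` turns the browser into a mixed-content detector for the live site.

```python
"""Receiver for Content-Security-Policy-Report-Only violation reports.

Report-Only mode sends a JSON report for every resource the policy would
have blocked but does not block anything, so a site can find its remaining
plain-http sub-resources from real traffic before flipping the switch.
"""
import json
from collections import Counter
from urllib.parse import urlsplit


def report_only_header(report_path="/csp-report"):
    """Header to add while migrating: report any non-HTTPS fetch, block nothing.

    'unsafe-inline' keeps the site's own inline scripts and styles from
    flooding the log; the point here is mixed content, not inline code.
    (report_path is a hypothetical endpoint for this example.)
    """
    value = f"default-src https: 'unsafe-inline'; report-uri {report_path}"
    return ("Content-Security-Policy-Report-Only", value)


def parse_report(body):
    """Normalise one report POST body; return None for anything that is not a CSP report."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None  # not JSON, or JSON that is not an object
    if not isinstance(report, dict):
        return None
    blocked = report.get("blocked-uri", "")
    # blocked-uri is a URL for fetches, but browsers also send "inline",
    # "eval", "data" or "" for other violation kinds; keep those as-is.
    origin = urlsplit(blocked).netloc or blocked or "(none)"
    return {
        "document": report.get("document-uri", ""),
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked_origin": origin,
        "blocked_uri": blocked,
    }


def log_line(entry):
    """One flat line per report: easy to grep and to tail."""
    return (f"csp-report directive={entry['directive']} "
            f"blocked={entry['blocked_uri']} page={entry['document']}")


def summarise(entries):
    """Count violations per (directive, blocked origin): the to-do list for the migration."""
    return Counter((e["directive"], e["blocked_origin"]) for e in entries if e)


# Constructed reports in the shape browsers POST to report-uri. The blocked
# URLs are the ones listed in this thread; the document host is made up,
# and the last body is deliberately not a report.
SAMPLE_REPORTS = [
    b'{"csp-report": {"document-uri": "https://beta.example.invalid/", '
    b'"violated-directive": "default-src https:", "effective-directive": "img-src", '
    b'"blocked-uri": "http://img.webring.com/blank.gif"}}',
    b'{"csp-report": {"document-uri": "https://beta.example.invalid/", '
    b'"violated-directive": "default-src https:", "effective-directive": "script-src", '
    b'"blocked-uri": "http://static.rpxnow.com/js/lib/rpx.js"}}',
    b'{"csp-report": {"document-uri": "https://beta.example.invalid/", '
    b'"violated-directive": "script-src", "effective-directive": "script-src", '
    b'"blocked-uri": "inline"}}',
    b'not a csp report',
]

if __name__ == "__main__":
    print(": ".join(report_only_header()))
    entries = [parse_report(body) for body in SAMPLE_REPORTS]
    for entry in entries:
        if entry:
            print(log_line(entry))
    for (directive, origin), count in summarise(entries).most_common():
        print(f"{count:4}  {directive:12} {origin}")
```

Anything that is not a well-formed report is dropped rather than logged, since the endpoint is unauthenticated and reachable by anyone; the per-origin summary is what tells you which third parties are still holding up the switch to enforcing mode.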

~0001015

Stephen Atty (administrator)

We seem to have lost Facebook on the list of social logins

~0001016

Nick Atty (administrator)

I get it - a new private window pointed at beta gives me:

Google + Facebook
Flickr Wordpress
Yahoo! Blogger

~0001017

Stephen Atty (administrator)

Last edited: 2017-03-12 13:40


It's there now but if I login using FB it then gets stuck in a loop when you try to go to the bugtracker..... It does it on the live site too.

It looks like MANTIS_STRING_COOKIE isn't getting set properly - it's set to a dash rather than an MD5 hash.

Logging in using the Canalplan native logon works and the cookie gets set

~0001023

Stephen Atty (administrator)

Reply from Geograph:

A member of the team has replied to your support request, #716595 with the following response:

Yes, this is currently being implemented.

ETA is at least a few weeks out however :(

Hope that helps,
Barry


So that's good to know....

~0001024

Shultzy (updater)

Sorry it's causing you a lot of hassle.

~0001025

Stephen Atty (administrator)

It's not really causing us hassle - it's something that we were going to have to do in order to keep our search rankings up and to keep up the Google ads (they haven't said that they won't show them on non-SSL sites but they've made it quite clear that ads on non-SSL sites will have reduced payments).

We can upgrade each bit in turn and then once everything is on HTTPS we can turn on HTTPS for canalplan.

Issue History
Date Modified Username Field Change
2017-03-10 12:51 Shultzy New Issue
2017-03-10 13:19 Stephen Atty Note Added: 0000999
2017-03-10 13:29 Stephen Atty Note Edited: 0000999
2017-03-10 13:31 Stephen Atty Note Edited: 0000999
2017-03-10 13:33 Stephen Atty Note Edited: 0000999
2017-03-10 13:35 Stephen Atty Note Edited: 0000999
2017-03-10 19:43 Stephen Atty Note Added: 0001000
2017-03-11 08:12 Nick Atty Note Added: 0001001
2017-03-11 10:12 Stephen Atty Note Added: 0001003
2017-03-11 15:34 Shultzy Note Added: 0001004
2017-03-12 09:10 Nick Atty Summary Insecure password warning in Firefox => Migrating to HTTPS [was: Insecure password warning in Firefox]
2017-03-12 09:10 Nick Atty Note Added: 0001005
2017-03-12 09:37 Stephen Atty Note Added: 0001006
2017-03-12 09:44 Stephen Atty Note Edited: 0001006
2017-03-12 09:52 Stephen Atty Note Added: 0001007
2017-03-12 09:55 Stephen Atty Note Added: 0001008
2017-03-12 09:57 Stephen Atty Note Edited: 0001007
2017-03-12 10:06 Nick Atty Note Added: 0001009
2017-03-12 10:14 Stephen Atty Note Added: 0001010
2017-03-12 10:32 Stephen Atty Note Added: 0001011
2017-03-12 10:48 Stephen Atty Note Added: 0001012
2017-03-12 11:02 Stephen Atty Note Added: 0001013
2017-03-12 11:37 Nick Atty Note Added: 0001014
2017-03-12 12:24 Stephen Atty Note Added: 0001015
2017-03-12 13:09 Nick Atty Note Added: 0001016
2017-03-12 13:16 Stephen Atty Note Added: 0001017
2017-03-12 13:17 Stephen Atty Note Edited: 0001017
2017-03-12 13:28 Stephen Atty Note Edited: 0001017
2017-03-12 13:32 Stephen Atty Note Edited: 0001017
2017-03-12 13:40 Stephen Atty Note Edited: 0001017
2017-03-14 13:12 Stephen Atty Note Added: 0001023
2017-03-14 13:45 Shultzy Note Added: 0001024
2017-03-14 15:07 Stephen Atty Note Added: 0001025