Incorrect SSL forwarding when calling steemnova.intinte.org -> No secure connection

in #utopian-io, 6 years ago (edited)

Expected behavior

If I want to play the Steemit Variant of the online classic Ogame, I expect a secure connection. Since it is common nowadays and there is a secure connection to the web pages with log-in function I would wish that steemnova.intinte.org is also secured in the future. SteemNova should always redirect its connections immediately to a secure connection.

Actual behavior

Currently it is possible to open the page with an unsecured / unsafe connection. There is an active SSL certificate, but the website does not automatically redirect to the secure connection.

If you want to play the game in a public café or WLAN hotspot, for example, it might be possible to get the login data in plain text for someone who is on the same network, and thus the security of your own data is not guaranteed.

How to reproduce

Just go to the website of SteemNova Moons Ogame Steem Edition:

Recording Of The Bug


Example of existing SSL Certificate



Non secured Website Alert on enter Text in Forms


Screenshot from .har File of Website http://steemnova.intinte.org/index.php?page=login after Login


thank you

@louis88



Posted on Utopian.io - Rewarding Open Source Contributors


Hey @louis88 I am @utopian-io. I have just upvoted you!

Achievements

  • WOW WOW WOW People loved what you did here. GREAT JOB!
  • You have less than 500 followers. Just gave you a gift to help you succeed!
  • Seems like you contribute quite often. AMAZING!

Suggestions

  • Contribute more often to get higher and higher rewards. I wish to see you often!
  • Work on your followers to increase the votes/rewards. I follow what humans do and my vote is mainly based on that. Good luck!

Get Noticed!

  • Did you know project owners can manually vote with their own voting power or by voting power delegated to their projects? Ask the project owner to review your contributions!

Community-Driven Witness!

I am the first and only Steem Community-Driven Witness. Participate on Discord. Let's GROW TOGETHER!


Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x

Thank you for the contribution. It has been approved.

@louis88 can you please remove the bug report from GitHub, as I will approve it as it was a confirmed bug, but now it is solved I think.

It would be great if you do so.

Thanks!!

You can contact us on Discord.

[utopian-moderator]

You are really fast. It has only been a few hours since @fervi started trying to open SSL connections on the whole website.
The problem is that the vanilla 2Moons/ogame engine, which SteemNova is based on, didn't have support for HTTPS connections for YEARS. We are trying to make HTTPS happen (some routings don't work everywhere).

Can you elaborate on what exactly the problem is?
Basic routing to SSL shouldn't be too hard to configure in apache2, maybe I can help :)
(I configured automatic SSL redirection just 2 weeks ago ^^)

Could you please look at https://steemnova.intinte.org to see if it is good now?
It appears to be secured, but maybe there is some flaw.

The redirection works, but I see that it is a "301 - permanent redirect".
Maybe a 302 would be nicer, as 301s are cached indefinitely and could cause bad problems:
http://getluky.net/2010/12/14/301-redirects-cannot-be-undon/

It shouldn't be a major problem with http -> https (one would never undo that, right? ;) )
But then again, if DNS is changed it would result in more redirects than necessary :)
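
Added example, not part of the thread or of SteemNova's code: a small checker for the behaviour the report and the 301/302 comment above describe. It classifies the server's answer to a plain-HTTP request; the sample responses are constructed, and the function names are this example's own.

```python
import http.client
import sys
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}        # browsers cache these; hard to take back
TEMPORARY = {302, 303, 307}   # re-checked on later visits


def classify(requested_url, status, location):
    """Judge the server's answer to a plain-HTTP request: (verdict, detail)."""
    if status not in PERMANENT | TEMPORARY:
        return ("FAIL", f"HTTP {status}: answered over plain HTTP, no redirect")
    if not location:
        return ("FAIL", f"HTTP {status} without a Location header")
    # A relative Location resolves against the request URL and stays http://
    target = urlsplit(urljoin(requested_url, location))
    if target.scheme != "https":
        return ("FAIL", f"redirect target is not HTTPS: {target.geturl()}")
    if target.hostname != urlsplit(requested_url).hostname:
        return ("WARN", f"redirects to a different host: {target.hostname}")
    kind = "permanent" if status in PERMANENT else "temporary"
    return ("OK", f"{kind} redirect ({status}) to {target.geturl()}")


def fetch(url, timeout=10):
    """Send one GET over HTTP without following redirects."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


LOGIN = "http://steemnova.intinte.org/index.php?page=login"  # URL from the report
SAMPLES = [  # constructed responses, not captured from the site
    (200, None),
    (302, "/index.php?page=login"),
    (301, "https://steemnova.intinte.org/index.php?page=login"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live check of a URL you operate
        print(*classify(sys.argv[1], *fetch(sys.argv[1])))
    else:
        for status, loc in SAMPLES:
            print(status, *classify(LOGIN, status, loc))
```

Run without arguments it prints the verdict for each constructed response; the first sample is the situation in the original report, the last is the permanent redirect discussed in the comment above.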

@louis88, I like your contribution to open source project, so I upvote to support you.

Hehehe, you won't get me to play along!!!!
Then I wouldn't do anything else anymore :D

Strange password @louis88 o.O
I thought you had "1234"? ;P ..but in any case nobody is going to come up with that one so quickly xP


You've got upvoted by Utopian-1UP!

You can give up to ten 1UP's to Utopian posts every day after they are accepted by a Utopian moderator and before they are upvoted by the official @utopian-io account. Install the @steem-plus browser extension to use 1UP. By following the 1UP-trail using SteemAuto you support great Utopian authors and earn high curation rewards at the same time.


1UP is neither organized nor endorsed by Utopian.io!
