-
• #2827
Everything looking good to me on Mac OSX 10.6 with 4 gig memory. I'm using that shitty home broadband connection provided by Orange which has never really been all that fast or meaty.
Tried Firefox 13, Safari 5.1.7, and Chrome 21.0.229383838477474783829290146 (or whatever the version number after the last dot was), no problems with any of them and my machine probably has one of the worst specs going.
-
• #2828
I'm not getting any images/gifs loading. Firefox, mac osx 10.6.8
me too!
So... Safari is doing it too?
OK, questions time.
Those experiencing this:
What OS and version?
What browser and version?
How much RAM in your hardware?
What connection are you on?
I'll see if there is a pattern and build a test environment.
Mac Os X - 10.7.4
Firefox 15.0
4gb
Sky broadband
-
• #2829
I didn't, and don't, like the https experiment. I'd see it, and then I'd consciously not really want to be on Lfgss. It makes me think of Internet payment sites like PayPal or when I'm doing Internet banking. Psychologically, it's off-putting, though the actual experience was similar to before. It just makes the sites feel less approachable.
-
• #2830
That's the strangest reaction to a more secure web site that I've ever seen.
-
• #2831
I'm getting images that are uploaded/attached to a post fine - but hotlinked images are still borked
Win 7
Chrome 20.0.1132.57 m
4GB
O2 broadband
-
• #2832
That's the strangest reaction to a more secure web site that I've ever seen.
VB, a secure website is so because it has restrictions.......you know this one million times better than I. Accessibility is more attractive than restrictions, even with the associated and increased risks. I'm only stating my personal view of my experience. Sorry.
-
• #2833
Still getting question marks.
Os x 10.7.3
Safari 5.1.5
4gb
Talk talk broadband
Same for iPad and iPhone running iOS 5.1.1
-
• #2834
If you use a password on LFGSS that you use anywhere else, then I really hope that you're using https.
Fact is: Anyone can listen in between your browser and my server and get that password during login.
Then, if you login via https and visit a site over http, then as your cookie is the only thing that overcomes the stateless nature of http, your cookie is your authentication mechanism, and in some ways should be protected as much as your password.
Except, over http it can be sniffed by anyone between my server and your browser.
Worse, if someone put a JavaScript file in the [IMG] tag and you used a slightly older browser that sniffed the content of files fetched over http, then your browser would execute this malicious JavaScript and could then expose your cookie.
The only ways to prevent this:
1) Login over https
2) Serve all logged in pages over https
3) Ensure that user uploaded items aren't malicious
4) Strip all user uploaded content of scripts
5) Ensure that all user embedded items come from different web domains
But your reaction is: "Psychologically, it's off-putting".
If someone can login as you, then they can see your email address. They will be able to read your PMs. They may be able to then see what your PayPal details are. Or they could learn enough about you to guess passwords you use on your email account (the vast majority of people still use passwords that are common, simple, and guessable if you know them). In the best case, they could just send spam using your account.
http isn't just unencrypted, but given the complexity of the application stack it should be considered to be fully public and exposed. Creating a man in the middle attack is shockingly easier than it should be, especially for anyone who works at or can gain access to an ISP.
For me, other incentives are there to make things secure.
For example there are companies that sell services to ISPs to insert adverts into the white space of pages such as Phorm Webwise. There is third party tracking by companies like Facebook to observe activity on other web sites (cookies on requests to fbcdn.com).
All sites should be SSL-only. The web as it is today is a dangerous place. But as most websites are not yet SSL-only there are issues with moving things along. I'd rather not be last to the party though, there are many real benefits to getting it to work.
The mixed content warnings were covered only a couple of days ago when a Microsoft developer tore Tesco a new arsehole: http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html
Either you have security, or you don't. Security is only as strong as the weakest link, and if the weakest link is that logins, sessions and communication is all in plain text, then it's pretty weak.
-
• #2835
Windows 7 Enterprise SP 1
Chrome 20.0.1132.57 m
4.00 GB RAM
Office connection via Paris
Images issue only affects this site and only in last few days.
-
• #2836
If you use a password on LFGSS that you use anywhere else
1234 - the same password I have on my luggage.
-
• #2837
-
• #2838
Right... so clearly the 25ms gained per image isn't worth some users not receiving the images... so for http I've disabled that.
So the logic as it stands is:
If LFGSS is accessed over http, just serve the image from wherever.
If LFGSS is accessed over https and the image comes from LFGSS, serve it direct from LFGSS over https.
If LFGSS is accessed over https and the image comes from a https link, just serve the image.
The rule that affects anything:
If LFGSS is accessed over https and the image comes from a http link that isn't LFGSS, then proxy the image via https://sslcache.se to avoid mixed content warnings.
That's it. Nothing more than that.
If I turn it off... pretty much everyone gets a mixed content warning over https. If I leave it on, as it stands a couple of people might get grey boxes instead of images.
I'm building a Windows VM to test the image problem on.
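The four serving rules listed in post #2838, written out as code (an added example, not part of the original post and not LFGSS's own code). The LFGSS hostnames and the proxy's `?url=` layout are assumptions, and rejecting non-http(s) `[IMG]` targets is an extra check beyond the four rules.

```python
import html
import re
from urllib.parse import quote, urlsplit, urlunsplit

SITE_HOSTS = {"lfgss.com", "www.lfgss.com"}  # assumption: hostnames that count as "LFGSS"
PROXY_BASE = "https://sslcache.se/"          # proxy named in the post
# Assumption: the thread does not give the proxy's URL layout; "?url=" is hypothetical.

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def image_src(page_scheme, img_url):
    """Return the URL to put in <img src> for a page served over page_scheme."""
    img_url = img_url.strip()
    img = urlsplit(img_url)
    scheme, host = img.scheme.lower(), (img.hostname or "").lower()
    # Extra check, not one of the post's rules: only real http(s) URLs are images.
    if scheme not in ("http", "https") or not host:
        raise ValueError("not an http(s) image URL")
    if page_scheme == "http":
        return img_url                        # rule 1: serve from wherever
    if host in SITE_HOSTS:                    # rule 2: own image, direct over https
        return urlunsplit(("https", host, img.path, img.query, ""))
    if scheme == "https":
        return img_url                        # rule 3: already https
    # rule 4: third-party http image on an https page goes through the proxy
    return PROXY_BASE + "?url=" + quote(img_url, safe="")


def render_images(page_scheme, post_text):
    """Rewrite [IMG] tags in post text (assumed already HTML-escaped) to <img>."""
    def repl(match):
        try:
            src = image_src(page_scheme, match.group(1))
        except ValueError:
            return "[image removed]"
        return '<img src="%s">' % html.escape(src, quote=True)
    return IMG_TAG.sub(repl, post_text)


def mixed_content(page_scheme, rendered_html):
    """List <img> sources that would trigger a mixed content warning."""
    if page_scheme != "https":
        return []
    return [s for s in re.findall(r'<img src="([^"]*)"', rendered_html)
            if not s.startswith("https://")]
```
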
-
• #2839
I think I may have just fixed it (the images not loading thing).
I think it was because I was using SPDY on sslcache.se.
Anyhow... is it still happening? Accessing a heavy image page that you haven't accessed recently should test it.
-
• #2840
Any issues now? Murtle can't get on he reckons..
-
• #2841
Nope, no issues at all now.
-
• #2842
Having image load issues on the Bike Porn thread at the mo...
-
• #2843
Have you closed your browser in the last few hours? I believe I've fixed that.
But your browser might still remember the old settings whilst you have an open session.
-
• #2844
Ah right, I'll give that a go :)
-
• #2845
I've just tested again... on dial-up!
And it works fine.
Latest Chrome, latest Firefox, both tested on Windows... on dial-up and also on broadband.
-
• #2846
The only ways to prevent this:
1) Login over https
2) Serve all logged in pages over https
3) Ensure that user uploaded items aren't malicious
4) Strip all user uploaded content of scripts
5) Ensure that all user embedded items come from different web domains
But your reaction is: "Psychologically, it's off-putting".
You've made a nice list there, which means that GA2G will be fine with it, I reckon. :)
-
• #2847
1234 - the same password I have on my luggage.
Oh really? That's mega-secure. My luggage only has three digits, so I always use '123'.
-
• #2848
Any issues now? Murtle can't get on he reckons..
These new, secure protocols don't take too kindly to mumbled passwords. :)
-
• #2849
Oliver Schick = the Tommy Cooper of Lfgss.
Just like that.
-
• #2850
LFGSS logo has turned black?
Eh? I haven't changed anything.
Hit another image heavy page ;)