Test https post (aka Google Chrome sucks)

[lordsmurf]

The latest Chrome update broke the site, send it into an infinite loading loop. Google really sucks at SSL/https, and this latest attempt to force sites to use SSL, and break the sites, proves it beyond a doubt.

Anyway, SSL added (it will be messy for many more days).

Testing attachment function:

gargamel-avatar289606.jpg

[hodgey]

test test

posting using the non-https site seems bugged now? at least on firefox

[admin]

The latest Chrome update is having a fit with the site. Chrome is becoming a POS lately.

[RobustReviews]

At last!

I would recommend you set the Cloudflare up properly though, there are a few things that still aren't set up properly and it's pretty easy to 'jump over' the CF with moderate determination.

There's also an open goal somewhere on this site too.

PM if you want to discuss.

[lordsmurf]

Quote:

Originally Posted by RobustReviews

At last!

I would recommend you set the Cloudflare up properly though, there are a few things that still aren't set up properly and it's pretty easy to 'jump over' the CF with moderate determination.

There's also an open goal somewhere on this site too.

PM if you want to discuss.

As has been discussed before, this isn't simple, and some stuff may have to remain broken until the new site is ready. vBulletin core, for example, predates modern SSL, and is a b!tch to get working.

Chrome forced this BS about 3 days ago. Ironically, the site is probably less secure now, not more, because of all the workarounds. Which is also why it was not attempted in the past.

https/SSL isn't what people think it is. They see a pretty padlock, and assume it's "secure" (whatever that means). Ridiculous.

CloudFlare is setup properly. It's not the problem.

I don't know what "open goal" means. Please clarify.

[RobustReviews]

Quote:

Originally Posted by lordsmurf

As has been discussed before, this isn't simple, and some stuff may have to remain broken until the new site is ready. vBulletin core, for example, predates modern SSL, and is a b!tch to get working.

Chrome forced this BS about 3 days ago. Ironically, the site is probably less secure now, not more, because of all the workarounds. Which is also why it was not attempted in the past.

https/SSL isn't what people think it is. They see a pretty padlock, and assume it's "secure" (whatever that means). Ridiculous.

CloudFlare is setup properly. It's not the problem.

I don't know what "open goal" means. Please clarify.

I'm more than aware of the purpose of SSL, don't conflate what I'm trying to gently tell you with thinking a padlock makes a site secure. As I said previously the purpose for a site like this SSL is more of an SEO tool than anything else.

I think you forget there are a lot of posters here with a lot of skills and interests, we are not all clueless idiots who don't know a TLD from a reverse proxy.

What issues make you think it's less secure now? Maybe we can help?

Also I don't use Chrome (yuck) but I am using a Chromium based browser at the moment (Brave) and haven't had any issues if that helps in any way with diagnosis?

Do you want me to clarify on the open forum?

[lordsmurf]

Quote:

Originally Posted by RobustReviews

I'm more than aware of the purpose of SSL, don't conflate what I'm trying to gently tell you with thinking a padlock makes a site secure.

Well, good. Too many folks think it prevents hacking, etc. Again, all ridiculous. All SSL does is encrypt form data, which you'd want on unknown networks, or untrustworthy VPNs. Those are minority needs.

Quote:

As I said previously the purpose for a site like this SSL is more of an SEO tool than anything else.

Sad, isn't it?

Quote:

I think you forget there are a lot of posters here with a lot of skills and interests, we are not all clueless idiots who don't know a TLD from a reverse proxy.

Problem there is that the few times I've posted about needing something, there's usually no responses, or limited responses. To date, I've only gotten 3 solutions to dozens of posted needs. So I've lost faith in this approach in recent years, I'll just have to pay a reputable coder or small business, when we can't figure it out here. Or we'll just have to all do without.

Quote:

What issues make you think it's less secure now? Maybe we can help?

The backend of vB fails without CF exclusions. The security hole must be limited.

Quote:

Also I don't use Chrome (yuck)

For the forum, I use Firefox. But on tablet, Google Chrome.

Quote:

but I am using a Chromium based browser at the moment (Brave) and haven't had any issues if that helps in any way with diagnosis?

This issue was reported about 2-3 days ago. Not just us, but many sites, see Reddit subs for Chrome. I suspected, as did some others, that it was badly forced SSL. And it definitely was. My tablet updated this weekend, and the site entered a redirect loop in that browser. Everything else seems fine, be it Edge, Firefox, Brave, Chromium, and others.

Quote:

Do you want me to clarify on the open forum?

If you think it needs to be private, PM it.

[RobustReviews]

As I said, the CF isn't doing its job from this perspective.

This is WP underneath isn't it?

I can imagine now anybody looking at a messy PHP site just doesn't want the 'agro' of fixing it, it is slowly (!) dying thank heavens, shame as PHP8 actually looks quite impressive, but prehistoric PHP as I'm sure you're only too aware is a nightmare to maintain. I actually quite like PHP for what it is, and we all cut out teeth on it, it's childishly simple sometimes but spaghetti PHP is an absolute pest to try and maintain.

I'm not suggesting that PHP itself is the problem per-se, but as you know it's a bloody minefield to straighten out, doubly so as it is here, a rather old version running in 2022. Might be a reason people don't want to 'get involved'?

The old adage about the 'Swiss Army Chainsaw' springs to mind.

AWS does not support PHP natively in Lambda functions which I think might be quite telling for how things are moving.

Anyway, this wasn't a discussion of PHP but more a potential reason why some people are a bit shy to chip in?

I'm very pro SSL being adopted, whilst for legacy sites it is a pain I can fully see the logic in it and since Lets Encrypt and their ilk there is little reason if any for it not to become a complete standard. Even on here I would wager there are often large chucks of personal data transmitted in PMs etc. I fully appreciate your remarks about the purpose of SSL and I do understand your misgivings about public perceptions but some burden in my opinion, should be shared with the user. Remember passwords and similar from this site can be easily captured and it's now no more than a little trickier than plaintext with MD5.

Whether you 'care' or not - or shift the burden is your call, I'm not writing your compliance statements, but adding SSL in my opinion is no bad thing, especially when MD5 is being used. I still can't believe MD5 is now 30 years old.

As you know this is also open to other exploits.

Then we move on to on databases....

[lordsmurf]

SSL isn't a bad thing, but it's also not the wheel or sliced bread. It's an ancient piece of the web going back decades, and is mostly a placebo. Something for Google's PR to claim "more security" when in facts it's not really. It's quite amusing when you consider how unsafe DNS is. The web itself is spaghetti code.

WP is the main site, yes.
vB is the forum.
php and MySQL are what they are. Yes, comparatively, somewhat easy. But obvious learning curves.

[RobustReviews]

Quote:

Originally Posted by lordsmurf

SSL isn't a bad thing, but it's also not the wheel or sliced bread. It's an ancient piece of the web going back decades, and is mostly a placebo. Something for Google's PR to claim "more security" when it facts it's not really. It's quite amusing when you consider how unsafe DNS is. The web itself is spaghetti code.

WP is the main site, yes.
vB is the forum.
php and MySQL are what they are. Yes, comparatively, somewhat easy. But obvious learning curves.

Old yes, (remember the Thwaite* seals on sites!?) but it is incrementally improved and hasn't stood still by any margin.

It's no bad thing, at least it stops the most simple exploits for PW theft. I know we can blame the user, but like I said, if everybody shoulders a bit of burden then a huge major flaw becomes somewhat deminished.

SQL (proper) and old PHP I'm sure you know are a disastrous combination if not very carefully handled, I think you're still running procedural calls to the DB here, again, something I would audit carefully.... It only takes one little mistake if you're following?

*Brits who adore the late Rik Mayall instantly reminded of 'Mr Twat? It's pronounced Thwaite gag.... Swear filter test too

[lordsmurf]

Quote:

Originally Posted by RobustReviews

Old yes, (remember the Thwaite* seals on sites!?)

Thank gave me a chuckle. I forgot about those.

Right now, the headers are not displaying on the site, at least in Chrome. No idea what's wrong, everything looks correct. The crappy old menu was javascript, and we'll try to do a pure CSS in a few days.

[RobustReviews]

Quote:

Originally Posted by lordsmurf

The crappy old menu was javascript, and we'll try to do a pure CSS in a few days.

Burn it, burn it with fire.

100% on CSS these days, nasty ancient JQuery type JS is just nasty and also nasty.

[lordsmurf]

Quote:

Originally Posted by RobustReviews

Burn it, burn it with fire.
100% on CSS these days, nasty ancient JQuery type JS is just nasty and also nasty.

Was JS ever not nasty? It was a necessary evil at the time.

Bad JS was replaced by bad CMS plugins, with bad, dupe, worthless, and looping php.

Sadly, not all JS can be replaced. Part of the SSL issue is non-compliance within the plugins themselves. This is what we tried to avoid. If Google Chrome didn't have such a large % user base, we'd have fully ignored like we did with IE and Safari years ago.

[RobustReviews]

Quote:

Originally Posted by lordsmurf

Was JS ever not nasty? It was a necessary evil at the time.

Bad JS was replaced by bad CMS plugins, with bad, dupe, worthless, and looping php.

Sadly, not all JS can be replaced. Part of the SSL issue is non-compliance within the plugins themselves. This is what we tried to avoid. If Google Chrome didn't have such a large % user base, we'd have fully ignored like we did with IE and Safari years ago.

Modern JS has a place, old crusty JS tarted up with the clown-shoes JQuery is just passé now. It was alright when we all went Bootstrap mad years ago and soon woke up from the delusion. You're right about a necessary evil though, completely. Wholly unavoidable.

As I've said before, trying to ignore these things whilst trying to be a repository of web-hosting information to me at least, looks a bit suspect, but it's your site ultimately, do as you wish, I'm just making a suggestion.

It's only going to get worse, not better.

[Hushpower]

Better revert, LS, I can't see any main menus in Edge or Chrome.

[lordsmurf]

Quote:

Originally Posted by Hushpower

Better revert, LS, I can't see any main menus in Edge or Chrome.

New menus will be created this weekend. https broke the JS menu.

[admin]

Menu fixed. It was actually easier to edit the JS than write a new CSS menu. This is all temp anyway, new site is still in pipeline.

[Xentorst]

When is the new site?