Test userstyles.org over HTTPS

Comments

• there.is.only.xul

  March 2014 edited March 2014

  I have no problems that I seen. Was able to edit and post a style, browse and search like normal.
• _Diamonique

  March 2014

  Does this have anything to do with not being able to update styles in Chrome through the Sylish extension?
• LouCypher

  March 2014

  Update failed - server unreachable. on Stylish for Chrome.
• JasonBarnabe

  March 2014

  Fixed, thanks for reporting. You may need to clear your cache to have it work immediately.
• LouCypher

  March 2014

  It's working now. Thanks.
• denilsonsa

  April 2014 edited April 2014

  Fixed, thanks for reporting. You may need to clear your cache to have it work immediately.

  How to clear the cache? Which cache, the entire browser cache?
  
  It would be better if you released an updated version of Stylish for Chrome to make the update seamless.
• JasonBarnabe

  April 2014

  Clearing the cache would only be necessary for those who tried to update between March 27 and 29, and by now the cache should've expired anyway...
• denilsonsa

  April 2014

  I still get "Update failed - server unreachable." for most of my styles. By looking at the developer network console, I noticed that the requests that fail are on HTTP, and those that work are on HTTPS.
  
  The JavaScript console has lots of messages like this:

  XMLHttpRequest cannot load http://update.userstyles.org/97161.md5. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome-extension://fjnbnpbmkenffdnngjfgmeleoegfcffe' is therefore not allowed access. 
• JasonBarnabe

  April 2014

  Hmm, so maybe the cache doesn't expire that quickly after all.
  
  I will be doing an update that makes it uses the HTTPS update URLs. This whole initiative is on pause to give time for people to upgrade Stylish due to https://github.com/JasonBarnabe/stylish-chrome/issues/9
• war59312

  April 2014 edited April 2014

  Hi,
  
  Glad to see you have decided to support SSL/TLS. :D
  
  Please make it more secure. ;)
  
  Enable TLS 1.2.
  Support Robust Forward Secrecy.
  Enable Strict Transport Security (HSTS). (Once HTTPS is default of course)
  
  See report @ https://www.ssllabs.com/ssltest/analyze.html?d=userstyles.org
  
  Details on how and why to fix these issues. Should not take much time and effort to fix.
  
  Thanks,
  
  Will
• JasonBarnabe

  May 2014

  The forum is now using https. Let me know if you see problems.
• makondo

  May 2014 edited May 2014

  Oh no!!! You also added those stupid no-avatar images!!! I hate that stuff. How do i get rid of it?
  
  
  EDIT: i just realized i had them hidden before but needed to update for https change and the new rule.
• mikedl

  May 2014 edited May 2014

  I dunno, put in an avatar?
  Or use:
  IMG[class="ProfilePhotoMedium"][src*="https://secure.gravatar.com/avatar.php?gravatar"] {opacity: 0!important;}
• monn43

  May 2014

  
• decembre

  May 2014

  denilsonsa and war59312 avatars are too selected by this rule:
  
  IMG[class="ProfilePhotoMedium"][src*="https://secure.gravatar.com/avatar.php?gravatar"] {opacity: 0!important;}
  How to select only the Default Avatar ?
• makondo

  May 2014 edited May 2014

  Good question! I'm still fiddling with this and can't get it right. Somehow you need to drop' _id_id=eablahblahblah' part. But for some reason those 2 have the same id.
  I hate that googl stuff!
• hideheader

  May 2014

  Don't hijack the thread with your selector questions, Makondo. You of all people should know better.
• hideheader

  June 2014

  @JasonBarnabe: Are you planning to transmogrify the @document expressions for the Userstyles.org styles? I noticed today that my Userstyles.org styles are falling off when I follow a link from the Firefox Style Manager to a style page.
• JasonBarnabe

  June 2014

  Wasn't planning on it, but I probably should...
• JasonBarnabe

  June 2014

  http://userstyles.org now redirects to https://userstyles.org. Let's see we get a flood of complaints...
  
  Forum login actually didn't work with https; I had to recompile PHP (!) to make it work.
• decembre

  June 2014

  If you want a working
  Table View Plus (version 4.2.0 )
  
  You need to edit it.
  - Add this include:
  // @include http*://userstyles.org*
  - Find / Change all userstyles' http to https
  - And maybe the links userscripts.org to userscripts-mirror.org (it's the script icon)
• makondo

  June 2014

  It is working, srazzano made this change a while back when Jason first tried https, the last version is 4.3.0.
• decembre

  June 2014

  I use 4.2.0 because the install count (the +/- XX number) , seems not working for me with the last update ...
• makondo

  June 2014 edited June 2014

  Post it in the script feedback for Sonny (when he comes back from vacation). 4.3.0 works fine for me but if you mean the stats, he eliminated them, was a pain and not accurate anyway. This is really not a place to discuss this you know, has nothing to do with the thread
• NotTheMama

  June 2014 edited June 2014

  http://userstyles.org now redirects to https://userstyles.org. Let's see we get a flood of complaints...
  

  Is this why Youtube video frames are no longer showing up on the pages here which usually have them (firstrun, help)? (Yes, it looks like active mixed content is being blocked.)
  
  
• war59312

  June 2014

  Sad to see still on TLS 1.0/ :(
  
  And now even worse: "This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable."
  
  Very easy and cheap to fix these issues.
  
  I see your running nginx/1.4.3. Why? Hope you backported the two security issues?
  
  At the least you should be on nginx-1.4.7. Really should be on stable, which is nginx-1.6.0.
  
  Like I said, its very easy to fix this.
  
  See PDF @ https://bettercrypto.org/ which details settings to use in nginx. :)
  
  Also, here on the forums it's downloading insecure content from:
  
  The page at 'https://forum.userstyles.org/discussion/41197/test-userstyles-org-over-https#Item_11' was loaded over HTTPS, but displayed insecure content from 'http://a.ly/url/8kk': this content should also be loaded over HTTPS.
  
  The page at 'https://forum.userstyles.org/discussion/41197/test-userstyles-org-over-https#Item_11' was loaded over HTTPS, but displayed insecure content from 'http://i.imgur.com/iy2e5.gif': this content should also be loaded over HTTPS.
  
  The page at 'https://forum.userstyles.org/discussion/41197/test-userstyles-org-over-https#Item_11' was loaded over HTTPS, but displayed insecure content from 'http://a.ly/url/8kk': this content should also be loaded over HTTPS.
  
  The page at 'https://forum.userstyles.org/discussion/41197/test-userstyles-org-over-https#Item_11' was loaded over HTTPS, but displayed insecure content from 'http://i.imgur.com/iy2e5.gif': this content should also be loaded over HTTPS.
  
  The page at 'https://forum.userstyles.org/discussion/41197/test-userstyles-org-over-https#Item_11' was loaded over HTTPS, but displayed insecure content from 'http://aa.x10.mx/http://probablyprogramming.com/wp-content/uploads/2009/03/handtinyblack.gif?16394': this content should also be loaded over HTTPS.
  
  The page at 'https://forum.userstyles.org/discussion/41197/test-userstyles-org-over-https#Item_11' was loaded over HTTPS, but displayed insecure content from 'http://probablyprogramming.com/wp-content/uploads/2009/03/handtinyblack.gif?16394': this content should also be loaded over HTTPS.
  
  That's the problem with using https on forums. By default browser will block all user uploaded/linked content that is not https as well.
  
  So either only allow users to link to https content or not at all. Either wise, users wont see the content by default anyways or will get the evil "partially encrypted" msgs.
  
  Though some ssl is better than none too.. So could just live with it..
• JasonBarnabe

  June 2014

  I see your running nginx/1.4.3. Why? Hope you backported the two security issues?
  
  At the least you should be on nginx-1.4.7. Really should be on stable, which is nginx-1.6.0.

  My nginx comes from Passenger, and that was the latest version available in the last big upgrade. I've upgraded again, and now we're on nginx 1.6.0.

  Also, here on the forums it's downloading insecure content from:

  Yeah, I know. This is not a security issue in this scenario, and requiring people to have HTTPS for whatever images they want to use is kind of onerous, so getting the warning when on the forum is the best case for now.
• JasonBarnabe

  June 2014

  Is this why Youtube video frames are no longer showing up on the pages here which usually have them (firstrun, help)? (Yes, it looks like active mixed content is being blocked.)
  

  Fixed, thanks for reporting.
  
• JasonBarnabe

  June 2014

  Sad to see still on TLS 1.0/ :(
  
  And now even worse: "This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable."

  Now we're on TLS 1.2 and that page says the OpenSSL vulnerability is fixed.
• war59312

  June 2014

  Nicely done. :)
  
  BTW Robust Forward Secrecy can be added easily enough, shows you how in that pdf I inked to prior.
  
  Also, Strict Transport Security (HSTS) can be enabled in seconds.
  
  Very good guide: https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/
  
  Could even enable SPDY support via this guide. :D