Site Login/Cookies
Adam (47) 40 posts |
Hi, I seem to have to log in again every time I visit this site. (This is particularly irritating for me as I’ve got a tediously-long email address.) Could we have a “store my details in a cookie” tickbox? Thanks, Adam P.S. Also, how come the site certificate always needs manually accepting? P.P.S. Also also, what’s the cause of the “do you want to display both secure and non-secure items” pop-up? (I think this one might be IE-only) |
Andrew Hodgkinson (6) 465 posts |
The cookie request does have security implications, but is tracked by the feature request in ticket 108. Your web browser ought to offer you the choice of installing Comodo’s InstantSSL root certificate, which should then stop it repeatedly asking for confirmation. If not, I can only suggest that you read the browser’s documentation regarding its behaviour with HTTPS sites and certificates it thinks it does not recognise. Make sure you access the site via “www.riscosopen.org” and not any of our other domains, as SSL certificates are very expensive and we could only afford one to match the .org domain. The “secure and non-secure items” one is strange, though sometimes Rails will generate resource URLs that fetch by HTTP despite the rest of the page being HTTPS. Perhaps IE is worried about that. I recommend you give Firefox or Opera a try, both completely free, rather than using IE; several areas of the site use CSS features which are several years old, but still aren’t implemented even in IE 7. You may find that the site as a whole performs better using a different browser. I know “use a different browser” is a fairly poor answer, but the Windows-based alternatives are such a step up (in my opinion) that I really think you should give them a whirl if at all possible. |
Adam (47) 40 posts |
I’m using Opera 9.20. When I go to log in, I get the pop-up warning box with the message:
> The server’s name “www.riscosopen.co.uk” does not match the certificate’s name “www.riscosopen.org”. Somebody may be trying to eavesdrop on you.
The install button is greyed out. Why use a certificate at all? Adam P.S. At work I have no choice but to use an old version of IE so the “change browser” advice is no good to me ;) |
Andrew Hodgkinson (6) 465 posts |
Ah, so you’re trying to visit “www.riscosopen.co.uk” rather than “www.riscosopen.org”. As I mentioned before, we could only afford an SSL certificate to cover the .org domain, though the site serves the same data for .com, .org.uk and .co.uk too. This means you get a certificate mismatch for the other domains. If you’re visiting from a bookmark make sure that it’s set up for “www.riscosopen.org” rather than “www.riscosopen.co.uk” and that should sort things out for you.
It’s how HTTPS works. We need a certificate to be able to serve pages over HTTPS - it’s part of how the protocol verifies the identity of the site to which you are trying to connect, to help make sure that it can’t be impersonated by someone else. We need HTTPS to make sure that your login details are secure when you sign in to Hub. Otherwise, someone could steal your login information and start making offensive forum posts, news comments etc. under your name. Certificates are issued by trusted Certificate Authorities; the web site’s SSL certificate identifies the web site as genuine and signs itself using the Certificate Authority’s own root certificate. There’s a chain of trust involved. The web browser needs to have the root certificates for your chosen Certificate Authority installed, else it will have to ask the user for confirmation (IE 7 even says that the whole site is untrustworthy and shouldn’t be visited). There are a small number of free / open Certificate Authorities out there but they don’t have their root certificates installed in major web browsers. Basically, since MSIE has 85+% of browser share, whichever company pays MS the most is most likely to get its root certificate installed in MSIE by default, so the free vendors don’t really stand a chance. Can’t understand why Firefox doesn’t include them though. The bottom line is we are forced to use a commercial Certificate Authority to issue our HTTPS certificate and they charge a lot of money. Our choice of Comodo InstantSSL was made because it was the cheapest we could find with good browser support, though it still doesn’t have 100% browser coverage for its root certificate and the particular package we chose only provides a site certificate that covers a single domain. 
From fundraising efforts like Wakefield we may be able to afford better certificate coverage in future, though for now I’m keeping an eye on our bandwidth costs – after the source code release, we’ve shipped over thirty times more data in the last 24 hours than our previous average.
Well, sorry about that. But ultimately, MSIE 6 is a very, very old browser and we do only develop the site in our spare time – it’s impossible to fully support every browser (hence only patchy support for things like Browse, or even NetSurf in places). The site does basically function throughout, although aesthetics do suffer. If you have specific pages that generate excessive warnings, feel free to register a bug report. I can’t guarantee a speedy fix but at least the issue will be tracked. |
Adam (47) 40 posts |
Ah, I see. I’ll change my bookmark :)
Oh, right. To be honest I’m personally not that bothered about SSL just for a web forum (and most other forums I’ve used don’t seem to bother) but fair enough… ;) Adam |
Andrew Hodgkinson (6) 465 posts |
If I logged in under your credentials and started slandering people, you might get more worried! That other forums are less secure is more a statement about how poor security is on the majority of web sites, rather than how over the top we are, IMHO. You only need to read a couple of In our case, though, the Hub login system gives you access to news article comments, full access to the bug tracker and so on. For ROOL staff it also provides elevated privileges including access to the site’s various administrative interfaces, so someone compromising our accounts could do more damage. Although we have a reasonable backup strategy, I’m in no hurry to test it in anger… |
Rob Kendrick (86) 50 posts |
Out of interest, if you want to use SSL but only on one of your numerous domains, why not have the others redirect users to the domain that the certificate is registered for? |
Julian Zimmerle (136) 29 posts |
Hi! GoDaddy.com offers cheap SSL certificates from about 20 US$ per year. You might want to get their 6-in-1 offer, to get certificates for the same site name with up to six different TLDs for about 70 US$. 99% of all browsers have their root certificate included. A detailed list is available at: http://help.godaddy.com/article.php?article_id=1139&topic_id=235 BTW, I’m not affiliated with GoDaddy, because I just noticed that this looks very much like spam. I just use their certificates a lot for web design projects. |
Andrew Hodgkinson (6) 465 posts |
Never heard of them before. Thanks. We have the Comodo certificate for IIRC two years anyway, but GoDaddy could be used to cover the other domains perhaps. |
Andrew Hodgkinson (6) 465 posts |
It’s four years late, but here’s the reason: The certificate negotiation happens before the web server gets to handle the request. By the time redirection occurs (and we do redirect) the user has already been asked about the certificate mismatch, if they came in via an unusual domain variant. |
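The two points made in this thread (that the certificate is what ties the connection to a host name, and that the name check happens during the TLS handshake, before the server ever sees the request it could redirect) can be modelled without a network. The following is an added example, not code from the ROOL site or from anyone in this thread. The certificates are constructed dicts in the shape that Python's `ssl.SSLSocket.getpeercert()` returns; the issuer string and the multi-domain name list are assumptions chosen to mirror the single-domain Comodo certificate and the "6-in-1" alternative discussed above. The host name matching follows the RFC 6125 rules (subjectAltName preferred over commonName, a wildcard only as the whole leftmost label and never across a dot), which is more general than the exact-match case the thread hits.

```python
"""Added example: RFC 6125-style host name matching and the order of events
in an HTTPS visit. Shows why redirecting www.riscosopen.co.uk to
www.riscosopen.org cannot suppress the certificate warning.

All certificates below are constructed stand-ins, not real certificates.
"""
from typing import List, Optional

# Constructed stand-in for the single-domain certificate described in the
# thread: the only name it covers is www.riscosopen.org. The issuer name is
# an assumption for illustration only.
ORG_CERT = {
    "subject": ((("commonName", "www.riscosopen.org"),),),
    "subjectAltName": (("DNS", "www.riscosopen.org"),),
    "issuer": ((("organizationName", "example CA (constructed)"),),),
}

# Constructed multi-name certificate of the kind a multi-TLD package would
# produce; the list of names is an assumption.
MULTI_CERT = {
    "subject": ((("commonName", "www.riscosopen.org"),),),
    "subjectAltName": (
        ("DNS", "www.riscosopen.org"),
        ("DNS", "www.riscosopen.co.uk"),
        ("DNS", "www.riscosopen.org.uk"),
        ("DNS", "www.riscosopen.com"),
    ),
}


def dns_names(cert) -> List[str]:
    """Names a client may match against. Per RFC 6125 the commonName is
    consulted only when the certificate carries no DNS subjectAltName."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Match one presented name against a host. A single '*' is allowed
    only as the entire leftmost label, needs at least two labels after it,
    and never matches across a dot (so *.riscosopen.org does not cover
    a.b.riscosopen.org and *.org is rejected outright)."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, host: str) -> bool:
    """True if the host the user typed is covered by the certificate."""
    return any(name_matches(name, host) for name in dns_names(cert))


def https_visit(bookmark_host: str, served_cert,
                redirect_to: Optional[str] = None) -> List[str]:
    """Simulate the order of operations in an HTTPS visit and return the
    events the browser goes through. The certificate check is event 1;
    the HTTP request, and therefore any redirect, can only come after it."""
    events = [f"TLS handshake with {bookmark_host}"]
    if hostname_matches(served_cert, bookmark_host):
        events.append("certificate name OK")
    else:
        covered = dns_names(served_cert) or ["<no name>"]
        events.append(f"WARNING: certificate is for {covered[0]}, "
                      f"not {bookmark_host}")
    events.append(f"GET / with Host: {bookmark_host}")
    if redirect_to and redirect_to != bookmark_host:
        events.append(f"301 redirect to https://{redirect_to}/")
    return events


if __name__ == "__main__":
    for ev in https_visit("www.riscosopen.co.uk", ORG_CERT, "www.riscosopen.org"):
        print(ev)
```

Running the block prints the four events for a visit via the .co.uk bookmark: the warning is raised at step 2 and the redirect only appears at step 4, which is exactly the sequence described in the reply above. Swapping `ORG_CERT` for `MULTI_CERT` makes step 2 read "certificate name OK", which is the effect of a certificate that lists every served domain.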
Andrew Hodgkinson (6) 465 posts |
…We changed to using GoDaddy ages ago, too. |