SSL Implementation soon...

Announcements related to BNT and the BlackNova.net site.

TheMightyDude
Site Admin
Posts: 311
Joined: Thu Apr 17, 2014 09:15 UTC

SSL Implementation soon...

Post by TheMightyDude » Fri Jul 15, 2016 14:31 UTC

Hello All

Just giving you all a heads-up that we will soon be setting up SSL for all sites for blacknova.net so that we can secure our users' information.

This will allow us to hop over to a secure page when players login onto the games once they are back up, the forums and so on.
TheMightyDude::Blacknova Development.
Development Blog YouTube Dev Channel Twitter Twitch

TheMightyDude
Site Admin
Posts: 311
Joined: Thu Apr 17, 2014 09:15 UTC

Re: SSL Implementation Completed...

Post by TheMightyDude » Fri Jul 15, 2016 16:08 UTC

Ok, I have completed the SSL side of things, and I have also enabled encrypted cookies (assuming that works) for the forums.

So it should now be listing the server as:

Connection
Protocol TLS 1.2
Key Exchange ECDHE_RSA
Cipher Suite AES_128_GCM

So at least the forums are more secure than they were before.
TheMightyDude::Blacknova Development.
Development Blog YouTube Dev Channel Twitter Twitch

thekabal
Posts: 100
Joined: Sat Apr 19, 2014 22:32 UTC

Re: SSL Implementation Completed...

Post by thekabal » Fri Jul 29, 2016 17:55 UTC

TheMightyDude wrote:Ok, I have completed the SSL side of things, and I have also enabled encrypted cookies (assuming that works) for the forums.

So it should now be listing the server as:

Connection
Protocol TLS 1.2
Key Exchange ECDHE_RSA
Cipher Suite AES_128_GCM

So at least the forums are more secure than they were before.
Awesome! You might want to take a peek at https://cipherli.st/ , which is copy/paste easy to get you up to an A on https://www.ssllabs.com/ssltest/ . (Right now blacknova.net is at a T, and if you ignore the certificate name mismatch, it's a C because it is still vulnerable to Poodle).

That is the config I'm using on https://kabal-invasion.com/ , which is now at an A+. I'll be moving the Kabal Invasion code to require SSL, as there is really no justification for not using SSL anymore!

Thanks for doing this on the forums, it's nice having SSL!!
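The points raised in this reply (SSLv3 left on means POODLE, a weak cipher string, and the HSTS header that SSL Labs wants) can be checked locally before anything goes live. The script below is an added example, not code from the thread or from cipherli.st; it audits an Apache mod_ssl vhost fragment for those issues. The two vhost fragments, the host name forums.example.test and the certificate path are constructed for the example.

```python
"""Audit an Apache mod_ssl vhost fragment for the thread's talking points:
SSLv3 (POODLE), weak cipher aliases, server cipher preference and HSTS."""

# Constructed sample: the kind of config that scores poorly (SSLv3 still on, no HSTS)
WEAK_VHOST = """
<VirtualHost *:443>
    ServerName forums.example.test
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/ssl/certs/example.pem
</VirtualHost>
"""

# Constructed sample: hardened along the lines cipherli.st-style guidance recommends
HARDENED_VHOST = """
<VirtualHost *:443>
    ServerName forums.example.test
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    SSLCertificateFile /etc/ssl/certs/example.pem
</VirtualHost>
"""

# OpenSSL cipher-string aliases and algorithm names that should never be offered
WEAK_CIPHER_WORDS = {"LOW", "MEDIUM", "RC4", "DES", "3DES", "EXPORT", "EXP",
                     "MD5", "ANULL", "ENULL", "NULL"}

def parse_directives(vhost_text):
    """Return [(name, value), ...] for one-line directives, skipping tags and comments."""
    directives = []
    for raw in vhost_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        directives.append((name, value.strip()))
    return directives

def last_value(directives, name):
    """Apache lets a later directive override an earlier one, so take the last."""
    values = [v for n, v in directives if n.lower() == name.lower()]
    return values[-1] if values else None

def sslv3_enabled(protocol_value):
    """SSLProtocol is a set: 'all', '+SSLv3' or 'SSLv3' adds it, '-SSLv3' removes it."""
    tokens = {t.lower() for t in protocol_value.split()}
    added = bool(tokens & {"all", "+sslv3", "sslv3"})
    return added and "-sslv3" not in tokens

def weak_cipher_tokens(cipher_string):
    """Return cipher-string entries that still enable a weak alias or algorithm."""
    weak = []
    for entry in cipher_string.split(":"):
        if entry.startswith("!"):            # '!' permanently removes, so it is fine
            continue
        words = entry.lstrip("+").upper().split("-")
        if any(w in WEAK_CIPHER_WORDS for w in words):
            weak.append(entry)
    return weak

def audit(vhost_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    d = parse_directives(vhost_text)
    findings = []
    proto = last_value(d, "SSLProtocol")
    if proto is None:
        findings.append("SSLProtocol not set explicitly; the enabled versions depend on build defaults")
    elif sslv3_enabled(proto):
        findings.append("SSLv3 enabled: the host is exposed to POODLE")
    ciphers = last_value(d, "SSLCipherSuite")
    if ciphers is None:
        findings.append("SSLCipherSuite not set explicitly")
    else:
        for entry in weak_cipher_tokens(ciphers):
            findings.append(f"weak cipher entry offered: {entry}")
    if (last_value(d, "SSLHonorCipherOrder") or "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on: the client, not the server, picks the suite")
    hsts = any(n.lower() == "header" and "strict-transport-security" in v.lower() for n, v in d)
    if not hsts:
        findings.append("no Strict-Transport-Security header: HSTS is required for an A+ on SSL Labs")
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit(text) or ["no findings"])
```

Running it prints four findings for the weak fragment and none for the hardened one. The checks are deliberately simple (one directive per line, no `Include`s), which is enough to catch the specific mistakes this thread is about before SSL Labs does.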

TheMightyDude
Site Admin
Posts: 311
Joined: Thu Apr 17, 2014 09:15 UTC

Re: SSL Implementation Completed...

Post by TheMightyDude » Sat Jul 30, 2016 04:25 UTC

thekabal wrote:
TheMightyDude wrote:Ok, I have completed the SSL side of things, and I have also enabled encrypted cookies (assuming that works) for the forums.

So it should now be listing the server as:

Connection
Protocol TLS 1.2
Key Exchange ECDHE_RSA
Cipher Suite AES_128_GCM

So at least the forums are more secure than they were before.
Awesome! You might want to take a peek at https://cipherli.st/ , which is copy/paste easy to get you up to an A on https://www.ssllabs.com/ssltest/ . (Right now blacknova.net is at a T, and if you ignore the certificate name mismatch, it's a C because it is still vulnerable to Poodle).

That is the config I'm using on https://kabal-invasion.com/ , which is now at an A+. I'll be moving the Kabal Invasion code to require SSL, as there is really no justification for not using SSL anymore!

Thanks for doing this on the forums, it's nice having SSL!!
I just cannot seem to get it any better than "A" for the forums :(

I have not set up blacknova.net yet, so it falls back to the first SSL cert on Apache's list, and if there is no SSL virtual host set up it falls back to non-SSL (i.e. http://).
TheMightyDude::Blacknova Development.
Development Blog YouTube Dev Channel Twitter Twitch

TheMightyDude
Site Admin
Posts: 311
Joined: Thu Apr 17, 2014 09:15 UTC

Re: SSL Implementation soon...

Post by TheMightyDude » Sat Jul 30, 2016 04:59 UTC

Ok, I have upgraded my SSL certs to 4096 bits; hopefully this will be better. There is nothing I can do on the protocol side of things, because that would break it for old Android devices.

Well, the 4096-bit key didn't change anything :(

Cert Status

So I guess that's going to have to do.

To get A+ I would be killing off support for other slightly older browsers and older mobile devices.
It's like saying you cannot enter this site because you are using an Apple device, or like blocking all mobile devices and only allowing users on a desktop browser, which I think is a bad road to head down.

Also, now all SSL virtual hosts that are not in use as yet redirect to http://blacknova.net :)
It was just me being far too lazy :P
TheMightyDude::Blacknova Development.
Development Blog YouTube Dev Channel Twitter Twitch

TheMightyDude
Site Admin
Posts: 311
Joined: Thu Apr 17, 2014 09:15 UTC

Re: SSL Implementation Completed...

Post by TheMightyDude » Sat Jul 30, 2016 07:42 UTC

thekabal wrote:Thanks for doing this on the forums, it's nice having SSL!!
Well, I plan to do something with SSL on the games; I just haven't had any other good day (health-wise) to do any coding.

Also, I have noticed that you have Strict Transport Security (HSTS) enabled. I was going to do that when I added the SSL stuff; sadly it becomes an issue, like on these forums, where users use avatars that are linked using non-SSL means.
TheMightyDude::Blacknova Development.
Development Blog YouTube Dev Channel Twitter Twitch
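The avatar problem described above is mixed content: once the page itself is served over https://, any sub-resource still fetched over http:// is either blocked by the browser (scripts, frames) or costs the page its secure indicator (images). HSTS does not fix that, because it only applies to the domains it is set on, not to third-party avatar hosts. As an added example (not code from the forums or from phpBB), the script below scans a page for such references so they can be found and rewritten before HSTS is switched on. The sample page and the host names in it are constructed.

```python
"""Find http:// sub-resources on a page that will be served over https://
(the avatar problem mentioned above), before enabling HSTS for the site."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: an HTTPS forum page whose user avatars and one script were
# saved as absolute http:// links
SAMPLE_PAGE = """
<html><body>
<img src="https://forums.example.test/images/logo.png">
<img src="http://avatars.example.test/u/42.png" alt="avatar">
<img src="//cdn.example.test/icons/star.png">
<script src="http://cdn.example.test/js/app.js"></script>
<a href="http://blacknova.example.test/">a plain link is not mixed content</a>
<img src="/images/local.png">
</body></html>
"""

# Active mixed content is blocked outright by browsers; passive content is loaded
# but costs the page its secure indicator
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}

class MixedContentFinder(HTMLParser):
    """Collect (kind, tag, url) for every sub-resource fetched over plain http."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> uses href; everything else of interest uses src
        url = attrs.get("href") if tag == "link" else attrs.get("src")
        if not url:
            return
        # relative and protocol-relative (//host/...) URLs inherit https from the page
        if urlsplit(url).scheme.lower() != "http":
            return
        if tag in ACTIVE_TAGS:
            self.findings.append(("active", tag, url))
        elif tag in PASSIVE_TAGS:
            self.findings.append(("passive", tag, url))

def find_mixed_content(html):
    """Return the list of (kind, tag, url) findings for one page."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

def upgrade_to_https(url):
    """Rewrite http:// to https://. Only safe when the origin really serves https,
    which is exactly what a third-party avatar host may not do."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts)[1:])

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}  ->  {upgrade_to_https(url)}")
```

For a forum the practical fix is to run this over stored avatar URLs, upgrade the ones whose hosts answer on https://, and re-host or drop the rest; HSTS can go on once the scan comes back empty.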

TheMightyDude
Site Admin
Posts: 311
Joined: Thu Apr 17, 2014 09:15 UTC

Re: SSL Implementation soon...

Post by TheMightyDude » Sat Jul 30, 2016 10:17 UTC

Ok, I was wrong about the A+ Rating :P
We now have it for just the forums.

Updated Cert Status

And it supports everything that is listed on that site apart from the following:

[Incorrect certificate because this client doesn't support SNI]
#1 Android 2.3.7 No SNI 2 RSA 2048 (SHA256) | TLS 1.0 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DH 2048

#2 IE 6 / XP No FS 1 No SNI 2 Server closed connection

#3 IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure

[Client does not support DH parameters > 1024 bits]
#4 Java 6u45 No SNI 2 RSA 2048 (SHA256) | TLS 1.0 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DH 2048

I can only resolve the first issue, and only once I resolve the SNI problem; the other 3 are old versions, and I am not prepared to make the server vulnerable just for people who are too lazy to upgrade their devices/computers etc.
TheMightyDude::Blacknova Development.
Development Blog YouTube Dev Channel Twitter Twitch

thekabal
Posts: 100
Joined: Sat Apr 19, 2014 22:32 UTC

Re: SSL Implementation soon...

Post by thekabal » Sat Jul 30, 2016 18:17 UTC

Killer work! Thanks for taking the time to do it.

You are a great steward for Blacknova Traders!!

TheMightyDude
Site Admin
Posts: 311
Joined: Thu Apr 17, 2014 09:15 UTC

Re: SSL Implementation soon...

Post by TheMightyDude » Sat Jul 30, 2016 19:39 UTC

thekabal wrote:Killer work! Thanks for taking the time to do it.

You are a great steward for Blacknova Traders!!
Yeah, I lost some score from the Cipher Strength when I added some of the 128-bit AES to support some of the other devices etc. I was trying to keep it with a minimum of 256-bit AES, but sadly that wasn't the case.

I was tweaking the SSL settings for ages trying to get A+, only to realise that Strict Transport Security (HSTS) was needed to get that LOL.

As for the SNI, there is nothing I can do about that, and it is what happens when you run several domains on the same server, each using SSL.

And the incorrectly named SSL cert is a valid cert which is linked to the domain that is set as the default SSL virtual host, and it's only needed to open up the initial SSL connection so that it can read the HTTP headers, so it knows what virtual host it needs to load up and what SSL cert it then needs to load.

You only see the incorrect name when the SSL virtual host isn't set up for the host in question; if the SSL virtual host is set up you don't get that name-mismatch warning message.

So the only issue is that Android 2.3.7, IE 6, IE 8 / XP and Java 6u45 won't be able to access the site, so no loss there then LOL.
TheMightyDude::Blacknova Development.
Development Blog YouTube Dev Channel Twitter Twitch
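A note on the mechanics behind the SNI discussion above: when several HTTPS sites share one IP, the server has to pick a certificate before any HTTP header exists, because the certificate is sent in the handshake and the Host header only arrives inside the encrypted connection afterwards. What carries the name at that point is the server_name (SNI) extension in the ClientHello. A client that does not send it, such as the Android 2.3.7 and IE on XP entries in the SSL Labs list, is handed the default vhost's certificate, which is the name mismatch the scanner reports. The following is an added example, not code from Apache or from this thread: it builds a minimal ClientHello with and without SNI, parses the extension back out, and mimics name-based vhost selection. The vhost table, host names and certificate labels are constructed.

```python
"""Show why a client without SNI gets the default vhost's certificate: the
server picks the certificate from the ClientHello, before any HTTP is sent."""
import os
import struct

# Constructed vhost table; the first entry plays the role of Apache's default SSL vhost
VHOSTS = [
    {"server_name": "default.example.test", "cert": "cert-for-default.example.test"},
    {"server_name": "forums.example.test",  "cert": "cert-for-forums.example.test"},
]

def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record offering one cipher suite.
    With server_name=None no extensions block is sent, like a pre-SNI client."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"              # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                                      # one compression method: null
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Walk the ClientHello and return the server_name, or None if absent."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                   # skip client_version and random
    off += 1 + body[off]                           # session_id
    cs_len, = struct.unpack("!H", body[off:off + 2])
    off += 2 + cs_len                              # cipher_suites
    off += 1 + body[off]                           # compression_methods
    if off >= len(body):
        return None                                # no extensions at all
    ext_len, = struct.unpack("!H", body[off:off + 2])
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != 0x0000:
            continue
        pos = 2                                    # skip ServerNameList length
        while pos + 3 <= len(data):
            ntype = data[pos]
            nlen, = struct.unpack("!H", data[pos + 1:pos + 3])
            name = data[pos + 3:pos + 3 + nlen]
            pos += 3 + nlen
            if ntype == 0:
                return name.decode("ascii")
    return None

def select_certificate(record, vhosts=VHOSTS):
    """Name-based selection: a matching SNI picks its vhost; otherwise the first vhost wins,
    which is where the 'certificate name mismatch' seen by non-SNI clients comes from."""
    name = extract_sni(record)
    if name is not None:
        for vhost in vhosts:
            if vhost["server_name"].lower() == name.lower():
                return vhost["cert"]
    return vhosts[0]["cert"]

if __name__ == "__main__":
    print("with SNI   :", select_certificate(build_client_hello("forums.example.test")))
    print("without SNI:", select_certificate(build_client_hello()))
```

The only ways around the mismatch for non-SNI clients are a separate IP per site or one certificate whose subject alternative names cover every site on the server; neither changes the fact that the choice is made in the handshake, so moving a site to its own SSL virtual host (as done above) fixes SNI-capable clients only.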

thekabal
Posts: 100
Joined: Sat Apr 19, 2014 22:32 UTC

Re: SSL Implementation soon...

Post by thekabal » Sat Jul 30, 2016 20:07 UTC

TheMightyDude wrote: So the only issue is that Android 2.3.7, IE 6, IE 8 / XP and Java 6u45 won't be able to access the site, so no loss there then LOL.
Truth. While BNT is definitely an "old-school" game, people need to run browsers less than 5 years old (IE9). I mean, that isn't an unreasonable requirement at all. They are literally unsafe using browsers that old, so it is more of a public service than anything else.

On the TKI side, I'm anxiously awaiting the release of PHP-7.1; we are going to require it so we can get void return types. I am absolutely shocked at how many errors were in the game from loose typing and assumptions about what type some variables were. It's an unreasonable requirement, to be sure, but I'd rather be ahead of most and squash the bugs now. That way, when everyone else (hosting companies, etc.) catches up, the game is ready and solid.
