The Dink Network - Proper HTTPS Support
I updated The Dink Network background code (Miasma) to correctly support https. I enabled experimental https support since around August, but a lot of things didn't work (like, uh, css) as a lot of resources were hard-coded to load from http://www.dinknetwork.com.
So, if you login to https://www.dinknetwork.com, you should see a nice 'Secure' reference before the URL, and it should actually look ok.
If you notice any problems, please let me know ASAP.
Thanks!
all my links are unclicked now. how dare you
I didn't think anyone would discover my nefarious plan a mere 2 minutes after announcing this.
Well played, sir, well played.
i discovered it while you were doing it. i also noticed the super obvious new anti-spam question.
restore the unsecure version
Weird; I thought I changed the anti-spam question back around... October 18th (according to my records). We were getting a fairly heavy amount of anonymous spam, and I think several spambots were programmed to enter 'banana' as the anti-spam response, so I changed it.
The unsecure version should still work (you don't have to go to https://)
Nice work, redink1. Next up is getting it to auto redirect to the https version.
So, we have https instead of (well, in addition to for the moment) http as a part of the DN. What was the reason for the conversion?
- Personally, I don't think that I would be worried if someone "broke into" my DN account, though it would be a little disconcerting to me, I admit. Do you think others would be more upset about this sort of thing?
- Are we worried about ISPs or other more nefarious types injecting ads (or scams) into pages?
- Is there a reason that we need to be certain that Search Engine Optimization is not putting our beloved http Dink network behind other Dink sites that use https?
- Is there concern with a lack of compatibility with Google's AMP (Accelerated Mobile Pages)?
- Do we need to reassure new visitors to the site that they are safe?
Anyway, I was just curious as to what made you decide to do it. Just in case you are wondering, I remain quite grateful for your efforts in maintaining this site, and all the Dink related matters that you have involved yourself in over the years.
Oh, and (for what it is worth) I agree with bsitko that auto-redirect to the https version should probably be the next step.
I dunno about you but I treasure my bloop badge
It's where the web is going. Chrome will start popping up warnings on sites that aren't using http by June. Regardless of whether or not they have logins or not.
I read that Chrome was going to start displaying warnings about sites being unsafe when accessed over http, and so I thought I might as well spend a bit of time to support https.
Interestingly enough, my web host currently provides certificates from one of the groups that Chrome is going to start distrusting around October (more info). I hope they transition to another provider soon.
I suggest to make HTTPS support default, that is, automatically redirect from HTTP to HTTPS at least in web browsers. It is not a good idea to have passwords go over plaintext through the Internet. Some users might use their Dink Network passwords on other websites. You should do this ASAP for the security of the users of this site.
And as far as Dink Smallwood HD possibly not supporting this for DMODs, well I believe it uses HTTPS to check for updates from RTSoft so it ought to work for downloading DMODs from the Dink Network, so I doubt it would have any issue. Still, making sure that DMOD downloading within Dink Smallwood HD works is something to double-check after making HTTP traffic redirect to HTTPS, just to be absolutely sure.
I personally am a member of this site and have logged into it in the past over HTTP and am concerned about my own security. I am not worried about any of you guys being bad, I am worried about a man-in-the-middle attack, obviously the Dink Network itself is trustworthy, but plaintext passwords sent over HTTP are vulnerable to man-in-the-middle attacks anywhere their Internet traffic is routed through and it is easy to intercept data and this is very much a bad thing. A common packet capture and analysis tool like Wireshark can be used on a LAN to intercept all network traffic. So if someone is connected to a wireless LAN, public WiFi, and they visit the Dink Network website from there and login, very very easy for someone else to do a man-in-the-middle attack and get all their login info.
Sorry about that little network security rant, I used to not know very much about network security, like back when I became a member of this site I did not even notice that it was HTTP instead of HTTPS or think anything of it but I have learned more since then and most of what I learned was pretty disturbing, I got a Network+ certification from CompTIA, I admit I am still pretty lax about security compared to a lot of people. Like in macOS it requires me to have a password, so I have my password be a single space, since 1 character is the minimum number of characters and the spacebar is the biggest and most obvious key. On Windows 10 it requires me to have a pin number now and has complexity requirements and I figured out, the simplest possible pin number that meets those is 1000, easy to remember 1000. Prior to the new complexity requirements my pin number on Windows 10 was just all zeroes, 0000. I specifically have my sudoers files on macOS and Linux set to not require a password ever, under any circumstance, and I disable as many annoying “security” features as possible in most operating systems, like User Account Control on Windows and System Integrity Protection and Gatekeeper on macOS. So I am not the most security-conscious person out there, in fact I find security to be a real pain and get in the way of getting things done most of the time. But even I think that websites that use usernames and passwords should never ever use HTTP and the ones that do all need to switch to HTTPS-only.
help, I'm being logged out automatically over and over again
Until I get a permanent fix, please log in to https://www.dinknetwork.com instead of https://dinknetwork.com (the www is important).
oh huh, it isn't doing it here. thought it was at some point.
@redink1:
Today I'm getting this error (probably unrelated to https support) that is preventing me from editing my forum postings.
Modify Error
You can only modify a message that exists, silly wabbit.
@Skurn & redink1:
I'm getting logged out each time I submit an entry to the Forum, and I am using http, not https.
It's not the end of the world, but it is a bit of a nuisance.
Not being able to edit my posts is the end of the world though!
Also, I was logged in and then (it seems) I was logged back out when I went to type up a new posting in the forum, replying to my fellow Dinkers. The [Login] button in the upper right corner area of the web page no longer reliably indicates that you are logged in with a picture of your icon, though apparently the forum [Reply] screen worked just fine (either by auto logging me back in or ignoring the fact that the icon missing in the upper right of the page near the [Login] button was lying about me being logged out). Indeed, my icon was shown as a Lurker during the whole time I typed this.
And the little <New!> floating icons that help me see which forum postings are the ones that I have not yet read are gone too. How dreadful! Now I have to read the dates on them to decide what to click on.
And, my hair is getting grey too! (Oh, wait, that probably has nothing to do with Dink, redink1 or https. Sorry.)
yeah the https one doesn't log you out. but i've been using the naughty dangerous one so long that i have to type it up to https://www.d each time. >_<
For me the https one provides this message, which I assume has something to do with the fact that the DN "web host currently provides certificates from one of the groups that Chrome is going to start distrusting around October (more info). I hope they transition to another provider soon." problem that redink1 mentioned.
This site can’t provide a secure connection
www.dinksmallwood.net sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Works for me, except for .dmod downloading. Using chrome:
https://files.dinknetwork.com/dmod/srchmili.dmod
(wow, what an awesome dmod) gives an error, but:
http://files.dinknetwork.com/dmod/srchmili.dmod
works. Not a big deal, but down the road browsers might be annoying about mixing https with http downloads.
Sadly, Dink HD doesn't currently support https with its own network stuff though.
@ all:
I have a very important (well, okay, I mean important to me and probably some other Dinkers) update on this matter: As of a few days ago, using https: in the chromium browser "works like it used to" under http:.
@ redink1:
Hooray! Thanks for your efforts on this matter redink1!
Am I correct in assuming that this "fix" is due mostly to the DN "web host" now NO LONGER providing certificates "from one of the groups that Chrome is going to start distrusting around October" OR was there something else that changed recently?
can we get redirected to the https:// version yet
@Skurn: Yes, good idea! We want everyone to be able to easily get to the DN.
@all:
Now, we just need Seth to add https to Dink HD. Should one of us formally request that?
BTW, it is great that the windoze Dink HD version is still 32 bit. Let's keep it that way so that the greatest number of windoze (or Wine) users can use it.
I'd like to add https support to Dink (my Proton SDK to be more accurate) but it's pretty low priority until people actually can't use DMODs because of it. Because no passwords or sensitive data is sent, http seems "good enough" for now?
HTTPS also prevents a MITM from serving malicious content to the client. While all the .dmod files on the DN are good with respect to the recently fixed unpacking bug, someone could still intercept the HTTP request for a .dmod file and serve up a bugged version instead.
@magicman:
What would be the danger of a "bugged version" of a .dmod file which can only run DinkC in a closed interpreted environment?
Am I missing something?
When not running Dink 1.9.1 or DFArc 3.14 (at the time of writing the latest versions), unpacking a .dmod file can result in unpacking arbitrary files into arbitrary filesystem locations. There's a news post about that issue.
And apparently this not-HTTPS thing concerns not just Dink, but everything made with the Proton SDK. I don't know how widespread its use is, but if some other library can bug out when dealing with external resources, this can get nasty.
I remember ccleaner being infected recently https://thehackernews.com/2018/04/ccleaner-malware-attack.html
are we looking at the same issue here?
Adding HTTPS support to Dink's downloading would be good, but because Dink isn't vulnerable to "zip-slip" anymore I don't see it as an emergency.
I'm not aware of any other Proton-based app/game downloading and unzipping files, but yeah, if they are, they should make sure they don't allow the "../" trick in filenames and/or be using https. This applies to any engine/sdk, really.
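The "../" check Seth describes, written out as an added example (Python; this is not code from Dink HD, DFArc or the Proton SDK, and the archive members below are constructed for illustration, standing in for any downloaded archive regardless of its real format). The member-name check is format-agnostic; the resolved-path check is the second line of defence that catches anything the name check misses.

```python
import io
import os
import posixpath
import tempfile
import zipfile

def is_safe_member(name: str) -> bool:
    """True only if an archive member name cannot escape the extraction root:
    no empty/absolute names, no drive prefix, no normalized '..' climb."""
    if not name or name.startswith(("/", "\\")):
        return False
    if len(name) > 1 and name[1] == ":":  # 'C:...' style Windows drive prefix
        return False
    # Normalizing catches disguised traversal such as 'mymod/../../evil.txt'.
    normalized = posixpath.normpath(name.replace("\\", "/"))
    return normalized not in (".", "..") and not normalized.startswith("../")

def unsafe_members(zip_bytes: bytes) -> list:
    """Scan an archive without extracting it; return the offending member names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n)]

def safe_extract(zip_bytes: bytes, dest_root: str) -> list:
    """Extract into dest_root; raise ValueError before touching disk if any
    member is unsafe. Returns the extracted file names in archive order."""
    bad = unsafe_members(zip_bytes)
    if bad:
        raise ValueError(f"refusing archive with unsafe members: {bad}")
    dest_root = os.path.realpath(dest_root)
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            # Belt and braces: the resolved path must still sit under dest_root.
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise ValueError(f"member escapes root: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted

def build_sample(members: dict) -> bytes:
    """Constructed in-memory zip standing in for a downloaded archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def try_extract(zip_bytes: bytes) -> tuple:
    """Extract into a fresh temp dir; return (names, None) or ([], error text)."""
    try:
        return safe_extract(zip_bytes, tempfile.mkdtemp()), None
    except ValueError as exc:
        return [], str(exc)
```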
I believe I've fixed the issue that would require you to specify www.dinknetwork.com to get things like cookies to work (dinknetwork.com will automatically redirect to www.dinknetwork.com).
If anyone has any issues where you are unable to stay logged in, please let me know as soon as possible.
Now everything works fine for me. Thank you