The Dink Network

The Dink Network - Proper HTTPS Support

April 22nd 2018, 05:03 PM
redink1
King He/Him United States bloop
A mother ducking wizard 
I updated The Dink Network background code (Miasma) to correctly support https. I enabled experimental https support since around August, but a lot of things didn't work (like, uh, css) as a lot of resources were hard-coded to load from http://www.dinknetwork.com.

So, if you log in to https://www.dinknetwork.com, you should see a nice 'Secure' reference before the URL, and it should actually look ok.

If you notice any problems, please let me know ASAP.

Thanks!
April 22nd 2018, 05:05 PM
Skurn
Peasant He/Him Equatorial Guinea duck bloop
can't flim flam the glim glam 
all my links are unclicked now. how dare you
April 22nd 2018, 05:10 PM
redink1
King He/Him United States bloop
A mother ducking wizard 
I didn't think anyone would discover my nefarious plan a mere 2 minutes after announcing this.

Well played, sir, well played.
April 22nd 2018, 05:29 PM
Skurn
Peasant He/Him Equatorial Guinea duck bloop
can't flim flam the glim glam 
i discovered it while you were doing it. i also noticed the super obvious new anti-spam question.

restore the unsecure version
April 22nd 2018, 06:02 PM
redink1
King He/Him United States bloop
A mother ducking wizard 
Weird; I thought I changed the anti-spam question back around... October 18th (according to my records). We were getting a fairly heavy amount of anonymous spam, and I think several spambots were programmed to enter 'banana' as the anti-spam response, so I changed it.

The unsecure version should still work (you don't have to go to https://).
April 23rd 2018, 09:56 AM
bsitko
Peasant He/Him United States
Nice work, redink1. Next up is getting it to auto redirect to the https version.
April 23rd 2018, 11:38 AM
SlipDink
Peasant He/Him United States bloop rumble
2nd generation. No easy way to be free. 
So, we have https instead of (well, in addition to for the moment) http as a part of the DN. What was the reason for the conversion?

- Personally, I don't think that I would be worried if someone "broke into" my DN account, though it would be a little disconcerting to me, I admit. Do you think others would be more upset about this sort of thing?
- Are we worried about ISPs or other more nefarious types injecting ads (or scams) into pages?
- Is there a reason that we need to be certain that Search Engine Optimization is not putting our beloved http Dink network behind other Dink sites that use https?
- Is there concern with a lack of compatibility with Google's AMP (Accelerated Mobile Pages)?
- Do we need to reassure new visitors to the site that they are safe?

Anyway, I was just curious as to what made you decide to do it. Just in case you are wondering, I remain quite grateful for your efforts in maintaining this site, and all the Dink related matters that you have involved yourself in over the years.

Oh, and (for what it is worth) I agree with bsitko that auto-redirect to the https version should probably be the next step.

April 23rd 2018, 12:52 PM
Bluedy
Peasant He/Him Romania bloop rumble
I like Frutti Fresh 
I dunno about you but I treasure my bloop badge
April 23rd 2018, 01:53 PM
bsitko
Peasant He/Him United States
It's where the web is going. Chrome will start popping up warnings on sites that aren't using http by June, regardless of whether or not they have logins.
April 24th 2018, 08:49 PM
redink1
King He/Him United States bloop
A mother ducking wizard 
I read that Chrome was going to start displaying warnings about sites being unsafe when accessed over http, and so I thought I might as well spend a bit of time to support https.

Interestingly enough, my web host currently provides certificates from one of the groups that Chrome is going to start distrusting around October (more info). I hope they transition to another provider soon.
April 26th 2018, 09:02 PM
I suggest making HTTPS support the default, that is, automatically redirecting from HTTP to HTTPS at least in web browsers. It is not a good idea to have passwords go over plaintext through the Internet. Some users might use their Dink Network passwords on other websites. You should do this ASAP for the security of the users of this site.

And as far as Dink Smallwood HD possibly not supporting this for DMODs, well I believe it uses HTTPS to check for updates from RTSoft so it ought to work for downloading DMODs from the Dink Network, so I doubt it would have any issue. Still, making sure that DMOD downloading within Dink Smallwood HD works is something to double-check after making HTTP traffic redirect to HTTPS, just to be absolutely sure.

I personally am a member of this site and have logged into it in the past over HTTP, and I am concerned about my own security. I am not worried about any of you guys being bad; I am worried about a man-in-the-middle attack. Obviously the Dink Network itself is trustworthy, but plaintext passwords sent over HTTP are vulnerable to man-in-the-middle attacks anywhere their Internet traffic is routed through, and it is easy to intercept data, and this is very much a bad thing. A common packet capture and analysis tool like Wireshark can be used on a LAN to intercept all network traffic. So if someone is connected to a wireless LAN, public WiFi, and they visit the Dink Network website from there and log in, it is very, very easy for someone else to do a man-in-the-middle attack and get all their login info.

Sorry about that little network security rant. I used to not know very much about network security; like back when I became a member of this site I did not even notice that it was HTTP instead of HTTPS or think anything of it, but I have learned more since then and most of what I learned was pretty disturbing. I got a Network+ certification from CompTIA. I admit I am still pretty lax about security compared to a lot of people. Like in macOS it requires me to have a password, so I have my password be a single space, since 1 character is the minimum number of characters and the spacebar is the biggest and most obvious key. On Windows 10 it requires me to have a PIN number now and has complexity requirements, and I figured out the simplest possible PIN number that meets those is 1000, easy to remember, 1000. Prior to the new complexity requirements my PIN number on Windows 10 was just all zeroes, 0000. I specifically have my sudoers files on macOS and Linux set to not require a password ever, under any circumstance, and I disable as many annoying “security” features as possible in most operating systems, like User Account Control on Windows and System Integrity Protection and Gatekeeper on macOS. So I am not the most security-conscious person out there; in fact I find security to be a real pain and get in the way of getting things done most of the time. But even I think that websites that use usernames and passwords should never ever use HTTP and the ones that do all need to switch to HTTPS-only.
April 27th 2018, 08:33 PM
Skurn
Peasant He/Him Equatorial Guinea duck bloop
can't flim flam the glim glam 
help, I'm being logged out automatically over and over again
April 27th 2018, 08:40 PM
redink1
King He/Him United States bloop
A mother ducking wizard 
Until I get a permanent fix, please log in to https://www.dinknetwork.com instead of https://dinknetwork.com (the www is important).
April 27th 2018, 10:34 PM
Skurn
Peasant He/Him Equatorial Guinea duck bloop
can't flim flam the glim glam 
oh huh, it isn't doing it here. thought it was at some point.
May 1st 2018, 05:20 PM
SlipDink
Peasant He/Him United States bloop rumble
2nd generation. No easy way to be free. 
@redink1:
Today I'm getting this error (probably unrelated to https support) that is preventing me from editing my forum postings.

Modify Error
You can only modify a message that exists, silly wabbit.
May 2nd 2018, 09:49 AM
SlipDink
Peasant He/Him United States bloop rumble
2nd generation. No easy way to be free. 
@Skurn & redink1:
I'm getting logged out each time I submit an entry to the Forum, and I am using http, not https.

It's not the end of the world, but it is a bit of a nuisance.

Not being able to edit my posts is the end of the world though!
May 2nd 2018, 10:01 AM
SlipDink
Peasant He/Him United States bloop rumble
2nd generation. No easy way to be free. 
Also, I was logged in and then (it seems) I was logged back out when I went to type up a new posting in the forum, replying to my fellow Dinkers. The [Login] button in the upper right corner area of the web page no longer reliably indicates that you are logged in with a picture of your icon, though apparently the forum [Reply] screen worked just fine (either by auto logging me back in or by ignoring the fact that the missing icon in the upper right of the page near the [Login] button was lying about me being logged out). Indeed, my icon was shown as a Lurker during the whole time I typed this.

And the little <New!> floating icons that help me see which forum postings are the ones that I have not yet read are gone too. How dreadful! Now I have to read the dates on them to decide what to click on.

And, my hair is getting grey too! (Oh, wait, that probably has nothing to do with Dink, redink1 or https. Sorry.)
May 2nd 2018, 03:16 PM
Skurn
Peasant He/Him Equatorial Guinea duck bloop
can't flim flam the glim glam 
yeah the https one doesn't log you out. but i've been using the naughty dangerous one so long that i have to type it up to https://www.d each time. >_<
May 2nd 2018, 04:50 PM
SlipDink
Peasant He/Him United States bloop rumble
2nd generation. No easy way to be free. 
For me the https one provides this message, which I assume has something to do with the fact that the DN "web host currently provides certificates from one of the groups that Chrome is going to start distrusting around October ((more info)). I hope they transition to another provider soon." problem that redink1 mentioned.

This site can’t provide a secure connection
www.dinksmallwood.net sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
May 17th 2018, 01:37 AM
Seth
Peasant He/Him Japan
Works for me, except for .dmod downloading. Using chrome:

https://files.dinknetwork.com/dmod/srchmili.dmod

(wow, what an awesome dmod) gives an error, but:

http://files.dinknetwork.com/dmod/srchmili.dmod

works. Not a big deal, but down the road browsers might be annoying about mixing https with http downloads.

Sadly, Dink HD doesn't currently support https with its own network stuff though.
May 23rd 2018, 09:07 AM
SlipDink
Peasant He/Him United States bloop rumble
2nd generation. No easy way to be free. 
@ all:
I have a very important (well, okay, I mean important to me and probably some other Dinkers) update on this matter: As of a few days ago, using https: in the chromium browser "works like it used to" under http:.

@ redink1:
Hooray! Thanks for your efforts on this matter redink1!

Am I correct in assuming that this "fix" is due mostly to the DN "web host" now NO LONGER providing certificates "from one of the groups that Chrome is going to start distrusting around October" OR was there something else that changed recently?

May 23rd 2018, 04:19 PM
Skurn
Peasant He/Him Equatorial Guinea duck bloop
can't flim flam the glim glam 
can we get redirected to the https:// version yet
May 23rd 2018, 05:43 PM
SlipDink
Peasant He/Him United States bloop rumble
2nd generation. No easy way to be free. 
@Skurn: Yes, good idea! We want everyone to be able to easily get to the DN.

@all:
Now, we just need Seth to add https to Dink HD. Should one of us formally request that?

BTW, it is great that the windoze Dink HD version is still 32 bit. Let's keep it that way so that the greatest number of windoze (or Wine) users can use it.
June 6th 2018, 10:35 PM
Seth
Peasant He/Him Japan
I'd like to add https support to Dink (my Proton SDK to be more accurate) but it's pretty low priority until people actually can't use DMODs because of it. Because no passwords or sensitive data is sent, http seems "good enough" for now?
June 9th 2018, 09:36 AM
magicman
Peasant They/Them Netherlands duck
Mmmm, pizza. 
HTTPS also prevents a MITM from serving malicious content to the client. While all the .dmod files on the DN are good with respect to the recently fixed unpacking bug, someone could still intercept the HTTP request for a .dmod file and serve up a bugged version instead.
June 9th 2018, 11:37 AM
SlipDink
Peasant He/Him United States bloop rumble
2nd generation. No easy way to be free. 
@magicman:
What would be the danger of a "bugged version" of a .dmod file which can only run DinkC in a closed interpreted environment?

Am I missing something?
June 9th 2018, 12:31 PM
magicman
Peasant They/Them Netherlands duck
Mmmm, pizza. 
When not running Dink 1.9.1 or DFArc 3.14 (at the time of writing the latest versions), unpacking a .dmod file can result in unpacking arbitrary files into arbitrary filesystem locations. There's a news post about that issue.

And apparently this not-HTTPS thing concerns not just Dink, but everything made with the Proton SDK. I don't know how widespread its use is, but if some other library can bug out when dealing with external resources, this can get nasty.
June 9th 2018, 11:12 PM
liquid141
Peasant They/Them
Sons of liberty 
I remember ccleaner being infected recently https://thehackernews.com/2018/04/ccleaner-malware-attack.html

are we looking at the same issue here?
June 10th 2018, 08:11 PM
Seth
Peasant He/Him Japan
Adding HTTPS support to Dink's downloading would be good, but because Dink isn't vulnerable to "zip-slip" anymore I don't see it as an emergency.

I'm not aware of any other Proton-based app/game downloading and unzipping files, but yeah, if they are, they should make sure they don't allow the "../" trick in filenames and/or be using https. This applies to any engine/sdk, really.
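As an added illustration of the "../" check Seth describes (example code written for this thread, not code from Dink, DFArc or the Proton SDK), here is an unpacker that refuses any archive member whose name would land outside the destination directory, including backslash-style traversal and symlinks. It assumes the archive is a tar-style file, which stands in for the .dmod format here; the member names and the sample archive are constructed.

```python
import io
import os
import tarfile
import tempfile

def is_safe_member(dest_dir, member_name):
    """True only if dest_dir/member_name resolves to a path inside dest_dir."""
    dest = os.path.realpath(dest_dir)
    name = member_name.replace("\\", "/")  # archives built on Windows may carry backslashes
    if not name or os.path.isabs(name):
        return False
    target = os.path.realpath(os.path.join(dest, name))
    return target == dest or target.startswith(dest + os.sep)

def safe_extract(archive_bytes, dest_dir):
    """Unpack a tar archive, skipping members that would escape dest_dir.
    Returns (extracted, rejected) lists of member names."""
    extracted, rejected = [], []
    # Newer Pythons ship tarfile.data_filter; use it as a second line of defence when present.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            # Links can point outside dest_dir too, so accept only plain files and directories.
            if not (member.isfile() or member.isdir()) or not is_safe_member(dest_dir, member.name):
                rejected.append(member.name)
                continue
            tar.extract(member, dest_dir, **opts)
            extracted.append(member.name)
    return extracted, rejected

def build_sample_archive():
    """Constructed sample: one honest file plus three members that try to escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in [("mydmod/dmod.diz", b"a good dmod"),
                           ("../../evil.txt", b"outside"),
                           ("mydmod/..\\..\\evil2.txt", b"outside via backslashes")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("mydmod/passwd")  # symlink pointing out of the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()

def demo():
    """Extract the sample into a fresh temp dir; returns (extracted, rejected)."""
    return safe_extract(build_sample_archive(), tempfile.mkdtemp())
```

Calling demo() extracts only mydmod/dmod.diz and reports the other three members as rejected.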
June 12th 2018, 09:55 PM
redink1
King He/Him United States bloop
A mother ducking wizard 
I believe I've fixed the issue that would require you to specify www.dinknetwork.com to get things like cookies to work (dinknetwork.com will automatically redirect to www.dinknetwork.com).

If anyone has any issues where you are unable to stay logged in, please let me know as soon as possible.
June 13th 2018, 12:57 AM
Bouncycles
Peasant He/Him Germany
I've got no mouth 
Now everything works fine for me. Thank you.