Site Move

By Shamus Posted Friday Jun 23, 2017

Filed under: Notices 43 comments

Due to overwhelming public demand[1], I’m setting up this domain to work with SSL, which means that https://www.shamusyoung.com will be a thing. This will make the forums more secure, fix the domain currently squatting on the https version of this site, and may also help out the alarming number of people who are reporting that this site has recently been blocked by their employer.

However, this means the site is going to be disrupted. shamusyoung.com will be moved to a unique IP address, which means we’ll need to wait for the new DNS to shake out. If all goes well, then at some point this weekend the site will (from your point of view) vanish, and then reappear shortly after.

Also, I’m going to need to move the forums. They’re currently hosted at forums.shamusyoung.com, but they’re going to move to https://www.shamusyoung.com/forums so they can benefit from the added security.

I’ll post a notice here once the move is over. See you on the other side.

 

Footnotes:

[1] Upwards of five people bugged me about it.




43 thoughts on “Site Move”

  1. Misamoto says:

    There are forums, huh…?

    1. MarcoSnow says:

      This was news to me as well. I was pleasantly surprised to see that the forums feature a play-by-post section. What else aren’t you telling us about, Shamus?

      1. Daemian Lucifer says:

        What else aren't you telling us about, Shamus?

        He also has a patreon.

      2. Dreadjaws says:

        “What else aren't you telling us about, Shamus?”

        You can purchase Happy Meal toys separately.

        1. Jeff says:

          Unless they’re good/popular toys, in which case they won’t sell them separately.

          So basically you can do it when you don’t really want to, but can’t when you do.

      3. Duoae says:

        What the-?

        I’ve been coming here for countless years and I *assumed* that people were slyly, with a wink and a nudge, referring to the comments on these posts as “the forum”….

        I just realised I’ve been ignoring the darkened-out bar at the top of the site (though that is relatively new) to get to the content….

        1. Sleeping Dragon says:

          Unlike many other webauthors Shamus encourages having actual conversations in the comments and he has politely but firmly made it clear he does not want for the forums to siphon the relevant discussions away from the site. As a result it’s not that we’re avoiding mentioning it but it just doesn’t come up often.

  2. That’s gonna be an adjustment. I rely on the url autofill, so I don’t actually have your site or the forums bookmarked.

    1. =David says:

      Subscribe on Feedly, then you’ll know when it’s all over.

    2. Echo Tango says:

      You could probably just…click the bookmark button in your browser. I mean, it probably even works as intended. :P

    3. Follow him on Twitter. I am sure he’ll have an updated link in his bio.

    4. Zak McKracken says:

      the http link will likely continue working, so no worries.
      If you have something like “https everywhere” installed, it will automatically try to translate every http link to https. So I hope that this will automatically move my auto-complete address to use https.

  3. Leland Hulbert says:

    Will RSS feeds be affected?

    1. EwgB says:

      Seconded (so that Shamus knows there are at least two people using it)

  4. Jabrwock says:

    *updates bookmark* check

    I work with a not-for-profit, and we just got notified that we have to buy a certificate and switch to https, or else google will start ‘downvoting’ our search rating because we’re ‘insecure’.

    1. Echo Tango says:

      1) You can get certificates completely free of monetary cost, at Let’s Encrypt.

      2) Your website is actually insecure. A malicious user could man-in-the-middle your website, because it doesn’t have end-to-end encryption, with its identity certified.

      Any website that requires a user to enter sensitive information (like a password, payment information, or an address) is a target for malicious users[1]. If a website doesn’t do anything like that, then technically security isn’t required; Nobody’s really going to put in the effort to spoof users visiting a website full of cat pictures. However, most activities that are interesting require sensitive information; At minimum, this is usually an email address and password.

      Since most people are overwhelmed by the number of logins they need to keep track of, there’s a pretty good chance that password and email combination is being reused. If it can be grabbed from one insecure website, that person’s entire online persona is at risk. As pointed out above, it’s easy and free of cost to get a security certificate. Not setting up end-to-end encryption for a website is needlessly putting users at risk. That’s actually the reason Google is putting pressure on websites to get set up properly.

      [1] Usually criminals, but sometimes just annoying teenagers if you’re lucky.

      1. Nentuaby says:

        Even if your site IS completely passive, there’s no reason a man-in-the-middle attacker can’t make it *appear* to want the user to send sensitive information.

        “Welcome to ourcharity.com. Introducing the new ourcharity forums– chat with other caring members of your community! Sign up here >”

      2. Daemian Lucifer says:

        Usually criminals, but sometimes just annoying teenagers if you're lucky.

        I think the ratio is the other way. Mostly it’s just teenagers, and a few serious criminals here and there.

      3. Elemental Alchemist says:

        You can get certificates completely free of monetary cost, at Let's Encrypt.

        +1 for Let’s Encrypt. It has really changed the game, to the point where there is no longer any excuse for everyone not to switch to HTTPS.

        Once you have your certs installed, you can check your setup at SSL Labs – https://www.ssllabs.com/ssltest/ Chances are you’ll need to make a number of adjustments to things like your cipher suite and so forth. It is a little daunting initially if you haven’t had much to do with that side of things, but there are plenty of tutorials around that will get you sorted out.

        If a website doesn't do anything like that, then technically security isn't required

        I would say that technically isn’t true. Chances are at some point your content will be hotlinked to a site that is running HTTPS, and then you have unencrypted content on an encrypted page. Ultimately for the health of the internet, everyone should be switching to HTTPS.

      4. Zak McKracken says:

        Even worse than the man-in-the-middle scenario you describe is the one where a (potentially spoofed) website asks for your e-mail address, then triggers a password reset for that e-mail address in the background, while asking you for the information needed to impersonate you to your e-mail provider. There’s even a way to circumvent two-factor authentication that way.
        Won’t work every time but it’s surprising what this can do.

        https://www.ieee-security.org/TC/SP2017/papers/207.pdf

        Solution: never use your mother’s actual maiden name for recovery questions but treat them like additional passwords, and store those securely in a password manager. And never re-use passwords (including those security questions).

        My e-mail account was pwned in 2015. Since then, I’ve got a proper password manager (Keepass — works on Linux, Windows and Android! Probably iOS too), and use proper random passwords, except the master password for the password manager which I made a bit longer (>15 characters) to compensate for the fact that I changed a few characters to make it more memorable. I’m syncing the password database via syncthing, so I can update it on any device and have the results available on any other. The only exception (of course…) is my e-mail password because I sometimes need to log on to webmail from a machine that is not mine….

        Since then, I’ve also developed a hatred for sites which limit password lengths and special characters. I have written more than a few angry mails to website operators who do this but the universal answer is “we care deeply about your security, our website is like totally safe or something”. I have continued to build hatred for websites which mandate user accounts for no apparent reason, too. That’s just asking for trouble.

        So thank you very much, Shamus, for allowing us all to comment here without a user account!

  5. moved to a unique IP address

    This is no longer a requirement for SSL/TLS thanks to Server Name Indication. You can run as many SSL sites on a single IP as you want.

    There’s also Subject Alternative Name so that a single cert can cover multiple domains and subdomains, meaning there is no technical reason to move the forums.

    Let’s Encrypt by default generates SNI and SAN certificates, entirely free.

  6. MadTinkerer says:

    I’ve tried going to the https version and it says it’s not properly configured. I assume that’s going to be fixed?

    1. xKiv says:

      Does that sound like “fix the domain currently squatting on the https version of this site”?

  7. xKiv says:

    I am assuming both http:// versions (of shamusyoung.com and http://www.shamusyoung.com) will simply redirect to https://www.shamusyoung.com ?

  8. May the move go better than my last (physical) move. Turns out moving out of the dorms (for the last time) and driving 1k miles home is kinda nightmarish when you’ve sprained both wrists/hands so badly you had to take your finals orally (couldn’t write, couldn’t type, couldn’t really drive except in a straight line, and packing happened only by the grace of God, painkillers, and good friends. Mostly the good friends and their friends, bribed by pizza and beer)

    1. Zak McKracken says:

      Ouch!

      I hate moving. Have moved so often that you could think I’m getting good at it. I’ve definitely gotten better but every move is still more annoying than the previous one. I start to understand people who just pay a moving company to do all the packing, moving unpacking and decorating the new place … until I realize what that would cost me.

      1. Daemian Lucifer says:

        until I realize what that would cost me.

        I used to think like that a while ago, so everything I could I did myself. But then, one day I thought to myself “How much is my free time worth to me?”. After that long think, it was actually rather easy for me to pay for a bunch of menial tasks that I could just do myself. Do a thorough house cleaning? Sure, I could spend hours doing that. But I’d rather pay someone else to do it while I spend those hours enjoying myself.

        1. Zak McKracken says:

          Sure — but that always depends on how much money you have available and what you were planning to spend it on otherwise…

          In addition, I do take some pride in being able to do my stuff myself. Maybe not the complicated things but taking apart and putting together my furniture, including the kitchen, repairing my bicycle or changing tyres on my car. It doesn’t happen often and it’s way better for my back than the stuff I’m doing otherwise (most of which involve sitting in front of computers).

  9. Mephane says:

    I like this. Any chance that the site will default to https after the change? Many do that already, if you just type the address starting with www, you automatically reach it via https.

    However this might just as well be a browser feature that they may try first to reach https and then default to http if the former is not available.

    1. Elemental Alchemist says:

      It’s fairly trivial to do a permanent redirect on the server-side so that all traffic is routed to the HTTPS site.

    2. Zak McKracken says:

      My recommendation: https://www.eff.org/https-everywhere. Works on most browsers and automatically turns http requests into https ones if possible. Will still give you http if https fails, rather than showing ugly error screens.

      1. Daemian Lucifer says:

        Your recommendation is to…eff it?….

        1. Zak McKracken says:

          EFFectively, yes :)

          The best solutions are always the ones where the user has to do as little as possible, and then everything works as well as it can. HTTPS everywhere is one of those. Install it once, and you’re good. The only thing better than that would be if browsers just acted like this by default. Which they totally should.

      2. xKiv says:

        That only works for sites added to their “supported sites” database, or to user rules in some xml file somewhere in, presumably, firefox profile. It does not actually try to enforce https everywhere (that wouldn’t even work, and wouldn’t be secure).

        I would use the “redirector” addon, which only rewrites addresses that I told it to rewrite, but it lets me edit those rules easily in browser.

        1. Zak McKracken says:

          hmm… but these days I never really specify either profile when entering an address and usually end up with https — there must be something to make a browser default to trying “http://www.shamusyoung.com” rather than “http://www.shamusyoung.com” when I just enter “www.shamusyoung.com”.

          1. xKiv says:

            The normal way is (AFAIUI):
            (edited: added spaces inside urls, so links are not interpreted as links)
            1) enter domain.com
            2) browser tries http:// domain . com – finds nothing (or redirect to www . domain . com, or something else that says “you should be using www . domain . com instead”, but probably nothing)
            3) browser tries http:// www . domain . com – finds redirect to https:// www . domain . com
            4) browser tries https:// www . domain . com/ – finds a page

            Step 2 is controlled by browser (it can try a bunch of different transformations, including calling home for a search result). It is also where addons like https everywhere can plug in.

            Step 3 has to be configured by owner of the (web) server.

            1. Zak McKracken says:

              ohhkay, makes sense, thanks for the explanation.

              Also, does https work for anyone yet? It doesn’t for me.

  10. Fade2Gray says:

    That’s good news. I’ve spent the last few weeks taking my phone off Wi-Fi at work to check your site.

  11. Chrome chokes on the certificate, it does not recognize the root certificate. Apparently the cert is self-signed?

  12. Jimbo says:

    Trying to connect to the https site via Firefox, I get a warning page that tells me the connection is not secure:

    http://www.shamusyoung.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for the following names: sp-445.jeminnovation.com, mail.sp-445.com, sp-445.com, http://www.sp-445.com, http://www.sp-445.jeminnovation.com
    Error code: SEC_ERROR_UNKNOWN_ISSUER
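
The name check behind the "only valid for the following names" part of the warning above, and the Subject Alternative Name point made in comment 5, as an added example that is not part of the original post or its comments. The shared-host names are the ones quoted in the warning (with the auto-linked "http://" prefixes dropped); the `SITE_SANS` list is a hypothetical replacement certificate, and the issuer-trust half of the error (self-signed) is not modelled.

```python
# Added example: hostname-vs-SAN matching as a TLS client performs it.
# The SAN lists are constructed sample data, not read from a live certificate.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split it into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """True if one SAN dNSName entry covers hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.example.com' covers 'www.example.com' but
    neither 'example.com' nor 'a.b.example.com'.
    """
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        # Require two fixed labels after the '*' so '*.com' never matches.
        return len(pattern) >= 3 and host[0] != "" and host[1:] == pattern[1:]
    return host == pattern

def covering_names(hostname, san_list):
    """Return the SAN entries that cover hostname (empty list = mismatch)."""
    return [san for san in san_list if san_matches(hostname, san)]

# Names listed in the Firefox warning quoted above.
SHARED_HOST_SANS = [
    "sp-445.jeminnovation.com", "mail.sp-445.com", "sp-445.com",
    "www.sp-445.com", "www.sp-445.jeminnovation.com",
]
# Hypothetical certificate whose SAN list covers the blog and the forum host.
SITE_SANS = ["shamusyoung.com", "www.shamusyoung.com", "forums.shamusyoung.com"]

if __name__ == "__main__":
    for host in ("www.shamusyoung.com", "forums.shamusyoung.com"):
        for label, sans in (("shared-host", SHARED_HOST_SANS), ("site", SITE_SANS)):
            hits = covering_names(host, sans)
            verdict = "OK via " + hits[0] if hits else "NAME MISMATCH"
            print(f"{host:24} {label:12} {verdict}")
```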

  13. Leland Hulbert says:

    Seems to have worked now for the first time for me. Have to wait until Wednesday to see if it changed anything at work.

    1. Daemian Lucifer says:

      Works for me too. But the rss feed still links to the http version of the site, so maybe look at that one as well, Shamus.
