Whatup UMD fam. You probably noticed that now the entire site is under SSL protection, indicated by a little padlock in your browser location bar. That means that all communications between your browser and UMD will be completely encrypted before being sent either way.
It's not that we're transferring a lot of sensitive info back and forth--we use 3rd parties like Epoch to handle that. In fact, we make it a point not to collect or store personal information in the first place when we don't have to, because we don't want that liability. But given the world's state of deteriorating privacy, I think it's the moral thing to do, to go ahead and secure everything you do at this site. I mean, isn't it all private and sensitive until you decide it isn't?
For a connection to be truly secure, then everything on the page must come from a secure connection (including images and video embeds), or else a visitor may get a warning. For that reason, we can no longer allow hot-linking images via HTML anywhere on the site; all content must originate from UMD. You can paste links to images, but not use HTML to make them actually show up on the UMD. All pages are under SSL, including the individual download stores.
I believe that there are a few browsers that may have a problem with this, so please contact me if you have any problems.
Peace,
Messmaster
[Edit: If this is a train wreck, I'll turn it off if need be!]
It looks like in Firefox anyway images can still be hot-linked, however objects cannot be embedded (interestingly though, the Video Archive still works). In Firefox, you can reveal the embedded YouTube vid below by clicking the "shield" next to the "padlock" in the address bar as pictured at the bottom of this post.
smess said: It looks like in Firefox anyway images can still be hot-linked.... Embedding still sometimes works too
Hotlinking hasn't been prevented programmatically yet.
I've worked to make YouTube embeds and UMD store plugs still work, by dynamically updating their requests to https. I've just now made a change to make other types of YouTube embeds work, too.
Is this causing download stores to not work? Every time I click a link for a store (including to the iWam store in your sig) it redirects to the home page.
kittenish said: Is this causing download stores to not work? Every time I click a link for a store (including to the iWam store in your sig) it redirects to the home page.
The sigs have been updated, and a few other things. Thanks.
First reaction, do not like. That's pretty much my entire promotional system (and many years of development work) down the pan, and it'll affect quite a few others, including some very major producers, the same way.
It also means a trainload of extra work for the UMD servers having to encrypt every single http request, so load per user will go up a lot, though possibly with the new hardware that doesn't matter.
DungeonMasterOne said: First reaction, do not like. That's pretty much my entire promotional system (and many years of development work) down the pan, and it'll affect quite a few others, including some very major producers, the same way.
It's not really something I can control. If I want to secure the entire site, then everything served on our pages must come directly from umd.net, not external sources. On the other hand, if you can serve your images through secure https, then I can work with you to allow that.
DungeonMasterOne said: First reaction, do not like. That's pretty much my entire promotional system (and many years of development work) down the pan, and it'll affect quite a few others, including some very major producers, the same way.
It's not really something I can control. If I want to secure the entire site, then everything served on our pages must come directly from umd.net, not external sources. On the other hand, if you can serve your images through secure https, then I can work with you to allow that.
Aha - OK, that would work. SSL certs are cheap enough, easy to stick one on wench.gungemaster.com and then serve the promos from that instead of plain http. And we certainly have the server horsepower to handle it at our end. Other producers with their own servers or half-decent hosting should be able to do the same. Hadn't actually realised it was OK to serve a secure page made of elements from different secure sources, had always assumed browsers would object to that the same way they object to mixed secure and non-secure content on the same page - you learn something every day!
Ta for taking that point on board, appreciated.
One other potential downside though, the change may have locked some people out of the UMD again - both Opera on my phone and Firefox on this Windows PC regard http and https sites as entirely different entities, so I had to re-enter my username and password to log in.
DungeonMasterOne said: both Opera on my phone and Firefox on this Windows PC regard http and https sites as entirely different entities, so I had to re-enter my username and password to log in.
Good. Your usernames and passwords are now transmitted securely when you log in. That was part of the point.
I guess I see now. If I go to a SSL certified Google image search page like https://www.google.com/search?q=%22messygirl.com%22&tbm=isch, there are no warnings because the images shown are actually coming from a Google affiliated server like Gstatic. But click one of the pics and the triangle-exclam symbol appears next to the padlock because the actual image from another site becomes an embedded part of the page. I could envision the first part being achieved programmatically in a UMD posting (parsing the text, loading the image on a server, rewriting the text, etc.) but I fully understand that you don't have a Google team handy for such extravagances.
It's a shame though. I wonder what the SSL thinking is behind that, because surely there is nothing dangerous about a JPEG, is there? Weird.
smess said: I guess I see now. If I go to a SSL certified Google image search page like https://www.google.com/search?q=%22messygirl.com%22&tbm=isch, there are no warnings because the images shown are actually coming from a Google affiliated server like Gstatic. But click one of the pics and the triangle-exclam symbol appears next to the padlock because the actual image from another site becomes an embedded part of the page. I could envision the first part being achieved programmatically in a UMD posting (parsing the text, loading the image on a server, rewriting the text, etc.) but I fully understand that you don't have a Google team handy for such extravagances.
It's a shame though. I wonder what the SSL thinking is behind that, because surely there is nothing dangerous about a JPEG, is there? Weird.
That's it exactly. The reasoning is that there are all kinds of other things that can be included in a page, plus there may well be some kind of jpeg exploit that no-one's discovered yet. When I first started administering servers, nearly 20 years ago now, it sometimes felt that a new remote root exploit in core software was being discovered every other week, and since then exploits that couldn't even have been imagined in the 1990s have wrought complete havoc across the networks. So better to warn about any non-secure content on a secure page, however benign it might appear to be, just in case.
smess said: I wonder what the SSL thinking is behind that, because surely there is nothing dangerous about a JPEG, is there? Weird.
Not that I know of. The idea behind encrypting everything isn't really about preventing viruses tho. It's to prevent the middlemen who ARE skimming our connections and tracking and storing everything that we do. It is UMD's tin hat, and I'm following Google's advice to encrypt every page, and for the same reason.
There's nothing inherently terrible about mixed content. It's just that the lock icon that your browser shows you would be a lie if some of the content on the page wasn't delivered securely. So the lock would turn yellow, or even worse, users will get a pop-up error message.
Messmaster said: Whatup UMD fam. You probably noticed that now the entire site is under SSL protection, indicated by a little padlock in your browser location bar. That means that all communications between your browser and UMD will be completely encrypted before being sent either way.
It's not that we're transferring a lot of sensitive info back and forth--we use 3rd parties like Epoch to handle that. In fact, we make it a point not to collect or store personal information in the first place when we don't have to, because we don't want that liability. But given the world's state of deteriorating privacy, I think it's the moral thing to do, to go ahead and secure everything you do at this site. I mean, isn't it all private and sensitive until you decide it isn't?
For a connection to be truly secure, then everything on the page must come from a secure connection (including images and video embeds), or else a visitor may get a warning. For that reason, we can no longer allow hot-linking images via HTML anywhere on the site; all content must originate from UMD. You can paste links to images, but not use HTML to make them actually show up on the UMD. All pages are under SSL, including the individual download stores.
I believe that there are a few browsers that may have a problem with this, so please contact me if you have any problems.
Peace,
Messmaster
[Edit: If this is a train wreck, I'll turn it off if need be!]
Do I understand correctly that pasting html links is still OK?
DIDVP said: It appears that unless you are logged onto the site links to individual download stores no longer work.
For me on Firefox anyway, those links work whether I'm logged in or not. Don't know if this is anything, but when I visit DIDVP's store https://didvp.umd.net/ I get the "shield" icon next to the padlock as depicted in my first post in this thread. However when I visit this newer store https://reverend-slymsfords-splosher.umd.net/ that shield does not appear. One difference I see in the two stores is that in the page source for DIDVP's store there is an insecure link to a stylesheet from googleapis in the first few lines of code, whereas in the newer store that does not appear. Having said that, this (relic?) stylesheet link appears in DIDVP's store whether I'm logged in or not.
DIDVP said: It appears that unless you are logged onto the site links to individual download stores no longer work.
I can't seem to reproduce the problem. Can you let me know which link you're trying that isn't working?
Well now it's working. I'm not sure what was going on, maybe just a browser issue, but seems to be fixed now. I also checked a bunch of my promotional links and they seem to be fine too so I have no complaints.
You guys are the best. Thanks. I've updated it so that images using relative links are kept intact.
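An added example, not UMD's actual code: a sketch of the kind of post filter discussed in this thread, which leaves relative and https URLs alone, upgrades YouTube embeds to https, and flags any remaining http subresource (such as an insecure stylesheet link) as active or passive mixed content. The host list, function name and sample post are assumptions constructed for illustration.

```javascript
// Hosts assumed (for this example) to serve the same content over HTTPS.
const UPGRADABLE_HOSTS = new Set(["www.youtube.com", "youtube.com"]);
// Insecure loads of these can script or restyle the page: "active" mixed content,
// which browsers typically block; images and media are "passive" and usually only warned about.
const ACTIVE_TAGS = new Set(["script", "iframe", "embed", "object", "link"]);
const URL_ATTR = { object: "data", link: "href" }; // all other tags use src
// Regex scanning is a simplification; a production filter should use an HTML parser.
const TAG_RE = /<(img|script|iframe|embed|object|link|video|audio|source)\b[^>]*>/gi;

function auditPostHtml(html) {
  const findings = [];
  const rewritten = html.replace(TAG_RE, (tag, rawName) => {
    const name = rawName.toLowerCase();
    // Only stylesheet links are fetched as subresources.
    if (name === "link" && !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(tag)) return tag;
    const attrRe = new RegExp(`(\\s${URL_ATTR[name] || "src"}\\s*=\\s*)(["'])(.*?)\\2`, "i");
    const m = tag.match(attrRe);
    if (!m) return tag;
    const url = m[3].trim();
    // Relative, protocol-relative and https URLs already load over TLS on an https page.
    if (!/^http:\/\//i.test(url)) return tag;
    let host = "";
    try { host = new URL(url).hostname.toLowerCase(); } catch { /* malformed: stays untrusted */ }
    if (UPGRADABLE_HOSTS.has(host)) {
      const secure = url.replace(/^http:/i, "https:");
      findings.push({ tag: name, url, action: "upgraded" });
      return tag.replace(attrRe, (_, pre, quote) => pre + quote + secure + quote);
    }
    const action = ACTIVE_TAGS.has(name) ? "active-mixed" : "passive-mixed";
    findings.push({ tag: name, url, action });
    return tag;
  });
  return { rewritten, findings };
}

// Constructed sample post (placeholder hosts and video id).
const SAMPLE_POST = [
  '<link rel="stylesheet" href="http://fonts.example.net/css?family=Demo">',
  '<img src="/images/promo.jpg">',
  '<img src="http://promos.example.org/banner.jpg">',
  '<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>',
  '<img src="https://secure.example.org/banner.jpg">',
].join("\n");

const report = auditPostHtml(SAMPLE_POST);
for (const f of report.findings) console.log(`${f.action.padEnd(13)} <${f.tag}> ${f.url}`);
```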
Not sure if the fix is fully working, when I posted this one - https://umd.net/forums/modesty-the-bride-takes-on-eve - I got two blank squares where the models' profile images should have been and the code showed the file as something like "no-image.jpg". I manually hacked it to pull in the images from their profiles, which is why they are full-length instead of the usual square ones.
TBH I prefer the full length ones, might make a point of doing that by hand for major scenes in future.
FYI you probably want to disable RC4 in the allowed ciphers since the only benefit these days is mitigating BEAST and that's kind of solved by TLS. It depends on how many ancient IE6 users still hit the site, which is hopefully a number between 0 and, well, 0. :sick:
DungeonMasterOne said: First reaction, do not like. That's pretty much my entire promotional system (and many years of development work) down the pan, and it'll affect quite a few others, including some very major producers, the same way.
It's not really something I can control. If I want to secure the entire site, then everything served on our pages must come directly from umd.net, not external sources. On the other hand, if you can serve your images through secure https, then I can work with you to allow that.
Hmm, I recently updated my site to secure https as well, partly in order to still be able to hotlink promotional images in here. It would be great if you could allow hotlinking images from secure sources!
Model images on download promos are still b0rked I'm afraid - by default it's giving me an image source of this: where it should be putting the URL of the model's image (for all models in a scene).
It is however apparently putting the URL of a model's image in the "title" attribute of the model image. (e.g. this one for one of mine: )