NEWS: Forum Update week of Sept 24th-28th, Downtimes

[Turmfalke2]

While you are at it, could we also get IPv6?

Code: Select all

$ dig -t AAAA @ns1.domaindiscount24.net forum.egosoft.com

; <<>> DiG 9.11.2-P1 <<>> -t AAAA @ns1.domaindiscount24.net forum.egosoft.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13457
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;forum.egosoft.com.             IN      AAAA

;; AUTHORITY SECTION:
egosoft.com.            28800   IN      SOA     ns1.domaindiscount24.net. tech.key-systems.net. 2018090403 10800 3600 604800 28800

;; Query time: 39 msec
;; SERVER: 94.23.153.36#53(94.23.153.36)
;; WHEN: Fri Sep 21 18:49:30 CEST 2018
;; MSG SIZE  rcvd: 123

[BurnIt!]

While you are at it, could we also get IPv6?

Check again now.

[radcapricorn]

Keep it 2000s, EgoSoft! Keep it free of that modern animating sliding resource hog mumbo-jumbo!

[Turmfalke2]

Thank you.

Code: Select all

$ dig -t AAAA @ns1.domaindiscount24.net forum.egosoft.com

; <<>> DiG 9.11.2-P1 <<>> -t AAAA @ns1.domaindiscount24.net forum.egosoft.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1722
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;forum.egosoft.com.             IN      AAAA

;; ANSWER SECTION:
forum.egosoft.com.      28800   IN      AAAA    2a01:488:67:1000:523:f8d2:0:1

;; AUTHORITY SECTION:
egosoft.com.            28800   IN      NS      ns1.domaindiscount24.net.
egosoft.com.            28800   IN      NS      ns2.domaindiscount24.net.
egosoft.com.            28800   IN      NS      ns3.domaindiscount24.net.

;; ADDITIONAL SECTION:
ns1.domaindiscount24.net. 28800 IN      A       94.23.153.36
ns1.domaindiscount24.net. 28800 IN      AAAA    2001:41d0:c:388:94:23:153:36
ns2.domaindiscount24.net. 28800 IN      A       188.165.164.171
ns2.domaindiscount24.net. 28800 IN      AAAA    2001:41d0:d:7ea:188:165:164:171
ns3.domaindiscount24.net. 28800 IN      A       198.27.76.32
ns3.domaindiscount24.net. 28800 IN      AAAA    2607:5300:60:5e1c:198:27:76:32

;; Query time: 38 msec
;; SERVER: 94.23.153.36#53(94.23.153.36)
;; WHEN: Fri Sep 21 21:37:25 CEST 2018
;; MSG SIZE  rcvd: 280

E: May I make more suggestions or should I wait for the forum upgrade?

[CBJ]

Nobody is stopping you from making suggestions. Whether anything can or will be done about them in the time available is another matter.

[Hank001]

HOLY @$!#!

Milestone: I'll live long enough to see the site upgraded!
Way to go Egosoft!
"Mobile Friendly" too!
I'm plumb choked up...
(Happy tears)

Edit: @CBJ
I promise not to use reCAPTCHA so you're safe... For now.

<Split and merged from an unrelated OT thread. Alan Phipps>

[Hank001]

Hurray Egosoft!

As a mobile user the consideration there is appreciated.
(Maybe now I won't be locked out when my mobile carrier bounces my IP adress around like a @$!# ping pong ball!)

[thrangar]

Yeah!...for the new search function!

[Turmfalke2]

In that case..

Right now both egosoft.com and the forums default to http. Since you are already using Let's Encrypt there is little reason not to redirect all http traffic to https. Currently most of the links within the forum are https, but some like the FAQ aren't. If you are using certbot with webroot-path you want to exclude .well-known/acme-challenge so the auto renew still works.

E:

Encrypted payments on this website

If you enter into a contract which requires you to send us your payment information (e.g. account number for direct debits), we will require this data to process your payment.

Payment transactions using common means of payment (Visa/MasterCard, direct debit) are only made via encrypted SSL or TLS connections. You can recognize an encrypted connection in your browser's address line when it changes from "http://" to "https://".

In the case of encrypted communication, any payment details you submit to us cannot be read by third parties.

You probably want to remove the SSL part here. SSL has been broken & deprecated since 2015. The payment card industry security standards council demands that no payment information are processed through SSL or early TLS versions after June 26, 2018. In the best case this is misleading, in the worst it can be pretty costly mistake. Please ensure you are only using TLS 1.2 or higher.

[CBJ]

Right now both egosoft.com and the forums default to http. Since you are already using Let's Encrypt there is little reason not to redirect all http traffic to https. Currently most of the links within the forum are https, but some like the FAQ aren't. If you are using certbot with webroot-path you want to exclude .well-known/acme-challenge so the auto renew still works.

The forum has been set to default to https for quite some time. Are you sure you're not just using an old bookmark?

Encrypted payments on this website

This is most likely just an outdated message, but we can check. Thanks for highlighting it.

[Turmfalke2]

The forum has been set to default to https for quite some time. Are you sure you're not just using an old bookmark?

Even if I were to use an old bookmark I would expect a 301 instead of a 200.

Code: Select all

$ curl -I http://forum.egosoft.com
HTTP/1.1 200 OK
Date: Sat, 22 Sep 2018 10:56:52 GMT
Server: Apache/2.4.10 (Debian)
[cookie data removed]
Cache-Control: no-cache, pre-check=0, post-check=0
Expires: 0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

compared to amazon.com

Code: Select all

 $ curl -I http://amazon.com
HTTP/1.1 301 Moved Permanently
Server: Server
Date: Sat, 22 Sep 2018 10:57:56 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://amazon.com/

[edit by BurnIt!] cookie data removed

[BurnIt!]

First: please make sure you do NOT post your cookie information anywhere. I have edited the data out of your post.


We do not have a permanent redirect to https active at this time, that is correct, this was set up intentionally but may change in the future.

For now http access is still allowed but HTTP Strict Transport Security is enabled.

The message regarding the encryption is indeed not entirely accurate as we do in fact not employ SSL, but TLS (1.2).

[Turmfalke2]

Wait what..? That wasn't my cookie, at least not one that contains data worth protecting.

I didn't provide any cookies in my http request, so it is just your page generating a new cookie without being given any login information or such. The better question would be, why would it even try to set a cookie in that situation? There is nothing worth saving.

While we are it, you might also want to rework your cookie policy.

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Cookie Policy.

"By using our website you consent" is a direct violation of gdpr. ( http://www.privacy-regulation.eu/en/recital-32-GDPR.htm & http://www.privacy-regulation.eu/en/art ... s-GDPR.htm (11))

[A5PECT]

Welp, time to pay our last respects to the old forum.

<Split and merged from an unrelated thread. Alan Phipps>

[Miniding]

@ Turmfalke2: You seem to be well informed about GDPR!!!
Of course as a European company, Ego should be Following the rule too.

But we are on a forum, not on any Bank website… In fact, the only personal information Ego's got from us is our mail address, isn"t it?

I Don't mind what info can be taken from Ego's cookies… What can be so important? What I say here, I totally assume!!!



Edit : Thanks for the clarifying edit of my post "I Don't know who"

[Fanchen]

@Miniding
There are more things than just the mail address. For example, according to the GDPR, IP addresses are personal data. Accessing any website also transmits information like your browser and operating system versions. Websites might analyse at what times you access them (though I suspect Egosoft doesn't. )

Cookies can store your session data, and that information might allow others to access your account until you log off. Most people don't want others to read their messages or write posts under their name.

[Tamina]

Can't login anymore, I get an error message, the session times out in seconds. I guess this is related to the forum update?

@Fanchen
Despite this being a problem of Egosoft and not ours, do you know this by fact?
(Except for the IPs: I know Google has to anonymize IPs of German residents.)

[Fanchen]

@Tamina
What exactly are you referring to, the browser/OS versions? That is done by the User Agent string which you can check on website like this one. And yes, given that websites can identify you (for example by your IP address or, even easier, because you are logged in) they could check at what time you are using their service.

[Tamina]

I hope this is still somewhat ontopic and my last post on this matter.
To clarify the question: If the information you listed fall into the declaration of "personal information" in the GDPR by fact.
(Despite that they could be potentially used to cross-track a single person with enough given other information.)

[StoneLegionYT]

Keep in mind just using basic google analytics you need to have a Privacy Policy.