Page 3 of 9

Posted: Fri, 21. Sep 18, 18:55
by Turmfalke2
While you are at it, could we also get IPv6?

Code:

$ dig -t AAAA @ns1.domaindiscount24.net forum.egosoft.com

; <<>> DiG 9.11.2-P1 <<>> -t AAAA @ns1.domaindiscount24.net forum.egosoft.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13457
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;forum.egosoft.com.             IN      AAAA

;; AUTHORITY SECTION:
egosoft.com.            28800   IN      SOA     ns1.domaindiscount24.net. tech.key-systems.net. 2018090403 10800 3600 604800 28800

;; Query time: 39 msec
;; SERVER: 94.23.153.36#53(94.23.153.36)
;; WHEN: Fri Sep 21 18:49:30 CEST 2018
;; MSG SIZE  rcvd: 123

Posted: Fri, 21. Sep 18, 19:30
by BurnIt!
Turmfalke2 wrote: While you are at it, could we also get IPv6?
Check again now.

Posted: Fri, 21. Sep 18, 20:25
by radcapricorn
Keep it 2000s, EgoSoft! Keep it free of that modern animating sliding resource hog mumbo-jumbo!

Posted: Fri, 21. Sep 18, 21:39
by Turmfalke2
Thank you.

Code:

$ dig -t AAAA @ns1.domaindiscount24.net forum.egosoft.com

; <<>> DiG 9.11.2-P1 <<>> -t AAAA @ns1.domaindiscount24.net forum.egosoft.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1722
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;forum.egosoft.com.             IN      AAAA

;; ANSWER SECTION:
forum.egosoft.com.      28800   IN      AAAA    2a01:488:67:1000:523:f8d2:0:1

;; AUTHORITY SECTION:
egosoft.com.            28800   IN      NS      ns1.domaindiscount24.net.
egosoft.com.            28800   IN      NS      ns2.domaindiscount24.net.
egosoft.com.            28800   IN      NS      ns3.domaindiscount24.net.

;; ADDITIONAL SECTION:
ns1.domaindiscount24.net. 28800 IN      A       94.23.153.36
ns1.domaindiscount24.net. 28800 IN      AAAA    2001:41d0:c:388:94:23:153:36
ns2.domaindiscount24.net. 28800 IN      A       188.165.164.171
ns2.domaindiscount24.net. 28800 IN      AAAA    2001:41d0:d:7ea:188:165:164:171
ns3.domaindiscount24.net. 28800 IN      A       198.27.76.32
ns3.domaindiscount24.net. 28800 IN      AAAA    2607:5300:60:5e1c:198:27:76:32

;; Query time: 38 msec
;; SERVER: 94.23.153.36#53(94.23.153.36)
;; WHEN: Fri Sep 21 21:37:25 CEST 2018
;; MSG SIZE  rcvd: 280
E: May I make more suggestions or should I wait for the forum upgrade?

Posted: Fri, 21. Sep 18, 22:51
by CBJ
Nobody is stopping you from making suggestions. Whether anything can or will be done about them in the time available is another matter. :)

Posted: Fri, 21. Sep 18, 23:46
by Hank001
HOLY @$!#!

Milestone: I'll live long enough to see the site upgraded!
Way to go Egosoft!
"Mobile Friendly" too!
I'm plumb choked up... :cry:
(Happy tears)

Edit: @CBJ
I promise not to use reCAPTCHA so you're safe... For now. :D

<Split and merged from an unrelated OT thread. Alan Phipps>

Posted: Fri, 21. Sep 18, 23:58
by Hank001
Hurray Egosoft!

As a mobile user the consideration there is appreciated. :thumb_up:
(Maybe now I won't be locked out when my mobile carrier bounces my IP address around like a @$!# ping pong ball!) :D

Posted: Sat, 22. Sep 18, 02:11
by thrangar
Yeah!...for the new search function!

Posted: Sat, 22. Sep 18, 09:27
by Turmfalke2
In that case...

Right now both egosoft.com and the forums default to http. Since you are already using Let's Encrypt there is little reason not to redirect all http traffic to https. Currently most of the links within the forum are https, but some like the FAQ aren't. If you are using certbot with webroot-path you want to exclude .well-known/acme-challenge so the auto renew still works.

E:
https://www.egosoft.com/games/x4/info_en.php wrote: Encrypted payments on this website

If you enter into a contract which requires you to send us your payment information (e.g. account number for direct debits), we will require this data to process your payment.

Payment transactions using common means of payment (Visa/MasterCard, direct debit) are only made via encrypted SSL or TLS connections. You can recognize an encrypted connection in your browser's address line when it changes from "http://" to "https://".

In the case of encrypted communication, any payment details you submit to us cannot be read by third parties.

You probably want to remove the SSL part here. SSL has been broken & deprecated since 2015. The payment card industry security standards council demands that no payment information is processed through SSL or early TLS versions after June 26, 2018. In the best case this is misleading, in the worst it can be a pretty costly mistake. Please ensure you are only using TLS 1.2 or higher.
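An added example, not code from the thread or from Egosoft, showing how the "TLS 1.2 or higher" floor from the post above looks in Python's standard `ssl` module, plus a check that can be applied either to a configured context or to the version string a live socket reports via `SSLSocket.version()`. The function and variable names are this example's own.

```python
import ssl

# Protocol floor the post asks for: TLS 1.2. Everything below (SSLv3, TLS 1.0,
# TLS 1.1) is rejected during the handshake instead of being negotiated.
FLOOR = ssl.TLSVersion.TLSv1_2

# Names as returned by SSLSocket.version(), mapped onto the TLSVersion enum.
_VERSION_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_context(server_side: bool = False) -> ssl.SSLContext:
    """Build an SSLContext that will not negotiate anything older than TLS 1.2.

    Purpose.CLIENT_AUTH produces a server-side context (the server authenticates
    clients); Purpose.SERVER_AUTH produces the client-side one.
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = FLOOR  # explicit floor; do not rely on library defaults
    return ctx


def version_meets_floor(version) -> bool:
    """True if `version` (a TLSVersion or a SSLSocket.version() string) is >= TLS 1.2.

    Unknown strings fail closed. TLSVersion.MINIMUM_SUPPORTED (-2) means
    "accept anything the library supports", so it fails as well.
    """
    if isinstance(version, str):
        version = _VERSION_BY_NAME.get(version)
        if version is None:
            return False
    return version >= FLOOR


def audit_context(ctx: ssl.SSLContext) -> bool:
    """Report whether a context's configured minimum version satisfies the floor."""
    return version_meets_floor(ctx.minimum_version)


if __name__ == "__main__":
    print("client context ok:", audit_context(hardened_context()))
    print("server context ok:", audit_context(hardened_context(server_side=True)))
    for name in ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(name, "->", version_meets_floor(name))
```

On a real connection the same check is `version_meets_floor(sock.version())` after `wrap_socket()`; the context floor prevents a downgrade before that point, the audit merely confirms what was negotiated.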

Posted: Sat, 22. Sep 18, 10:56
by CBJ
Turmfalke2 wrote: Right now both egosoft.com and the forums default to http. Since you are already using Let's Encrypt there is little reason not to redirect all http traffic to https. Currently most of the links within the forum are https, but some like the FAQ aren't. If you are using certbot with webroot-path you want to exclude .well-known/acme-challenge so the auto renew still works.
The forum has been set to default to https for quite some time. Are you sure you're not just using an old bookmark?
https://www.egosoft.com/games/x4/info_en.php wrote: Encrypted payments on this website
This is most likely just an outdated message, but we can check. Thanks for highlighting it.

Posted: Sat, 22. Sep 18, 12:59
by Turmfalke2
CBJ wrote: The forum has been set to default to https for quite some time. Are you sure you're not just using an old bookmark?
Even if I were to use an old bookmark I would expect a 301 instead of a 200.

Code:

$ curl -I http://forum.egosoft.com
HTTP/1.1 200 OK
Date: Sat, 22 Sep 2018 10:56:52 GMT
Server: Apache/2.4.10 (Debian)
[cookie data removed]
Cache-Control: no-cache, pre-check=0, post-check=0
Expires: 0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
compared to amazon.com

Code:

$ curl -I http://amazon.com
HTTP/1.1 301 Moved Permanently
Server: Server
Date: Sat, 22 Sep 2018 10:57:56 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://amazon.com/
[edit by BurnIt!] cookie data removed

Posted: Sat, 22. Sep 18, 14:42
by BurnIt!
First: please make sure you do NOT post your cookie information anywhere. I have edited the data out of your post.


We do not have a permanent redirect to https active at this time, that is correct, this was set up intentionally but may change in the future.

For now http access is still allowed but HTTP Strict Transport Security is enabled.

The message regarding the encryption is indeed not entirely accurate as we do in fact not employ SSL, but TLS (1.2).
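An added example, not code from the thread or from Egosoft, that turns the `curl -I` comparison above and BurnIt!'s reply into a repeatable check: it parses `curl -I` style header output and reports whether a plain-http request is permanently redirected to https, whether a Strict-Transport-Security header is present and whether it would actually be honoured (browsers ignore HSTS on responses that arrived over plain http, per RFC 6797, so "http allowed but HSTS enabled" leaves the very first http visit unprotected unless it is redirected), and whether the server hands an unauthenticated client a cookie lacking `Secure`/`HttpOnly`. The three sample responses are constructed for this example and only mimic the shape of the outputs posted; cookie names and values are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

REDIRECT_CODES = {301, 302, 303, 307, 308}
PERMANENT_CODES = {301, 308}


@dataclass
class TransportFindings:
    status: int
    redirects_to_https: bool     # redirect whose Location is an https:// URL
    permanent: bool              # 301/308: clients may cache the redirect
    hsts_max_age: Optional[int]  # None when no Strict-Transport-Security header
    hsts_honoured: bool          # HSTS only counts on a response received over https
    unsolicited_cookies: int     # Set-Cookie headers answered to a bare request
    insecure_cookies: List[str]  # cookie names lacking Secure or HttpOnly


def parse_head_response(text: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split `curl -I` style output into a status code and (name, value) pairs."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return int(m.group(1)), headers


def audit(text: str, requested_scheme: str = "http") -> TransportFindings:
    """Evaluate one HEAD response; `requested_scheme` is the scheme of the request sent."""
    status, headers = parse_head_response(text)

    def values(name):
        return [v for k, v in headers if k == name]

    location = values("location")
    redirects = (status in REDIRECT_CODES and bool(location)
                 and location[0].lower().startswith("https://"))

    max_age = None
    hsts = values("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        max_age = int(m.group(1)) if m else None

    cookies = values("set-cookie")
    insecure = []
    for cookie in cookies:
        first, *attrs = [part.strip() for part in cookie.split(";")]
        flags = {a.lower() for a in attrs}
        if "secure" not in flags or "httponly" not in flags:
            insecure.append(first.split("=", 1)[0])

    return TransportFindings(
        status=status,
        redirects_to_https=redirects,
        permanent=status in PERMANENT_CODES,
        hsts_max_age=max_age,
        hsts_honoured=max_age is not None and requested_scheme == "https",
        unsolicited_cookies=len(cookies),
        insecure_cookies=insecure,
    )


# Constructed samples (not real captures): a 200 over plain http that sets a
# cookie, a permanent redirect to https, and an https response with HSTS.
PLAIN_HTTP_200 = """HTTP/1.1 200 OK
Date: Sat, 22 Sep 2018 10:56:52 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: session_id=0123456789abcdef; path=/
Cache-Control: no-cache, pre-check=0, post-check=0
Content-Type: text/html
"""

REDIRECT_301 = """HTTP/1.1 301 Moved Permanently
Date: Sat, 22 Sep 2018 10:57:56 GMT
Content-Type: text/html
Content-Length: 179
Location: https://example.com/
"""

HTTPS_200 = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session_id=0123456789abcdef; Path=/; Secure; HttpOnly
Content-Type: text/html
"""

if __name__ == "__main__":
    print(audit(PLAIN_HTTP_200))
    print(audit(REDIRECT_301))
    print(audit(HTTPS_200, requested_scheme="https"))
```

To run it against a live host, feed it the output of `curl -sI http://host/` with `requested_scheme="http"` and of `curl -sI https://host/` with `requested_scheme="https"`; the first call tells you whether the 301 is in place, the second whether HSTS is served where browsers will record it.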

Posted: Sat, 22. Sep 18, 15:44
by Turmfalke2
Wait what..? That wasn't my cookie, at least not one that contains data worth protecting.

I didn't provide any cookies in my http request, so it is just your page generating a new cookie without being given any login information or such. The better question would be, why would it even try to set a cookie in that situation? There is nothing worth saving.

While we are at it, you might also want to rework your cookie policy.
www.egosoft.com wrote: This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Cookie Policy.

"By using our website you consent" is a direct violation of GDPR. ( http://www.privacy-regulation.eu/en/recital-32-GDPR.htm & http://www.privacy-regulation.eu/en/art ... s-GDPR.htm (11))

Posted: Sat, 22. Sep 18, 18:00
by A5PECT
Welp, time to pay our last respects to the old forum.

<Split and merged from an unrelated thread. Alan Phipps>

Posted: Sat, 22. Sep 18, 21:24
by Miniding
@ Turmfalke2: You seem to be well informed about GDPR!!! :lol:
Of course, as a European company, Ego should be following the rule too.

But we are on a forum, not on any bank website… In fact, the only personal information Ego's got from us is our mail address, isn't it?

I don't mind what info can be taken from Ego's cookies… What can be so important? What I say here, I totally assume!!!

:D :D

Edit: Thanks for the clarifying edit of my post "I don't know who" :D :D