Hi Folks,

This has been in the works for a while, but we are finally getting ready to introduce SSL security throughout the site. We've been making the change in stages to make sure that things are working properly. Several weeks ago we switch pokercast.twoplustwo.com and yesterday we switched www.twoplustwo.com. You now should prefix all accesses to those two sites with https:// instead of the http:// that you've been using. In case you forget things are setup to automatically make the switch for you.

I would like to ask you all to let me know (via PM) if you see any anomalies that you believe to be caused by the switch to SSL. In particular please let me know if your browser does not indicate is on a "Secure" site when you link to one of the pages on either www.twoplustwo.com or pokercast.twoplustwo.com (but not on forumserver.twoplustwo.com).

We plan to move the forums to SSL later this month.

Chuck

twoplustwo.com linking from this page is still insecure. This is from clicking the upper left logo.

same for me

Also no secure clicking from the www.twoplustwo.com link in OP. If I manually add the https then it's all good.

hmm. Ok, enough reports. I will get on this to see why the redirect isn't working properly.

Chuck

Yeah, this says it's insecure for me, and I use HTTPS Everywhere.

HTTPS Everywhere I think has to have the domain in a database. It used to not work for wikileaks.org and I sent them an email and they said they'd work on adding it, so I don't think it will work for twoplustwo until they add it.

Good on twoplustwo for implementing SSL/TLS

And good on Let's Encrypt by offering free certs

Just typing in the web browser address bar pokercast.twoplustwo.com automatically directed to the secured https URL for me just now.

Just typing in twoplustwo.com goes to http. I have to specify with https://twoplustwo.com to get the secure page.

edit: keep in mind that your cert expires on August 29, 2017. If it doesn't automatically renew and you forget to renew it, users are going to get a bunch of invalid cert warnings in their web browsers that look like this:

This has been fixed. And yes, I am aware of certificate expiration, but thanks.

We hope to have the forums converted to SSL by the end of the Labor Day weekend. Once we make the conversion you'll probably get security warnings for a while because there are links we'll have to change that we can't really test until after the change (without being very disruptive.) We'll do our best to make this as painless as possible.

You need a wildcard certificate. Idk what web hosting you use but if it uses IIS I can do/show how to in like 15 minutes.

Chuck,

Something seems to be screwy. It tells me my password expires, so I change it, and then shortly thereafter it forgets my password change and forces me to reset my password.

Can I assume you have cleared all cookies and caches related to the forums?

Chuck

I still have to change mine every 45 days. Fortunately, it accepts the same password, so it's just a minor annoyance.

Ummm...keeping the same password pretty much cancels the purpose of requiring a password change for mods and admins. I'm actually surprised that the software doesn't keep that from happening.

Of course. But having us change it every 45 days is pretty ridiculous IMO, so it's a good glitch in this case. I've seen numerous articles suggesting that forced password changes are actually worse for security, and they back up what common sense had already told me. I'd be hard-pressed to imagine how forcing me to change my 20 character 141 bit strength password will improve security, so as long as I'm being forced to change every 45 days, please don't make me actually change it.

Edit to add: I had always assumed the 45 day change was a glitch, but rereading your post, it sounds like it was intentional. If so:

https://www.wired.com/2016/03/want-s...-change-often/

Compromise: if mods use passwords that are 20+ characters long, with lower, upper, special chars and numbers (and maybe no identifiable dictionary words), they don't have to change their password because they're likely using a password manager like any sane person in the year 2017

I mean, obviously I'll go along with whatever security measures Chuck and the red gang want us to, but I always find it annoying as hell when I'm forced to change my very secure and unique password, especially given that forced password changes are in general more likely to be detrimental than beneficial.

But I'm no security expert, so perhaps there's a benefit I'm not aware of.

https://www.ncsc.gov.uk/guidance/pas...-your-approach
http://www.cbc.ca/radio/asithappens/...razy-1.4240255

I got bit by this tonight myself, so I feel your pain. If I was certain that you and all other mods and admins used strong passwords and a keeper I would be more likely to change the expiration time.

I plan to switch the forums (at least temporarily) to SSL on Sunday morning.

FYI. You have a cert mismatch on the root domain. https://twoplustwo.com throws a cert mismatch error because it presents a cert with CN=admin.twoplustwo.com.

Note: http://twoplustwo.com redirects to https://www.twoplustwo.com as expected.

Thanks for pointing this out. Working on it.

http://forumserver.twoplustwo.com/50.../#post52788421