Authentication on this Website

Packet databases and other quizbowl sites, apps, or software should be discussed here.
Post Reply
ArnavS
Lulu
Posts: 44
Joined: Fri Feb 19, 2016 12:57 pm

Authentication on this Website

Post by ArnavS »

These forums still use unsecured, vanilla HTTP as opposed to encrypted HTTPS. This is bad for security reasons, but also because browsers are making it increasingly difficult to authenticate without encryption. See, e.g., the attached screenshot from Firefox.

I think all that needs to be done is for the site to acquire an SSL certificate (from a certificate authority like Google), and use it. I understand the forums use a point-and-click template called phpBB, and it looks like there instructions on moving phpBB sites to HTTPS.
Attachments
Screen Shot 2019-04-09 at 12.27.42 PM.png
(47.11 KiB) Not downloaded yet
"We're not going to pay you to come to our tournaments" --- Paul Kasiński

WWP South, 2010-2014
NYU, 2014-2018
University of British Columbia, 2018-Present

User avatar
Wartortullian
Rikku
Posts: 333
Joined: Mon Dec 19, 2016 10:02 pm
Location: Boulder, CO
Contact:

Re: Authentication on this Website

Post by Wartortullian »

I agree with Arnav's post, but Let's Encrypt is probably sufficient. I doubt there's any need to use a paid CA.
Matt Mitchell
Yale 20xx
Colorado 2020
Treasure Valley 2016
QBNotify creator, Colorado Quiz Bowl founder, PACE member

jonah
Auron
Posts: 2329
Joined: Thu Jul 20, 2006 5:51 pm
Location: Chicago

Re: Authentication on this Website

Post by jonah »

I've been asking for this since August 2017 and have been told (several times, last in September 2018) that it's on the radar. All the relevant people are volunteers, so I don't feel comfortable pinging too often.
Jonah Greenthal
National Academic Quiz Tournaments

ArnavS
Lulu
Posts: 44
Joined: Fri Feb 19, 2016 12:57 pm

Re: Authentication on this Website

Post by ArnavS »

Is there a way that we could volunteer to make it happen? All that the admins would need to do is delegate access to somebody for (say) a day or two. Or, we could write a small step-by-step instruction set that we could execute.

Alternately, we could chip in to fund time for one of the maintainers to make this happen. But I think it would be really useful, since people are probably reusing passwords here that they use for other (more important) services.
"We're not going to pay you to come to our tournaments" --- Paul Kasiński

WWP South, 2010-2014
NYU, 2014-2018
University of British Columbia, 2018-Present

User avatar
Mike Bentley
Auron
Posts: 5945
Joined: Fri Mar 31, 2006 11:03 pm
Location: Bellevue, WA
Contact:

Re: Authentication on this Website

Post by Mike Bentley »

ArnavS wrote:
Wed Apr 10, 2019 2:16 pm
Is there a way that we could volunteer to make it happen? All that the admins would need to do is delegate access to somebody for (say) a day or two. Or, we could write a small step-by-step instruction set that we could execute.

Alternately, we could chip in to fund time for one of the maintainers to make this happen. But I think it would be really useful, since people are probably reusing passwords here that they use for other (more important) services.
Probably. Send an e-mail to Dan Goff ([email protected]) and see if you can work out the details.
Mike Bentley
VP of Editing, Partnership for Academic Competition Excellence
Adviser, Quizbowl Team at University of Washington
University of Maryland, Class of 2008

ArnavS
Lulu
Posts: 44
Joined: Fri Feb 19, 2016 12:57 pm

Re: Authentication on this Website

Post by ArnavS »

He's done some work on this the LetsEncrypt front (good call @Matt, I didn't know there were free CAs like this) and will be taking another look this weekend. They will also be reviewing the archives to make sure nothing is impacted.
"We're not going to pay you to come to our tournaments" --- Paul Kasiński

WWP South, 2010-2014
NYU, 2014-2018
University of British Columbia, 2018-Present

User avatar
Stained Diviner
Auron
Posts: 4740
Joined: Sun Jun 13, 2004 6:08 am
Location: Chicagoland
Contact:

Re: Authentication on this Website

Post by Stained Diviner »

Any update on this?

How often should we ask why nothing is being done about this? Should we ask again in three months, or would it be more appropriate to wait a year?
David Reinstein
PACE VP of Outreach, Head Writer and Editor for Scobol Solo and Masonics (Illinois), TD for New Trier Scobol Solo and New Trier Varsity, Writer for NAQT (2011-2017), IHSSBCA Board Member, IHSSBCA Chair (2004-2014), PACE Member, PACE President (2016-2018), New Trier Coach (1994-2011)

User avatar
The Goffman Prophecies
Quizbowl Detective Extraordinaire
Posts: 1648
Joined: Wed Mar 03, 2004 10:25 pm
Location: Wichita, KS

Re: Authentication on this Website

Post by The Goffman Prophecies »

Surprise!

HTTPS is enabled on the entire site. For the moment, forced redirection is only happening when you access the forums. There's some issues with the CSS on the other pages (the tournament database and packet repository) that need to be resolved before this redirection happens sitewide.
Dan Goff
HSQB sysadmin

Virginia Tech '13
South Carolina '15
and a couple other places
Not Thomas Dale HS

STAAATS

User avatar
Stained Diviner
Auron
Posts: 4740
Joined: Sun Jun 13, 2004 6:08 am
Location: Chicagoland
Contact:

Re: Authentication on this Website

Post by Stained Diviner »

Thank you!
David Reinstein
PACE VP of Outreach, Head Writer and Editor for Scobol Solo and Masonics (Illinois), TD for New Trier Scobol Solo and New Trier Varsity, Writer for NAQT (2011-2017), IHSSBCA Board Member, IHSSBCA Chair (2004-2014), PACE Member, PACE President (2016-2018), New Trier Coach (1994-2011)

ScoBo
Wakka
Posts: 240
Joined: Wed Jan 10, 2007 5:05 pm
Location: Kansas City area
Contact:

Re: Authentication on this Website

Post by ScoBo »

I'm a goff (in case you couldn't tell) wrote:
Sun Jul 21, 2019 10:10 pm
There's some issues with the CSS on the other pages (the tournament database and packet repository) that need to be resolved before this redirection happens sitewide.
I think I have these fixed now, but let us know if you run into any problems while accessing the database or quizbowlpackets.com over https. One thing I'm aware of is I'm seeing https://hsquizbowl.org still redirecting to unsecure hsquizbowl.org/db, and it seems that is on Dan's side and not something I can fix myself.
Jeffrey Hill • Missouri Quizbowl Alliance president • UMR/Missouri S&T 2009 • Liberty (MO) 2005
Post your tournaments, SQBS reports, and question sets to the Quizbowl Resource Center Database!

User avatar
The Goffman Prophecies
Quizbowl Detective Extraordinaire
Posts: 1648
Joined: Wed Mar 03, 2004 10:25 pm
Location: Wichita, KS

Re: Authentication on this Website

Post by The Goffman Prophecies »

ScoBo wrote:
Mon Jul 22, 2019 10:23 pm
I'm a goff (in case you couldn't tell) wrote:
Sun Jul 21, 2019 10:10 pm
There's some issues with the CSS on the other pages (the tournament database and packet repository) that need to be resolved before this redirection happens sitewide.
I think I have these fixed now, but let us know if you run into any problems while accessing the database or quizbowlpackets.com over https. One thing I'm aware of is I'm seeing https://hsquizbowl.org still redirecting to unsecure hsquizbowl.org/db, and it seems that is on Dan's side and not something I can fix myself.
Yup, it was a quick configuration change I had to make. It's fixed now.
Dan Goff
HSQB sysadmin

Virginia Tech '13
South Carolina '15
and a couple other places
Not Thomas Dale HS

STAAATS

Post Reply