FANDOM


  • It seems Wikia has a TLS certificate for *.wikia.com. Great!

    However, it seems to redirect HTTPS requests to HTTP. For example, if you visit https://www.wikia.com/Wikia, you end up on http://www.wikia.com/Wikia instead. Why?! This is the exact opposite of what should happen.

    I’m currently posting this over hotel WiFi, over HTTP (since you don’t give me a choice) and am thus risking my session cookies.

    Please consider moving Wikia to HTTPS. This can happen in two steps:

    1. Stop redirecting HTTPS to HTTP. This gives people the option to browse Wikia over HTTPS instead of HTTP while still allowing HTTP.
    2. At a later stage, when you’re ready, start redirecting HTTP requests to HTTPS (and implement HSTS, etc.).

    Right now I would be happy with step 1.

    • We are working towards HTTPS support, but it is not a simple matter unfortunately. There are lots of moving parts to take care of on the way.

    • Thanks for your quick response, Kirkburn!

      Is there an ETA / roadmap or a page with more details on these plans?

      Why can't the HTTPS → HTTP redirect just be removed?

      In situations like this (crappy public hotel wifi) I’d prefer a secure site with some (blocked) mixed content over a fully functional HTTP site.

    • I can't provide an ETA, unfortunately.

      The redirect is needed because some aspects of the site may break in HTTPS at the moment. While we quite understand the desire, we know we'll also end up with some rather confused visitors.

    • A good first step would be to disable the HTTPS → HTTP redirect. Regular users would still end up on the HTTP version of the site through their bookmarks, search results, etc. But those who prefer HTTPS can try it out, and start fixing mixed content (if any) to help prepare the wiki for an eventual HTTPS-by-default mode.

    • Most likely the CMS is insecure and can't easily be made secure, but there may be other issues.

      It would be nice if Wikia could at least throw up a test wiki with what they have working for https, so we could see progress.

      Until Wikia demonstrates a more sincere commitment to at least https, it is hard to take their statements about concern for security seriously. Even TLS 1.0 isn't considered that secure anymore.

    • Now, since Chrome and other browsers will flag Wikia as insecure when anyone logs in!

    • 96.230.241.182 wrote:
      Now, since Chrome and other browsers will flag Wikia as insecure when anyone logs in!

      NEVER MIND!

      The login page is actually delivered over HTTPS now.

      BUT... Sadly, the rest of Wikia remains insecure. :(

    • There are some special challenges involved for us with secure certificates and domains (in particular). We are still working to have content transmitted securely in the near future. In the meantime, as you said, the part that really needs to be securely encrypted (your login) is indeed delivered by HTTPS.

    • But cookies are not transmitted over a secure channel, so someone can still steal your session and impersonate you.

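The two concerns this thread keeps returning to, the HTTPS → HTTP downgrade redirect (with HSTS as the later step) and session cookies that travel over plain HTTP, can both be checked mechanically from response headers. The script below is an added example written for this page; it is not code from Wikia or from anyone posting here. The three responses it inspects are constructed samples with placeholder example.org URLs, and the rule for spotting a session cookie by its name is an assumption, not a standard.

```python
"""Header audit for this thread's points: an HTTPS -> HTTP downgrade
redirect, a missing HSTS policy, and session cookies without `Secure`.
All inputs are constructed samples with placeholder hostnames."""
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Assumption: a naming heuristic to pick out session cookies by name.
SESSION_COOKIE_HINTS = ("session", "sess", "token")

# Constructed sample 1: the behaviour complained about above. An https://
# request is redirected to http:// and the session cookie lacks Secure.
DOWNGRADING_RESPONSE = {
    "url": "https://www.example.org/Wikia",
    "status": 301,
    "headers": [
        ("Location", "http://www.example.org/Wikia"),
        ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ],
}

# Constructed sample 2: "step 2" of the proposal, plain HTTP redirected to
# HTTPS. No HSTS here on purpose: browsers ignore it on non-TLS responses.
UPGRADE_REDIRECT_RESPONSE = {
    "url": "http://www.example.org/Wikia",
    "status": 301,
    "headers": [("Location", "https://www.example.org/Wikia")],
}

# Constructed sample 3: the hardened HTTPS page itself.
HARDENED_RESPONSE = {
    "url": "https://www.example.org/Wikia",
    "status": 200,
    "headers": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ],
}

def headers_named(resp, name):
    """All values of one header, case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in resp["headers"] if k.lower() == name.lower()]

def is_downgrade_redirect(resp):
    """True when an https:// URL is answered with a redirect to http://."""
    if resp["status"] not in REDIRECT_STATUSES:
        return False
    locations = headers_named(resp, "Location")
    if not locations:
        return False
    # Location may be relative, so resolve it against the request URL.
    target = urljoin(resp["url"], locations[0])
    return (urlsplit(resp["url"]).scheme == "https"
            and urlsplit(target).scheme == "http")

def hsts_max_age(resp):
    """max-age from Strict-Transport-Security, or None when there is no policy."""
    for value in headers_named(resp, "Strict-Transport-Security"):
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            if name.lower() == "max-age" and val.strip().isdigit():
                return int(val)
    return None

def insecure_session_cookies(resp):
    """Names of session-like cookies set without Secure. Without it the
    browser attaches them to plain-HTTP requests too, which is what makes
    the session readable on an open network."""
    found = []
    for value in headers_named(resp, "Set-Cookie"):
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if any(h in name.lower() for h in SESSION_COOKIE_HINTS) and not morsel["secure"]:
                found.append(name)
    return found

def audit(resp):
    """Findings for one response; an empty list means every check passed."""
    findings = []
    if is_downgrade_redirect(resp):
        findings.append("downgrade-redirect")
    # HSTS only counts on TLS responses; browsers discard it over plain HTTP.
    if urlsplit(resp["url"]).scheme == "https" and hsts_max_age(resp) is None:
        findings.append("missing-hsts")
    findings.extend(f"insecure-cookie:{n}" for n in insecure_session_cookies(resp))
    return findings

if __name__ == "__main__":
    for label, resp in [("downgrading", DOWNGRADING_RESPONSE),
                        ("upgrade redirect", UPGRADE_REDIRECT_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)]:
        print(f"{label}: {audit(resp) or 'ok'}")
```

Running it reports three findings for the first sample, none for the other two. The same functions can be fed headers from a live response object instead of the embedded dictionaries; the checks themselves do not change.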
    • FishTank wrote: … In the meantime, as you said, the part that really needs to be securely encrypted (your login) is indeed delivered by HTTPS.

      Whilst it's nice that the login process is secured these days, it's rather bad that other security-critical pages like Special:ChangePassword still aren't…

    • Excellent point. I'll remind the appropriate team of that.

    • Kirkburn wrote: I can't provide an ETA, unfortunately.

      Just pointing out this was said a whole two years ago...
      Has there been a test site yet?

      OneTwoThreeFall wrote:

      FishTank wrote: … In the meantime, as you said, the part that really needs to be securely encrypted (your login) is indeed delivered by HTTPS.

      This would only be an improvement if we were only concerned about the security of the users' password choices and not their accounts:

      If you would want to illegitimately use an account, it makes little difference whether you know its login details, or are able to read unencrypted traffic between the server and the browser and hijack the session. Having access to the client's local area network (including merely being able to somehow circumvent its encryption e.g. KRACK) or any other exposed point between the server and the browser makes it possible to eavesdrop on all traffic that is not encrypted between the two.

      On top of that, I can't come up with another site that, to this day, can't normally be used with "Block all unencrypted requests" toggled on in HTTPS Everywhere.

    • This is a really old thread; you should read this blog for updates on implementing HTTPS on Wikia.
