Discuss Scratch
- Discussion Forums
- » Suggestions
- » Really, we need a secure server
- jvvg
- Scratcher
1000+ posts
Really, we need a secure server
Since we're entering passwords on this site, there really needs to be TLS configured. I don't like entering passwords on sites where they're sent unencrypted. TLS certificates are relatively inexpensive these days, and it's pretty easy to configure nginx to use them.
Professional web developer and lead engineer on the Scratch Wiki
Maybe the Scratch Team isn't so bad — Why the April Fools' Day forum didn't work last year
- jvvg
- Scratcher
1000+ posts
> nXIII wrote:
> Use Password Hasher!

What is that? (i.e. does it send my passwords securely to the site)?
- nXIII
- Scratcher
1000+ posts
> jvvg wrote:
> > nXIII wrote:
> > Use Password Hasher!
> What is that? (i.e. does it send my passwords securely to the site)?

Well, it hashes your (master) password with a string derived from the site domain so that you never send your actual password to the main site.
But you're right: we should use TLS.
Last edited by nXIII (Jan. 25, 2013 01:14:04)
- jvvg
- Scratcher
1000+ posts
> nXIII wrote:
> > jvvg wrote:
> > > nXIII wrote:
> > > Use Password Hasher!
> > What is that? (i.e. does it send my passwords securely to the site)?
> Well, it hashes your (master) password with a string derived from the site domain so that you never send your actual password to the main site.
> But you're right: we should use TLS.

Could you link me to more info please? I'm interested.
I also once got a TLS certificate for like $10/year through NameCheap, so they're relatively inexpensive.
- nXIII
- Scratcher
1000+ posts
> jvvg wrote:
> > nXIII wrote:
> > > jvvg wrote:
> > > > nXIII wrote:
> > > > Use Password Hasher!
> > > What is that? (i.e. does it send my passwords securely to the site)?
> > Well, it hashes your (master) password with a string derived from the site domain so that you never send your actual password to the main site.
> > But you're right: we should use TLS.
> Could you link me to more info please? I'm interested.
> I also once got a TLS certificate for like $10/year through NameCheap, so they're relatively inexpensive.

Well, it's mainly a Firefox extension, but I use Chrome so I wrote a Chrome extension with a redesigned UI and a port of the hasher. Here's the site. If you use Chrome I can clean up my extension and give it to you as well.
- veggieman001
- Scratcher
1000+ posts
Nothing is permanent.
Last edited by veggieman001 (July 16, 2013 23:53:03)
- nXIII
- Scratcher
1000+ posts
> veggieman001 wrote:
> > nXIII wrote:
> > > jvvg wrote:
> > > > nXIII wrote:
> > > > > jvvg wrote:
> > > > > > nXIII wrote:
> > > > > > Use Password Hasher!
> > > > > What is that? (i.e. does it send my passwords securely to the site)?
> > > > Well, it hashes your (master) password with a string derived from the site domain so that you never send your actual password to the main site.
> > > > But you're right: we should use TLS.
> > > Could you link me to more info please? I'm interested.
> > > I also once got a TLS certificate for like $10/year through NameCheap, so they're relatively inexpensive.
> > Well, it's mainly a Firefox extension, but I use Chrome so I wrote a Chrome extension with a redesigned UI and a port of the hasher. Here's the site. If you use Chrome I can clean up my extension and give it to you as well.
> Links don't work, remember?

Oh yeah…
- Lightnin
- Scratcher
1000+ posts
Ah yes, I've discussed this, but there are too many other things to do at the moment. Sorry guys, not a top priority - but after we get things settled down post release, I plan to bring it up again.
- Flowermanvista
- Scratcher
1000+ posts
> It's been resolved. This was during a time when Scratch 2.0 was in beta, and the site might not have had TLS/HTTPS. The main 1.4 site probably had TLS (I don't see any reason to not use HTTPS/TLS). So this is resolved?

I don't know how to find data on this, but I seem to recall that HTTPS for general use wasn't all that common back then, even as late as 2013 (although I do know that for sensitive use, such as buying things online, it has been in use for a very long time).
As best as I can tell (using the Wayback Machine), the Scratch 1.x website did not use HTTPS.
Last edited by Flowermanvista (June 30, 2021 02:17:09)
- gdpr70f61245d597c25631fbb669
- Scratcher
100+ posts
> > Use Password Hasher!
> What is that? (i.e. does it send my passwords securely to the site)?

No it does not. If the web server is expecting plaintext there is nothing a browser extension can do about it. Passwords are sent securely via HTTPS, and sending something hashed over your client doesn't change that it is still readable in plaintext to others (and that whatever is sent to the server can be sent by someone else).
There are a number of other sketchy advertisements claiming to offer security enhancements that do not exist. I do not recommend taking their advice.
HTTPS has been available here for a while now but this topic appears to be before then.
Last edited by gdpr70f61245d597c25631fbb669 (June 30, 2021 02:52:25)
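The point made in the post above, worked through as an added example (not part of the original thread and not Password Hasher's actual code). HMAC-SHA256 stands in for the extension's hashing scheme, and `ToySite` and `visible_on_path` are hypothetical models of a login server and an on-path observer.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode


def site_password(master, site_tag, length=16):
    """Per-site password; HMAC-SHA256 + base64 is an assumed stand-in scheme."""
    mac = hmac.new(master.encode(), site_tag.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


class ToySite:
    """Hypothetical login server: it verifies whatever string the form submits."""
    def __init__(self):
        self._users = {}  # user -> (salt, PBKDF2 hash of the submitted string)

    @staticmethod
    def _kdf(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

    def register(self, user, submitted):
        salt = os.urandom(16)
        self._users[user] = (salt, self._kdf(submitted, salt))

    def login(self, form_body):
        form = parse_qs(form_body)
        salt, stored = self._users[form["user"][0]]
        return hmac.compare_digest(stored, self._kdf(form["password"][0], salt))


def visible_on_path(form_body, tls):
    """Model of an on-path observer: plain HTTP exposes the body, TLS does not."""
    return None if tls else form_body


def demo():
    master = "correct horse battery staple"  # constructed sample value
    derived = site_password(master, "scratch.mit.edu")
    site = ToySite()
    site.register("alice", derived)
    body = urlencode({"user": "alice", "password": derived})
    seen = visible_on_path(body, tls=False)  # what a plain-HTTP login exposes
    return {
        "master_on_wire": parse_qs(seen)["password"][0] == master,
        "captured_body_logs_in": site.login(seen),  # server can't tell who sent it
        "other_site_differs": derived != site_password(master, "example.org"),
        "tls_hides_body": visible_on_path(body, tls=True) is None,
    }
```

The derived value keeps the master password off the wire and differs per site, but on plain HTTP it is itself the credential for that site; only TLS keeps it from the observer.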
- the2000
- Scratcher
1000+ posts
> As best as I can tell (using the Wayback Machine), the Scratch 1.x website did not use HTTPS.

If you go to a studio page right now (they still use the Scratch 2 website) and click “add projects”, the template link shown uses HTTP, so I'm guessing that Scratch was moved to HTTPS sometime between 2013 and 2015 (inclusive).
Last edited by the2000 (June 30, 2021 02:55:06)
- gdpr70f61245d597c25631fbb669
- Scratcher
100+ posts
> If you go to a studio page right now (they still use the Scratch 2 website) and click “add projects”, the template link shown uses HTTP, so I'm guessing that Scratch was moved to HTTPS sometime between 2013 and 2015 (inclusive).

Offering HTTPS and requiring HTTPS are separate actions. uploads.scratch.mit.edu still has both available. I would guess HTTPS-only started after the development of Scratch WWW if this is the case.