Posted November 24, 2015
DampSquib
Soup Dragon.
DampSquib Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2010
From United Kingdom
Elvis is Dead
Find me in STEAM OT
Elvis is Dead Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Dec 2012
From Other
HypersomniacLive
The Reluctant Voter
HypersomniacLive Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Sep 2011
From Vatican City
DampSquib
Soup Dragon.
DampSquib Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2010
From United Kingdom
Matruchus
Don't ignore Tux
Matruchus Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jun 2011
From Slovenia
Posted November 24, 2015
The account button now functions as it should but the account notificiations for chat and other things doesn't work anymore and in my case the notifications don't show when I click on any tab be it community or gog.com frontpage.
Post edited November 24, 2015 by Matruchus
HypersomniacLive
The Reluctant Voter
HypersomniacLive Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Sep 2011
From Vatican City
Posted November 24, 2015
DampSquib: https - it's intermittent, navigate to another page and it's sign-up & log-in time.
Firefox 42.0
I'm also on Firefox 42.0 and https. Odd how accounts behave differently, even when the parameters are the same. Firefox 42.0
As I said yesterday, I'm back to this behaviour.
Additionally, when I try to log off from a forum page, I'm redirected to the front page but I'm not logged off. I have to log off once more from the front page.
If I go from a forum page to the front one and try to log off directly from there, it works as should.
Post edited November 24, 2015 by HypersomniacLive
v3
Registered: Oct 2014
From Serbia
Posted November 27, 2015
Any info on the progress?
Account button is still exchanged with Sign Up/Log In and in addition, when initiating the chat from tooltip it asks me to log in again, but when I do it just asks again, so I end up entering the address manually.
I've read other members had some of these problems occuring before briefly, but I haven't encountered any of them until the day I reported it with this thread, and I don't recall any immediate browser updates so something must have changed in the forum software.
Account button is still exchanged with Sign Up/Log In and in addition, when initiating the chat from tooltip it asks me to log in again, but when I do it just asks again, so I end up entering the address manually.
I've read other members had some of these problems occuring before briefly, but I haven't encountered any of them until the day I reported it with this thread, and I don't recall any immediate browser updates so something must have changed in the forum software.
Johny.GOG
☕️
Johny.GOG Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat GOG.com Team
Registered: Dec 2014
From Poland
Posted November 27, 2015
v3: Account button is still exchanged with Sign Up/Log In and in addition, when initiating the chat from tooltip it asks me to log in again, but when I do it just asks again, so I end up entering the address manually.
Ahhh! So that's another consequence of this bug. System thinks that you are logged out. For now you can go to main page (even in new tab) and go back to forum (or just refresh it). I've tracked down what's happening - direct cause of not being logged in - but we don't know cause of the cause yet. ;) So - we'll fix it, but I can't say when exactly.
skeletonbow
Galaxy 3 when?
skeletonbow Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Dec 2009
From Canada
Posted November 27, 2015
high rated
This is speculative, but I believe the issues with the website either sporadically logging people out or not seeming to know whether they're logged in or not - such as saying you're logged out but then showing you games on the homepage that you have wishlisted - are due to a multitude of inconsistencies providing some parts of the website over http and some over https. While https was added not long ago presumably on everything, they never changed the site to redirect all http queries to https, and many links in the website code still point to http:// even when the page you're viewing is https://.
This kind of mixed-mode operation is notorious for causing obscure wonky website behaviour where modern browsers wont trust cookies over http on an https site or other behaviours, all of which can be further complicated by whether people are using security addons such as NoScript or others.
I think some things GOG could do to make their entire website-property-emporium extremely simpler and more robust are:
- to completey ditch raw http access to the entire *.gog.com domain, and have the webserver automatically redirect all queries to http to https.
- to ensure all cookies are transferred over https at all times
- to review all html/css/js/php/whatever for all references to http or https on *.gog.com and replace them with the protocol neutral variant of simply: "//forum/general/whatever" so that the web browser substitutes the proper protocol depending on how it's accessing the website.
And once they've fleshed all of that out and stabilized it to the point they fully trust their https deployment they should further go ahead and:
- Enable HSTS in their webserver configs in order to enforce HTTPS across the entire domain.
- Update the webserver SSL/TLS configuration to best current practices for security and backward compatibility as documented by Mozilla and other industry players recommendations: <span class="bold">https://wiki.mozilla.org/Security/Server_Side_TLS</span>
- Thoroughly test their TLS deployment with tools like Qualys SSL Pulse:
GOG's current SSL/TLS security rating from SSL Pulse is a mix of grade A on the main servers and B on Akamai CDN:
https://www.ssllabs.com/ssltest/analyze.html?d=gog.com&hideResults=on&latest
https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com&s=193.59.178.42&hideResults=on
https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com&s=23.192.247.45&hideResults=on
The latter of which has missing intermediate certificates in the certificate chain, poor signature algorithm (SHA1, which will soon be ostracized by all web browsers), insecure RSA cipher support and broken forward secrecy support. Inconsistent with the rest of the GOG servers and probably should be brought up to current standards and that bad certificate replaced and the CA's intermediates put on the webserver.
If it isn't already, SSL Pulse testing should be integrated into GOG's webserver QA procedures to ensure correct operaton and best practices going forward.
This kind of mixed-mode operation is notorious for causing obscure wonky website behaviour where modern browsers wont trust cookies over http on an https site or other behaviours, all of which can be further complicated by whether people are using security addons such as NoScript or others.
I think some things GOG could do to make their entire website-property-emporium extremely simpler and more robust are:
- to completey ditch raw http access to the entire *.gog.com domain, and have the webserver automatically redirect all queries to http to https.
- to ensure all cookies are transferred over https at all times
- to review all html/css/js/php/whatever for all references to http or https on *.gog.com and replace them with the protocol neutral variant of simply: "//forum/general/whatever" so that the web browser substitutes the proper protocol depending on how it's accessing the website.
And once they've fleshed all of that out and stabilized it to the point they fully trust their https deployment they should further go ahead and:
- Enable HSTS in their webserver configs in order to enforce HTTPS across the entire domain.
- Update the webserver SSL/TLS configuration to best current practices for security and backward compatibility as documented by Mozilla and other industry players recommendations: <span class="bold">https://wiki.mozilla.org/Security/Server_Side_TLS</span>
- Thoroughly test their TLS deployment with tools like Qualys SSL Pulse:
GOG's current SSL/TLS security rating from SSL Pulse is a mix of grade A on the main servers and B on Akamai CDN:
https://www.ssllabs.com/ssltest/analyze.html?d=gog.com&hideResults=on&latest
https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com&s=193.59.178.42&hideResults=on
https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com&s=23.192.247.45&hideResults=on
The latter of which has missing intermediate certificates in the certificate chain, poor signature algorithm (SHA1, which will soon be ostracized by all web browsers), insecure RSA cipher support and broken forward secrecy support. Inconsistent with the rest of the GOG servers and probably should be brought up to current standards and that bad certificate replaced and the CA's intermediates put on the webserver.
If it isn't already, SSL Pulse testing should be integrated into GOG's webserver QA procedures to ensure correct operaton and best practices going forward.
Post edited November 27, 2015 by skeletonbow
toxicTom
Big Daddy
toxicTom Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Feb 2009
From Germany
LEMON CURRY?
Møøse operator
LEMON CURRY? Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jun 2013
From Denmark
Posted December 03, 2015
skeletonbow: ... a multitude of inconsistencies providing some parts of the website over http and some over https. While https was added not long ago presumably on everything, they never changed the site to redirect all http queries to https, and many links in the website code still point to http:// even when the page you're viewing is https://.
This has been bugging me for a long time. I've lost count of the number of times I've had to correct forum links when posting. Yes, please (+1).
skeletonbow
Galaxy 3 when?
skeletonbow Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Dec 2009
From Canada
Posted December 03, 2015
skeletonbow: ... a multitude of inconsistencies providing some parts of the website over http and some over https. While https was added not long ago presumably on everything, they never changed the site to redirect all http queries to https, and many links in the website code still point to http:// even when the page you're viewing is https://.
Lemon_Curry: This has been bugging me for a long time. I've lost count of the number of times I've had to correct forum links when posting. skeletonbow: I think some things GOG could do to make their entire website-property-emporium extremely simpler and more robust are:
[...]
Lemon_Curry: Yes, please (+1). [...]
One thing is certain though, any new websites being deployed in 2015 should be HTTPS-only and using current recommended standards, and existing sites should be migrating to HTTPS-only or already doing it as we move towards an always-encrypted Internet. Only putting one foot in the water is broken though.
LEMON CURRY?
Møøse operator
LEMON CURRY? Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jun 2013
From Denmark
Johny.GOG
☕️
Johny.GOG Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat GOG.com Team
Registered: Dec 2014
From Poland
Posted December 09, 2015
Issue with account menu missing on forum pages is fixed. For more info see this post:
http://www.gog.com/forum/general/the_what_did_just_break_thread/post1099
http://www.gog.com/forum/general/the_what_did_just_break_thread/post1099
Post edited December 09, 2015 by Johny.
v3
Registered: Oct 2014
From Serbia
Posted December 09, 2015
Johny.: Issue with account menu missing on forum pages is fixed. For more info see this post:
http://www.gog.com/forum/general/the_what_did_just_break_thread/post1099
Hurray Johny!!! It's working better than ever so thanks a bunch for putting your expertise to good use! http://www.gog.com/forum/general/the_what_did_just_break_thread/post1099
Since you're a blue, a species unto itself, hope you don't mind me marking skeletonbow's adept suggestions as a solution, regardless of whether they were instrumental in addressing this particular problem on your end.
Post edited December 09, 2015 by v3