Museum of the Game® & International Arcade Museum® Forums

We are usually way ahead of industry standard in implementing new security processes here. However, one area we've been way behind on is in dealing with encrypted browser communications and third party embedded content.

For a variety of specific reasons, some of these browser related upgrades have been slow coming. Although we haven't had any serious issues, it's happening now as we don't want to put it off any long and we can't put it off any longer. This includes converting the forums from http to https (SSL), and dealing with the way the forums deal with other systems (ie: third party image hosting, Tapatalk, etc.).

On 9/5/16 I ran an undisclosed test in which I moved the forums to https and enabled SSL. At first it seemed to work, and no one seemed to notice. However, it created issues with third party links. I also tried setting up the forums so that it would support either http or https. This creates a whole other set of issues, and had effects on things I never imagined (like iTrader). I started getting more and more PMs of issues. The experiment lasted less than a day.

I took another stab at it this week, updated a bunch of the scripts, and again, did a quiet test in moving the site from http to https (no http allowed at all).

It's basically working, but there are some unforseen issues that keep popping up. One of them was that it killed the YouTube BBCode plugin on the site. It was just reported to me (thanks FrizzleFied and Tbombaci) and I just fixed it. I check the vimeo plugin also (which isn't highly used)...it was broken and I fixed it too.

If anyone else finds anything broken, please let me know.

Besides the security benefits, Google penalizes sites (SEO) for using http, very slightly now but probably more in the future.

Http vs https affects other things too. Many of our users like Tapatalk, and Tapatalk has been warning systems since 11/15/16 that they had to go HTTPS by 1/1/17 due to Apple API demands (Apple at the last minute postponed the deadline for "App Transport Security" but it's coming). Google has announced the same HTTPS API demand but without a date yet. Without our upgrade, Tapatalk would have become incompatible with the site.

As far as third party image hosting, for specific reasons we may have to block future third party image hosting at some point in the near future. If we do, we will try and provide a solution here.

In the meantime, for different reasons, if you are using any third party hosting solution, please use an https image link whenever possible instead of http.

A single hosted image linked with http upsets browsers when visiting a page. The major browsers respond differently to mixed content pages (https pages with http elements), but none are kind to mixed pages.

IE looses the lock icon.

Chrome gives an information circle and when you click on it tells the user "Your connection to this site is not fully secure. Attackers may be able to see the images you are looking at on this site and trick you by modifying them."

Firefox gives a yellow warning sign and when you click on it it reads "Connection is not secure / parts of this page are not secure..."

The main www.arcade-museum.com supports https but does not default to it or enforce it at this time, largely due to the same 'mixed content' problem. It's the current plan to convert fully to https later in the month.
Back
Top Bottom