DigitalEro Offline

Flash objects not appearing in Chrome

Fri, 08 Mar 2013 01:28:28

Ganonmaster

Similar to the problem as pointed out in this topic, except for the FLV, DigitalEro Buttons, dailymotion and NaughtyMachinima BBcodes. These videos and flash applets do not show up in Chrome. Internet Explorer users get a big warning telling them the page has insecure content. All of these flash objects are blocked by Chrome to prevent so-called man-in-the-middle and clickjacking attacks. You can read up on Google's motivation here. Note that this is not only a matter of convenience for Chrome and IE users, but also a major security issue for those who use less secure browsers like Safari or Firefox. (Yes, even though Internet Explorer is a giant turd compared to other major browsers, it is the most secure browser; more secure than Firefox.) The solution would be to make sure all the pages of this site, including the flash objects mentioned before, are served over HTTPS. The embedding code for sites that do not support HTTPS (like NaughtyMachinima) will have to be turned into links, to prevent potential attacks and protect the users of this site.
Sun, 14 Apr 2013 21:05:20

Ganonmaster

Bump. This is still an issue. Also related to this issue, when you try loading DigitalEro over regular http, it doesn't load anything, while it should redirect to the https version. I'm also very surprised that none of the staff have responded to this thread. I made this bug report over a month ago and provided clear documentation on the problem. A simple acknowledgement of the situation would be nice.
Mon, 15 Apr 2013 10:47:04

Anonymous

For Chrome we have already discussed and the solution was given to you. Subject ended, thank you :hat:
"Ganonmaster" said ...
to prevent potential attacks and protect the users of this site.
There is absolutely no risk, the flash buttons were created by myself and for the rest it's just a flash player. Don't be afraid. ;)
Mon, 15 Apr 2013 19:55:35

Ganonmaster

"Evil-Ash" said ...
"Ganonmaster" said ...
to prevent potential attacks and protect the users of this site.
There is absolutely no risk, the flash buttons were created by myself and for the rest it's just a flash player. Don't be afraid. ;)
It's not the flash objects themselves that are dangerous, it's the connection you send them over. If you send them on a connection that isn't secured by SSL, an attacker could easily inject a different file into the connection, compromising your system. That's how a man-in-the-middle attack works. Also, this site allows you to embed ANY flash object through the [flash] bbcode, so anyone could make a post with some kind of harmful content anyway. Also, unless you're the admin of NaughtyMachinima, it's unsafe to assume that flash objects like that don't contain malware.
"Evil-Ash" said ...
For Chrome we have already discussed and the solution was given to you. Subject ended, thank you :hat:
Where was this solution posted? Because adding a site wide security exception to Chrome isn't a solution, it's poking holes in your browser protection. In addition, this doesn't help new users who visit this site. I've seen many newbies post in the shoutbox about "not being able to see videos". If you're unwilling to take the security precautions I mentioned earlier, it's at least good practice to let people know that there's some type of flash object on the page and a little info how to activate those. I'm sorry if I seem a little demanding, I'm only trying to help with improving the site.
Sun, 21 Apr 2013 08:52:41

JCade

I believe the solution was to click on the shield icon, and then click "Load Unsafe Script": I haven't had any issues loading flash since this was pointed out. I also have not had any security issues.
Sun, 21 Apr 2013 08:57:33

Ganonmaster

I am aware of that, but it's a temporary fix that doesn't solve the core issue. It's the same as allowing a site wide security exception like I mentioned above.
Sun, 21 Apr 2013 09:05:31

JCade

You're only loading the flash content on that particular page, and you're only loading it from the respective hosts (i.e. NaughtyMachinima (and Evil Ash's website for the flash buttons)). The only thing insecure about the workaround is that naughtymachinima's site doesn't utilize HTTPS. The only other "solutions" are for naughtymachinima to use HTTPS, or to turn off HTTPS on DEro. Would you rather us not use HTTPS for the website here? You can always ask naughtymachinima to go HTTPS, but at that point you're at the mercy of their webmasters. EDIT: Come to think of it, I cannot name any place off the top of my head that delivers flash content securely, over HTTPS.
Sun, 21 Apr 2013 09:37:39

Ganonmaster

"JCade" said ...
You're only loading the flash content on that particular page, and you're only loading it from the respective hosts (i.e. NaughtyMachinima (and Evil Ash's website for the flash buttons)). The only thing insecure about the workaround is that naughtymachinima's site doesn't utilize HTTPS.
The [flash] bbcode allows for other sources than those two sites. Who knows what kind of malware they'll be serving? When you simply load all the unsafe scripts by habit, you're setting yourself up for that one time where you're accidentally loading malicious scripts. There are easy fallbacks for things like this. Besides security concerns, it's also a problem in day to day usage. When new Chrome users come to the site, the blocked content warning is easily missed. How many times have we seen "I can't see any videos in your thread" posted in the shoutbox and elsewhere? (that's right, more than enough)
"JCade" said ...
The only other "solutions" are for naughtymachinima to use HTTPS, or to turn off HTTPS on DEro.
The third solution is to solve the usage problem. Like I mentioned earlier, you could modify the embedding code so that instead of only showing the flash object (which is hidden in Chrome) it also shows a URL to the source of the content. This way, people can make an educated guess if the content is safe, and users oblivious to the content warning can simply click the link that will take them to Naughtymachinima, the button site, or wherever the content may be hosted. Or instead show a message telling people what to do to unblock it. Some kind of indicator of a flash object being there, what site it's hosted at, so we know we're opening up some kind of malware. I've seen spam get posted on this site before, and my previous experience with phpBB has told me that these bots are clever enough to embed flash objects as well.
"JCade" said ...
EDIT: Come to think of it, I cannot name any place off the top of my head that delivers flash content securely, over HTTPS.
YouTube and Vine come to mind, but there are many others. There is no real issue with serving video content over HTTPS; it's just that a lot of smaller sites don't bother.
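The "third solution" described in this post, as an added example that is not part of the thread and not DigitalEro's or phpBB's own code: a renderer for a `[flash]URL[/flash]` BBcode (the exact tag syntax is assumed) that embeds only HTTPS sources, turns plaintext-HTTP sources into a visible link to the hosting site, drops anything that is not an http(s) URL, and always prints the host name next to the embed so readers can see where the content comes from. The CSS class names are hypothetical; the rest of the post body is assumed to be escaped elsewhere.

```javascript
// Added example (not DigitalEro's or phpBB's code): render [flash]URL[/flash]
// so that an HTTPS page never embeds a plaintext-HTTP object (which browsers
// block as mixed content anyway), and every embed carries a visible link
// naming the host it is loaded from.

const FLASH_TAG = /\[flash\]([^\[\]]+)\[\/flash\]/gi; // assumed tag syntax

// Minimal HTML escaping so a crafted URL cannot break out of an attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Classify one embed target. Returns { kind, host, url }.
//   'embed'  : https URL, can be loaded inside an https page
//   'link'   : http URL, would be mixed content; render a link only
//   'reject' : anything else (javascript:, data:, unparsable text)
function classifyFlashSource(raw) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch (e) {
    return { kind: 'reject', host: null, url: null };
  }
  if (url.protocol === 'https:') return { kind: 'embed', host: url.hostname, url: url.href };
  if (url.protocol === 'http:') return { kind: 'link', host: url.hostname, url: url.href };
  return { kind: 'reject', host: null, url: null };
}

function renderFlashTag(raw) {
  const c = classifyFlashSource(raw);
  if (c.kind === 'reject') {
    return '<span class="flash-blocked">[flash object removed: unsupported source]</span>';
  }
  const href = escapeHtml(c.url);
  const host = escapeHtml(c.host);
  // The caption is shown in every case: it tells readers which site the
  // content is hosted at, and gives users who missed the browser's
  // blocked-content warning a plain link to follow instead.
  const caption = `<p class="flash-source">Flash content hosted at ` +
                  `<a href="${href}" rel="noopener noreferrer">${host}</a></p>`;
  if (c.kind === 'link') {
    return `${caption}<p class="flash-notice">Not embedded: ${host} does not serve this file over HTTPS.</p>`;
  }
  // allowScriptAccess=never keeps the SWF from calling JavaScript on the page.
  return `<object type="application/x-shockwave-flash" data="${href}">` +
         `<param name="allowScriptAccess" value="never">` +
         `<a href="${href}">${host}</a></object>${caption}`;
}

// Replace every [flash] tag in a post body; other BBcode is left untouched.
function renderPost(bbcode) {
  return bbcode.replace(FLASH_TAG, (_m, src) => renderFlashTag(src));
}

// Constructed sample post, for illustration only.
console.log(renderPost('Watch this: [flash]http://example.com/clip.swf[/flash]'));
```

With this in place an HTTP embed no longer produces a silently blocked, invisible object; the reader sees the host name and a link, which is the indicator the post above asks for, and a `javascript:` or `data:` source never reaches the page at all.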
Mon, 22 Apr 2013 01:13:15

JCade

"Ganonmaster" said ...
The third solution is to solve the usage problem. Like I mentioned earlier, you could modify the embedding code so that instead of only showing the flash object (which is hidden in Chrome) it also shows a URL to the source of the content. This way, people can make an educated guess if the content is safe, and users oblivious to the content warning can simply click the link that will take them to Naughtymachinima, the button site, or wherever the content may be hosted. Or instead show a message telling people what to do to unblock it. Some kind of indicator of a flash object being there, what site it's hosted at, so we know we're opening up some kind of malware. I've seen spam get posted on this site before, and my previous experience with phpBB has told me that these bots are clever enough to embed flash objects as well.
Users already post direct links to naughty machinima, or wherever their videos are hosted. Not everyone does, but a stickied post would solve that. Secure forum or not, bots always eventually find a way through. I'd suggest speaking with Gnin & Evil Ash about what can be done to address your concerns, if you haven't already. It is my understanding that they handle the site backend.