BitsofthePast website is down


23 replies to this topic

#1 Dropcheck ONLINE  

Dropcheck

    Dragonstomper

  • 970 posts
  • Location:Stigler, OK

Posted Wed Feb 1, 2017 9:09 AM

FYI:

 

     Somehow I managed to nuke the website while doing maintenance today.  I'm now in the process of reinstalling from a back up.  It may take some time to get everything back up and working though.

 

     For those who have ordered either the ECI2PBI or XF551 I had printed out the invoices a day or so ago.  So don't worry.  I also have the Paypal info to fall back on if needed. 

 

     I'll post an update when the site is functioning again, until then it's anybody's guess what you'll see when you access the site.  Might be entertaining.  :(



#2 Stephen OFFLINE  

Stephen

    Quadrunner

  • 5,980 posts
  • A8 Gear Head
  • Location:Akron, Ohio

Posted Wed Feb 1, 2017 10:28 AM

Good luck getting it back running, hope it doesn't give you too much trouble.



#3 _The Doctor__ OFFLINE  

_The Doctor__

    Stargunner

  • 1,837 posts
  • Location:10-0-11-00:02

Posted Wed Feb 1, 2017 10:39 AM

oh noes, I've done that before... it taught me something I still have trouble with today.... keeping duplicate of last rendition... Sure hope a backup is hiding somewhere... very hopeful it won't be too hard to repair......with little loss of hair!


Edited by _The Doctor__, Wed Feb 1, 2017 10:41 AM.


#4 Dropcheck ONLINE  

Dropcheck

    Dragonstomper

  • Topic Starter
  • 970 posts
  • Location:Stigler, OK

Posted Wed Feb 1, 2017 1:00 PM

Update:

 

     Okay it looks like the major rework is done.  Could still be a few missteps.  If you notice anything weird pm me and I'll check it out.  :?



#5 sup8pdct OFFLINE  

sup8pdct

    Dragonstomper

  • 820 posts
  • Location:australia

Posted Wed Feb 1, 2017 1:48 PM

Did your keyboard move on you again? :) :-D

 

James



#6 Dropcheck ONLINE  

Dropcheck

    Dragonstomper

  • Topic Starter
  • 970 posts
  • Location:Stigler, OK

Posted Wed Feb 1, 2017 5:07 PM

Did your keyboard move on you again? :) :-D

 

James

 

:)  No...... I committed the unpardonable sin of trying to add additional features to the domain.  In the process I decided to clean up odds and ends from previous failed efforts. 

 

     Who needs that orphaned database?  Zap!  Who needs that other orphaned database?  Zap!  Oh.... what's this.... an uninstall script to totally remove that failed wordpress install?  Okay..... now we're cooking.  Why am I still seeing both versions?  It should have updated by now.  Maybe I didn't press hard enough on the mouse button.  There...... now.   What?????  WTF????!!!!! :skull:  :mad:

 

 

    Sometimes it's best to leave well enough alone.....   :(   Four hours later I was finally back up and running.  The website isn't as up to date as I'd like.  Some posts are missing.  But I've decided I've had enough messing with it today. :twisted: :)

 

    But maybe you're right the keyboard/mouse did move on me.  ;)


Edited by Dropcheck, Wed Feb 1, 2017 5:08 PM.


#7 _The Doctor__ OFFLINE  

_The Doctor__

    Stargunner

  • 1,837 posts
  • Location:10-0-11-00:02

Posted Wed Feb 1, 2017 7:08 PM

Glad you have your sense of humor back!



#8 Timothy Kline OFFLINE  

Timothy Kline

    Moonsweeper

  • 294 posts
  • Location:Perry, Michigan USA

Posted Wed Feb 1, 2017 7:14 PM

 

:)  No...... I committed the unpardonable sin of trying to add additional features to the domain.  In the process I decided to clean up odds and ends from previous failed efforts. 

 

     Who needs that orphaned database?  Zap!  Who needs that other orphaned database?  Zap!  Oh.... what's this.... an uninstall script to totally remove that failed wordpress install?  Okay..... now we're cooking.  Why am I still seeing both versions?  It should have updated by now.  Maybe I didn't press hard enough on the mouse button.  There...... now.   What?????  WTF????!!!!! :skull:  :mad:

 

There's a certain sick comfort in my seeing that I am not the only one to do this same thing, except in my case I've done it twice in my life: one with one of my own sites, and the other time when I inadvertently took out one of my client's online stores. That last one was a doozy, because I found out that the daily backup I thought had been going on didn't exist because I never set it back up when I switched from a virtual host over to my own dedicated hosting server. That was the worst 72 hours of my 20+ years as a webmaster and hosting provider as I had to rebuild their store almost from scratch. Ugh!

 

Not to suggest your sudden panic level as you realized what happened didn't nearly lead to your head exploding, too.

 

Happy to hear you got yourself back up and going again, Dropcheck! Site management is not for the weak-of-heart. :-o

 

--Tim



#9 Stephen OFFLINE  

Stephen

    Quadrunner

  • 5,980 posts
  • A8 Gear Head
  • Location:Akron, Ohio

Posted Wed Feb 1, 2017 7:30 PM

Wow Tim - that's the worst.  Nothing teaches you a good backup strategy like your first real unrecoverable data loss.



#10 David_P OFFLINE  

David_P

    Dragonstomper

  • 751 posts
  • Location:Canada

Posted Wed Feb 1, 2017 10:39 PM

You mean like when your main system's main drive, with all those photos you were planning to back up sometime soon stops and refuses to start in any machine?

 

...hence why I now have everything on the computer automatically backed up to the NAS as well, which is automatically backed up to the cloud...



#11 1050 OFFLINE  

1050

    Dragonstomper

  • 715 posts

Posted Wed Feb 8, 2017 9:23 PM

Can't check out.
Says there is a problem with PayPal account.
Then can't select to pay by credit card either.

Hope three gets it because I'm all in at that
point.

#12 _The Doctor__ OFFLINE  

_The Doctor__

    Stargunner

  • 1,837 posts
  • Location:10-0-11-00:02

Posted Thu Mar 16, 2017 2:36 AM

Firefox update breaks the site for me again.... can't see the product price boxes floating... and of course certificate expired warnings and refusals..... they are keeping us so safe we can't do anything! way to go Mozilla!

 

Firefox locks the site out completely if you click on anything.... my lord we gotta blow the browsers up!


Edited by _The Doctor__, Thu Mar 16, 2017 2:54 AM.


#13 Mclaneinc OFFLINE  

Mclaneinc

    River Patroller

  • 4,571 posts
  • Location:Northolt, UK

Posted Thu Mar 16, 2017 4:03 AM

Yup, borked here too for same reasons....IE says

 

   

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.   We recommend that you close this webpage and do not continue to this website.

 

 

---------------------------------------------

 

I'd remove the buying section for the moment as seeing that as a would-be customer might scare the bejesus out of you and give the impression it's a scammer's site..

 

Regulars will of course know it's a problem with the site and you are a great guy and no scammer but it's not complimentary when IE says that :)

 

Best of luck

 

Paul..


Edited by Mclaneinc, Thu Mar 16, 2017 4:06 AM.


#14 Madi OFFLINE  

Madi

    Moonsweeper

  • 301 posts

Posted Thu Mar 16, 2017 8:01 AM

Yup, borked here too for same reasons....IE says

 

   

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.   We recommend that you close this webpage and do not continue to this website.

 

 

Best of luck

 

Paul..

 

bitsofthepast.png

 

madi



#15 Dropcheck ONLINE  

Dropcheck

    Dragonstomper

  • Topic Starter
  • 970 posts
  • Location:Stigler, OK

Posted Thu Mar 16, 2017 8:02 AM

Yup, borked here too for same reasons....IE says

 

   

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.   We recommend that you close this webpage and do not continue to this website.

 

 

---------------------------------------------

 

I'd remove the buying section for the moment as seeing that as a would-be customer might scare the bejesus out of you and give the impression it's a scammer's site..

 

Regulars will of course know it's a problem with the site and you are a great guy and no scammer but it's not complimentary when IE says that :)

 

Best of luck

 

Paul..

 

Some information on the concern and my thoughts...... Such as they are.  :)

 

The SSL certificate issue is becoming more and more a scam perpetrated by forces wanting to monetize the world wild web.   I know this sounds like one of those conspiracy fire-breathing screamers.  But there is no protection that the 'certificate' offers a visitor against fraud or deception.  That is up to the website owner's own integrity.  The CA authority is not going to get involved in squabbles between customer and seller, nor are they going to manually investigate the veracity of the website.  The level of  'certificate' that turns your address bar green and gives you a locked graphic is simply an automated WHOIS lookup with encryption in transition.    It does nothing for the security at the beginning point or ending point of the communication session.  :(

 

The CA authority that had been providing me with a free year long SSL DV level certification was informed by Google and Firefox that their browsers would no longer accept their SSL certificates in October, with an effective date of Jan this year.  When I did a search for other CA authorities that offered free SSL DV certificates, I ran across numerous indications that those browser providers were pressuring and rejecting other CA authorities free SSL certificates or demanding changes in their offering which effectively kill the free part of the equation.  Right now the longest I can get a free SSL certificate is 90 days.  Hardly worth it.  :thumbsdown:

 

 Now if I am willing to pay $80+ per year for an SSL DV level certificate I can lease one for a year.  But again that provides nothing but an automated WHOIS lookup with encryption during the session.  If I was really processing payment information, then the need for secure communication is justified.  But I am not.  

 

 Some hosting sites do provide a free SSL DV certificate as part of the hosting plan, but that requires moving to their servers and taking a chance on their service level.  And for how long?  When I first started with GoDaddy, six/seven years ago they offered free SSL DV level certificates as part of the hosting plan.  They stopped doing that a little over a year ago, deciding to charge now for what had been included in their web commerce hosting plans.  :(

 

If I was really doing something nefarious on my site, I could understand the caution.  But the warning is a broad brush with no attempt to really check if the website is even valid, much less actually check for wrong doing.   The certificate I have is for bitsofthepast.com.  My hosting provider can list the site as that or www.bitsofthepast.com.  They are the same, but not as far as the browsers are concerned.  The browsers are not smart enough to know there is no difference and they yell like the kid yelling fire in the theater when there is not even an ember, much less any smoke.  :?

 

It is fear mongering, to try and force hapless small website owners into shelling out tens and hundreds of dollars to 3rd parties to project a security that doesn't really exist or in most small ecommerce sites is needed.  Most small ecommerce website owners like me don't do their own payment processing.  Once we have the billing and shipping address to verify with the payment processor and figure the order cost with shipping we throw that info to a 3rd party payment processor, like Paypal to finalize the actual payment.   That's where the real encryption security is and should be. 

 

If you in fact cannot create an exception in your browser for websites you know to be benign, then that is a red flag for the browser.  It's in control of your browsing, not you.   ;) 

 

As far as the price box issue, I fear that is a problem with the age of the software plugin that allows that on the website.  It's creaking along at four years old now.  Old age for the internet.  I am working on updating the site.  I just don't want to drop a grenade into the works and lose my database.  I could just turn off the plugin though.  :)



#16 Madi OFFLINE  

Madi

    Moonsweeper

  • 301 posts

Posted Thu Mar 16, 2017 8:14 AM

Still, for a normal user, such a security certificate warning (on an empty page with red triangle Alert) will most likely discourage him from entering the site.

This may directly/indirectly affect sales.

 

madi



#17 Dropcheck ONLINE  

Dropcheck

    Dragonstomper

  • Topic Starter
  • 970 posts
  • Location:Stigler, OK

Posted Thu Mar 16, 2017 8:18 AM

Still, for a normal user, such a security certificate warning (on an empty page with red triangle Alert) will most likely discourage him from entering the site.

This may directly/indirectly affect sales.

 

madi

 

That is the hammer the browser is using.  To force compliance to an arbitrary demand.  :(

 

I'm not saying it's not effective.  :)



#18 Mclaneinc OFFLINE  

Mclaneinc

    River Patroller

  • 4,571 posts
  • Location:Northolt, UK

Posted Thu Mar 16, 2017 9:19 AM

Hi Dropcheck,

 

Re the whole web commerce thing, indeed, the con is on as they say, it's a license to print money and making low turnover sites struggle to stay on a level playing field, I myself don't do any of this stuff but I'm pretty sure the merits of having said certificate are pretty much superficial in the way of things and just gloss of an illusion of credibility but all I'm saying is that would-be new buyers and we want those in spades, seeing suggestions of scams on MS's cash cow system browser will put off people. Oddly I was at the bank today and they were doing a huge Fraud Awareness scheme and customers were being lectured in 'how to be safe' so I asked who they were hoping to target with this advice and was told, the young and new to online purchases etc and I happily told the lady that they were missing the real issue, the main target being the elderly being forced into online banking etc who have almost ZERO clue about any of it let alone, firewalls, anti virus, phishing scams etc etc, they get picked off in all types of fraud daily and the banks let them down.

 

The point being that the banks who rake it in roll out the same sort of 'peace of mind' BS a bit like the certificates in question and yet neither actually safeguards anyone truthfully...

 

 

 

Paul.


Edited by Mclaneinc, Thu Mar 16, 2017 9:22 AM.


#19 _The Doctor__ OFFLINE  

_The Doctor__

    Stargunner

  • 1,837 posts
  • Location:10-0-11-00:02

Posted Thu Mar 16, 2017 1:43 PM

damn it I am getting told by longtime friends that their private self certificates are being rejected now as wtf the web locked down?

 

why can't we just run encryption without the damn certificate intermediary?

 

 

Is it possible to set up your own SSL server and have OCSP check your own server?  not someone else's? and then your own CA...... I remember vaguely that OpenSSL did such a thing

 

https://www.openca.org/

 

https://www.openssl.org/

 

between these two things you may finally lick these problems...


Edited by _The Doctor__, Thu Mar 16, 2017 2:24 PM.


#20 _The Doctor__ OFFLINE  

_The Doctor__

    Stargunner

  • 1,837 posts
  • Location:10-0-11-00:02

Posted Thu Mar 16, 2017 2:35 PM

http://www.ibm.com/d...rity/index.html

 

is  an old explanation of what was needed years ago to satisfy a project not sure it still holds true but you can get some ideas at least...  to help get an idea when looking at the current crop of crap...



#21 kheller2 OFFLINE  

kheller2

    Dragonstomper

  • 847 posts
  • Location:PA, USA

Posted Thu Mar 16, 2017 4:46 PM

The CN on the certificate is for bitsofthepast.com, not www.bitsofthepast.com.  To have both, you typically need a SAN cert that lists out all the Subject Alternative Names (like www).

A sad way to quickly fix this is to not redirect your Top Level Domain to www.  Or, redirect www to your TLD.  Or just procure the cert with the right CN to begin with.

  

And yes, certs just "verify" that who you are connecting to is who they say they are.  Little green URL bars, and other fancy icons are typically granted/generated based upon one's ability to pass certain security measures related only to the SSL connection itself... do you get an A+ from Qualys/SSL Labs, for example because you aren't using SSLv3, TLS1.0 with a BEAST exploit, SHA1, blah blah.

 

Btw, you pass just fine on the CVE lists:

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), timed out
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507),             Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK) (tested with 6/9 ciphers)
 DROWN (2016-0800, CVE-2016-0703)          not vulnerable on this port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ip...5F852C8BBE829B8could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK) (tested w/ 2/4 ciphers only!), common primes not checked. See below for any DH ciphers + bit size
 BEAST (CVE-2011-3389)                     TLS1: DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
                                                 AES128-SHA DHE-RSA-AES128-SHA AES256-SHA
                                                 DHE-RSA-AES256-SHA CAMELLIA128-SHA DHE-RSA-CAMELLIA128-SHA
                                                 CAMELLIA256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA
                                                 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
 
And yes, there is a push to remove the "free" providers as it were, be it because of a security concern or what not. Some folks might be upset if a trusted free SSL provider granted me a cert for www.atariage.com.  So there are some concerns at the moment in some circles about who to trust for validation of said certs.
 
But I digress.
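
The name mismatch described in the post above, worked through as an added example that is not part of the original thread: a hostname-coverage check following the RFC 6125 matching rules, showing why a certificate naming only bitsofthepast.com is rejected for www.bitsofthepast.com. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
"""Added example: which hostnames does a certificate actually cover?"""

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # "example.com" never covers "www.example.com", and a wildcard
        # never spans more than one label or matches the bare domain.
        return False
    if p[0] == "*":
        # Wildcard is honoured only as the whole left-most label,
        # and never directly under a top-level domain ("*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_names(cert: dict, allow_cn_fallback: bool = True) -> list:
    """DNS names a client will consider. SAN entries take precedence;
    the subject CN is only a legacy fallback when no SAN is present."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans or not allow_cn_fallback:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def covers(cert: dict, host: str, allow_cn_fallback: bool = True) -> bool:
    return any(name_matches(n, host)
               for n in cert_names(cert, allow_cn_fallback))

def coverage_report(cert: dict, served_hosts, allow_cn_fallback=True) -> dict:
    """Map every hostname the site answers on to True/False."""
    return {h: covers(cert, h, allow_cn_fallback) for h in served_hosts}

# --- constructed sample certificates (not real certificate data) ---
SUBJECT = ((("commonName", "bitsofthepast.com"),),)
CN_ONLY = {"subject": SUBJECT}                      # the situation in the thread
SAN_BOTH = {"subject": SUBJECT,
            "subjectAltName": (("DNS", "bitsofthepast.com"),
                               ("DNS", "www.bitsofthepast.com"))}
WILDCARD = {"subject": SUBJECT,
            "subjectAltName": (("DNS", "*.bitsofthepast.com"),)}

HOSTS = ["bitsofthepast.com", "www.bitsofthepast.com"]

if __name__ == "__main__":
    for label, cert in [("CN only", CN_ONLY), ("SAN with both", SAN_BOTH),
                        ("wildcard SAN only", WILDCARD)]:
        print(label)
        for host, ok in coverage_report(cert, HOSTS).items():
            print(f"  {host:<24} {'covered' if ok else 'NAME MISMATCH'}")
```

Passing `allow_cn_fallback=False` models clients that ignore the subject CN entirely and match on SAN entries only, in which case the CN-only certificate covers neither name.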


#22 gozar ONLINE  

gozar

    Dragonstomper

  • 713 posts

Posted Thu Mar 16, 2017 6:19 PM

 

The CA authority that had been providing me with a free year long SSL DV level certification was informed by Google and Firefox that their browsers would no longer accept their SSL certificates in October, with an effective date of Jan this year.  When I did a search for other CA authorities that offered free SSL DV certificates, I ran across numerous indications that those browser providers were pressuring and rejecting other CA authorities free SSL certificates or demanding changes in their offering which effectively kill the free part of the equation.  Right now the longest I can get a free SSL certificate is 90 days.  Hardly worth it.  :thumbsdown:

 

StartSSL was banned for good reason. They were back dating certificates and issuing certificates for companies they shouldn't have been.

 

For free, there are two options:

 

1) Cloudflare - You put Cloudflare in front of your website, and they offer SSL and IPv6. Problem is that traffic from Cloudflare to your site is unencrypted, but all traffic from Cloudflare to visitors is. For your website, this would probably be fine. Paypal's SSL takes over when the real information gets transferred.

 

2) Let's Encrypt - Sounds like you've looked at this. The 90 day expiration isn't a big deal since Let's Encrypt is designed to automatically update the certificates for you. That works if you have shell access and can run a cron job.



#23 gozar ONLINE  

gozar

    Dragonstomper

  • 713 posts

Posted Thu Mar 16, 2017 6:44 PM

And this conversation was what I needed to add ssl to my Atari Blog: https://gtia.com.



#24 _The Doctor__ OFFLINE  

_The Doctor__

    Stargunner

  • 1,837 posts
  • Location:10-0-11-00:02

Posted Mon Mar 20, 2017 3:58 PM

Don't forget aliexpress has lots of parts way cheaper than epay! er eslay er em paybay er scambay er em uh yeah you know what it is....





