Securing the Web

Adding SSL/HTTPS support to Apache.

You may have noticed (or not) that this blog has recently acquired a little padlock icon to indicate that it is “secure”.  You can now access the blog using “https://”; in fact, using “http://” (without the ‘s’) just redirects to the secure page anyway.

Marketing Purpose

This change has been on the task list for a very long time, but it finally became really important when, last July, Google changed Chrome to display “Not secure” next to any web site that did not have a certificate.  Given that Chrome now represents about 60% of browser usage across all platforms, that is not an audience we would ignore.

Fortunately, at the moment, the little indicator in Chrome, and other small reminders in various browsers, are not too damaging, but this is likely just the beginning of more and more dire warnings.  Realistically, there is essentially nothing passed from this blog outside of Digital Gamecraft itself that needs to be encrypted, per se, but readers do not necessarily know that, and they should not be asked to know that, either.

From a marketing standpoint, anything that causes a “customer” (in this case, reader) to have to make a decision (e.g., “Is this site safe?”) reduces the likelihood that individual will continue, which means that it reduces the audience.  Not desirable.

Technical Purpose

In the past (i.e., when this task was first added to the web improvements list), adding support for secure, encrypted communication via SSL/TLS/HTTPS was a complicated and confusing process.  Frankly, this is why it never quite bubbled up to the top of the list and, thus, never got implemented until recently.

Without getting too technical (because I could not, even if I wanted to), SSL stands for Secure Sockets Layer, which is a protocol for encrypting communications, and TLS stands for Transport Layer Security, which is a newer version of the same thing.  TLS actually supersedes SSL, but the latter is still used generally to represent both SSL and TLS.  HTTPS is the protocol used to do the actual communication.

The idea is that everything transmitted over the internet (such as this blog post), if not encrypted (i.e., using HTTP), is readable at every server and router along the way.  Encrypting the data makes this (nearly) impossible, so TLS (or SSL) is used, and HTTPS tells the receiving computer that the message needs to be decrypted.  The process of encrypting and decrypting data relies on certificates that need to be obtained from a certificate authority (CA), which is where things were most complicated.

In the “old days” (just a few years ago), you would have to contact a CA to get a certificate, and this process often required providing lots of information to prove who you were before (always) paying an annual fee for a certificate.  There are different types of certificates with various levels of verification and you can still spend upwards of $500/year on a certificate, or even $150/year or so for certificates no better than certificates you can get for free.

Implementation

You read me correctly: FREE.  Over the past few years, the cost of low-end certificates (enough to be considered “secure”) has dropped to the point of now being free and automated.  In particular, Let’s Encrypt is a certificate authority “run for the public’s benefit” that provides free certificates.

Additionally, the automation provided by Let’s Encrypt and EFF’s Certbot makes this fairly simple to do.  After the fact, knowing how easy this was, I am somewhat embarrassed that I did not do it sooner.  So, here is how I did it…

I started at the Let’s Encrypt site, read a little bit, and then was directed to the Certbot site, which (on the main page) just asks for your web server and system type.  Caveat: We run our own servers here, so I have full shell access to the system; I do not know how much more difficult it may be trying to do this through a web interface.

Because we are using Apache running on Ubuntu (Xenial) to serve this site, I ended up on this Certbot page.  First, I updated my system, just to start with the latest components, and then I just followed the (5) steps in the Install section.  If you have ever installed Linux software from a command line, the process should seem quite familiar.

Next, I typed in the first command under Get Started:

sudo certbot --apache

I answered the few questions (asked only once) about, as I recall, contact information and whether I wanted to be added to the EFF mailing list (emphatically not).  The meat of the program produces a list of domains served by the Apache installation and allows you to select which ones you want to serve as HTTPS.  After that, it asks whether you want to redirect all HTTP traffic to HTTPS (recommended), which seems to be working flawlessly.

In our case, we have quite a few domain and host names all serving one of a relatively small number of sites.  I initially did just one site (https://sophsoft.com), which worked a charm, but I ended up recreating that certificate and including all of the other host names that serve up the same pages (e.g., www.sophsoft.com and sophsoft.info).  I then repeated the process separately for each discrete site.  Voila!  Done.

Actually, the installation process, when finished, gives you a link to the SSL Labs testing page so you can verify the security of your page.  All of our pages were given Overall Rating: A.

As noted in the Automating renewal section, the certificates are only good for 90 days (gift horse and all that), but it looks like there is a cron job that can be installed to automatically renew.  I admit that, until I started writing this paragraph, I thought that it had been installed already, but it looks like I will need to do that myself.

Final Adjustments

We did still have one or two pages (OK, the whole blog 🙁 ) that initially served up encrypted pages but still showed a broken padlock, indicating lack of security.  This can be caused by residual HTTP references in a page, which result in only portions of a page being secure.  Often, image links are still insecure, so they need to be fixed.

In our case, the blog needed the canonical address to be updated to HTTPS in the settings, the custom theme had a reference to an image file accessed insecurely, and many of my actual blog posts made explicit HTTP image references.  It really only took a few minutes to find and fix the issues, but there was a little sleuthing involved.
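
One way to do the sleuthing described above (an added example, not code from the original post): parse a page and list every http:// reference the browser would fetch as a subresource, which is what breaks the padlock, while ignoring ordinary links and metadata such as the canonical tag. The sample page and the hosts blog.example and other.example are constructed.

```python
import re
from html.parser import HTMLParser
# Attributes whose value the browser fetches as a subresource; an http:// value
# there is mixed content on an HTTPS page. <a href> is navigation, so omitted.
FETCHING = {"img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
            "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",)}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that fetch
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    """Collect (line, tag, url) for every insecure subresource reference."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        self._in_style = tag == "style"
        names = FETCHING.get(tag, ())
        if tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split()):
            names = ("href",)
        for name in names:
            value = attrs.get(name, "")
            # srcset is a comma-separated list of "URL descriptor" candidates
            for cand in (value.split(",") if name == "srcset" else [value]):
                url = cand.strip().partition(" ")[0]
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, url))

    def handle_endtag(self, tag):
        self._in_style = False  # no other end tag can occur inside <style>

    def handle_data(self, data):
        if self._in_style:  # CSS inside a <style> block
            for url in CSS_URL.findall(data):
                self.findings.append((self.getpos()[0], "style", url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; blog.example and other.example are placeholder hosts.
SAMPLE = """<link rel="canonical" href="http://blog.example/post">
<link rel="stylesheet" href="http://blog.example/theme.css">
<style>body { background: url(http://blog.example/bg.png) }</style>
<a href="http://other.example/">link</a> <img src="https://blog.example/ok.png">
<img src="http://blog.example/shot.png" />"""
```

Calling find_mixed_content(SAMPLE) reports the stylesheet, the CSS background image and the last image, each with its line number; the canonical tag, the outbound link and the HTTPS image are not reported.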

Conclusion

Sooner or later, and I imagine sooner, web pages that are served up without encryption will be the outliers and will have an increasingly diminished reputation.  I would be quite surprised if Google’s search ranking algorithms did not already favor HTTPS pages.  Given that the cost has now dropped to nothing and automation makes the process pretty easy, it seems like an obvious improvement for any business that values its web presence.

SophSoft.com Relaunch

Our game development consulting site is back online.

Earlier this week, we relaunched our SophSoft web site, which lists some of our quality game development services and professional game contracting experience.

The site is sophsoft.com.

Historically, this site has been the main web site for SophSoft, Incorporated, our parent company.  We have had and used the domain name since November 14, 1995, and the official corporate name was, in fact, taken from the domain name.

The site has been down for a while, though.  Honestly, we found ourselves in a bit of a weird and unfortunate situation.  When our business partner and artist, Rick Tumanis, died back in 2011, it was a huge loss.  Not only did we need to regroup from the sadness, but we also no longer had our Art Director to draw upon.  This meant both that the services we offered would need to change and that the person in charge of web design and appearance was, shall we say, unavailable.

After more than two and a half years, with the site having been pulled when we replaced a web server quite a while ago, I finally made the move and built the new (albeit small) site and published it for those who have been looking for our game development services.  I kept a few items from Rick on there, but realigned the focus.  At some point, I will add pages specific to our various contracting projects, but for now, the site is back.

If you need game development assistance, either with technical programming challenges or with higher level management and design, or want to have an entire game created by a professional team with decades of experience, be sure to check out SophSoft.

“Nothing Short of a Masterpiece.”

2014: Full Speed Ahead

The new year has gotten off to a snow start, though.

For us here at SophSoft, Incorporated and Digital Gamecraft, 2014 is starting a little bit later than originally scheduled.  We took our usual couple of weeks off at the turn of the year, but the weather decided to insert itself into our plans.  On the first full day of our break, we were hit by a serious ice storm, and although we were very lucky to be mostly unaffected by the power outages, our immediate neighbors were without electricity until New Year’s Eve.  Fortunately, they were back online just in time to watch the Michigan State University Spartans win the Rose Bowl!

On the first day “back” from the break, we received more than 18 inches of snow, which essentially shut down all of East Lansing and surrounding communities for a couple of days.  Although we could still get development work done, the first priority was digging out, and that took many hours of physical effort, so it was not easy to just jump right back onto the project schedule.  On top of that, we received several pieces of personal news, both bad and good, so it was an emotional week, too.   (Personally, I managed to get sick in the midst of all of this, from which illness I am still recovering.)

Nevertheless, despite the slow ramp up, we are now approaching full speed ahead with game development in 2014.  We added some newer development systems to assist with our desktop and mobile development, so now we have a state-of-the-art environment for creating games for Windows (up to 8.1), Mac OS X (through Mavericks), Linux (Ubuntu), iOS, Android, Windows Phone, HTML 5, Silverlight, Flash, Xbox 360, OUYA, and more.  If anybody needs to contract some programming talent, you can contact me here.

The 2014 Winter Olympic Games in Sochi (Russia) are just three weeks away, and we expect to have unprecedented coverage, both through our @DGOlympics twitter feed, where we will again provide results for all events (as we did for the London Summer Olympics in 2012), as well as through a new (broader) game site that we plan to announce shortly.  If you have any interest in the Olympic Games, please follow us at @DGOlympics and spread the word.

On the Solitaire front, our top priority is finishing the substantial rebuild of Pretty Good Solitaire Mac Edition and the other Goodsol Solitaire Engine games.  While we have, unquestionably, the best technical platform (and the most games) for the Mac, we are revisiting the interface to make it even more fun to play.  Of course, we are also planning to add many more new games in our relentless march toward 1000. 🙂

We have a new iOS upgrade for Demolish! Pairs (and later, Demolish! Pairs FTP) in the works.  We are adding (at least) one new play mode, by popular request, and several other new features.  (The exact list of features will be determined based on scheduling considerations.)  Of course, you can buy Demolish! Pairs on the App Store now and get the upgrade for free when it is released.

There are currently three more major projects in design and development, but I will announce each of those here at an appropriate (later 🙂 ) time.  Additionally, there are always a number of maintenance projects which, at this point, include changes to our iOS games mandated by Apple to be “optimized for iOS 7”, modifications to most of our Windows games to properly handle touch interface changes made in Windows 8.1, and of course, everything can use a fresh coat of virtual paint for 2014.

Rather than spend any more time typing about this, I should get back to actual development work, as 2014 is looking to be our most exciting year yet!

Acknowledgements: 3 Great Tools

Here are some invaluable tools we used for DemolishPairs.com.

With the release of Demolish! Pairs and a number of other projects in the works, it has been a busy time here at Digital Gamecraft.  We finally got around to finishing the DemolishPairs.com web site (for now :)).  Now, I want to acknowledge three of the tools that proved particularly important to that task.

The first tool, and one of the most important in my arsenal, is Beyond Compare by Scooter Software.  I have mentioned before (and will probably continue to do so) that this is a product that I use almost daily and it is extraordinarily useful.  It performs both excellent file comparisons/“diffs”, showing (in this case) what changes we have made in HTML or code, and fantastic synchronization of files, so we can tell at a glance which files are updated and then copy changes to the servers (usually after verifying the diffs).  After using this tool, Dreamweaver is lacking and Expression Web is downright painful, so we exit either tool to publish with Beyond Compare instead.

The next tool is 3D Box Shot Pro, by Jellypie Software, which does a lot more than merely box shots.  For our iOS app, it generated wonderful 3D images of the screenshots on iPad and iPhone devices, which you can (finally) see on the Demolish! Pairs web page; they really make the page look much better.  I especially want to thank Andrew Gibson for actually generating these images (and more) and opening my eyes to the benefits of this software.  Here is more information and a short video showing how to make a 3D iPhone (or iPad) model with 3D Box Shot Pro.

The final tool is CSE HTML Validator by AI Internet Solutions.  This software validates your web site by checking your HTML (and CSS, etc.) files for issues that either will or could cause problems, and helps to make your site better all-around.  (It is like PC-lint for web sites: essential.)  Having used all of the validations in Expression Web successfully, I foolishly assumed that everything was fine with the site, but Dexter Bell (developer of FileBoss) pointed out that I had made a fundamental error with my HTML/CSS.  The tools from Adobe and Microsoft let it slide, but HTML Validator flagged it right away.  You can get an idea how thorough the product is with an online validation (but if you check mine, you may see that the iTunes link Apple provided me is invalid 🙁 ).

If you are developing a web site, I strongly encourage you to check out all three of these tools to help make your job easier, better looking, and more robust.

DemolishPairs.com

The spiders already have it, so it is announced.

Today, we unofficially launch our brand new web site, DemolishPairs.com, in support of our upcoming release, Demolish! Pairs.

Demolish! Pairs is an arcade/puzzle game, initially for iPad, iPhone, and iPod touch, where players remove pairs of bricks (or other blocks) and attempt to entirely clear the grid for each level.  Players compete in either Arcade Mode or Zen Mode, depending whether they want a challenge against the clock or a more relaxing experience.

So just how new is the web site?  It is so new…  Only a couple of pages were published when Google stopped by and added it to their database (#1 for “Demolish Pairs”), caching the main page in the process.  Because of that unexpectedly accelerated schedule, the number of pages that are actually ready will depend on how quickly you visit the site. 🙂

Demolish! Pairs on the original iPhone [8 x 5, 4 colors, ‘Brick’ block set, ‘Darkness’ background, toolbar hidden]

What I can say with some confidence is that there will be a call for beta testers within a few days.  In the meantime, if you have any comments about or suggestions for DemolishPairs.com, they will be greatly received at webmaster@digitalgamecraft.com.