Author Topic: Requesting HTTPS for the forum  (Read 479 times)


Offline Beanow

Requesting HTTPS for the forum
« on: April 06, 2017, 02:08:11 PM »
I'm new to the forum (hi!) and noticed during sign up that HTTPS is not enabled nor enforced.
In my humble opinion it would be good to get at least a free TLS certificate and run the whole forum on HTTPS.

With the member count getting closer to 20k, there are bound to be users that re-use their password here, which poses a big risk not just to their forum account but anywhere they use this password or variations thereof.

If you want to get fancy, HTTP/2.0 might make using HTTPS faster actually.
See https://www.httpvshttps.com/

Offline shawnb

Re: Requesting HTTPS for the forum
« Reply #1 on: April 06, 2017, 02:45:20 PM »
Yes, this is something on the radar. 

Note that we run SimpleMachines Forum (SMF, simplemachines.org), and at the moment, there is a hiccup for embedded pictures that may not be https.  And our site is full of links to http: images...  The version of SMF that fully supports https (including properly handling non-https links) is coming soon:
http://www.simplemachines.org/community/index.php?topic=550197.msg3916017#msg3916017

I must admit I am learning as I go here.  It appears the free certs all have some sort of limitation (like requiring renewal monthly).  I am aware that some folks have automated workarounds to these.  I am not familiar with these techniques yet.  And, oh yeah, I've never done an SSL cutover before...  I have a bit more of a learning curve ahead of me. 

But we will get there. 

No ETA at this time, I have other maintenance/cleanup I have been getting to first, piece by piece... 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline Beanow

Re: Requesting HTTPS for the forum
« Reply #2 on: April 06, 2017, 03:16:03 PM »
Thanks for looking into it shawnb.

The automatic monthly renewal is actually a security improvement from the folks at https://letsencrypt.org/ and other providers following their lead. The idea being that faster renewal means they are more difficult to compromise. But it requires some work to get the moving parts set up.

I would definitely recommend using this, but should you want to go for a long term manual approach there are providers for that such as https://www.startssl.com/.
In case of manually renewed certificates though, be sure to mark your calendar well before the expiry date. You won't have a good time if the expiration date sneaks up on you.

For the non-HTTPS images and links, this is still less of a threat than the login form in plain text. And perhaps to some extent you may be able to work around this issue with HSTS and redirect rules.

Since you are new to it and certificates start at $0 now, you could do some testing with a backup on a different domain and get a separate certificate for that.
Then work through:
  • Optional HTTPS
  • SMF config / redirect rules enforced HTTPS
  • HSTS + SMF config / redirect rules enforced HTTPS

The HSTS step being only when you're pretty comfortable with HTTPS working well. Because this is designed to be cached and enforced by the browser for very long terms (1 year for example).
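The three stages listed above can be checked mechanically before moving on to the next one. What follows is an added example, not code from this thread or from SMF: it classifies a captured plain-http response and a captured https response of the same page into those stages and lists the mistakes worth fixing before ramping max-age. The host name forum.example and the sample responses are constructed; nothing is fetched from the network.

```python
"""Classify which stage of an http -> https rollout a forum has reached.

Added example, not code from the thread or from SMF. It inspects captured
HTTP responses (status line plus headers) rather than making live requests,
so it runs offline; the sample captures at the bottom are constructed.
"""
import re

STAGE_OPTIONAL = "optional HTTPS"           # http:// still serves the site
STAGE_ENFORCED = "redirect-enforced HTTPS"  # http:// redirects to https://
STAGE_HSTS = "HSTS + enforced HTTPS"        # and a usable HSTS header

ONE_YEAR = 31536000  # the max-age the thread mentions as a typical final value


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercase-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Returns None when max-age is missing or not a non-negative integer; a
    browser treats such a header as unusable (RFC 6797 section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    directives["max-age"] = int(max_age)
    return directives


def _redirects_to_https(status, headers):
    location = headers.get("location", "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


def rollout_stage(http_response, https_response, min_max_age=ONE_YEAR):
    """Decide the stage from one plain-http and one https capture of the same page.

    HSTS is only read from the https capture: browsers ignore the header when
    it arrives over plain http (RFC 6797 section 8.1). max-age must reach
    min_max_age to count as the final stage, since that is what browsers cache.
    """
    h_status, h_headers = parse_response(http_response)
    _, s_headers = parse_response(https_response)
    if not _redirects_to_https(h_status, h_headers):
        return STAGE_OPTIONAL
    hsts = parse_hsts(s_headers.get("strict-transport-security", ""))
    if hsts and hsts["max-age"] >= min_max_age:
        return STAGE_HSTS
    return STAGE_ENFORCED


def rollout_issues(http_response, https_response, min_max_age=ONE_YEAR):
    """List the mistakes worth fixing before ramping max-age (empty means clean)."""
    issues = []
    h_status, h_headers = parse_response(http_response)
    _, s_headers = parse_response(https_response)
    if "strict-transport-security" in h_headers:
        issues.append("HSTS header sent over plain http: browsers ignore it there")
    if h_status in (301, 302, 307, 308) and not _redirects_to_https(h_status, h_headers):
        issues.append("http redirect does not point at an https:// URL")
    raw = s_headers.get("strict-transport-security")
    if raw is not None:
        hsts = parse_hsts(raw)
        if hsts is None:
            issues.append("HSTS header has no valid max-age and will be ignored")
        elif hsts["max-age"] < min_max_age:
            issues.append("HSTS max-age below %d: fine for testing, raise it "
                          "only once HTTPS is known to work" % min_max_age)
    return issues


# Constructed sample captures (forum.example is a placeholder, not a real host).
HTTP_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
HTTP_REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://forum.example/index.php\r\n\r\n")
HTTP_REDIRECT_WITH_HSTS = ("HTTP/1.1 301 Moved Permanently\r\n"
                           "Location: https://forum.example/index.php\r\n"
                           "Strict-Transport-Security: max-age=31536000\r\n\r\n")
HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
HTTPS_SHORT_HSTS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"
HTTPS_HSTS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
```

Two details in there are the ones that bite during a cutover: an HSTS header on the plain-http side is silently ignored by browsers, so it has to be sent from the https side, and a short max-age (minutes) is the right setting while testing because a bad https deployment with a one-year max-age locks visitors out until it is fixed.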

Offline philjynx

Re: Requesting HTTPS for the forum
« Reply #3 on: May 26, 2017, 01:22:42 PM »
I don't know what the implications are for the links to non https that you mention, so with that in mind, I just got a certificate for my site for about 11 GBP ($14.97 USD) for three years. It was pretty painless. In case that is of interest it's a Comodo Cert acquired through a third party https://cheapsslsecurity.co.uk/ (hence the huge discount).
I am playing all the right notes. But not necessarily in the right order.

Offline philjynx

Re: Requesting HTTPS for the forum
« Reply #4 on: May 28, 2017, 10:03:22 AM »
Avoid StartSSL as you would the plague. I am a former customer of theirs. Never again.

See: https://ma.ttias.be/despite-revoked-cas-startcom-wosign-continue-sell-certificates/

https://serverfault.com/questions/829298/my-certificate-issued-by-startssl-is-not-accepted-by-my-clients

My particular issue was their crummy code signing certificates that have a time bomb built into them. The above links refer to site certificates (the topic of this thread).

Offline Beanow

Re: Requesting HTTPS for the forum
« Reply #5 on: June 29, 2017, 12:19:38 PM »
Ah I haven't used StartCom stuff after WoSign bought it. Good to know!

Offline shawnb

Re: Requesting HTTPS for the forum
« Reply #6 on: June 29, 2017, 02:01:49 PM »
I don't know what the implications are for the links to non https that you mention...

What happens when you mix http & https content depends on the browser.  At the very least, you get that 'some content is not secure' warning.  More often these days, links show up as broken.  Some browsers refuse to serve mixed content as a security feature. 

To address this, SMF is implementing an "image proxy" feature.  This temporarily downloads any http content locally to the temp directory, so it can serve it up as https content.  Thus end users will never see mixed content, so they don't get the warnings & broken links. 

VGuitarForums has a **lot** of links to external content, due to sharing reviews, product info, performances, etc.  We need that proxy. 

As noted before, I'm a noob at this, & I still need to address my own learning curve as well.  When time permits...

Offline philjynx

Re: Requesting HTTPS for the forum
« Reply #7 on: July 02, 2017, 09:33:01 AM »
Somehow I forgot to tell you this, I got my SSL cert for my site for £11.49 for a three-year certificate. Not a Mickey Mouse one, a worldwide recognised one. Namely Comodo.

Here is where I got mine, it was very, very quick too:
https://cheapsslsecurity.co.uk/comodo/positivessl.html

Hope that helps. By the way, do you have access to your server logs? I get endless entertainment looking at the attempts to hack my site. I suppose I ought to get a life instead... :)

Offline philjynx

Re: Requesting HTTPS for the forum
« Reply #8 on: July 02, 2017, 09:45:15 AM »

To address this, SMF is implementing an "image proxy" feature.  This temporarily downloads any http content locally to the temp directory, so it can serve it up as https content.  Thus end users will never see mixed content, so they don't get the warnings & broken links. 



Sorry to do a Columbo on you, but, there's just one more thing...

As images can contain malicious code, isn't there a possibility that by doing the above (if a dodgy pic came your way) you would be circumventing the purpose of https? Namely to assure users that the content they are viewing emanates from the site they believe they are connected to? And possibly taking legal responsibility for the consequences?

I don't know how ssl site certificates are governed but I do know that if I were to use my code signing certificate to sign someone else's executables, I'd run the risk of having my certificate revoked and blacklisted.

Anyhow, sorry to sound like a miserable git, just trying to help.

Offline shawnb

Re: Requesting HTTPS for the forum
« Reply #9 on: July 02, 2017, 01:51:02 PM »
Wow, there's a lot to unpack there...   As site internals are not the purpose of the VGF forum, most of these questions are best addressed at the SMF site itself.  Not here.  Link:
https://www.simplemachines.org/community/index.php

So folks here are aware...

Malignant links/images:  Security threat to the host (vguitarforums) is minimal.  Copying/uploading content locally was an issue in the past, where code snuck into uploaded files/images could be executed on the server (this was true for any upload).  Those holes were plugged years ago.  Very difficult to "execute" a photo on the server these days, it used to be easy...  Nonetheless, for added safety, SMF performs basic checks on proxied images for validity.

Certificates don't "sign someone else's executables".  They don't work that way.  They help ensure you are talking to the host you think you are talking to, & help with encryption between user & host.  OTOH, we could have a long debate about copyright infringement, but again, wrong forum.  And if this were an issue, all cross-site embedded images/content would be forbidden.  Everywhere.  Think about that.

As an FYI, I've had many roles in IT, including being director for a tech firm in SV, where among other responsibilities I ran the web team for several years (www.xilinx.com).  I do know more than a bit about this stuff.  Difference is I used to assign these tasks, not do them...  I'm sure my old team would chuckle how quaint some of this is...
« Last Edit: July 02, 2017, 02:45:05 PM by shawnb »
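The image proxy described in Reply #6 (download any http image to the server and re-serve it over https) and the "basic checks for validity" mentioned in Reply #9 are where a practitioner would want to see concrete controls. The following is an added example, not SMF's proxy code; the checks, the /proxy.php?hash=...&request=... link layout and the HMAC signing are an assumed design. It refuses non-http(s) schemes, refuses targets that resolve to loopback, private or link-local addresses (so a posted image tag cannot make the server fetch from its own network), accepts only bytes that start with a real image signature, and binds proxy links to a server secret so the proxy cannot be used as an open fetcher by outsiders. DNS resolution is injectable, and the host names and DNS table below are constructed so it runs offline.

```python
"""Safety checks for an https image proxy of the kind described in the thread.

Added example, not SMF's proxy code; the checks and the signed-URL layout are
an assumed design. DNS resolution is injectable so the example runs offline
against a constructed table.
"""
import hashlib
import hmac
import ipaddress
import socket
from urllib.parse import quote, urlsplit

# Magic bytes for the formats a forum actually needs; SVG is deliberately
# absent because it can carry script.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def system_resolver(host):
    """Resolve a hostname (or IP literal) to all its addresses via the OS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_proxy_target(url, resolver=system_resolver):
    """Return (ok, reason); ok only for an http(s) URL on a public address.

    Checking every resolved address, not the hostname string, is what defeats
    IPv6 literals, odd IP spellings and names that point at 127.0.0.1.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, OSError):
        return False, "unresolvable host"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, "resolves to non-public address " + addr
    return True, "ok"


def sniff_image_type(data):
    """Return the MIME type if the bytes start with a known image signature."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def sign_proxy_url(url, secret):
    """Build a proxy link bound to the server secret (assumed link layout)."""
    tag = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()
    return "/proxy.php?hash=%s&request=%s" % (tag, quote(url, safe=""))


def verify_proxy_request(tag, url, secret):
    """Accept only URLs the forum itself rewrote; constant-time compare."""
    expected = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


# Constructed DNS table for offline runs; none of these hosts are real.
FAKE_DNS = {
    "cdn.example.net": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "dual.example.net": ["93.184.216.34", "192.168.1.20"],  # one bad address is enough
}


def fake_resolver(host):
    """Stand-in for system_resolver: IP literals pass through, names use FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror("fake: no such host")
    return FAKE_DNS[host]
```

The order matters in practice: check the target, fetch with a size and time limit, sniff the bytes, and only then write to the cache directory and serve with the sniffed Content-Type. One caveat the address check does not cover is DNS rebinding (a name that resolves to a public address when checked and to a private one when fetched); the robust fix is to connect to the address that was checked rather than resolving the name a second time.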

Offline philjynx

Re: Requesting HTTPS for the forum
« Reply #10 on: July 02, 2017, 03:34:02 PM »
...
Certificates don't "sign someone else's executables".
...

I did make the distinction between ssl certificates and code signing certificates, well aware that they are two different things.

I'll shut up now!

Offline lurkalot

Re: Requesting HTTPS for the forum
« Reply #11 on: July 08, 2017, 12:37:08 PM »
Hi all. Just been having a good read about the https dilemma.  Doesn't your cPanel have Let’s Encrypt installed? It works and it's free on a lot of hosts nowadays.

I changed two of my sites last night to https, and other than a few insecure links in my portal blocks everything went pretty smoothly tbh.  Then I'm running SMF 2.0.14 and have the image proxy turned on.

Hope you get this sorted.  Off to have a read on the forums, guitars and gear, I just love it.  ;)

Offline shawnb

Re: Requesting HTTPS for the forum
« Reply #12 on: July 08, 2017, 02:53:40 PM »
I've been able to convert test sites to SSL.  Much easier than I thought.  That's not the holdup. 

I'd prefer to wait for 2.0.15, as there is a bug in the image proxy in 2.0.14.  No rush. 

Our host does not use LetsEncrypt.  And they charge to install any 3rd party cert...  So they get you either way...

Offline lurkalot

Re: Requesting HTTPS for the forum
« Reply #13 on: July 08, 2017, 04:20:11 PM »

I've been able to convert test sites to SSL.  Much easier than I thought.   That's not the holdup. 

I'd prefer to wait for 2.0.15, as there is a bug in the image proxy in 2.0.14.  No rush.


Actually, I saw your post over at simplemachines.org on this subject.  ;)

Agreed, it is easy, especially if there's not too many mods installed.  I had to modify a couple of mine to use https, and then I also have Tinyportal installed, the code I was using in those blocks also needed a few edits to make everything secure.  As for SMF, I hope 2.0.15 is a lot less buggy than 2.0.14 is.


Our host does not use LetsEncrypt.  And they charge to install any 3rd party cert...  So they get you either way...


My host was the same, and I had two packages with them for over eight years.  I moved to a new host about a month ago, I'm not prepared to be ripped off for an SSL cert which is now a standard requirement.

Offline lurkalot

Re: Requesting HTTPS for the forum
« Reply #14 on: July 21, 2017, 02:15:08 PM »
I think you're using the same host as I was actually.

I've so far converted three of my sites to https, all gone smoothly.  I have just one more site to do, but that one's still running 2.0.13 atm, plus it's bridged with Coppermine gallery.  I'll probably upgrade that to 2.0.14, then straight to 2.0.15 when it comes out, or should I say a few days after it comes out.   ;)