VGuitar Forums


Author Topic: Requesting HTTPS for the forum  (Read 158 times)


Beanow

Requesting HTTPS for the forum
« on: April 06, 2017, 02:08:11 PM »

I'm new to the forum (hi!) and noticed during sign up that HTTPS is not enabled nor enforced.
In my humble opinion it would be good to get at least a free TLS certificate and run the whole forum on HTTPS.

With the member count getting closer to 20k, there are bound to be users that re-use their password here, which poses a big risk not just to their forum account but anywhere they use this password or variations thereof.

If you want to get fancy, HTTP/2.0 might make using HTTPS faster actually.
See https://www.httpvshttps.com/

shawnb

Global Moderator
Re: Requesting HTTPS for the forum
« Reply #1 on: April 06, 2017, 02:45:20 PM »

Yes, this is something on the radar. 

Note that we run SimpleMachines Forum (SMF, simplemachines.org), and at the moment, there is a hiccup for embedded pictures that may not be https.  And our site is full of links to http: images...  The version of SMF that fully supports https (including properly handling non-https links) is coming soon:
http://www.simplemachines.org/community/index.php?topic=550197.msg3916017#msg3916017

I must admit I am learning as I go here.  It appears the free certs all have some sort of limitation (like requiring renewal monthly).  I am aware that some folks have automated workarounds to these.  I am not familiar with these techniques yet.  And, oh yeah, I've never done an SSL cutover before...  I have a bit more of a learning curve ahead of me. 

But we will get there. 

No ETA at this time, I have other maintenance/cleanup I have been getting to first, piece by piece... 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Beanow

Re: Requesting HTTPS for the forum
« Reply #2 on: April 06, 2017, 03:16:03 PM »

Thanks for looking into it shawnb.

The automatic monthly renewal is actually a security improvement from the folks at https://letsencrypt.org/ and other providers following their lead. The idea being that faster renewal means they are more difficult to compromise. But it requires some work to get the moving parts set up.

I would definitely recommend using this, but should you want to go for a long term manual approach there are providers for that such as https://www.startssl.com/.
In case of manually renewed certificates though, be sure to mark your calendar well before the expiry date. You won't have a good time if the expiration date sneaks up on you.

For the non-HTTPS images and links, this is still less of a threat than the login form in plain text. And perhaps to some extent you may be able to work around this issue with HSTS and redirect rules.

Since you are new to it and certificates start at $0 now, you could do some testing with a backup on a different domain and get a separate certificate for that.
Then work through:
  • Optional HTTPS
  • SMF config / redirect rules enforced HTTPS
  • HSTS + SMF config / redirect rules enforced HTTPS

The HSTS step being only when you're pretty comfortable with HTTPS working well. Because this is designed to be cached and enforced by the browser for very long terms (1 year for example).
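An added example, not code from the forum, from SMF or from either poster, that turns two points of the reply above into checks a forum admin can run: the "mark your calendar" caveat about expiry (and, while at it, whether the cert actually covers the forum's hostname), and which of the three rollout steps (optional HTTPS, enforced redirect, HSTS) a server is at, judged from its response headers. It assumes openssl and grep are installed; the hostname forum.example, the self-signed certificate and the header captures are constructed stand-ins so that everything runs offline. Only fetch_live_cert needs the network and is defined but not called.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum or from SMF).
# Part 1: cert checks for the manual-renewal caveat (expiry window, hostname coverage).
# Part 2: which of the three rollout steps a server is at, from HTTP(S) response headers.
# Assumes: openssl and grep in PATH; forum.example is a constructed stand-in hostname.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/forum.pem"

# Constructed input: a self-signed certificate for forum.example valid for 30 days,
# so the checks run offline. A real deployment would point them at the CA-issued cert.
cat > "$WORKDIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = forum.example
[v3_san]
subjectAltName = DNS:forum.example, DNS:www.forum.example
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORKDIR/forum.key" -out "$CERT" -config "$WORKDIR/san.cnf" >/dev/null 2>&1

# renewal_due CERT DAYS: succeeds when CERT expires within DAYS days.
# openssl -checkend exits 0 if the cert is still valid after that many seconds, so negate it.
renewal_due() {
  ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_covers_host CERT HOST: succeeds when HOST appears as a DNS SAN entry in CERT.
# Browsers match on SAN, not CN, so a cert that only has the right CN still fails the cutover.
cert_covers_host() {
  openssl x509 -noout -text -in "$1" \
    | grep -oE 'DNS:[^,[:space:]]+' | sed 's/^DNS://' | grep -qx "$2"
}

# fetch_live_cert HOST OUTFILE: save the leaf cert a live server presents (needs network,
# not run here). After cutover, run the two checks above against OUTFILE.
fetch_live_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# https_redirected FILE: the plain-HTTP response headers in FILE redirect to an https:// URL.
https_redirected() {
  head -n1 "$1" | grep -qE '^HTTP/[0-9.]+ 30[1278]' \
    && grep -qiE '^Location: https://' "$1"
}

# hsts_enabled FILE: the HTTPS response headers in FILE carry HSTS with a non-zero max-age.
# Browsers ignore HSTS received over plain HTTP, so only the HTTPS response counts here.
hsts_enabled() {
  grep -iE '^Strict-Transport-Security:' "$1" | grep -qiE 'max-age=[1-9][0-9]*'
}

# rollout_stage HTTP_HDRS HTTPS_HDRS: prints optional, redirect or hsts (the three steps above).
rollout_stage() {
  if https_redirected "$1" && hsts_enabled "$2"; then echo hsts
  elif https_redirected "$1"; then echo redirect
  else echo optional; fi
}

# Constructed header captures for each step (the shape `curl -sI` would return).
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' > "$WORKDIR/http_plain.txt"
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://forum.example/\r\n\r\n' > "$WORKDIR/http_redirect.txt"
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' > "$WORKDIR/https_nohsts.txt"
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n' > "$WORKDIR/https_hsts.txt"

echo "cert expires: $(openssl x509 -noout -enddate -in "$CERT" | cut -d= -f2)"
renewal_due "$CERT" 60 && echo "renewal due within 60 days" || echo "renewal not due within 60 days"
echo "rollout stage: $(rollout_stage "$WORKDIR/http_redirect.txt" "$WORKDIR/https_hsts.txt")"
```

The 60-day threshold mirrors the usual automated-renewal habit of renewing well inside the validity period rather than on the last day; drop renewal_due into a daily cron job that alerts when it succeeds and the expiry date cannot sneak up on you. Keep hsts_enabled as the last gate: once it reports a large max-age to real browsers, reverting to plain HTTP stops being an option for as long as that max-age lasts.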

philjynx

Re: Requesting HTTPS for the forum
« Reply #3 on: May 26, 2017, 01:22:42 PM »

Quote from: shawnb on April 06, 2017, 02:45:20 PM
> Yes, this is something on the radar.
>
> Note that we run SimpleMachines Forum (SMF, simplemachines.org), and at the moment, there is a hiccup for embedded pictures that may not be https.  And our site is full of links to http: images...  The version of SMF that fully supports https (including properly handling non-https links) is coming soon:
> http://www.simplemachines.org/community/index.php?topic=550197.msg3916017#msg3916017
>
> I must admit I am learning as I go here.  It appears the free certs all have some sort of limitation (like requiring renewal monthly).  I am aware that some folks have automated workarounds to these.  I am not familiar with these techniques yet.  And, oh yeah, I've never done an SSL cutover before...  I have a bit more of a learning curve ahead of me.
>
> But we will get there.
>
> No ETA at this time, I have other maintenance/cleanup I have been getting to first, piece by piece...

I don't know what the implications are for the links to non-https that you mention, so with that in mind, I just got a certificate for my site for about 11 GBP ($14.97 USD) for three years. It was pretty painless. In case that is of interest, it's a Comodo cert acquired through a third party, https://cheapsslsecurity.co.uk/ (hence the huge discount).
I am playing all the right notes. But not necessarily in the right order.

philjynx

Re: Requesting HTTPS for the forum
« Reply #4 on: May 28, 2017, 10:03:22 AM »

Quote from: Beanow on April 06, 2017, 03:16:03 PM
> Thanks for looking into it shawnb.
>
> The automatic monthly renewal is actually a security improvement from the folks at https://letsencrypt.org/ and other providers following their lead. The idea being that faster renewal means they are more difficult to compromise. But it requires some work to get the moving parts set up.
>
> I would definitely recommend using this, but should you want to go for a long term manual approach there are providers for that such as https://www.startssl.com/.
> In case of manually renewed certificates though, be sure to mark your calendar well before the expiry date. You won't have a good time if the expiration date sneaks up on you.
>
> For the non-HTTPS images and links, this is still less of a threat than the login form in plain text. And perhaps to some extent you may be able to work around this issue with HSTS and redirect rules.
>
> Since you are new to it and certificates start at $0 now, you could do some testing with a backup on a different domain and get a separate certificate for that.
> Then work through:
>   • Optional HTTPS
>   • SMF config / redirect rules enforced HTTPS
>   • HSTS + SMF config / redirect rules enforced HTTPS
> The HSTS step being only when you're pretty comfortable with HTTPS working well. Because this is designed to be cached and enforced by the browser for very long terms (1 year for example).

Avoid StartSSL as you would the plague. I am a former customer of theirs. Never again.

See: https://ma.ttias.be/despite-revoked-cas-startcom-wosign-continue-sell-certificates/

https://serverfault.com/questions/829298/my-certificate-issued-by-startssl-is-not-accepted-by-my-clients

My particular issue was their crummy code signing certificates that have a time bomb built into them. The above links refer to site certificates (the topic of this thread).
I am playing all the right notes. But not necessarily in the right order.