Requesting HTTPS for the forum

Started by Beanow, April 06, 2017, 01:08:11 PM


Beanow

I'm new to the forum (hi!) and noticed during sign up that HTTPS is not enabled nor enforced.
In my humble opinion it would be good to get at least a free TLS certificate and run the whole forum on HTTPS.

With the member count getting closer to 20k, there are bound to be users that re-use their password here, which poses a big risk not just to their forum account but anywhere they use this password or variations thereof.

If you want to get fancy, HTTP/2.0 might make using HTTPS faster actually.
See https://www.httpvshttps.com/

shawnb

Yes, this is something on the radar. 

Note that we run SimpleMachines Forum (SMF, simplemachines.org), and at the moment, there is a hiccup for embedded pictures that may not be https.  And our site is full of links to http: images...  The version of SMF that fully supports https (including properly handling non-https links) is coming soon:
http://www.simplemachines.org/community/index.php?topic=550197.msg3916017#msg3916017

I must admit I am learning as I go here.  It appears the free certs all have some sort of limitation (like requiring renewal monthly).  I am aware that some folks have automated workarounds to these.  I am not familiar with these techniques yet.  And, oh yeah, I've never done an SSL cutover before...  I have a bit more of a learning curve ahead of me. 

But we will get there. 

No ETA at this time, I have other maintenance/cleanup I have been getting to first, piece by piece... 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Beanow

Thanks for looking into it shawnb.

The automatic monthly renewal is actually a security improvement from the folks at https://letsencrypt.org/ and other providers following their lead. The idea being that faster renewal means they are more difficult to compromise. But it requires some work to get the moving parts set up.

I would definitely recommend using this, but should you want to go for a long term manual approach there are providers for that such as https://www.startssl.com/.
In case of manually renewed certificates though, be sure to mark your calendar well before the expiry date. You won't have a good time if the expiration date sneaks up on you.

For the non-HTTPS images and links, this is still less of a threat than the login form in plain text. And perhaps to some extent you may be able to work around this issue with HSTS and redirect rules.

Since you are new to it and certificates start at $0 now, you could do some testing with a backup on a different domain and get a separate certificate for that.
Then work through:

  • Optional HTTPS
  • SMF config / redirect rules enforced HTTPS
  • HSTS + SMF config / redirect rules enforced HTTPS

Do the HSTS step only when you're pretty comfortable with HTTPS working well, because it is designed to be cached and enforced by the browser for very long terms (1 year, for example).
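
As an added example of the three-step rollout above (not code from this thread or from SMF), the following Python classifies which stage a site is in from its http:// and https:// responses and flags the usual mistakes: a temporary redirect that browsers will not cache, an HSTS header sent over plain http (which browsers ignore), a missing max-age, or a max-age still at a testing value. The responses, the host name forum.example and the stage labels are constructed for illustration.

```python
"""Classify which of the three rollout stages a site is in and flag the
usual mistakes, from captured HTTP responses.

Added example for this thread; not SMF code. Responses are constructed
below rather than fetched, so it runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ONE_YEAR = 365 * 24 * 3600  # HSTS max-age is in seconds


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str | None:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> dict:
    """Parse Strict-Transport-Security directives (RFC 6797)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part, re.IGNORECASE)
        if m:
            out["max_age"] = int(m.group(1))
        elif part.lower() == "includesubdomains":
            out["include_subdomains"] = True
        elif part.lower() == "preload":
            out["preload"] = True
    return out


def classify(http: Response, https: Response) -> tuple[str, list[str]]:
    """Return (stage, findings). Stages follow the list in the thread:
    optional-https -> redirect-enforced -> hsts-enforced."""
    findings: list[str] = []
    location = (http.header("Location") or "").lower()
    redirects = http.status in (301, 302, 307, 308) and location.startswith("https://")

    # Browsers ignore HSTS received over plain HTTP (RFC 6797 section 8.1),
    # so sending it there gives a false sense of enforcement.
    if http.header("Strict-Transport-Security"):
        findings.append("HSTS on the http:// response is ignored by browsers")

    if not redirects:
        if http.status == 200:
            findings.append("http:// still serves pages, so the login form can be posted in the clear")
        return "optional-https", findings

    if http.status in (302, 307):
        findings.append("use a permanent redirect (301/308); browsers do not cache temporary ones")

    hsts = https.header("Strict-Transport-Security")
    if hsts is None:
        return "redirect-enforced", findings
    directives = parse_hsts(hsts)
    if directives["max_age"] is None:
        findings.append("HSTS header has no max-age and is invalid")
        return "redirect-enforced", findings
    if directives["max_age"] < ONE_YEAR:
        findings.append(f"max-age={directives['max_age']} is short; fine for testing, raise to a year once stable")
    return "hsts-enforced", findings


# Constructed sample responses for a hypothetical forum host (forum.example).
SAMPLES = {
    "optional": (Response(200), Response(200)),
    "redirect": (Response(302, {"Location": "https://forum.example/"}), Response(200)),
    "hsts": (Response(301, {"Location": "https://forum.example/"}),
             Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})),
}

if __name__ == "__main__":
    for name, (plain, tls) in SAMPLES.items():
        stage, notes = classify(plain, tls)
        print(f"{name}: {stage}" + "".join(f"\n  - {n}" for n in notes))
```

To use it against a live site, capture the http:// and https:// responses with a client that does not follow redirects and feed them in as Response objects; the point of keeping max-age low during the HSTS step is that a short value limits how long a broken deployment stays pinned in visitors' browsers.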

Beanow

Ah I haven't used StartCom stuff after WoSign bought it. Good to know!

shawnb

Quote from: philjynx on May 26, 2017, 12:22:42 PM
I don't know what the implications are for the links to non https that you mention...

What happens when you mix http & https content depends on the browser.  At the very least, you get that 'some content is not secure' warning.  More often these days, links show up as broken.  Some browsers refuse to serve mixed content as a security feature. 

To address this, SMF is implementing an "image proxy" feature.  This temporarily downloads any http content locally to the temp directory, so it can serve it up as https content.  Thus end users will never see mixed content, so they don't get the warnings & broken links. 

VGuitarForums has a **lot** of links to external content, due to sharing reviews, product info, performances, etc.  We need that proxy. 

As noted before, I'm a noob at this, & I still need to address my own learning curve as well.  When time permits...
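
To show what an image proxy of the kind described above has to do, here is an added Python example (it is not SMF's proxy.php). It rewrites plain-http img sources in a post to a signed proxy URL, verifies the signature on the proxy side so the endpoint cannot be used as an open proxy, and sniffs the fetched bytes before relaying them so that something that is not an image is never served. The endpoint /proxy.php, the secret, the request/hash parameter names, the host names and the sample post are all assumptions.

```python
"""Rewrite plain-http <img> sources in a post to a signed HTTPS proxy URL,
and show the checks the proxy side should make before relaying bytes.

Added example for this thread; it is not SMF's proxy.php. The endpoint,
secret, sample post and the URL parameter names are assumptions.
"""
import hashlib
import hmac
import re
from urllib.parse import quote, unquote, urlparse

PROXY_ENDPOINT = "https://forum.example/proxy.php"               # assumption
PROXY_SECRET = b"replace-with-32-random-bytes-from-os-urandom"   # assumption
MAX_BYTES = 5 * 1024 * 1024                                      # refuse oversized fetches

# Minimal HTML matcher for the demo; a real rewrite should use an HTML parser.
IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=")(http://[^"]+)(")', re.IGNORECASE)

# Magic bytes of the raster formats the proxy is willing to relay.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sign(url: str) -> str:
    """HMAC over the original URL so only forum-generated links are proxied."""
    return hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()


def proxy_url(url: str) -> str:
    return f"{PROXY_ENDPOINT}?request={quote(url, safe='')}&hash={sign(url)}"


def rewrite_mixed_content(html: str) -> tuple:
    """Return (rewritten_html, list_of_http_urls_found)."""
    found = []

    def repl(m):
        found.append(m.group(2))
        return m.group(1) + proxy_url(m.group(2)) + m.group(3)

    return IMG_SRC.sub(repl, html), found


def verify_request(request: str, given_hash: str) -> bool:
    """Proxy side: accept only http:// URLs carrying a valid signature,
    which stops the endpoint being used as an open proxy."""
    if not re.fullmatch(r"[0-9a-f]{64}", given_hash or ""):
        return False
    url = unquote(request)
    if urlparse(url).scheme != "http":
        return False
    return hmac.compare_digest(sign(url), given_hash)


def sniff_image(data: bytes):
    """Return a MIME type only if the bytes look like a raster image.
    The proxy serves that type with X-Content-Type-Options: nosniff and
    otherwise returns an error instead of the fetched bytes."""
    if not data or len(data) > MAX_BYTES:
        return None
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


# Constructed sample post with one plain-http and one https image.
SAMPLE_POST = (
    '<p>My board:</p>'
    '<img src="http://gear.example/pedals.jpg" alt="pedals">'
    '<img src="https://cdn.example/logo.png">'
)

if __name__ == "__main__":
    html, urls = rewrite_mixed_content(SAMPLE_POST)
    print(html)
    print("proxied:", urls)
```

The https image is left alone because it causes no mixed-content warning; only the plain-http one goes through the proxy. The signature matters because an unsigned proxy lets anyone make the forum's server fetch arbitrary URLs, and the magic-byte check plus a size cap keeps the temp-directory copy from being anything other than an image served under an image content type.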

shawnb

Wow, there's a lot to unpack there...  As site internals are not the purpose of the VGF forum, most of these questions are best addressed at the SMF site itself.  Not here.  Link:
https://www.simplemachines.org/community/index.php

So folks here are aware...

Malignant links/images:  Security threat to the host (vguitarforums) is minimal.  Copying/uploading content locally was an issue in the past, where code snuck into uploaded files/images could be executed on the server (this was true for any upload).  Those holes were plugged years ago.  Very difficult to "execute" a photo on the server these days, it used to be easy...  Nonetheless, for added safety, SMF performs basic checks on proxied images for validity.

Certificates don't "sign someone else's executables".  They don't work that way.  They help ensure you are talking to the host you think you are talking to, & help with encryption between user & host.  OTOH, we could have a long debate about copyright infringement, but again, wrong forum.  And if this were an issue, all cross-site embedded images/content would be forbidden.  Everywhere.  Think about that.

As an FYI, I've had many roles in IT, including being director for a tech firm in SV, where among other responsibilities I ran the web team for several years (www.xilinx.com).  I do know more than a bit about this stuff.  Difference is I used to assign these tasks, not do them...  I'm sure my old team would chuckle how quaint some of this is...

lurkalot

Hi all. Just been having a good read about the https dilemma.  Doesn't your cPanel have Let's Encrypt installed? It works and it's free on a lot of hosts nowadays.

I changed two of my sites last night to https, and other than a few insecure links in my portal blocks everything went pretty smoothly tbh.  Then I'm running SMF 2.0.14 and have the image proxy turned on.

Hope you get this sorted.  Off to have a read on the forums, guitars and gear, I just love it.  ;)

shawnb

I've been able to convert test sites to SSL.  Much easier than I thought.  That's not the holdup. 

I'd prefer to wait for 2.0.15, as there is a bug in the image proxy in 2.0.14.  No rush. 

Our host does not use LetsEncrypt.  And they charge to install any 3rd party cert...  So they get you either way...

lurkalot

Quote from: shawnb on July 08, 2017, 01:53:40 PM

I've been able to convert test sites to SSL.  Much easier than I thought.   That's not the holdup. 

I'd prefer to wait for 2.0.15, as there is a bug in the image proxy in 2.0.14.  No rush.
Actually, I saw your post over at simplemachines.org on this subject.  ;)

Agreed, it is easy, especially if there's not too many mods installed.  I had to modify a couple of mine to use https, and then I also have Tinyportal installed, the code I was using in those blocks also needed a few edits to make everything secure.  As for SMF, I hope 2.0.15 is a lot less buggy than 2.0.14 is.

Quote from: shawnb on July 08, 2017, 01:53:40 PM

Our host does not use LetsEncrypt.  And they charge to install any 3rd party cert...  So they get you either way...
My host was the same, and I had two packages with them for over eight years.  I moved to a new host about a month ago; I'm not prepared to be ripped off for an SSL cert, which is now a standard requirement.

lurkalot

I think you're using the same host as I was actually.

I've so far converted three of my sites to https, all gone smoothly.  I have just one more site to do, but that one's still running 2.0.13 atm, plus it's bridged with Coppermine gallery.  I'll probably upgrade that to 2.0.14, then straight to 2.0.15 when it comes out, or should I say a few days after it comes out.   ;)
