  • Forum https

    I can only access the forums through http, with https connections being blocked. Even logins are handled through a non-secured request.
    I like haikus
    But sometimes they don't make sense
    Refrigerator

  • #2
    It's unlikely they can SSL the whole forum. Maybe the login page only but is it really needed?

    Originally posted by Aria
    On reflection though, as I am taking a bath, listening to "Rain of blessing-vajra chant" while typing on the iPad



    • #3
      I'm meh with it being the whole forum, but logins and all password inputs on firefox since version 52 show warnings underneath the password field https://support.mozilla.org/en-US/kb...arning-firefox . Logins should always be handled through https.
      I like haikus
      But sometimes they don't make sense
      Refrigerator



      • #4
        Give your Dad a nudge
        Gaming :: Intel Core i7 5820K, Gigabyte GA-X99-UD5, Gigabyte GTX1070, 16GB Crucial 2400MHz DDR4, Corsair H100, BlackGold BGT3620 DVB-T2, Dell U2410, Fractal Arc Midi R2, Samsung 850 Pro 128GB, Samsung 850 Pro 1TB, WD Red 4TB, Creative SoundBlaster Z, Logitech X-230, Seasonic X-650, G900, G510s, 10 Pro x64
        Work :: Dell Precision M6800, Intel Core i7 4800MQ 2.7GHz, 16GB RAM, Samsung 850 Pro 128GB, Crucial MX100 256GB, AMD FirePro M6100, 17" 1920x1080, 10 Pro x64



        • #5
          Originally posted by M4T VW View Post
          It's unlikely they can SSL the whole forum. Maybe the login page only but is it really needed?
          Why? I would have thought it would be easier to SSL the whole forum rather than just the login page.

          Originally posted by Blue4 View Post
          I'm meh with it being the whole forum, but logins and all password inputs on firefox since version 52 show warnings underneath the password field https://support.mozilla.org/en-US/kb...arning-firefox . Logins should always be handled through https.
          Just putting logins behind SSL doesn't prevent login attacks since you'd still be sending session cookies over non-SSL connections for every other page request.

          Originally posted by Blue4 View Post
          I'm meh with it being the whole forum, but logins and all password inputs on firefox since version 52 show warnings underneath the password field https://support.mozilla.org/en-US/kb...arning-firefox . Logins should always be handled through https.
          Honestly, for a forum like this it doesn't really make any difference. Everything is public by default aside from your password and your password should be unique anyway so little is gained from capturing it. I mean in principle I do agree with you but in practice it can cause more functional problems (eg the UX breaking if anyone posts images from non-SSL sources) than the risks it mitigates.
          Last edited by cold fusion; 24-05-17, 13:43.



          • #6
            Originally posted by cold fusion View Post
            Why? I would have thought it would be easier to SSL the whole forum rather than just the login page.
            For complete SSL so that a padlock shows in the corner, everything must be served by https including images and any flash etc. It's easier to SSL the whole forum, say everything under the forums.aria.co.uk subdomain in SSL but then it will pick up about all images etc and give a mixed content result. Some work may be needed for the login page to make sure everything complies on there but it's a basic page so not much content.

            I have just had to do this on a wordpress website and a xenforo forum. Normally I wouldn't know what I was talking about but I did it just last week

            Originally posted by Aria
            On reflection though, as I am taking a bath, listening to "Rain of blessing-vajra chant" while typing on the iPad



            • #7
              Originally posted by M4T VW View Post
              For complete SSL so that a padlock shows in the corner, everything must be served by https including images and any flash etc. It's easier to SSL the whole forum, say everything under the forums.aria.co.uk subdomain in SSL but then it will pick up about all images etc and give a mixed content result. Some work may be needed for the login page to make sure everything complies on there but it's a basic page so not much content.

              I have just had to do this on a wordpress website and a xenforo forum. Normally I wouldn't know what I was talking about but I did it just last week
              Yeah I get the mixed content problem (I raised that point myself funny enough). For some reason I read your first comment to mean issues with the forum software preventing such a change, rather than client side fallout once it has been changed. Sorry bud



              • #8
                Originally posted by NickCPC View Post
                Give your Dad a nudge
                godaddy, first year for new customers do a reasonable level ssl cert for about a fiver

                LetsEncrypt will sort the padlock issue, but as people are so used to sharing pictures and using signature gifs on non-SSL, a forum will nearly always get a mixed content error, there are ways around that - but meh
                Please see thread, here for how post reports are dealt with.
                Forum Guidelines here



                • #9
                  Originally posted by DoubleTop View Post
                  godaddy, first year for new customers do a reasonable level ssl cert for about a fiver

                  LetsEncrypt will sort the padlock issue, but as people are so used to sharing pictures and using signature gifs on non-SSL, a forum will nearly always get a mixed content error, there are ways around that - but meh
                  Do tell! I have no idea how to fix it when people post images etc that are non SSL

                  Edit, I hate these new smilies!

                  Originally posted by Aria
                  On reflection though, as I am taking a bath, listening to "Rain of blessing-vajra chant" while typing on the iPad



                  • #10
                    I'd be interested to know about the workaround as well. The only methods I can think of offhand are to only allow image embedding via uploading or to rewrite the image URLs with a proxy script.



                    • #11
                      https://www.vbulletin.org/forum/showthread.php?t=288060
                      Please see thread, here for how post reports are dealt with.
                      Forum Guidelines here



                      • #12
                        "Suspended or Unlicensed Members Cannot View Code."

                        I appreciate you can't share code but are you able to give a better description of what it does? The description on that link is extremely sparse without the code blocks.



                        • #13
                          Originally posted by cold fusion View Post
                          "Suspended or Unlicensed Members Cannot View Code."

                          I appreciate you can't share code but are you able to give a better description of what it does? The description on that link is extremely sparse without the code blocks.
                          The code is 3 small snippets, doesn't really help but agree there is not much description. I would guess it grabs the picture and hosts it locally to serve by https. I hope there is something for Xenforo also but good to know it can be done!

                          Originally posted by Aria
                          On reflection though, as I am taking a bath, listening to "Rain of blessing-vajra chant" while typing on the iPad



                          • #14
                            Originally posted by M4T VW View Post
                            The code is 3 small snippets, doesn't really help but agree there is not much description. I would guess it grabs the picture and hosts it locally to serve by https. I hope there is something for Xenforo also but good to know it can be done!
                            A quick google of Xenforo suggests it's PHP, is that right? If so, it might not be too difficult to write your own proxy plugin. PHP isn't my strongest language but I can offer some assistance if you need it. There's a few gotchas you'll need to be careful of though as something like this is easily exploitable.

                            Comment
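
The proxy-rewrite approach raised in posts #10 and #14, as an added example (not code from this thread, from the linked vBulletin mod, or from XenForo): post HTML is rewritten so `http://` images load through an HTTPS proxy URL, and the proxy fetches only URLs that carry a valid HMAC and resolve to public addresses, which keeps it from acting as an open proxy or reaching internal hosts. `PROXY_BASE`, `SECRET`, the function names and the sample post are assumptions, and Python is used for illustration rather than the forum's PHP.

```python
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import quote, urlsplit

PROXY_BASE = "https://forum.example/imgproxy"  # hypothetical HTTPS proxy endpoint
SECRET = b"constructed-demo-key"               # constructed; keep the real key server-side
MAX_BYTES = 5 * 1024 * 1024                    # assumed upper bound for a proxied image
ALLOWED_TYPES = {"image/gif", "image/jpeg", "image/png", "image/webp"}  # no SVG/HTML

# Assumes the forum renderer emits normalised, double-quoted <img src="..."> tags.
IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=")(http://[^"]+)(")', re.IGNORECASE)

# Constructed sample post: one insecure image, one already served over HTTPS.
SAMPLE_POST = ('<p>sig</p><img src="http://pics.example/cat.gif" alt="cat">'
               '<img src="https://ok.example/a.png">')


def sign(url: str) -> str:
    """HMAC-SHA256 tag binding a proxy URL to one specific origin URL."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_post(html: str) -> str:
    """Point every http:// image at the signed proxy so the page has no mixed content."""
    def repl(m: re.Match) -> str:
        url = m.group(2)
        return f"{m.group(1)}{PROXY_BASE}/{sign(url)}?url={quote(url, safe='')}{m.group(3)}"
    return IMG_SRC.sub(repl, html)


def may_fetch(sig: str, url: str, resolved_ips: list) -> bool:
    """Proxy-side gate before any outbound fetch; resolved_ips is the caller's DNS result."""
    if not hmac.compare_digest(sig.encode(), sign(url).encode()):
        return False  # URL was not minted by the forum: no open-proxy use
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # Every resolved address must be public, so loopback, RFC 1918 and
    # link-local targets are refused.
    return bool(resolved_ips) and all(
        ipaddress.ip_address(ip).is_global for ip in resolved_ips)


def may_serve(content_type: str, length: int) -> bool:
    """Only relay responses that declare an allowed image type and fit the size cap."""
    return content_type.split(";")[0].strip().lower() in ALLOWED_TYPES and 0 < length <= MAX_BYTES
```

The proxy should connect to the same address it validated and refuse redirects, otherwise the address check can be bypassed after it has passed.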


                            • #15
                              I thought of this thread when dealing with an issue, for security I had added the following to the site

                              Code:
                              <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
                              https://developers.google.com/web/fu..._mixed_content
                              https://developer.mozilla.org/en-US/...-mixed-content

                              Interestingly, the site had allowed an image URL (internal upload) to be added with a full page with http (missing the s) so apparently that made the cms broken and the world core was going to explode because an image wasn't visible ......

                              it's been a strange day
                              Please see thread, here for how post reports are dealt with.
                              Forum Guidelines here
