Does SMF 2.0.2 support SSL/HTTPS?

Started by FreeMag, June 27, 2012, 12:31:38 PM

Arantor

How exactly did you configure SMF to use SSL?

badon

Quote from: Arantor on January 25, 2013, 02:37:07 PM
I didn't say it wasn't a good idea, but unless you actually need it you could consider avoiding it.

There *is* a performance hit attached, and there isn't necessarily the security benefit that you might think you're getting. If you actually have a signed certificate, that's something, but it's possible to hijack and MITM attack it anyway.

Better advice is to always use HTTPS unless there is some exotic reason not to. The very slight increase in server resource usage from HTTPS cryptography operations has never been a deal breaker for any modern system, as far as I am aware. Unsigned HTTPS certificates are preferable to no HTTPS. The weaknesses in HTTPS are largely resolved by these 2 Firefox addons, including for unsigned certificates:

* Perspectives :: Add-ons for Firefox
* Web of Trust - WOT :: Add-ons for Firefox

Perspectives is the most important because it will detect MITM attacks, and inform you when an unsigned certificate is OK to use. Perspectives will automatically bypass HTTPS warnings for unsigned certificates when Perspectives detects that it has been in use for a long time and is not part of an MITM attack.

WOT will alert you to other attack vectors that do not directly involve HTTPS, like a phishing attempt at a lookalike site like www.paypa1.com.

In general, I think it's safe to say that sites that require login, but do not use HTTPS, are the backward hillbillies of the internet. This site is an excellent example. You can read some explanations about why forum sites not using HTTPS are ridiculously stupid here:

* #1082 (Enable HTTPS/SSL/TLS at forums.pcbsd.org) – PC-BSD

When in doubt, always use HTTPS. One way to ensure you are always using the HTTPS version of a site automatically is to install these 2 Firefox addons:

* HTTPS Everywhere | Electronic Frontier Foundation
* https-finder - A Firefox extension that detects valid HTTPS pages as you browse. One-click rule creation for HTTPS Everywhere - Google Project Hosting

I've copied down a few other eclectic recommendations here:

* https://www.coincompendium.com/w/index.php/Help:Contents#Helpful_tools

Arantor

You mean like on forums where users can and will post images that aren't on secure connections that will throw up warnings because you then have the forum trying to include insecure content on a secure page? There's a *lot* of that about here.

Unsigned certificates are better than no certificates - but every browser out there will throw up a massive horrible 'DO NOT TRUST THIS SITE' warning. From a user experience perspective that's far worse even if the end result is better.

As for your suggestion of the Perspectives plugin, that strikes me as not so clever. It's like Vista's UAC: it teaches users to accept things that are a bit suspicious as 'probably OK'.

I've campaigned for a while to have SSL here but it's not anywhere as simple as you make it out to be.

badon

Always the pessimist, Arantor. None of those things you mentioned are more important than having HTTPS.

Firstly, browsers distinguish between active mixed content, and static mixed content. For example, a static image does not present a threat to the security of an HTTPS connection, but active JavaScript script does. So, JavaScript is blocked, but images are not.

Secondly, you misunderstand how Perspectives works. It does not produce more popups demanding the user's attention. In fact, it's the opposite - Perspectives almost never shows any messages unless something is wrong. In the case of unsigned certificates, Perspectives will bypass the browser's warnings when the Perspectives notaries agree that a site is not being MITM'd. The trustworthiness of a certificate is so ridiculously easy for Perspectives to determine that there are much fewer things that are "a bit suspicious". In almost all cases, either you're being MITM'd, or you aren't. Black or white, yes or no.

If the certificate you get is different from what all the Perspectives notaries get, then you're being MITM'd. If it's the same, then you're not being MITM'd. The only gray area you might see is when Perspectives sees new certificates, and it doesn't have enough time or experience to determine whether it's the correct certificate or not. Go get it and use it. You'll be glad you did, it's good stuff.

There are a few cases where malicious certificates were properly signed. Perspectives will tell you that the certificate changed, so you can be aware of it in case it is important (like if it should not have changed). Browsers won't do anything, and they won't even notify you. You have to have Perspectives for that.

Perspectives will even show you the certificate history of a site, so you can see for yourself whether it looks like an attack has been attempted recently. Typically attacks will try the easier methods of attack before they try the more difficult methods. If you see in the certificate history that Perspectives has detected attacks recently, you will know that it's important to pay attention. If there have been no attacks, then you won't be bothered. Perspectives makes it easy to decide when you should be worried, and when you should not be worried. The best part is that, despite all the complicated things it does, Perspectives is very simple and easy to use. Everyone should have it.

I wish you luck in continuing your campaign to get HTTPS here at the SMF community forum.
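
A simplified model of the notary comparison described in the post above, added here as an example; it is not the Perspectives add-on's code. The `Sighting` record, the quorum and duration thresholds, and all fingerprints are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Sighting:
    fingerprint: str  # key fingerprint a notary recorded for the host
    first_day: int    # day number when the notary first saw this key
    last_day: int     # day number when the notary last saw this key


def latest(history):
    """Most recent sighting in one notary's history, or None if it has none."""
    return max(history, key=lambda s: s.last_day, default=None)


def assess(local_fp, histories, quorum=0.75, min_days=2):
    """Compare the key this client received with what each notary currently sees."""
    if not histories:
        return "unknown"       # no notary data at all
    current = [latest(h) for h in histories]
    same = [s for s in current if s is not None and s.fingerprint == local_fp]
    if len(same) / len(histories) < quorum:
        return "mismatch"      # notaries see a different key than this client does
    settled = [s for s in same if s.last_day - s.first_day >= min_days]
    if len(settled) / len(histories) < quorum:
        return "too-new"       # key agrees, but has not been observed for long
    return "consistent"


def key_changed(histories):
    """True if any notary has recorded more than one key for the host."""
    return any(len({s.fingerprint for s in h}) > 1 for h in histories)


# Constructed sample data: three notaries, placeholder fingerprints.
OLD, NEW, ROGUE = "aa:11", "bb:22", "cc:33"
STABLE = [[Sighting(OLD, 0, 90)], [Sighting(OLD, 5, 90)], [Sighting(OLD, 1, 89)]]
ROTATED = [[Sighting(OLD, 0, 89), Sighting(NEW, 89, 90)] for _ in range(3)]
```

The "too-new" verdict is the gray area the post mentions: every notary agrees with the client, but none has seen the key for long enough to vouch for it.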

Arantor

Quote: Always the pessimist, Arantor. None of those things you mentioned are more important than having HTTPS.

Always the pragmatist, actually.

Ordinarily I'd agree with you but having dealt with users confronted with a huge warning that says 'this site is potentially insecure' completely negates any security measures if USERS ARE FRIGHTENED TO USE IT.

Quote: Firstly, browsers distinguish between active mixed content, and static mixed content. For example, a static image does not present a threat to the security of an HTTPS connection, but active JavaScript script does. So, JavaScript is blocked, but images are not.

Funny, most browsers still throw up warnings anyway.

Quote: Secondly, you misunderstand how Perspectives works. It does not produce more popups demanding the user's attention. In fact, it's the opposite - Perspectives almost never shows any messages unless something is wrong. In the case of unsigned certificates, Perspectives will bypass the browser's warnings when the Perspectives notaries agree that a site is not being MITM'd.

No, I didn't. You misunderstood my comment about it.

Vista's UAC produces many popups, yes. Users overwhelmingly did one of two things in response: either were mentally goaded into blindly pressing yes to everything, or turned it off entirely. You see where this is going yet?

Doing the same with mismatches from the off doesn't leave the user any more secure. On the contrary, it makes them feel *more* secure, until they get to something that doesn't work, and then they'll just press OK anyway. Which, incidentally, was what Vista's UAC was all about.

Quote: I wish you luck in continuing your campaign to get HTTPS here at the SMF community forum.

I wish you luck in being less patronising. Especially since to solve the problem we'd have to get all the users to install Perspectives... yeah, that's not going to work out, is it?

Also, it would have to mean configuring all the ads to be served via HTTPS too...

Kindred

fixed the misspelled quote that broke the layout, Arantor.

As for HTTPS.....  the only thing that really should be HTTPS is the login.
The content itself doesn't require it... and has tons of issues to consider (offsite images and adverts are just the two most obvious ones)

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

This is what I mean about being less patronising ;) The whole 'I know best and everything works as it does in my world' attitude as supported by what Kindred is saying.

Going HTTPS for the login doesn't solve one of the more interesting side effects, when it comes to MITMing the session data, which you do need end to end SSL for (assuming you've established there isn't already an MITM before you start). Nor does it protect you if the cookie isn't sent securely anyway. Of course, you'd still want to encrypt registration as well as login for protecting the password and you'd want to encrypt parts of the profile page for the same reason. And the admin panel. And probably the moderation panel. And likely any time moderation is being done. If you're doing THAT, you might as well go SSL everywhere anyway.

Offsite images and adverts are the two main issues in general for end to end encryption, especially when you consider that sm.org would require two separate certificates; one wildcard one for *.simplemachines.org and one for media.simplemachinesweb.com.

XenForo actually include an image proxy specifically to serve all user-posted images over SSL when the originating host isn't SSL.

(Thanks Kindred)

EDIT: for clarity.

Kindred

Hey, I am not being patronizing... and I admit when I'm wrong...   and to that point, I guess I didn't/don't fully understand the MITMing  stuff...   :P

The simplemachinesweb one is easy, even if it's annoying... we would just get two certs...

and yes...   discussion is actually being had on that whole image proxy thing...   it's a real PITA though.

Arantor

I thought I'd made it clearer, guess not ;) badon and I have sparred in the past and each time he comes off as extremely patronising because in his world everything is so simple and black and white, and rarely does any of that translate to real world implementation. I'm only seeming as pessimistic as I am because I know just how fragile the house of cards *really* is. How broken SSL is, even at the specification level. DNSSEC isn't a complete solution either.

MITM is not a difficult concept to understand - only to protect against. Man In The Middle: you send a request to a server, only someone intercepts it, passes off to the server and authenticates as you - while you don't know any different.

SSL mitigates this by way of presenting a certificate for inspection and in theory an MITM can't successfully present another site's certificate to you and still be correct since the origin is part of the certificate and the MITM shouldn't be able to present itself as being the origin (since it's *not* the origin). At its simplest, you -> MITM -> server, server is at IP address A, MITM at IP address B, the certificate will only be valid from IP address A - but the MITM shouldn't be able to readily fake the fact it's really not at IP address A, which is where the whole thing of SSL should deal with it - and why the whole notary system in Perspectives would help.

My contention has nothing to do with the technical thing Perspectives is doing. It's the whole thing of users. Users go to the most ridiculous lengths to avoid security precautions if the precautions are perceived as stopping them doing what they want/need to do. A few years ago, I remember a manager getting an email from IT, telling him to tell everyone not to open emails from <a particular company> because they were probably viruses. Less than two hours later, said manager was asking IT for anti-virus help after his computer got said virus because he'd opened said emails.

Putting warnings in front of users and giving them an option to proceed is not a smart move because it teaches them to ignore warnings, just as the first generation of UAC taught people.

Image proxying is not difficult, it's only whether you make it a temporary local cache too (which XF does)

Dragooon

Quick question, images need not be fetched from the same cert as the main site right?

Arantor

Correct. They just need to be over an SSL connection to work. But most images that people link are not currently over SSL connections, hence the need to proxy them through a route that would be known to be SSL (if the site used SSL; if it didn't, none of it is an issue anyway)

Unless the site is flagged as shifting malware then all bets might as well be off because the browser will tell the user so and prevent them from seeing the page (with a big 'if you're REALLY sure...' button >_<)

Dragooon

Quote from: Arantor on June 12, 2014, 11:58:46 AM
Correct. They just need to be over an SSL connection to work. But most images that people link are not currently over SSL connections, hence the need to proxy them through a route that would be known to be SSL (if the site used SSL; if it didn't, none of it is an issue anyway)

Since you have a license to XF, does it have protection against abusing image proxying?

Arantor

Define 'abusing' :D

Well... firstly, it's not enabled by default, which is a huge deal breaker, of course.

Secondly, the local image cache is also purged after 7 days by default.

The third - and probably most relevant for what you're asking - is that it does actually have some protections against it. You can specify a secret key which will be encoded into the proxy URL, which means if you see URLs being used elsewhere, you can forcibly expire all those links. There's only so much you can actually do in terms of handling such links, though.

Dragooon

By abusing I mean, shenanigans like loading a 100MB JPEG through the proxy

Arantor

Yes it does. Defaults to 5MB maximum.
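
The two protections discussed above (a secret key bound into the proxy URL, and a size cap on fetched images), together with the rewrite of plain-HTTP images to the proxy, sketched as an added example. This is not XenForo's or SMF's code; the `proxy.php` endpoint, parameter names, host names and key are hypothetical.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

SECRET_KEY = b"constructed-example-secret"  # assumption: changing it expires all old links
MAX_BYTES = 5 * 1024 * 1024                 # the 5MB default mentioned in the thread
PROXY = "https://forum.example/proxy.php"   # hypothetical endpoint
IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=")(http://[^"]+)(")', re.I)


def sign(url, key=SECRET_KEY):
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()


def proxy_link(url, key=SECRET_KEY):
    """HTTPS link that replaces a plain-HTTP image URL in rendered posts."""
    return PROXY + "?" + urlencode({"url": url, "hash": sign(url, key)})


def rewrite_post(body):
    """Point every http:// <img> in a post at the proxy; https:// images are left alone."""
    def swap(m):
        return m.group(1) + html.escape(proxy_link(html.unescape(m.group(2)))) + m.group(3)
    return IMG_SRC.sub(swap, body)


def verify(link, key=SECRET_KEY):
    """Return the target URL if the link carries a valid tag for the current key, else None."""
    query = parse_qs(urlparse(link).query)
    url, tag = query.get("url", [""])[0], query.get("hash", [""])[0]
    if urlparse(url).scheme not in ("http", "https"):
        return None
    return url if hmac.compare_digest(tag.encode(), sign(url, key).encode()) else None


def read_capped(stream, limit=MAX_BYTES, chunk=64 * 1024):
    """Read the upstream body in chunks; give up once it exceeds the cap."""
    data = bytearray()
    while True:
        block = stream.read(chunk)
        if not block:
            return bytes(data)
        data += block
        if len(data) > limit:
            return None  # oversized image: refuse instead of buffering it all
```

Counting bytes as they arrive, rather than reading a declared length, is what keeps an oversized image from being buffered in full before it is rejected.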

Dragooon


Rain Forest

Mozilla's Firefox will be banning any http-traffic in the future (read their blog: Deprecating Non-Secure HTTP - Firefox)

Does this have consequences for SMF and members?

badon

Thank you for sharing that information Rain Forest. Now I won't seem like a lone raving lunatic when I get upset when someone broadcasts my private information via HTTP, or worse, via email. All of us who are frustrated by the "no-can-do" attitude some people have toward security can sleep better tonight knowing that we may have lost the battle, but we're going to win the war. Now, everyone will be forced to take HTTPS seriously.

Kindred

well, pretty much, it appears to mean that Firefox has determined to stop supporting the little sites and only support those who spring for a cert.

idiots.   Almost as stupid as Google.

vbgamer45

That is an extremely dumb move. Even more so for people on shared hosting since SSL requires a dedicated IP....
Honestly not everything needs to be secure. If you are that paranoid about it you would secure on your own end.