Does SMF 2.0.2 support SSL/HTTPS?

Started by FreeMag, June 27, 2012, 12:31:38 PM


Kindred

while we appreciate donations, and they help to keep our services running, no one on the team gets paid -- so donating money to "development" doesn't actually have any effect on the speed of said development.

And no... we never give dates, even SWAG dates for releases.

As noted, you can currently switch to SSL/HTTPS with no issues, except on pages where an external image (like an avatar or an included image in a post) will "warn" the browser that the whole page is not fully secure.

However, for the form submission pages (which is what Google is going to demand), the SSL will work fine.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

mj.

Thanks for your response Kindred.  I understand.  The most difficult part of this for me is I'm sick and tired of being sick and tired of security and privacy not being taken seriously.  Most forum software is a leaky boat and SMF is not an exception to that.  This site itself isn't even secure.  I'm not trying to start a fuss but I believe priorities are misplaced. Function over form is the way.  I don't know, I'd like to help but you've basically told me I can't do a darned thing regardless.  How can things get better?  Do you have any ideas?

Kindred

well, first and foremost - SMF still has one of the best records, in terms of security.
As of 2.0.12, there are no known security issues in SMF.
So, saying that "security and privacy (are) not being taken seriously." is really rather untrue.

Making your forum https or not is not actually much of a security issue.
The only place that it might actually matter is the login or registration forms... and those can currently be made fully https already.
As a matter of fact, the only updates needed are to handle offsite images (which, as stated are already being worked on backporting the 2.1 proxy to a future 2.0.x release)


How can things get better?
Better in what way? As I indicated, above, things are not actually "bad" right now, when it comes to this area.
Yes, the 2.1 release process is slow -   we are all volunteers, and we have varying amounts of time to spend on this project. That has been true since Day 1...

Paracelsus

Quote from: Kindred on December 05, 2016, 06:54:00 AM
ummmmmm... https works just fine on 2.0.x with no mods at all. I have it implemented on 5 sites now.

The only exception is the external images/avatars

Hi, care to explain the steps to do it? (like very basic because I know nothing about SSL/https) ;D

We're on a Centos7 environment with nginx + php-fpm + mariadb.

EDIT: Or is it better to wait for that backporting?

Kindred

add  a cert to your server

add the following lines to your .htaccess file


RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


You can try using repair_settings.php now -- some people have complained that they don't think it works on https... if you think so, then do the following

access your forum
change the root forum URL
change the avatars directory URL
change the attachments directories URL(s)
change the theme directories URL(s)
check any mods that define the site/mod URLs

I don't know the process to update PrettyURLs, if you are using that mod...

mj.

I guess we may just need to agree to disagree, Kindred.  You've done more work here than me, and obviously we think about this a little differently.  It seems contradictory to me in 2016 with a zillion security breaches under the belt that what some folks more knowledgeable of the code than I say what's 'easy' isn't a backport in some fashion, or even implemented at this site.  I spent a year and a half working in IT security a decade back or so, so I do believe I have a bit of experience in this area.  I've been signing NDA's and spending weeks per year doing 'training' in how to properly handle other folks private information for at least 10 years.  IMO if things aren't TLS https at any site I consider it insecure at this point.  I didn't mean to demean the software itself, but I will take the time to give you bullet points on why I think it's not **better** security than other forum software at the very least if you would like.  Maybe you could see my point of view better if I did that, I dunno.

Kindred

You seem to be missing the point. Https works just fine for all submission that include any data. The only place where it is lacking is the cross site references that call for an image that is on another site which is not https. Which means your issues about security are essentially nonissues since everything you mentioned is covered under the current SMF release

nend

Here is the hack, it doesn't do avatars so don't allow external avatars for now. Also like Kindred mentioned this is being worked on a future 2.0 release, so when that version comes out, you'll have to undo these changes or you'll more than likely break your forum.

File Sources/Subs.php
Find
    'content' => '<img src="$1" alt="" class="bbc_img" />',
    'validate' => create_function('&$tag, &$data, $disabled', '
        $data = strtr($data, array(\'<br />\' => \'\'));
        if (strpos($data, \'http://\') !== 0 && strpos($data, \'https://\') !== 0)
            $data = \'http://\' . $data;
    '),

Replace
    'content' => '<img src="$1" alt="" class="bbc_img" />',
    'validate' => function (&$tag, &$data, $disabled)
    {
        global $image_proxy_enabled, $image_proxy_secret, $boardurl;

        // Strip '<br />' as the replaced 2.0 line did ('<br>' is the 2.1 form)
        $data = strtr($data, array('<br />' => ''));
        if (strpos($data, 'http://') !== 0 && strpos($data, 'https://') !== 0)
            $data = 'http://' . $data;

        // Route non-HTTPS images through the signed proxy URL
        if (substr($data, 0, 8) != 'https://' && $image_proxy_enabled)
            $data = $boardurl . '/proxy.php?request=' . urlencode($data) . '&hash=' . md5($data . $image_proxy_secret);
    },


Find
    'content' => '<img src="$1" alt="{alt}"{width}{height} class="bbc_img resized" />',
    'validate' => create_function('&$tag, &$data, $disabled', '
        $data = strtr($data, array(\'<br />\' => \'\'));
        if (strpos($data, \'http://\') !== 0 && strpos($data, \'https://\') !== 0)
            $data = \'http://\' . $data;
    '),

Replace
    'content' => '<img src="$1" alt="{alt}"{width}{height} class="bbc_img resized" />',
    'validate' => function (&$tag, &$data, $disabled)
    {
        global $image_proxy_enabled, $image_proxy_secret, $boardurl;

        // Strip '<br />' as the replaced 2.0 line did ('<br>' is the 2.1 form)
        $data = strtr($data, array('<br />' => ''));
        if (strpos($data, 'http://') !== 0 && strpos($data, 'https://') !== 0)
            $data = 'http://' . $data;

        // Route non-HTTPS images through the signed proxy URL
        if (substr($data, 0, 8) != 'https://' && $image_proxy_enabled)
            $data = $boardurl . '/proxy.php?request=' . urlencode($data) . '&hash=' . md5($data . $image_proxy_secret);
    },


Add this to Settings.php, being sure to replace 'aSecretKeyHere' with a unique key.

########## Image Proxy ##########
# This is done entirely in Settings.php to avoid loading the DB while serving the images
$image_proxy_enabled = 1;
$image_proxy_secret = 'aSecretKeyHere';
$image_proxy_maxsize = 5192;


Download Sources/Class-CurlFetchWeb.php and proxy.php from the 2.1 GitHub repo and upload them to the respective folders.
https://github.com/SimpleMachines/SMF2.1
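
The signed proxy URL built in the Subs.php edit above, together with the check the receiving end has to make, as an added example that is not part of the post above and is not SMF's proxy.php. The function names, the `forum.example` and `images.example` hosts and the secret are constructed for illustration; only the `request`/`hash` parameters and the `md5($data . $image_proxy_secret)` construction come from the hack.

```php
<?php
// Added example, not SMF code. All values below are constructed samples.
$image_proxy_secret = 'constructed-sample-secret';
$boardurl = 'https://forum.example';

// Rewrite side: same URL construction as the Subs.php replacement.
function proxy_url($boardurl, $secret, $image)
{
    if (substr($image, 0, 8) === 'https://')
        return $image; // already HTTPS, nothing to proxy
    return $boardurl . '/proxy.php?request=' . urlencode($image)
        . '&hash=' . md5($image . $secret);
}

// Serving side (hypothetical): only fetch URLs the forum itself signed.
function proxy_request_is_valid($secret, array $query)
{
    // Query parameters can arrive as arrays (request[]=...), so type-check first.
    if (!isset($query['request'], $query['hash'])
        || !is_string($query['request']) || !is_string($query['hash']))
        return false;

    // Only web URLs are ever signed by the rewrite side.
    $scheme = parse_url($query['request'], PHP_URL_SCHEME);
    if ($scheme !== 'http' && $scheme !== 'https')
        return false;

    // Recompute with the server-side secret and compare in constant time.
    return hash_equals(md5($query['request'] . $secret), $query['hash']);
}

// Build one signed URL, then parse it back the way PHP fills $_GET.
$signed = proxy_url($boardurl, $image_proxy_secret, 'http://images.example/cat.png');
parse_str(parse_url($signed, PHP_URL_QUERY), $good);

$swapped = $good;
$swapped['request'] = 'http://other.example/anything.png'; // hash no longer matches

$cases = array(
    'signed by the forum'      => $good,
    'request changed, old hash' => $swapped,
    'hash sent as an array'    => array('request' => $good['request'], 'hash' => array('x')),
    'hash missing'             => array('request' => $good['request']),
);

foreach ($cases as $label => $query)
    printf("%-28s %s\n", $label,
        proxy_request_is_valid($image_proxy_secret, $query) ? 'accepted' : 'rejected');
```

The hash is what keeps the proxy limited to images the forum itself embedded, and it only does that while `$image_proxy_secret` is unguessable, which is why the placeholder `'aSecretKeyHere'` has to be replaced. The hash in the posted hack has to stay in the form the downloaded proxy.php expects, so the construction is left as `md5()` here.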

mj.

Kindred, I'm quite cognizant of what you think the single security weakness is.  I disagree.  I see folks here having a cow about iframes support but y'all think 4 character passwords of the same character are an okeydokey option?  Maybe some other members of the community have some opinions.  I believe SSL efforts outta the box would also help mitigate some other possible weaknesses other than that which I won't bullet point so the world can see them.  I have been a software developer for 25 years, the most valuable experience I've gained from that is learning how NOT to fall in all the holes that the evil people in this world can exploit. I'm not the smartest guy in the world or the best coder but I have a ton of experience in that area.   My comments here are not intended to malign the software, but improve it.  I don't have a lot more to say, but I will offer to communicate privately to give you those bullet points.  It'll likely take me 2 hours, but I will do so if you are interested in that.  All I'm saying is I will give a little bit for free if you can try to see my point of view here.  I think that's what open source (or near so) is about.  I think it's a possible future big problem, and I'm offering to help.

Colin

Agreed, SSL support out of the box is the goal. We are working on it :). Thanks MJ.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Kindred

Well MJ, I happen to disagree with your contention... However I am always open to hearing about possible security improvements even if we disagree on the severity of them; Plus as I said, SMF does support https out of the box for all critical form submissions... But if you have NE security information that you want to share we will definitely listen. And as we've said several times now, default HTTPS implementation is planned but there are more critical issues that need to get dealt with before we get to that.

Also, to clarify I never thought you were trying to malign the software.

mj.

Kindred, we've already hit the gold standard for internet communication, several internet exchanges without any Godwins, so I think we can disagree and still talk productively.  I don't mean to malign your point of view either, it resembles mine from 10 years ago, so I believe I understand why you feel this way for a couple reasons. A while back the tinfoil hat guys were right and my thinking made a major paradigm shift on security and I just feel like it's been too darned long for SMF to adapt.  Just because you're paranoid doesn't mean they're not all out to get you.  I think the thing that matters we fundamentally agree on.  Good secure community open source software, yes?  I have a few RL problems ahead of this, but I will put together more detailed thoughts for you on potential security issues soon.  I'll share them with you via a secure method of your choice, one on one or with key devs, again, your choice.  I want to be clear that I'm not here yanking your chain on a whim, this has been on my mind for years, and I hold these types of concerns as long as I reasonably can, but when I can't hold them any longer I speak up.

Illori

If you believe you have found a security issue, please fill out our security form.

http://www.simplemachines.org/about/smf/security.php

Kindred

MJ... as a note, I have been in software and websites as a professional for over 20 years now....   so, I do have a background in security protocols, etc, as well. :P

As I said, I look forward to your points...   We are always willing to accept input (especially constructive input) even if we eventually decide that the report is not an issue. :)  So speaking up is welcome.

badon

Quote from: Kindred on December 09, 2016, 07:14:22 PM
Https works just fine for all submission that include any data. The only place where it is lacking is the cross site references that call for an image that is on another site which is not https.

I solve this problem by forbidding hotlinking outside of the forum. I can't enforce that automatically without a mod I don't have, and this problem is still borking things for people:

Your attachment has failed security checks and cannot be uploaded

Hotlinking screws up CloudFlare too, so they end up being blocked, but the internet hasn't realized this yet. In general, hotlinking is kind of awkward for the internet, with lots of broken hotlinks. In my opinion, they should be eliminated as much as is practical. Maybe a future version of SMF can forbid hotlinking of images at least. That would be helpful. Save the internet.


QWAtomic

Quote from: Kindred on December 09, 2016, 08:13:38 AM
The only place that it might actually matter is the login or registration forms... and those can currently be made fully https already.

Can you explain the process to enable this? We've started to get warnings from Google about our registration/login forms not being HTTPS. We would like to make these secure but without forcing HTTPS on the whole site.

Kindred

well, the easiest way is just to make the whole site https.

Jailer

Https has gotten much easier with the advent of letsencrypt. If you're on a managed hosting site get with your host and see if they support certbot/letsencrypt.

It really is simple to obtain and maintain your cert with certbot.

Linkjay

I have been using Cloudflare's SSL on my forums (using Hostinger as my host) and I have had no problems at all. All I really had to do was add https:// to the start of a lot of my paths. The repair_settings.php script helped a lot with this.
I play games in my free time and volunteer my knowledge and support to the gaming communities of the internet.

You can contact me by these methods:
Use my Contact Script • PM me here • Add me on Steam
