Moving SMF http:// (root) into https:// (sub)?

Started by Erikson, September 14, 2014, 09:02:11 PM

Erikson

Dear Kindred. Yes, you are right. They link to SMF and that is the problem. SSL cannot secure this, because the pictures are external and used by the script.

For example:

When I do https://mypage.com/forum/images/themes.png -> then it is secured.
When I do http://www.simplemachines.org/smf/images/package.png -> not secured, because the script takes it from the SMF homepage, so how should SSL validate this?

That is the first major problem.

Quote from: Kindred on September 15, 2014, 01:31:18 AM
I have received no PM from you with any URL, so I don't know quite what you're talking about. Additionally, the links that you have been providing to images in your post above are not useful in the least; they link to images on the simplemachines.org site, not on your own site. If you want to provide images of things that are happening on your site, provide them external to this site. Basically, you have provided no useful information to help you debug.

With best Regards!

Erikson
The best Forum Software? - SMF ./. The Best Support? - SMF-Support

Erikson

In the attachment you can see what I mean.

Best Regards!

Erikson

Kindred

and THAT will ***ALWAYS*** be a problem.

If you link off your site, you have no control over the access point, http or https.  period.
There is nothing that you can do about that.


I was under the impression that you were having issues connecting your OWN site, fully, to https.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

mashby

Makes some sense, links like this:
http://www.simplemachines.org/smf/images/package.png
If you view Package Manager, that particular image is displayed under http. I also checked my own site and the same thing happens there.
Admin > Smileys...
http://www.simplemachines.org/smf/images/smileys.png
Admin > Themes...
http://www.simplemachines.org/smf/images/themes.png

Makes sense that a URL to your forum would have been not as useful as getting both the URL and an admin account. Thanks for that.

Now the question remains...where do those get generated from?
Always be a little kinder than necessary.
- James M. Barrie

Illori

I believe they are all called from scripts on sm.org that SMF downloads daily. The only way to remove them is to remove the latest packages/themes/smileys from the templates so they do not display, which have been removed in 2.1 already.

LiroyvH

Keep in mind, it doesn't compromise encryption and afaics only the administrator will face mixed-content warning on those.
The forum itself, and by that I mean the user end, shouldn't encounter those issues when it's properly configured and the img bbc is disabled.
Very small impact and nothing to worry about at all, but I can understand it's seen as annoying. It can be fixed as soon as SSL is implemented here.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Erikson

Thank you all for your comments. But I now have no solution. So here SMF is buggy. At this point I must say man-in-the-middle is possible in the admin area. I will try to download the three pictures and change the script to my own root images. Then I have the solution I want for a new installation. Can anyone tell me what file or files I must change here?

Best Regards!

Erikson

Arantor

Quote
At this point I must say man-in-the-middle is possible in the admin area

Incorrect.

mashby

Themes/default/ManageSmileys.template.php
Look for and remove:
if (empty($modSettings['disable_smf_js']))
echo '
<script type="text/javascript" src="', $scripturl, '?action=viewsmfile;filename=latest-smileys.js"></script>';


Themes/default/Themes.template.php
Look for and remove:
if (empty($modSettings['disable_smf_js']))
echo '
<script type="text/javascript" src="', $scripturl, '?action=viewsmfile;filename=latest-themes.js"></script>';


Themes/default/Packages.template.php
Look for and remove:
if (empty($modSettings['disable_smf_js']))
echo '
<script type="text/javascript" src="', $scripturl, '?action=viewsmfile;filename=latest-packages.js"></script>';

Erikson

Not incorrect, please read here. I am sorry, but this is German; please search for the English version.

https://support.mozilla.org/de/kb/wie-kann-ich-feststellen-ob-meine-verbindung-zu-einer-website-verschluesselt-erfolgt?as=u&utm_source=inproduct

It is not secured! ... because there are unencrypted elements like pictures on this page.

Quote from: Arantor on September 15, 2014, 09:18:13 PM
Quote
At this point I must say man-in-the-middle is possible in the admin area

Incorrect.

Best Regards!

Erikson

Erikson

Thank you very much, mashby. I will try this now and will report the solution to you.

Quote from: mashby on September 15, 2014, 09:27:34 PM
Themes/default/ManageSmileys.template.php
Look for and remove:
if (empty($modSettings['disable_smf_js']))
echo '
<script type="text/javascript" src="', $scripturl, '?action=viewsmfile;filename=latest-smileys.js"></script>';


Themes/default/Themes.template.php
Look for and remove:
if (empty($modSettings['disable_smf_js']))
echo '
<script type="text/javascript" src="', $scripturl, '?action=viewsmfile;filename=latest-themes.js"></script>';


Themes/default/Packages.template.php
Look for and remove:
if (empty($modSettings['disable_smf_js']))
echo '
<script type="text/javascript" src="', $scripturl, '?action=viewsmfile;filename=latest-packages.js"></script>';


Best Regards!

Erikson

Erikson

Dear mashby. When I change the script, the page is secured. I got this at the place I changed. Please take a look at the attachment. ;) The link (with picture) to simplemachines.org uses this insecure problem for SSL. So, OK, it's not a front door, but it is a backdoor.

Best Regards!

Erikson :)

Arantor

Actually, you *are* incorrect.

There is no risk of MITM between your browser and your server; those third-party elements would not actually compromise the overall security for any actual requests. Were they active scripting components, that would be a different story, since DOM manipulation would be possible, but they are images served from a known-safe domain, with no possibility of active scripting short of simplemachines.org itself being compromised, followed by images having embedded nastiness that manages to escape browser sandboxes... a chain of events so unlikely, winning multiple countries' lotteries all in the same week is more likely.

Just because the page is reported as 'not entirely secure' does not mean you are at risk of MITM. Because you're not. Nor is it a backdoor. Not even for paranoid people.


But I'm only a former member of the SMF developer team, I wouldn't know about this sort of thing at all, obviously.

You have had a former developer of SMF, plus one of the server administrators here telling you that you are not insecure. There are few higher courts of appeal you could go to on this one.
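
An added example, not part of any post in this thread and not SMF code: a small Python audit that lists the plain-http subresources an https page references and labels each as passive (images, media) or active (scripts, frames, stylesheets), the distinction drawn in the reply above. The page URL, the sample markup, the `static.example` host and the tag table are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Simplified table (an assumption): what each auto-loaded subresource can do.
KIND = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("object", "data"): "active", ("embed", "src"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel:
            self._check("active", tag, attrs.get("href"))  # CSS can alter the page
        for (t, attr), kind in KIND.items():
            if t == tag:
                self._check(kind, tag, attrs.get(attr))

    def _check(self, kind, tag, value):
        # Resolve relative and protocol-relative URLs against the page first.
        url = urljoin(self.page_url, (value or "").strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for an https page
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup for an admin page; not copied from SMF output.
PAGE_URL = "https://mypage.com/forum/index.php?action=admin;area=packages"
SAMPLE_HTML = """
<img src="/forum/images/themes.png">
<img src="http://www.simplemachines.org/smf/images/package.png" />
<script src="https://mypage.com/forum/index.php?action=viewsmfile;filename=latest-packages.js"></script>
<script src="http://static.example/widget.js"></script>
"""
if __name__ == "__main__":
    print(*audit(PAGE_URL, SAMPLE_HTML), sep="\n")
```

Only the `active` rows are subresources that could script the page; the `passive` rows are what trigger the "not entirely secure" indicator discussed here.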

mashby

Not sure what kind of door it is, but the image is no longer appearing. If you want to get rid of that area, too, remove this from:
Themes/default/ManageSmileys.template.php
<div class="cat_bar">
<h3 class="catbg">', $txt['smiley_sets_latest'], '</h3>
</div>
<div class="windowbg">
<span class="topslice"><span></span></span>
<div class="content">
<div id="smileysLatest">', $txt['smiley_sets_latest_fetch'], '</div>
</div>
<span class="botslice"><span></span></span>
</div>
It's a few lines above where that other code was in that same file.

For Themes/default/Themes.template.php find and remove this stuff:
<div class="windowbg">
<span class="topslice"><span></span></span>
<div class="content">
<div id="themeLatest">
', $txt['theme_latest_fetch'], '
</div>
</div>
<span class="botslice"><span></span></span>
</div>


For Themes/default/Packages.template.php find and remove this stuff:
<div class="windowbg2">
<span class="topslice"><span></span></span>
<div class="content">
<div id="packagesLatest">', $txt['packages_latest_fetch'], '</div>
</div>
<span class="botslice clear_right"><span></span></span>
</div>


Maybe that will assuage your paranoia?

Erikson

Yes, here ends my paranoia. Thank you very much for this. But now the major problem begins for me. First, I have an existing production installation of SMF. The second step I made, I think, was wrong. I bought the SSL certificate after installing SMF, so I installed SMF on http. Now I am trying to install it with https in a subfolder with repair_settings.php, because the normal http installation causes many faults for SSL. I hope I can fix this with repair_settings.php and a new subfolder. But I will report back to you.

Quote from: mashby on September 15, 2014, 09:53:45 PM
Not sure what kind of door it is, but the image is no longer appearing. If you want to get rid of that area, too, remove this from:
Themes/default/ManageSmileys.template.php
<div class="cat_bar">
<h3 class="catbg">', $txt['smiley_sets_latest'], '</h3>
</div>
<div class="windowbg">
<span class="topslice"><span></span></span>
<div class="content">
<div id="smileysLatest">', $txt['smiley_sets_latest_fetch'], '</div>
</div>
<span class="botslice"><span></span></span>
</div>
It's a few lines above where that other code was in that same file.

For Themes/default/Themes.template.php find and remove this stuff:
<div class="windowbg">
<span class="topslice"><span></span></span>
<div class="content">
<div id="themeLatest">
', $txt['theme_latest_fetch'], '
</div>
</div>
<span class="botslice"><span></span></span>
</div>


For Themes/default/Packages.template.php find and remove this stuff:
<div class="windowbg2">
<span class="topslice"><span></span></span>
<div class="content">
<div id="packagesLatest">', $txt['packages_latest_fetch'], '</div>
</div>
<span class="botslice clear_right"><span></span></span>
</div>


Maybe that will assuage your paranoia?

Best Regards!

Erikson

mashby

Looks like I missed the title DIVs. From Themes/default/Packages.template.php, remove this:
<div class="cat_bar">
<h3 class="catbg">
<span class="ie6_header floatleft"><a href="', $scripturl, '?action=helpadmin;help=latest_packages" onclick="return reqWin(this.href);" class="help"><img class="icon" src="', $settings['images_url'], '/helptopics.gif" alt="', $txt['help'], '" align="top" /></a> ', $txt['packages_latest'], '</span>
</h3>
</div>


And from Themes/default/Themes.template.php, remove this:
<div class="cat_bar">
<h3 class="catbg">
<span class="ie6_header floatleft"><a href="', $scripturl, '?action=helpadmin;help=latest_themes" onclick="return reqWin(this.href);" class="help"><img src="', $settings['images_url'], '/helptopics.gif" class="icon" alt="', $txt['help'], '" /></a> ', $txt['theme_latest'], '</span>
</h3>
</div>

Erikson

Thank you very much Mashby. I will do this now! ;)

Quote from: mashby on September 15, 2014, 10:25:51 PM
Looks like I missed the title DIVs. From Themes/default/Packages.template.php, remove this:
<div class="cat_bar">
<h3 class="catbg">
<span class="ie6_header floatleft"><a href="', $scripturl, '?action=helpadmin;help=latest_packages" onclick="return reqWin(this.href);" class="help"><img class="icon" src="', $settings['images_url'], '/helptopics.gif" alt="', $txt['help'], '" align="top" /></a> ', $txt['packages_latest'], '</span>
</h3>
</div>


And from Themes/default/Themes.template.php, remove this:
<div class="cat_bar">
<h3 class="catbg">
<span class="ie6_header floatleft"><a href="', $scripturl, '?action=helpadmin;help=latest_themes" onclick="return reqWin(this.href);" class="help"><img src="', $settings['images_url'], '/helptopics.gif" class="icon" alt="', $txt['help'], '" /></a> ', $txt['theme_latest'], '</span>
</h3>
</div>


Best Regards!

Erikson

Kindred

Of course, none of that is ACTUALLY necessary...

mashby

It might not be necessary, no, but here's my thinking on it. It's being removed from 2.1. Sweet. And this user wants it gone now. Easy enough edits (once I saw the stuff to actually remove). And less calls to this server for this user's Admin area. :)

Illori

Quote from: mashby on September 15, 2014, 11:15:48 PM
It might not be necessary, no, but here's my thinking on it. It's being removed from 2.1. Sweet. And this user wants it gone now. Easy enough edits (once I saw the stuff to actually remove). And less calls to this server for this user's Admin area. :)

It does not stop the script that gets the js files from here that populate that area; it just stops the display of them.
