SMF2: Non-secure passwords will trigger warnings in Chrome.

Started by kitz, January 20, 2017, 06:53:12 PM


kitz

Hi - I've recently received the following email from Google

Quote
Non-Secure Collection of Passwords will trigger warnings in Chrome 56 for http://kitz.co.uk/
To: owner of http://kitz.co.uk/
Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as "Not Secure" unless the pages are served over HTTPS.
The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users' data. The list is not exhaustive.
http://forum.kitz.co.uk/index.php?topic=12341.0
http://forum.kitz.co.uk/index.php?topic=13597.0
http://forum.kitz.co.uk/index.php?topic=14457.45
The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as "Not Secure".
Here's how to fix this problem:
Use HTTPS pages to collect sensitive information
To prevent the "Not Secure" notification from appearing when Chrome users visit your site, move collection of password and credit card input fields to pages served using the HTTPS protocol. Read the WebFundamentals article


Obviously this is a concern for me that must affect many other SMF forum users?  As an aside I also use the SMF SSI on the front page of the main site.

I don't have an SSL certificate because I don't collect payments and the only passwords used are for SMF forum login. 
It's a community help site and not for profit. Because of how busy it is, the server running costs cripple me as it is (too big for any type of shared hosting).

I'm also concerned about the effects of http -> https, as the site is currently well ranked in google.co.uk, and any adverse effects for searches. But if I don't do so it's also going to have a bad effect on the site and surely raise concerns for users if they are going to be flagged with non-secure messages.

I don't have a clue how I'd even go about changing SMF over to https, nvm the additional expense. I can't be the only one in this position?

Any thoughts, help, suggestions etc would really be appreciated.

vbgamer45

Yeah everyone got that. I got it for my sites.


Going to suck. Now will have to pay for each website/setup ssl, remember when it expires. Make sure all content on your site is https etc
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Dzonny

Quote from: vbgamer45 on January 20, 2017, 06:54:45 PM
Yeah everyone got that. I got it for my sites.


Going to suck. Now will have to pay for each website/setup ssl, remember when it expires. Make sure all content on your site is https etc
Yeah, it's a PITA to handle all of those, especially when you just run a discussion forum without payments/subscriptions and stuff. But I guess we'll have to deal with this eventually.

kitz

Jeeeeeeeeze wept.    For forums?    What a PITA. 

Not to mention how it's going to affect any searches on the old urls. Rankings are going to take a massive hit.
It's taken >10 yrs of blood, sweat and tears and tens of thousands of unpaid hours to keep it running. :(
This is going to cripple community sites >:(

vbgamer45

Wish it was built into browsers instead of people forced by every single website owner. There are over 300 million domains so that means 300 million SSL certs maybe needed....someone is making money.

kitz

Thanks guys for the prompt responses. 

Even though it wasn't what I wanted to hear (I was hoping it was some sort of mistake), at least I'm not alone on this.

nend

Another thing is the handshake cost. I got https in December, noticed the rise in response time.

vbgamer45

Yeah pages will load slower. If you have ads your earnings will decrease since a lot of ads are not https based either..

Shambles

My cPanel generates a (free) certificate for me. It costs nothing (obviously) and the whole site 'conversion' took 30 minutes.


Arantor

This is why Let's Encrypt is a thing. It can be set up to auto renew for you - for free. Chrome wasn't going to do this until such a thing was already available.

tinoest

Let's Encrypt is a great idea, and is the reason that most people should run their websites via https almost exclusively now. There is no excuse not to have https, which is why Chrome and Firefox forcing it is great imo.

It is really quite simple to install and set up, as detailed in the following two links.

https://wiki.debian.org/LetsEncrypt
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8

Also the performance impact should be minimal if you tune your httpd server.

Lighttpd is slightly more complex than nginx and apache as not as many people use it, but it's all standard stuff for a competent sysadmin.

Arantor

Therein lies the problem: most people here are not sysadmins. That's why they have hosts for that kind of thing.

tinoest

Quote from: Arantor on January 21, 2017, 08:33:38 AM
Therein lies the problem: most people here are not sysadmins. That's why they have hosts for that kind of thing.

https://community.letsencrypt.org/t/web-hosting-who-support-lets-encrypt/6920

The list of supported hosts is growing quite quickly.

natasa (NT)

I need dedicated IP for https, but I can stay on shared hosting, right?

Shambles

I'm on shared hosting and do not have a dedicated IP.

Yet, spookily, my site remains https (secure).

tinoest

Quote from: Shambles on January 22, 2017, 06:06:49 AM
I'm on shared hosting and do not have a dedicated IP.

Yet, spookily, my site remains https (secure).

SSL certs are not tied to an IP address, or haven't had to have been since SNI was introduced, which was after Windows XP was released and before Vista, as XP is the last OS not to support it.

Shambles


Ben_S

Quote from: nend on January 20, 2017, 07:37:40 PM
Another thing is the handshakes cost. I got https in December, notice the rise in response time.

You need to implement http/2, although unless you control the server you may struggle as your host will need to do it.
Liverpool FC Forum with 14 million+ posts.

MobileCS

I sort of solved this issue by :

Leaving "Show a quick login on every page" enabled.

Commenting out the entire "elseif (!empty($context['show_login_bar']))" section in index.template.php file and replacing it with :


elseif (!empty($context['show_login_bar']))
{
    // Guests get the welcome text only; the password field now appears solely on the login page.
    echo '<div class="info login-register">', sprintf($txt['welcome_guest'], $txt['guest_title']), '</div>';
}


CSS :

.login-register { font-size: 12px; line-height: 20px; }
.login-register a:link { text-decoration: underline; }


Now the browser warnings only show up on the actual login / register pages - instead of every forum page.

Also, guests still see the login / register / activation email links.



vbgamer45


riou

Wouldn't that only delay the need to fix it again since Google also said they will mark all non https pages (even ones without forms) as Not Secure in the future anyway?

oOo--STAR--oOo

I guess it's a change for the better to standardise SSL regardless of how useless information is regarded on websites.

I use Cloudflare which gives you a free SSL cert, I checked the cert out and it's shared by about 2 other domains.. Not too bad.
Cloudflare offers so many benefits to my website and security. Surprised to see the lack of people using it in the SMF community TBH. I heard people saying it causes all sorts of problems which I have never witnessed :S.

With Cloudflare also, you can set up SSL without even having to put the cert on your host/server. It's like noob proof! Although not recommended by them. You can also purchase a private cert from them if you wish to.

To transform to SSL I simply used the repair_settings.php script to change http to https. Pretty straightforward.



You can't fool a sufficiently talented fool.

http://www.uniquez-home.com
In Design Phase!

Mods I am designing,  No refresh Collapse Categories , Poll Redesign , Pure CSS Breadcrumb , Profile Statuses, Profile Views.

Linkjay

Quote from: oOo--STAR--oOo on January 26, 2017, 08:50:08 PM
I guess it's a change for the better to standardise SSL regardless of how useless information is regarded on websites.

I use Cloudflare which gives you a free SSL cert, I checked the cert out and it's shared by about 2 other domains.. Not too bad.
Cloudflare offers so many benefits to my website and security. Surprised to see the lack of people using it in the SMF community TBH. I heard people saying it causes all sorts of problems which I have never witnessed :S.

With Cloudflare also, you can set up SSL without even having to put the cert on your host/server. It's like noob proof! Although not recommended by them. You can also purchase a private cert from them if you wish to.

To transform to SSL I simply used the repair_settings.php script to change http to https. Pretty straightforward.

Ditto this completely. Use it on both websites that I administrate on and haven't had any issues at all.

AFAIK, Google will rank your site higher in search results if you have https. Basically the only downside is some hosts don't support the free methods of SSL. For example, GoDaddy only allows their custom expensive ass SSL script to be run on their servers, which is annoying. Hosts like mine will let you use any one you want, all you need to do is obtain them.

https://www.google.com/search?q=free+ssl+certificate
I play games in my free time and volunteer my knowledge and support to the gaming communities of the internet.

You can contact me by these methods:
Use my Contact Script • PM me here • Add me on Steam

steve in houston

I bought a Comodo cert from Namecheap for $9/year.
Quick and easy to install.

I was about to pull the trigger and change my config to https, then I thought of something...
What about all the embedded images in forum posts that link to non-secure sites? Wouldn't
that issue a browser warning about the site being non-secure?

vbgamer45

Yes it will. You will need an image proxy to handle any external media.

steve in houston


Illori

Quote from: vbgamer45 on February 03, 2017, 06:46:30 PM
Yes it will. You will need an image proxy to handle any external media.

this should be part of the SMF 2.0.14 patch if no issues are found.

steve in houston

I installed the image proxy code and it works fine.

I also loaded up the repair_settings.php script and changed all the URLs
from http:// to just //

I'm able to use both secure and non-secure for now. I had an issue
with the certificate about an hour ago so I have Comodo support looking at it.
Once I get that knocked out I'll redirect non-secure to secure.

Linkjay

Quote from: steve in houston on February 03, 2017, 11:38:49 PM
I installed the image proxy code and it works fine.

I also loaded up the repair_settings.php script and changed all the URLs
from http:// to just //

I'm able to use both secure and non-secure for now. I had an issue
with the certificate about an hour ago so I have Comodo support looking at it.
Once I get that knocked out I'll redirect non-secure to secure.

Usually new SSL scripts take a couple hours to propagate through to everyone. I recommend just waiting for a while before you try and do anything because that is most likely your "problem".

steve in houston

I was supposed to concatenate 2 crt's into a bundle then link to it.
I only had the single crt, so it was triggering a certificate transparency warning.

It's working great now.

Pyrhel

The new Firefox version also marks the non-SSL pages as "not secured", but "Let's Encrypt" is a great solution! I've been using it for about 6 months now and don't see any issues with it. I had a few problems when migrating, but in about 2 hours everything was completed. And since the migration, I see an improvement in the SERP! It's a very annoying obligation, but I think it's a great step.

Armada

So the migration time is the repair-settings.php file changing all the URLs in the database to https? Is that correct?

We have about a 4 Gig mysql database, and our attachment directory is 12,633,300.04 kB

I'm guessing the time to migrate to https would be huge?

Is there a way to just secure the login page, the forgot password page and the registration page?
--- SMF Rocks even more than YabbSE---

Kindred

ummm...   why huge?
It took me seconds...  for 4 sites.

1- install the cert
2- change your htaccess to force https/ssl
3- run repair_settings.php and change all the URLs that use http
4- update any mods that have http in their settings (including portal blocks)

You *CAN* do a replace in the smf_messages.body table/column..... but it's not required, since the htaccess update will automatically handle that.

The only thing left will be avatars and external images in BBC (maybe some old youtube embeds, if you use those)
avatars and BBC images will be taken care of via proxy in 2.0.14 shortly...
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Armada

Thanks :)

Quote from: Pyrhel on February 04, 2017, 11:14:07 AM
about 2 hours everything was completed.

That's why I was asking if the time to migrate would be huge. Pyrhel took two hours to do the migrate, and our forum database is probably a lot bigger at 4 Gigs in size (almost 5 million posts).

Kindred

What "migration" is involved? ???

That makes no sense to me.

There is no migration
there is no database change (except for the URL settings which can be done in repair_settings or in SMF admin)


so, what is there that would take more than a few minutes, at most?

Arantor

I'm not sure either, the image proxy in 2.0.14 should cover images, and links should go off site anyway. Internal links get covered by the htaccess rule, so nothing to do.

ThomasMo

Can you give some more information on this proxy feature? Especially from the aspect of legal rights. I have deactivated the image upload function of my forum due to companies like Getty Images that have many lawyers out there nowadays sending expensive invoices to web site owners hosting copies of their images. As long as my users put them on their own server and only put them into their postings using the IMG tag, everything is fine for me. But if the forum then shows these images with a proxy https address from my server, I have a legal problem again.

Will it be possible to use 2.0.14 with https but without the proxy feature (even if browsers might show a warning, but this will of course not happen at the login page as there are no third party images on the login page of my forum)?

Arantor

Except that there is a login form on every page by default in the default theme, so that won't actually solve your problem.

As for the proxy, it's really no different to how it is now, the only difference is that your server is relaying it for your users because the sites with the images don't have HTTPS - it's only needed for images on HTTP and in all likelihood if they don't have HTTPS, they probably don't care enough about the rights either.
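The mixed-content question steve in houston raised and the relaying proxy Arantor describes, as an added Python example that is not SMF's own proxy code: it rewrites only the http:// [img] URLs in a post to a hypothetical signed proxy endpoint, and shows the signature check the proxy needs so it cannot be used as an open relay to arbitrary hosts. The secret, the endpoint path and the post body are constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed values: the secret belongs in server-side config and the
# endpoint path is hypothetical, not SMF's actual proxy script.
PROXY_SECRET = b"constructed-example-secret"
PROXY_ENDPOINT = "https://forum.example.test/proxy.php"
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Constructed post body with one http:// and one https:// image.
SAMPLE_POST = ("Look: [img]http://pics.example.test/a.png[/img] and "
               "[img]https://cdn.example.test/b.png[/img]")


def sign(url):
    """HMAC-SHA256 over the exact upstream URL the proxy may fetch."""
    return hmac.new(PROXY_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def needs_proxy(url):
    """Only plain http:// images break an HTTPS page; https:// and // are fine."""
    return urlparse(url.strip()).scheme.lower() == "http"


def proxy_url(url):
    """Signed proxy URL for one http:// image."""
    return f"{PROXY_ENDPOINT}?request={quote(url, safe='')}&hash={sign(url)}"


def rewrite_post(body):
    """Route [img]http://...[/img] tags through the proxy, leave the rest alone.
    Returns (rewritten body, list of URLs that were rewritten)."""
    rewritten = []

    def repl(match):
        url = match.group(1).strip()
        if not needs_proxy(url):
            return match.group(0)
        rewritten.append(url)
        return f"[img]{proxy_url(url)}[/img]"

    return IMG_TAG.sub(repl, body), rewritten


def validate_proxy_request(query_string):
    """Proxy side: return the upstream URL only when the signature is valid.
    Without this check the endpoint is an open relay anyone can aim at any
    host, so unsigned, tampered or non-http requests all get None."""
    params = parse_qs(query_string, keep_blank_values=True)
    request = params.get("request", [None])[0]
    given = params.get("hash", [""])[0]
    if request is None or not needs_proxy(request):
        return None
    if not hmac.compare_digest(given.encode("utf-8"), sign(request).encode("utf-8")):
        return None
    return request
```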

ThomasMo

Quote from: Arantor on March 24, 2017, 03:32:10 PM
it's only needed for images on HTTP and in all likelihood if they don't have HTTPS, they probably don't care enough about the rights either.
I understand this argument. If a user takes a copyright-protected image from somewhere, puts it onto his webspace and includes it into a forum posting, the absence of HTTPS on his server does not tell anything about the legal situation.
