SMF2: Non-secure passwords will trigger warnings in Chrome.

Started by kitz, January 20, 2017, 06:53:12 PM


riou

Wouldn't that only delay the need to fix it again since Google also said they will mark all non https pages (even ones without forms) as Not Secure in the future anyway?

oOo--STAR--oOo

I guess it's a change for the better to standardise SSL regardless of how useless information is regarded on websites.

I use Cloudflare which gives you a free SSL cert, I checked the cert out and it's shared by about 2 other domains.. Not too bad.
Cloudflare offers so many benefits to my website and security. Surprised to see the lack of people using it in the SMF community TBH. I heard people saying it causes all sorts of problems which I have never witnessed :S.

With Cloudflare also, you can set up SSL without even having to put the cert on your host/server. It's like noob proof! Although not recommended by them. You can also purchase a private cert from them if you wish to.

To transform to SSL I simply used the repair_settings.php script to change http to https. Pretty straightforward.




Linkjay

Quote from: oOo--STAR--oOo on January 26, 2017, 08:50:08 PM
I guess it's a change for the better to standardise SSL regardless of how useless information is regarded on websites.

I use Cloudflare which gives you a free SSL cert, I checked the cert out and it's shared by about 2 other domains.. Not too bad.
Cloudflare offers so many benefits to my website and security. Surprised to see the lack of people using it in the SMF community TBH. I heard people saying it causes all sorts of problems which I have never witnessed :S.

With Cloudflare also, you can set up SSL without even having to put the cert on your host/server. It's like noob proof! Although not recommended by them. You can also purchase a private cert from them if you wish to.

To transform to SSL I simply used the repair_settings.php script to change http to https. Pretty straightforward.

Ditto this completely. Use it on both websites that I administrate on and haven't had any issues at all.

AFAIK, Google will rank your site higher in search results if you have https. Basically the only downside is some hosts don't support the free methods of SSL. For example, GoDaddy only allows their custom expensive ass SSL script to be run on their servers which is annoying. Hosts like mine will let you use any one you want, all you need to do is obtain them.

https://www.google.com/search?q=free+ssl+certificate

steve in houston

i bought a comodo cert from namecheap for $9/year.
quick and easy to install.

i was about to pull the trigger and change my config to https then i thought of something...
what about all the embedded images in forum posts that link to nonsecure sites?  wouldn't
that issue a browser warning about the site being non-secure?

vbgamer45

yes it will. You will need an image proxy to handle any external media

steve in houston


Illori

Quote from: vbgamer45 on February 03, 2017, 06:46:30 PM
yes it will. You will need an image proxy to handle any external media

this should be part of the SMF 2.0.14 patch if no issues are found.

steve in houston

i installed the image proxy code and it works fine.

i also loaded up the repair_settings.php script and changed all the URLs
from http:// to just //

i'm able to use both secure and non-secure for now.  i had an issue
with the certificate about an hour ago so i have comodo support looking at it.
once i get that knocked out i'll redirect non-secure to secure.

Linkjay

Quote from: steve in houston on February 03, 2017, 11:38:49 PM
i installed the image proxy code and it works fine.

i also loaded up the repair_settings.php script and changed all the URLs
from http:// to just //

i'm able to use both secure and non-secure for now.  i had an issue
with the certificate about an hour ago so i have comodo support looking at it.
once i get that knocked out i'll redirect non-secure to secure.

Usually new SSL scripts take a couple hours to propagate through to everyone. I recommend just waiting for a while before you try and do anything because that is most likely your "problem".

steve in houston

i was supposed to concatenate 2 crt's into a bundle then link to it.
i only had the single crt, so it was triggering a certificate transparency warning.

it's working great now.

Pyrhel

New Firefox version also marks the non-ssl pages as "not secured", but "Let's encrypt" is a great solution! I'm using it for about 6 months now and don't see any issues with it. I had a few problems when migrating, but in about 2 hours everything was completed. And since the migration, I see an improvement in the SERP! It's a very annoying obligation, but I think it's a great step.

Armada

So the migration time is the repair-settings.php file changing all the URLs in the database to https? Is that correct?

We have about a 4 Gig mysql database, and our attachment directory is 12,633,300.04 kB

I'm guessing the time to migrate to https would be huge?

Is there a way to just secure the login page, the forgot password page and the registration page?

Kindred

ummm...   why huge?
It took me seconds...  for 4 sites.

1- install the cert
2- change your htaccess to force https/ssl
3- run repair_settings.php and change all the URLs that use http
4- update any mods that have http in their settings (including portal blocks)

you *CAN* do a replace in the smf_messages.body table/column.....   but it's not required, since the htaccess update will automatically handle that.

The only thing left will be avatars and external images in BBC (maybe some old youtube embeds, if you use those)
avatars and BBC images will be taken care of via proxy in 2.0.14 shortly...

Armada

Thanks :)

Quote from: Pyrhel on February 04, 2017, 11:14:07 AM
about 2 hours everything was completed.

That's why I was asking if the time to migrate would be huge. Pyrhel took two hours to do the migrate, and our forum database is probably a lot bigger at 4 Gigs in size (almost 5 million posts).

Kindred

What "migration" is involved? ???

That makes no sense to me.

There is no migration
there is no database change (except for the URL settings which can be done in repair_settings or in SMF admin)


so, what is there that would take more than a few minutes, at most?

Arantor

I'm not sure either, the image proxy in 2.0.14 should cover images, and links should go off site anyway. Internal links get covered by the htaccess rule, so nothing to do.
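
The distinction drawn above between embedded images and links, as an added example that is not part of the thread or of SMF's own code: a Python script that scans BBC post bodies and flags only the `[img]` URLs an HTTPS page would fetch over plain HTTP. The hostname `forum.example`, the sample posts and the verdict labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

FORUM_HOST = "forum.example"  # assumption: placeholder for your forum's hostname

# Constructed sample post bodies in BBC markup (not real forum data).
SAMPLE_POSTS = {
    101: "Look: [img]http://pics.example.net/cat.jpg[/img]",
    102: "See [url=http://forum.example/index.php?topic=5.0]this topic[/url]",
    103: "[img width=200]https://cdn.example.org/ok.png[/img] [url]http://other.example.com/[/url]",
    104: "[img]//pics.example.net/dog.jpg[/img]",
}

IMG_RE = re.compile(r"\[img[^\]]*\]\s*(.*?)\s*\[/img\]", re.I | re.S)
URL_RE = re.compile(r"\[url(?:=([^\]]+))?\](.*?)\[/url\]", re.I | re.S)

def classify(kind, url):
    """Return how an HTTPS forum page treats one URL found in a post."""
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return "ok"
    if scheme == "" and url.startswith("//"):
        return "scheme-relative"   # follows the scheme of the page it is on
    if scheme != "http":
        return "other"
    if kind == "img":
        return "mixed-content"     # fetched by the page itself over HTTP
    # Links are navigations, not subresources, so they raise no warning;
    # per the thread, internal ones are handled by the force-HTTPS rule.
    internal = (parts.hostname or "").lower() == FORUM_HOST
    return "internal-link" if internal else "offsite-link"

def audit(posts):
    """Map post id -> list of (kind, url, verdict) for every embed or link."""
    report = {}
    for post_id, body in posts.items():
        found = [("img", m.group(1)) for m in IMG_RE.finditer(body)]
        found += [("url", m.group(1) or m.group(2)) for m in URL_RE.finditer(body)]
        report[post_id] = [(k, u, classify(k, u)) for k, u in found]
    return report

def needs_proxy(posts):
    """Post ids with at least one image that would load over plain HTTP."""
    return sorted(pid for pid, rows in audit(posts).items()
                  if any(v == "mixed-content" for _, _, v in rows))

if __name__ == "__main__":
    print(needs_proxy(SAMPLE_POSTS), audit(SAMPLE_POSTS))
```
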

ThomasMo

Can you give some more information on this proxy feature? Especially from the aspect of legal rights. I have deactivated the image upload function of my forum due to companies like Getty Images that have many lawyers out there nowadays sending expensive invoices to web site owners hosting copies of their images. As long as my users put them on their own server and only put them into their postings using the IMG tag, everything is fine for me. But if the forum then shows these images with a proxy https address from my server, I have a legal problem again.

Will it be possible to use 2.0.14 with https but without the proxy feature (even if browsers might show a warning, but this will of course not happen at the login page as there are no third party images on the login page of my forum)?

Arantor

Except that there is a login form on every page by default in the default theme so that won't actually solve your problem.

As for the proxy, it's really no different to how it is now, the only difference is that your server is relaying it for your users because the sites with the images don't have HTTPS - it's only needed for images on HTTP and in all likelihood if they don't have HTTPS, they probably don't care enough about the rights either.

ThomasMo

Quote from: Arantor on March 24, 2017, 03:32:10 PM
it's only needed for images on HTTP and in all likelihood if they don't have HTTPS, they probably don't care enough about the rights either.
I understand this argument. If a user takes a copyright-protected image from somewhere, puts it onto his webspace and includes it into a forum posting, the absence of HTTPS on his server does not tell anything about the legal situation.
