Hi,
i've a short question:
Does SMF 2.0.2 support SSL/TLS, without big changes in the source code?
It should do, there should be an option in the admin panel for this.
Okay,
I just found this Option (Configuration -> Server Settings... -> Cookies and Sessions )
QuoteForce cookies to be secure
(This only applies if you are using HTTPS - don't use otherwise!)
Will this encrypt all connection to/from my forum (activities in the forum -> postings, threads, ect) or only the login?
SMF 2 should encrypt all activities from the users .
No matter if they log-in, read/open a post, create a post.
No, that's just for cookies.
I seem to recall the SSL option is somewhere else, you can use the front page of the admin panel to search for HTTPS and SSL.
Have you found a solution to this, I am also trying to find out how to implement SSL/https but could not find anything in the add min panel?
I'm amazed that in the year 2012, there's still a bit of software out there that has a user account login while barfing all the data out into the world for everyone to see. PM's, restricted forums, etc are all viewable by everyone. The sensible thing to do is to make HTTPS the default for everything. Then, when it doesn't work for some people, they won't be merrily unaware that they're barfing in public.
I am absolutely horrified that this has happened to me. What did I say that was supposed to be private, but is now in somebody's database? This discussion needs to be resurrected until it is fixed, so people will at least know that they're "logging in" to a crowded room with microphones, cameras, glass walls, and [Snipped by Colin out of courtesy for our younger audience.]
Sticky/pin/announce/wail/etc?
Couple issues with https normally requires a dedicated ip won't work with most shared hosting, plus the cost of SSL certificate, slows down the forum/performance since everything is encrypted. Probably not needed for the vast majority of forums,
But would be nice if SMF has some SSL support built in for instances when it would be required.
oh, please... none of the forums I have been on use SSL... not SMF, not phpBB, not VB...
nor does Wordpress or Joomla, by default...
(actually WordPress requires a very buggy add-on to do https)
So, I'd hardly say that this is a hot ticket issue.
Also, as vbgamer points out - SSL is difficult on a shared server, if not outright impossible on some... and the certs require payment (which many site owners can't or won't do)
Finally... even if you use SSL, the data is still stored in clear-text in the database..... the only thing encrypted in the SMF database is the password.
P.S. Instead of resurrecting old threads to complain, you could try using the search to find some threads with answers... http://www.simplemachines.org/community/index.php?topic=489673.0
If a site owner should happen to have SSL available anyway (say, for a store), it would be wonderful for SMF to be able to use SSL for password entry and change, user information entry/edit/display, and anything else reasonably considered sensitive. It would be nice to be able to put the entire forum under SSL, as some sites require that when members are discussing very sensitive information (obviously, guest access needs to be shut off). SMF has lost some users because it doesn't offer SSL usage. Granted, some people think SSL gives them more security than it really does (e.g., makes it hack-proof, protects the database against snooping, etc. NOT!).
SSL is common on shared servers (including private SSL certificates). Private certs do cost some money, and usually require a dedicated IP address (additional $$). If you don't mind having a funky URL that doesn't have your domain name, many servers offer "shared" certs for free. And if you already have spent the money for SSL for other applications, why not be able to use it for SMF?
well, there is a mod for SSL login... although it has not been updated for 2.0 final
You can have SSL set up. I have it on my server and SM is using it. I used someone to set this up for me, and can;t remember how it was done, but it is possible....
Actually for the most part setting up SSL is actually very very easy. There's just no magic tick box for it.
Pretty much you can start by replacing all the theme URL and primary board URL settings to point to https instead of http and that will fix the bulk of it before you start. Then it's a fairly quick find/replace in the posts to replace links between posts with https instead of http - to do it entirely across the site.
Then just tick the SSL cookies box.
What do you mean by "find/replace in the posts" and "links between posts"?
Any posts that link to other posts on the same forum are going to need changing because they'll all have http not https in them. It's a quick enough SQL statement to do that find/replace.
I think I could probably solve that by forcing SSL on the server, to avoid needing to alter the database. Thanks for the help!
Except you would still need to modify the database anyway, because all you'd end up doing is forcing every single link in posts/PMs only to have to make two hits to the site - instead of just fixing them once and for all.
I am about to install an ssl to my forum.. as I read you dont think this a good idea? will it slow the forum so much?
I didn't say it wasn't a good idea, but unless you actually need it you could consider avoiding it.
There *is* a performance hit attached, and there isn't necessarily the security benefit that you might think you're getting. If you actually have a signed certificate, that's something, but it's possible to hijack and MITM attack it anyway.
Quote from: ademanuele on December 11, 2012, 03:55:19 AM
You can have SSL set up. I have it on my server and SM is using it. I used someone to set this up for me, and can;t remember how it was done, but it is possible....
Just an update, I took the same route you did, and had someone set up SSL for me. There were some quirks to get around, like configuring SMF's base URL to be https://whatever.whatever/whatever with the HTTPS part. Also, since non-https linsk are all over the internet, we forced HTTPS in Apache's configuration, so everyone will always be using SSL. Then, we disabled post text and PM text in notification emails, which is a "leak" that gets around SSL if even one person gets a notification: [TIP/TRICK] Hide PM Text in Email Notifications (http://www.simplemachines.org/community/index.php?topic=508577.0).
Now, our Tor, VPN, and proxy users don't have to worry as much about MITM attacks, and people can have a greater degree of privacy in their PM's and pseudonymous posts, which matches their expectations better. It's still possible for system admins on our servers and internal network to snoop, but dragnet-style snooping by uninvited parties is largely eliminated.
Did I mention how much I love SMF? We've been using it as a blog platform, a bug tracking platform, and a bunch of other things that involve conversations that people normally don't think of a forum as the best way to do it. From my point of view, there are 3 kinds of sites of the internet:
1. Forums.
2. Wikis.
3. Everything else.
Having a major, actively developed, popular, security conscious, and BSD-licensed forum software available is a gift from heaven. Thank you SMF!
My forum is SMF 2.0.7 and my server uses SSL encryption. At first look everything looks good but SMF parse some of the internal URLs without SSL (i.e in recent post section)
Does anybody tired to fix this because as I see it it's big security flaw?
How exactly did you configure SMF to use SSL?
Quote from: Arantor on January 25, 2013, 02:37:07 PM
I didn't say it wasn't a good idea, but unless you actually need it you could consider avoiding it.
There *is* a performance hit attached, and there isn't necessarily the security benefit that you might think you're getting. If you actually have a signed certificate, that's something, but it's possible to hijack and MITM attack it anyway.
Better advice is to
always use HTTPS unless there is some exotic reason not to. The very slight increase in server resource usage from HTTPS cryptography operations have never been a deal breaker for any modern system, as far as I am aware. Unsigned HTTPS certificates are preferable to no HTTPS. The weaknesses in HTTPS are largely resolved by these 2 Firefox addons, including for unsigned certificates:
* Perspectives :: Add-ons for Firefox (https://addons.mozilla.org/en-US/firefox/addon/perspectives/)
* Web of Trust - WOT :: Add-ons for Firefox (https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/)
Perspectives is the most important because it will detect MITM attacks, and inform you when an unsigned certificate is OK to use. Perspectives will automatically bypass HTTPS warnings for unsigned certificates when Perspectives detects that it has been in use for along time and is not part of an MITM attack.
WOT will alert you to other attack vectors that do not directly involve HTTPS, like a phishing attempt at a lookalike site like www.paypa1.com.
In general, I think it's safe to say that sites that require login, but do not use HTTPS, are the backward hillbillies of the internet. This site is an excellent example. You can read some explanations about why forum sites not using HTTPS are ridiculously stupid here:
* #1082 (Enable HTTPS/SSL/TLS at forums.pcbsd.org) – PC-BSD (https://trac.pcbsd.org/ticket/1082#comment:4)
When in doubt,
always use HTTPS. One way to ensure you are always using the HTTPS version of a site automatically is to install these 2 Firefox addons:
* HTTPS Everywhere | Electronic Frontier Foundation (https://www.eff.org/https-everywhere)
* https-finder - A Firefox extension that detects valid HTTPS pages as you browse. One-click rule creation for HTTPS Everywhere - Google Project Hosting (https://code.google.com/p/https-finder/)
I've copied down a few other eclectic recommendations here:
* https://www.coincompendium.com/w/index.php/Help:Contents#Helpful_tools
You mean like on forums where users can and will post images that aren't on secure connections that will throw up warnings because you then have the forum trying to include insecure content on a secure page? There's a *lot* of that about here.
Unsigned certificates are better than no certificates - but every browser out there will throw up a massive horrible 'DO NOT TRUST THIS SITE' warning. From a user experience perspective that's far worse even if the end result is better.
As for your suggestion of the Perspectives plugin, that strikes me as not so clever. It's like Vista's UAC: it teaches users to accept things that are a bit suspicious as 'probably OK'.
I've campaigned for a while to have SSL here but it's not anywhere as simple as you make it out to be.
Always the pessimist, Arantor. None of those things you mentioned are more important than having HTTPS.
Firstly, browsers distinguish between active mixed content, and static mixed content. For example, a static image does not present a threat to the security of an HTTPS connection, but active JavaScript script does. So, JavaScript is blocked, but images are not.
Secondly, you misunderstand how Perspectives works. It does not produce more popups demanding the user's attention. In fact, it's the opposite - Perspectives almost never shows any messages unless something is wrong. In the case of unsigned certificates, Perspectives will bypass the browser's warnings when the Perspectives notaries agree that a site is not being MITM'd. The trustworthiness of a certificate is so ridiculously easy for Perspectives to determine that there much fewer things that are "a bit suspicious". In almost all cases, either you're being MITM'd, or you aren't. Black or white, yes or no.
If the certificate you get is different from what all the Perspectives notaries get, then you're being MITM'd. If it's the same, then you're not being MITM'd. The only gray area you might see is when Perspectives sees new certificates, and it doesn't have enough time or experience to determine whether it's the correct certificate or not. Go get it and use it. You'll be glad you did, it's good stuff.
There are a few cases where malicious certificates were properly signed. Perspectives will tell you that the certificate changed, so you can be aware of it in case it is important (like if it should not have changed). Browsers won't do anything, and they won't even notify you. You have to have Perspectives for that.
Perspectives will even show you the certificate history of a site, so you can see for yourself whether it looks like an attack has been attempted recently. Typically attacks will try the easier methods of attack before they try the more difficult methods. If you see in the certificate history that Perspectives has detected attacks recently, you will know that it's important to pay attention. If there have been no attacks, then you won't be bothered. Perspectives makes it easy to decide when you should be worried, and when you should not be worried. The best part is that, despite all the complicated things it does, Perspectives is very simple and easy to use. Everyone should have it.
I wish you luck in continuing your campaign to get HTTPS here at the SMF community forum.
QuoteAlways the pessimist, Arantor. None of those things you mentioned are more important than having HTTPS.
Always the pragmatist, actually.
Ordinarily I'd agree with you but having dealt with users confronted with a huge warning that says 'this site is potentially insecure' completely negates any security measures if USERS ARE FRIGHTENED TO USE IT.
QuoteFirstly, browsers distinguish between active mixed content, and static mixed content. For example, a static image does not present a threat to the security of an HTTPS connection, but active JavaScript script does. So, JavaScript is blocked, but images are not.
Funny, most browsers still throw up warnings anyway.
QuoteSecondly, you misunderstand how Perspectives works. It does not produce more popups demanding the user's attention. In fact, it's the opposite - Perspectives almost never shows any messages unless something is wrong. In the case of unsigned certificates, Perspectives will bypass the browser's warnings when the Perspectives notaries agree that a site is not being MITM'd.
No, I didn't. You misunderstood my comment about it.
Vista's UAC produces many popups, yes. Users overwhelmingly did one of two things in response: either were mentally goaded into blindly pressing yes to everything, or turned it off entirely. You see where this is going yet?
Doing the same with mismatches from the off doesn't leave the user any more secure. On the contrary, it makes them feel *more* secure, until they get to something that doesn't work, and then they'll just press OK anyway. Which, incidentally, was what Vista's UAC was all about.
QuoteI wish you luck in continuing your campaign to get HTTPS here at the SMF community forum.
I wish you luck in being less patronising. Especially since to solve the problem we'd have to get all the users to install Perspectives... yeah, that's not going to work out, is it?
Also, it would have to mean configuring all the ads to be served via HTTPS too...
fixed the misspelled quote that broke the layout, Arantor.
As for HTTPS..... the only thing that really should be HTTPS is the login.
The content itself doesn't require it... and has tons of issues to consider (offsite images and adverts are just the two most obvious ones)
This is what I mean about being less patronising ;) The whole 'I know best and everything works as it does in my world' attitude as supported by what Kindred is saying.
Going HTTPS for the login doesn't solve one of the more interesting side effects, when it comes to MITMing the session data, which you do need end to end SSL for (assuming you've established there isn't already an MITM before you start). Nor does it protect you if the cookie isn't sent securely anyway. Of course, you'd still want to encrypt registration as well as login for protecting the password and you'd want to encrypt parts of the profile page for the same reason. And the admin panel. And probably the moderation panel. And likely any time moderation is being done. If you're doing THAT, you might as well go SSL everywhere anyway.
Offsite images and adverts are the two main issues in general for end to end encryption, especially when you consider that sm.org would require two separate certificates; one wildcard one for *.simplemachines.org and one for media.simplemachinesweb.com.
XenForo actually include an image proxy specifically to serve all user-posted images over SSL when the originating host isn't SSL.
(Thanks Kindred)
EDIT: for clarity.
Hey, I am not being patronizing... and I admit when I'm wrong... and to that point, I guess I didn't/don't fully understand the MITMing stuff... :P
The simplemachinesweb one is easy, even if it's annoying... we would just get two certs...
and yes... discussion is actually being had on that whole image proxy thing... it's a real PITA though.
I thought I'd made it clearer, guess not ;) badon and I have sparred in the past and each time he comes off as extremely patronising because in his world everything is so simple and black and white, and rarely does any of that translate to real world implementation. I'm only seeming as pessimistic as I am because I know just how fragile the house of cards *really* is. How broken SSL is, even at the specification level. DNSSEC isn't a complete solution either.
MITM is not a difficult concept to understand - only to protect against. Man In The Middle: you send a request to a server, only someone intercepts it, passes off to the server and authenticates as you - while you don't know any different.
SSL mitigates this by way of presenting a certificate for inspection and in theory an MITM can't successfully present another site's certificate to you and still be correct since the origin is part of the certificate and the MITM shouldn't be able to present itself as being the origin (since it's *not* the origin). At its simplest, you -> MITM -> server, server is at IP address A, MITM at IP address B, the certificate will only be valid from IP address A - but the MITM shouldn't be able to readily fake the fact it's really not at IP address A, which is where the whole thing of SSL should deal with it - and why the whole notary system in Perspectives would help.
My contention has nothing to do with the technical thing Perspectives is doing. It's the whole thing of users. Users go to the most ridiculous lengths to avoid security precautions if the precautions are perceived as stopping them doing what they want/need to do. A few years ago, I remember a manager getting an email from IT, telling him to tell everyone not to open emails from <a particular company> because they were probably viruses. Less than two hours later, said manager was asking IT for anti-virus help after his computer got said virus because he'd opened said emails.
Putting warnings in front of users and giving them an option to proceed is not a smart move because it teaches them to ignore warnings, just as the first generation of UAC taught people.
Image proxying is not difficult, it's only whether you make it a temporary local cache too (which XF does)
Quick question, images need not be fetched from the same cert as the main site right?
Correct. They just need to be over an SSL connection to work. But most images that people link are not currently over SSL connections, hence the need to proxy them through a route that would be known to be SSL (if the site used SSL; if it didn't, none of it is an issue anyway)
Unless the site is flagged as shifting malware then all bets might as well be off because the browser will tell the user so and prevent them from seeing the page (with a big 'if you're REALLY sure...' button >_<)
Quote from: Arantor on June 12, 2014, 11:58:46 AM
Correct. They just need to be over an SSL connection to work. But most images that people link are not currently over SSL connections, hence the need to proxy them through a route that would be known to be SSL (if the site used SSL; if it didn't, none of it is an issue anyway)
Since you have a license to XF, does it have protection against abusing image proxying?
Define 'abusing' :D
Well... firstly, it's not enabled by default, which is a huge deal breaker, of course.
Secondly, the local image cache is also purged after 7 days by default.
The third - and probably most relevant for what you're asking - is that it does actually have some protections against it. You can specify a secret key which will be encoded into the proxy URL, which means if you see URLs being used elsewhere, you can forcibly expire all those links. There's only so much you can actually do in terms of handling such links, though.
By abusing I mean, shenanigans like loading a 100MB JPEG through the proxy
Yes it does. Defaults to 5MB maximum.
Ah okay, thanks :)
Mozilla's Firefox will be banning any http-traffic in the future (read their blog: Deprecating Non-Secure HTTP - Firefox (https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http))
Does this have consequences for SMf and members?
Thank you for sharing that information Rain Forest. Now I won't seem like a lone raving lunatic when I get upset when someone broadcasts my private information via HTTP, or worse, via email. All of us who are frustrated by the "no-can-do" attitude some people have toward security can sleep better tonight knowing that we may have lost the battle, but we're going to win the war. Now, everyone will be forced to take HTTPS seriously.
well, pretty much, it appears to mean that firefox has determined to stop supporting the little sites and only support those who spring for a cert.
idiots. Almost as stupid as Google.
That is extremely a dumb move. Even more so for people on shared hosting since SSL requires a dedicated ip....
Honestly not everything needs to be secure. If you are that paranoid about you would secure on your own end.
Well, Chrome has already took some steps into this direction too :(
I've been looking at the comments on that article, the vast majority centers their opinion on "certs aren't that expensive anymore"... which is insane! not everyone lives in the US and/or western Europe! come on!
Other responses includes using third party services like startssl or "Let's Encrypt" which doesn't really helps the millions and millions of shared hostings accounts all over the freaking world!
Surely webhosting companies will simply not bother to make any changes unless strictly necessary.
what will happen if "Let's Encrypt" goes down? centralizing your security doesn't seems like a great idea, this now means that if any attacker manages to bring down Let's Encrypt, millions of other websites will be affected too, sounds pretty tempting right?
How about localhost? another common response is: " it's trivial to generate self-signed certificate and import it" well, yeah, for you it is, what about people who wants to start their first webpage? do they now have to be masters of the CL in other to run a single painfully badly written HTML page?
"But you can still use HTTP!"
To an extend yes... if you want the full package (running https) then you will have to pay money to get it, sounds a lot like those pesky facebook games where you can "play for free" but are constantly annoyed by the game maker to spend money to get "the real good stuff". In essence, it all comes down to a new type of "segregation", those with money can still happily live in da interwebz ever after! those that do not, well you can go back to regular snail mail, play monopoly and all those other stuff that you did before you were online.
So, whats going to be the next step? forcing users to have CA on their selves? that surely sounds quite handy for some government organizations though.
I'm pretty sure Mozilla did this because there are other competitors going into similar paths (otherwise it pretty much is a commercial suicide given the current share market Firefox has) so, sadly, it seems this is here to stay.
Just seems like going to cause chaos. I have hundreds of domains personally. And my company has thousands. If I will have to get a cert even a self signed one for each going to be a huge pain to maintain everything. Then when you have update each one.
If the process was easier maybe but right now it takes a lot time to setup and configure correctly. Most sites don't even have a good SSL setup due to open ssl holes etc https://www.ssllabs.com/ssltest/
I agree about all the issues everyone has raised about Firefox's decision. I think the way they currently handle things is clunky and very annoying too. However, I am optimistic about the future, and I think this is still a step in the right direction. I agree that today's way of doing things will not work out well if Firefox's future plans were fully implemented today, but those fears are premature in my opinion. Just to give you an idea of how painless this could be, try the Perspectives add-on for Firefox:
https://www.google.com/search?q=firefox+perspectives
It will automatically bypass warnings about a self-signed certificate if it is known that the same certificate has been in used for a long time. That is only one of the many ways it improves on the way things are normally done today. Other things that need to be improved, as has already been mentioned, is that certificates need to be able to work for shared hosting websites. That is a solvable problem. All of the issues raised here are solvable problems. Even vbgamer45's complaint about the inconvenience of maintaining certificates is a solvable problem. Such things can be automated in a new era where HTTPS is the only way things should be done.
Instead of complaining about why such ideas won't work NOW, I suggest being part of the solution by participating in the efforts to make it work in the FUTURE. The "no-can-do" attitude is wrong. It CAN be done, and none of the "no-can-do" reasons given so far are technically infeasible to fix.
Sorry badon but your "suggestion" just doesn't make any sense as it requires everyone to install that add-on which is simple non-realistic.
And nope, this concerns aren't premature, google's chrome already took steps into this direction.
You said everything raised here is solvable but doesn't provide any solution. Please DO provide examples on how this can be easily solved.
You are also forgetting that going to full https doesn't even solve all the security issues that has been raised over the years, like China issuing inappropriate or questionable certificates or the fact that firefox itself quite happily accepts pretty questionable CA certificates but discourages the only truly free and open source, which is quite ironic!
Sorry badon but this is beyond been "painless" and this issue cannot be solved by merely installing an add-on. It goes deeper than you might think and will have tons of repercussions.
Please drop the "install this addon" approach as it is quite irrelevant to this whole issue.
I mentioned the Perspectives add-on to demonstrate that the problems with HTTPS are fixable, and Perspectives does indeed solve some of them. Look at the way Tor handles encryption. It solves the HTTPS problem, the DNS problem, the NAT hole punching problem, and many more. It has flaws of its own, of course, but my point is that none of the problems with HTTPS are unfixable. There are already solutions to most of them.
Granted, bringing it all together into something that works to solve all of those problems simultaneously might be a bigger problem than merely upgrading HTTPS. For example, if Tor or some derivative became a standard protocol for the internet, that would essentially constitute a redesign or replacement of HTTP and HTTPS, not just an upgrade to them.
And yet, this goes beyond solving https issues...
Many small businesses/personal webpages simply do not have the economical resources to go full https.
Some static HTML pages has absolutely no need to go full https.
Web hosting companies will most likely either ignore this or will have to increase their prices in order to offer support for https, yes, even if they are already using apache's SNI.
There are many, many issues besides https implementation so it really, really is as simply as you might think it is.
It is, as I have already said, an incredibly stupid decision...
Not everyone can afford or support certs, and most sites don't NEED https. None of my sites do....
Given Snowden and what we've learned is that everything which will be part of the 'internet of things' needs encryption at the heart of everything and not an afterthought.
I rarely agree with Firefox on anything, but the sooner the better we move forward towards full encryption without backdoors for governments and big business.
I agree completely with karlbenson. In fact, the only reason encryption isn't everywhere already is because the government of the USA has tremendous spying resources, and they have always discouraged encryption at the first opportunity. I'll give you an example of how this influence is used in one publicly known case. The USA invented cellular telephone systems in the 1960's. Little villages in Africa had cell phones by the 1970's and 1980's. Cell phones did not become commonly available to everyone in the USA until the 1990's. Why the delay? Because the FCC of the USA used their regulatory powers to block unused frequency allocation to the telecommunication industry.
The conventional conspiracy theory is that the delay was because it favored the landline telephone companies, which is pretty plausible. However, this isn't the whole story. At the time the USA's spying resources relied on hordes of human listeners in centralized office, using centralized taps on the wired telephone network. Wireless telephones circumvented those taps, and potentially required someone to be physically near the transmitting cellphone to intercept the call. It was more difficult, but not impossible. When the government's spying capability for wireless phone systems improved, the FCC magically granted permission to use bandwidth for telephone calls, and a decade after Africa, they became commonly available to Americans.
But there was a catch...
Although scrambled, digital, and even sophisticated encrypted radio communication technology was available worldwide by the 1980's, the cellular telephone industry was granted bandwidth by the FCC on the condition that they only use specific kinds of modulation - all of them analog, and all of them easily spied upon by anyone with a cheap receiver! At that time, the cutting edge RF spy technology (taken from submarine passive sonar systems) was capable of capturing all transmissions simultaneously on all frequencies, so it was no longer necessary for someone to be physically present at the location of a specifically targeted transmitter. The entire RF spectrum could all be recorded, and then analyzed later, perhaps with improved technology at a much later date.
It is no coincidence that the USA government was angered by the release of publicly available PGP encryption at the same time that spy-friendly cellular telephone systems were being widely adopted in the 1990's. Those contemporaneous events occurred at a time when the USA government was doing everything it could to stop or delay any and all kinds of secure communications. Anyone here who pushes the idea that things should stay the same is simply another disposable soldier in the USA's army, out to free the world from encryption because it's too expensive, too difficult, and nobody anywhere should ever use it ever, never, ever, because only terrorists would do that. It's all about democracy, you see, because if nobody else can read your communications, that's not democratic.
No can do?
Tin foil hats, anyone?
Quote from: vbgamer45 on May 01, 2015, 09:44:43 AM
That is extremely a dumb move. Even more so for people on shared hosting since SSL requires a dedicated ip....
Honestly not everything needs to be secure. If you are that paranoid about you would secure on your own end.
it is not required to have a unique ip if you have nsi
QuoteThere is a relatively new technology called Server Name Indication (SNI) that allows SSL certificates to be associated with a virtual host rather than with the server's IP address. Here is a digicert article that explains it very well.
Your host may not have SNI support installed yet. It requires newer versions of both Apache and OpenSSL. Web hosting software such as cPanel may also have to be upgraded before they can allow customers to utilize these features.
SNI also requires client side support. The most recent version of each major browser now supports SNI. However, fairly recent old versions may not. Here is another digicert article about browser support for SNI. Because some browsers don't support SNI, hosting companies may be reluctant to offer it and instead require that you purchase an IP address with better browser support. (http://webmasters.stackexchange.com/a/61649)
Doesn't work for windows servers.
The key issue is SSL takes time to setup correctly and maintenance time each year to swap it out when it expires. You have to remember the dates it expires then reupdate the keys it takes about hour to do per site.
There needs to be a better way right now it would drive me insane to do it for all my domains. It needs to be a one click/automated process. Or better yet the browser should do encryption instead since most people do not setup SSL correctly to begin with and use poor choices of encryption ciphers.
Also with current SSL flaws they recommend disabling SSL compression that leads to even more bandwidth usage http://resources.infosecinstitute.com/beast-vs-crime-attack/
Thats the whole point, sure for every question raised theres an answer:
- Shared host wont be happy: there is SNI
- I will have to pay for a CA: there is lets encrypt.
And so on but the reality is that most of this "answers" doesn't really exists yet (Lets encrypt), are pretty new (SNI) or simply doesn't work at all (cloudflare).
It really looks like things were planned upside down, the mozilla guys should have focus on getting "lets encript" ready and functional before announcing http deprecation... I mean... who announces "I'm going to the prom on an ferrari f50" without even having the car yet (or any resources to get it)? seems pretty illogical.
The only way I can think Mozilla doing this is to "beat Chrome" in doing it first, which seems soo freakishly childish I cannot even believe I'm suggesting it but it seems thats the case here.
It looks like this is yet another chapter in the constant and extremely childish battle between Chrome and Mozilla, prematurely call for http deprecation is extremely stupid... and for what? just to be able to say "I call it first"?
Since the article was published a FAQ pdf is floating around somewhere, it kinda "softens" the article by saying "And any such changes will be made only after consultation with the web community" which seems pretty redundant.
The faq also offers "alternatives" to getting a paid CA and even suggest using Let's Encrypt, which, at this time, isn't released and we have no idea how its going to work either. The other alternatives require a unique IP which, obviously, cost money.
Gotta love how they try to "minimize" the user's responses at the end of the faq, quite amusing.
yup... it's an extremely short-sighted and stupid move on their part that will end up losing them market share, guaranteed.... because *I* have no intention of paying for a cert on 7 sites (none of which have anything worth protecting with a cert... no personal data aside from email)
So... if they do this -- then my answer to anyone who complains about not being able to get into my sites will be - don't use firefox.
Quote from: Suki on May 03, 2015, 10:55:11 AM
Thats the whole point, sure for every question raised theres an answer:
- Shared host wont be happy: there is SNI
- I will have to pay for a CA: there is lets encrypt.
And so on but the reality is that most of this "answers" doesn't really exists yet (Lets encrypt), are pretty new (SNI) or simply doesn't work at all (cloudflare).
Regarding CloudFlare, we attempted to use them and a few others to handle HTTPS for us, among other things, and I agree, it didn't work out well. So, we went to Incapsula. All of our sites have self-signed certificates, which Incapsula uses in their connections to our sites, and Incapsula delivers their own certificate for our sites that they pay for and maintain. So, the solution you implied involving CloudFlare DOES work in general form, but with Incapsula instead.
Incapsula is expensive, but the techniques they are using could become cheaper and more easily available in the future, especially on shared hosting sites. In other words, complaints about Firefox's plans are completely solved as far as our sites are concerned, just from usage of Incapsula alone.
And, as I mentioned before, if you use Perspectives in Firefox, you wouldn't even need Incapsula. Perspectives can validate an expired HTTPS certificate the same way it can validate any other. All of our certificates are expired, and we haven't bothered to update them because Incapsula "covers" that problem for us, even if our users don't have Perspectives.
Now, with all of that said, I agree that Firefox/Mozilla has done some stupid things in the past. Maybe someday this idea will be added to the list. If some other solution ends up being used instead, like perhaps something more advanced that is similar to Tor as I speculated earlier, then this idea about radicalizing support for HTTPS would go in the garbage heap. The only reason Firefox has my support is because our sites will be unaffected if they screw it up, and because it is forcing people to have conversations like this one.
I recently added ssl to my site, it's a pain in the neck with smf you have to change the paths (url's) to HTTPS:// about 10 different settings by Theme, database & paths, smiley's, attachment, avatar, ...
There should be one global setting for the global path.
Quote from: badon on May 03, 2015, 05:18:56 PM
Incapsula is expensive, but the techniques they are using could become cheaper and more easily available in the future, especially on shared hosting sites. In other words, complaints about Firefox's plans are completely solved as far as our sites are concerned, just from usage of Incapsula alone.
Except for the tiny little detail that your site(s) doesn't even represent 0.000000000001% of the total websites available across all the almighty interwebz...
You see, you don't having an issue doesn't mean others will not have issues as well... and it seems that whoever made this decision on Mozilla also has this narrow point of view: "If it doesn't affect me then it doesn't affect anyone" thats just plain wrong, narrow-minded and quite narcissists if you ask me.
Sure, those with money and/or knowledge will be just fine but what about the rest?
Besides all the other issues this decision will create there is also another one: this change will inevitable push "technological illiterate people" towards "easy to use" "one click ready" services such as facebook pages and/or WP blogs, effectively killing the initiative or innovation these people might have, they will no longer be interested on creating their own webpages since it will be too difficult to start building one, people like me who started learning HTML will simply cease to exists.
Want to move to https? fine by me! I'm not against this but first do try to solve all its issues and whats more importantly, make it easy to understand/deploy because the alternatives that do exists right now (and those that doesn't even eixts yet!) either requires some important money investment or requires you to have a certain level of server knowledge not every one has.
So please, do try to see this from a different point of view.
I don't disagree with anything you said. But, I remain supportive of progress moving forward with this. As I mentioned, our sites are already taken care of, so as far as website owners go, my support for this is not for my own benefit, it is for yours - for everyone who can't afford expensive services like Incapsula. What is good for everyone is good for me too, because I'm a regular internet user like everyone else is.
As you hinted, our usage of Incapsula could be construed as a symptom of an unfortunate trend toward the consolidation of private sites into much bigger systems like Facebook etc. That would be bad, and that's why I mentioned that Tor's way of doing things has merit. It is accessible to everyone, no matter how small, and it has none of the difficulties that HTTPS has.
Furthermore, Tor has the so-far-unrealized potential to solve a lot of problems with NAT traversal because Tor hidden services are able to get through any degree of NAT. That means Tor opens the door not only those with very modest means to afford shared website hosting, it will even work on the lowliest of devices that do not even have their own IP address! Isn't that the coolest thing ever?
There is nothing about internet security that can't be solved in a straightforward manner. This is one reason why I support this decision by Firefox. The other reason why I support this decision by Firefox is not what you would expect: If they screw it up, it will cause such widespread dissatisfaction that regular internet users will be looking for alternatives. What will they choose? I'm guessing something like Tor, Perspectives, etc. In short, if necessity is the mother of invention, then making everyone uncomfortable with the WRONG solution will only serve to encourage somebody somewhere to come up with the RIGHT solution.
Quote from: Suki on May 04, 2015, 12:49:05 PM
So please, do try to see this from a different point of view.
If you want everyone to use dangerous drugs, outlaw them! Playing Devil's Advocate can be done by the well-meaning masses just as surely as it can be done by evil corrupt governments creating artificial black markets and then monopolizing it to fund secret illegal activities. Can you foresee how when Firefox proposes something everyone hates, it could indirectly lead to something much better? It's crystal clear for me.
Again, and I'm sorry to say this to you but you are seeing this from a very narrow angle...
You just naively assume everyone knows what TOR is, you just naively assume the regular internet users will know what "Perspetive" is and how to use it.
Quote
There is nothing about internet security that can't be solved in a straightforward manner
Sure but this has nothing to do about solving issues... take a look ad share hosting companies, right now they offer unique IPs for shared hosting with some extra cash, they have absolutely no issues doing it, their model works great for them and they have absolutely no intentions to switch to something like apache's SNI extension... specially if that requires some (or any) change in their server infrastructure...
So, most hosting companies have no real incentive to follow this "lets go https" campaign... hosting companies still sees "https" as just another way to make money... its not a priority, its a service they provide and for which they receive an income, they have absolutely no reason to change their current business model.
Quote
If you want everyone to use dangerous drugs, outlaw them! Playing Devil's Advocate can be done by the well-meaning masses just as surely as it can be done by evil corrupt governments creating artificial black markets and then monopolizing it to fund secret illegal activities. Can you foresee how when Firefox proposes something everyone hates, it could indirectly lead to something much better? It's crystal clear for me.
Again, I'm not against going https all the way... if Mozilla wants to encrypt their underwear thats fine by me! what I'm saying is that this is a pretty premature move, apparently they didn't thought it out pretty well either...
Its all upside down... they started with what should have been the end of a long process.
If you want to move to https then the first thing you need to do is make sure https is sufficiently affordable to become an Industry/Technical standard.
The way I see it, Mozilla pushing forwards https and hosting companies without any incentive to move forward to it, the small but very precious field for shared hosting websites will become narrow and narrow, small websites who cannot afford unique IPs will be segregated until they disappear too.
Quote
Can you foresee how when Firefox proposes something everyone hates, it could indirectly lead to something much better?
Assuming things again :( the vast majority of users will simply change their browser when they start to see their favorite website no longer works on firefox or whats worse, they will all move to websites that do render correctly on firefox (segregating those websites incapable of moving to https), they don't give a rat ass about TOR or NAT connections...
So no... this move will certainly not ignite any "internet revolution"... internet people are sheep, they aren't interested on TOR, NAT or https, they only care about their facebook wall.
Quote
As you hinted, our usage of Incapsula could be construed as a symptom of an unfortunate trend toward the consolidation of private sites into much bigger systems like Facebook etc. That would be bad, and that's why I mentioned that Tor's way of doing things has merit. It is accessible to everyone, no matter how small, and it has none of the difficulties that HTTPS has.
Furthermore, Tor has the so-far-unrealized potential to solve a lot of problems with NAT traversal because Tor hidden services are able to get through any degree of NAT. That means Tor opens the door not only those with very modest means to afford shared website hosting, it will even work on the lowliest of devices that do not even have their own IP address! Isn't that the coolest thing ever?
Thats pretty idealistic on your part... you again assume TOR as a solution to everything but lets face it... TOR will never become the defacto internet protocol... for whatever reason.... doesn't matter, one thing is to idealize and romanticizes about TOR being the solution to everything but another thing is to look at the real problem and propose real, feasible alternatives.
So, how about getting more real and propose some real alternatives to this? how would you incentive hosting companies to embrace https by default on their hosting plans?
Read this (http://blog.ircmaxell.com/2014/12/on-php-version-requirements.html)
The chain effect if everyone demands, they supply
Ex: Google mobile friendly like it or not here it is (http://www.simplemachines.org/community/index.php?topic=535720.0)
Quote from: Kindred on April 20, 2015, 06:38:08 AMAlthough we do not necessarily agree with this new policy, we recognize our users' desire and need to be "compliant", so we have worked out something
it might be a stupid move
and it might change everything to the right side
I don't know if you are following the same argument as us.... but oh well...
Your example couldn't be any more further from what I was talking about, sorry.
Hosting companies has absolutely no incentive to move to https, users who uses share hosting accounts CANNOT demand anything since https is ALREADY been offered by hosting companies for quite a long time now...
Want https? buy a unique IP, thats what hosting companies will tell you, as simple as that. Mozilla pushing for https is actually a pretty good thing for hosting companies as they will see a quite substantial increase in their unique IPs sales... they will have to be absolutely out of their minds if they pass this wonderful business opportunity...
Web hosting companies couldn't care less about your data or its encryption... (unless of course you have some shaddy business but thats another story altogether) they only care about THEIRS.
or - it will have exactly the effects that I predicted.
1- sites will stop working
2- people will stop using firefox
3- admins who can not afford to pay for certs will lose their membership and their sites
it is shortsited and idiotic - even more so that google's idiocy.
I run a small site. I want the additional privacy of full encryption for my users, for their entire session. I am willing to pay for the certificate and endure the maintenance overhead. I'd like to see the configuration support in a single setting, and I can figure out how to patch the embedded links in a conversion process. I don't care what firefox does or not. Thanks.
Quote from: mj. on August 09, 2015, 09:50:07 AM
I run a small site. I want the additional privacy of full encryption for my users, for their entire session. I am willing to pay for the certificate and endure the maintenance overhead. I'd like to see the configuration support in a single setting, and I can figure out how to patch the embedded links in a conversion process. I don't care what firefox does or not. Thanks.
SMF 2.1 has even better HTTPS support. It provides proxies for embedded media, secure cookies, and more.
Fantastic! Thanks for the information zilladotexe! I'm really happy to see SMF taking HTTPS as seriously as it does with other forms of security.
Going to mark this solved. :)
Thank you for the reply, zilladotexe. I'm going to check out what's going on with Beta 2. I'm guilty of not keeping up. I'm going to try to be more supportive of SMF. I can code, but I am rusty, I only work in IT architecture now, so when I get my hands dirty it is never with procedural code. Perhaps I can find other ways to be supportive. :)
Wordpress is moving towards SSL (https://wordpress.org/news/2016/12/moving-toward-ssl/). Google also weighs SSL as a search engine ranking factor (https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html) and will begin flagging unencrypted sites in Chrome (http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https). Let's Encrypt (https://letsencrypt.org/)provides free, automated, and open SSL certification. There is even a CPanel plugin (https://documentation.cpanel.net/display/CKB/The+Let's+Encrypt+Plugin) for that.
I think this is a good time for SMF to implement it.
it has been added in SMF 2.1 already. the only way for it to be added to SMF 2.0 beyond what is available already is by mods as SMF 2.0 does not get features added to it.
ummmmmm... https works just fine on 2.0.x with no mods at all. I have it implemented on 5 sites now.
The only exception is the external images/avatars
Yes, I had it tested on this site (https://www.nonsmokersclub.com/forum/index.php) and everything worked (I only had to change manually the path of a theme image). The only issue I can see is that links to http are not redirected to https. I found this page (http://stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https) but not sure which approach is best.
So? WHat was the point of your post in this VERY OLD thread then?
Quote from: spiros on December 05, 2016, 02:27:28 AM
Wordpress is moving towards SSL (https://wordpress.org/news/2016/12/moving-toward-ssl/). Google also weighs SSL as a search engine ranking factor (https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html) and will begin flagging unencrypted sites in Chrome (http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https). Let's Encrypt (https://letsencrypt.org/)provides free, automated, and open SSL certification. There is even a CPanel plugin (https://documentation.cpanel.net/display/CKB/The+Let's+Encrypt+Plugin) for that.
I think this is a good time for SMF to implement it.
Help people who find this thread via search or Google (as it had the highest ranking).
and yet, that is not what your comment implies. Wording matters when trying to spike search results.
Quote from: Kindred on December 05, 2016, 06:54:00 AM
ummmmmm... https works just fine on 2.0.x with no mods at all. I have it implemented on 5 sites now.
The only exception is the external images/avatars
The image proxy from 2.1 is easy to back port to 2.0. I'll share when I have time.
Example
https://www.sicomm.us/t/19/
Image
https://www.sicomm.us/img/?request=http%3A%2F%2Fsinends.2-si.net%2Fwp-content%2Fuploads%2F2015%2F09%2FIMG_20150925_184115.jpg&hash=953892253dc6478beb914ca96f58fdc6
I'd really appreciate some hints on that image proxy. I've been running an SMF forum for 4 years, but I've not been able to dig into the SSL area as I have mostly been occupied trying to patch up the abandoned theme I want to keep so that my mods work. Just some basic pointers would be fine, I'm a quick study.
Just to bump this with new easy info about using SSL on SMF
This only applies to users that have hosting, either dedicated or shared that use Cpanel
Since Cpanel now offer free SSL certificates there is an option in Cpanel/WHM to install a free SSL certificate for any domain you own in the account.
This option needs to be enabled by your hosting provider.
Some hosts will enable it. Others will refuse to because they make a lot of money from selling over priced SSL certificates.
If you do not see an auto-ssl certificate in your Cpanel control panel, then ask your hosting company to enable it on the server and then you will be able to use your forum as SSL with absolutely no changes on forum software itself.
You can force SSL for all connections but that can cause problems with SMF. It is far better to leave it as set and let Cpanel/server do all the work.
Users can log in or visit forum using either HTTP or HTTPS
If you allow linked images for non HTTPS sites when HTTPS has been enabled, you will get browser warnings of insecure content and no padlock shown in browser bar and error messages.
I disagree.
If you have SSL, then use it.... and force it using .htaccess.
the image proxy is a minor thing at the moment - and is solved in 2.1
Give me some time as I am on mobile at the time and have some other important business to attend to before I get to this.
I'll share my dirty hack for experienced webmasters to install the image proxy. I'll include the image proxy back ported to 2.0, the subs.php BBC rewrite for img and xpath QueryString.p hp rewriter to catch any missed urls.
I'm cool if it's solved in 2.1 but when is that? I understand free means no promises. I probably only have 20 active users, and I provide for free as well but it's important to me, these are my imaginary friends. :) I've thought about just putting the beta on but from what I gather it isn't just an upgrade, I don't have a clue as to what I'd need to convert and not lose content, and I haven't really seen anyone's judgement as to the beta stability.
As I said, I'm on a flaky theme and the original dev won't even take money to fix it. What can I do to help out? I'm an IT guy but PHP I can just barely hack. Would donating a decent sum to SMF development help? I don't want to switch to BB or the other suspects, I'm partial to SMF.
I apologize if any of y'all think I'm asking too much, but life is a bear I'm 10 years behind on now really.
No problem nend, thank you, whenever you have the opportunity, I have notification turned on for this thread.
while we appreciate donations, and they help to keep our services running, no one on the team gets paid -- so donating money to "development" doesn't actually have any effect on the speed of said development.
And no... we never give dates, even SWAG dates for releases.
As noted, you can currently switch to SSL/HTTPS with no issues, except on pages where an external image (like an avatar or an included images in a post) will "warn" the browser that the whole page is not fully secure.
However, for the form submission pages (which is what Google is going to demand), the SSL will work fine.
Thanks for your response Kindred. I understand. The most difficult part of this for me is I'm sick and tired of being sick and tired of security and privacy not being taken seriously. Most forum software is a leaky boat and SMF is not an exception to that. This site itself isn't even secure. I'm not trying to start a fuss but I believe priorities are misplaced. Function over form is the way. I don't know, I'd like to help but you've basically told me I can't do a darned thing regardless. How can things get better? Do you have any ideas?
well, first and foremost - SMF still has one of the best reords, in terms of security.
As of 2.0.12, there are no known security issues in SMF.
So, saying that "security and privacy (are) not being taken seriously." is really rather untrue.
Making your forum https or not is not actually much of a security issue.
The only place that it might actually matter is the login or registration forms... and those can currently be made fully https already.
As a matter of fact, the only updates needed are to handle offsite images (which, as stated are alreayd being worked on backporting the 2.1 proxy to a future 2.0.x release)
How can things get better?
Better in what way? As I indicated, above, things are not actually "bad" right now, when it comes to this area.
Yes, the 2.1 release process is slow - we are all volunteers, and we have varying amounts of time to spend on this project. That has been true since Day 1...
Quote from: Kindred on December 05, 2016, 06:54:00 AM
ummmmmm... https works just fine on 2.0.x with no mods at all. I have it implemented on 5 sites now.
The only exception is the external images/avatars
Hi, care to explain the steps to do it? (like very basic because I know nothing about SSL/https) ;D
We're on a Centos7 environment with nginx + php-fpm + mariadb.
EDIT: Or is it better to wait for that backporting?
add a cert to your server
add the following lines to your .htaccess file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
You can try using repair_settings.php now -- some people have complained that they don't think it works on https... if you think so, then do the folowing
access your forum
change the root forum URL
change the avatars directory URL
change the attachments directories URL(s)
change the theme directories URL(s)
check any mods that define the site/mod URLs
I don't know the process to update PrettyURLs, if you are using that mod...
I guess we may just need to agree to disagree, Kindred. You've done more work here than me, and obviously we think about this a little differently. It seems contradictory to me in 2016 with a zillion security breaches under the belt that what some folks more knowledgeable of the code than I say what's 'easy' isn't a backport in some fashion, or even implemented at this site. I spent a year and a half working in IT security a decade back or so, so I do believe I have a bit of experience in this area. I've been signing NDA's and spending weeks per year doing 'training' in how to properly handle other folks private information for at least 10 years. IMO if things aren't TLS https at any site I consider it insecure at this point. I didn't mean to demean the software itself, but I will take the time to give you bullet points on why I think it's not **better** security than other forum software at the very least if you would like. Maybe you could see my point of view better if I did that, I dunno.
You seem to be missing the point. Https works just fine for all submission that include any data. The only place where it is lacking is the cross site references that call for an image that is on another site which is not https. Which means your issues about security are essentially nonissues since everything you mentioned is covered under the current SMF release
Here is the hack, it doesn't do avatars so don't allow external avatars for now. Also like Kindred mentioned this is being worked on a future 2.0 release, so when that version comes out, you'll have to undo these changes or you'll more than likely break your forum.
File Sources/Subs.php
Find
'content' => '<img src="$1" alt="" class="bbc_img" />',
'validate' => create_function('&$tag, &$data, $disabled', '
$data = strtr($data, array(\'<br />\' => \'\'));
if (strpos($data, \'http://\') !== 0 && strpos($data, \'https://\') !== 0)
$data = \'http://\' . $data;
'),
Replace
'content' => '<img src="$1" alt="" class="bbc_img" />',
'validate' => function (&$tag, &$data, $disabled)
{
global $image_proxy_enabled, $image_proxy_secret, $boardurl;
$data = strtr($data, array('<br>' => ''));
if (strpos($data, 'http://') !== 0 && strpos($data, 'https://') !== 0)
$data = 'http://' . $data;
if (substr($data, 0, 8) != 'https://' && $image_proxy_enabled)
$data = $boardurl . '/proxy.php?request=' . urlencode($data) . '&hash=' . md5($data . $image_proxy_secret);
},
Find
'content' => '<img src="$1" alt="{alt}"{width}{height} class="bbc_img resized" />',
'validate' => create_function('&$tag, &$data, $disabled', '
$data = strtr($data, array(\'<br />\' => \'\'));
if (strpos($data, \'http://\') !== 0 && strpos($data, \'https://\') !== 0)
$data = \'http://\' . $data;
'),
Replace
'content' => '<img src="$1" alt="{alt}"{width}{height} class="bbc_img resized" />',
'validate' => function (&$tag, &$data, $disabled)
{
global $image_proxy_enabled, $image_proxy_secret, $boardurl;
$data = strtr($data, array('<br>' => ''));
if (strpos($data, 'http://') !== 0 && strpos($data, 'https://') !== 0)
$data = 'http://' . $data;
if (substr($data, 0, 8) != 'https://' && $image_proxy_enabled)
$data = $boardurl . '/proxy.php?request=' . urlencode($data) . '&hash=' . md5($data . $image_proxy_secret);
},
Add this to Settings.php, being sure to replace 'aSecretKeyHere' with a unique key.
########## Image Proxy ##########
# This is done entirely in Settings.php to avoid loading the DB while serving the images
$image_proxy_enabled = 1;
$image_proxy_secret = 'aSecretKeyHere';
$image_proxy_maxsize = 5192;
Download Sources/Class-CurlFetchWeb.php and proxy.php from the 2.1 GitHub repo and upload them to the respectable folders.
https://github.com/SimpleMachines/SMF2.1
Kindred, I'm quite cognizant of what you think the single security weakness is. I disagree. I see folks here having a cow about iframes support but y'all think 4 character passwords of the same character are an okeydokey option? Maybe some other members of the community have some opinions. I believe SSL efforts outta the box would also help mitigate some other possible weaknesses other than that which I won't bullet point so the world can see them. I have been a software developer for 25 years, the most valuable experience I've gained from that is learning how NOT to fall in all the holes that the evil people in this world can exploit. I'm not the smartest guy in the world or the best coder but I have a ton of experience in that area. My comments here are not intended to malign the software, but improve it. I don't have a lot more to say, but I will offer to communicate privately to give you those bullet points. It'll likely take me 2 hours, but I will do so if you are interested in that. All I'm saying is I will give a little bit for free if you can try to see my point of view here. I think that's what open source (or near so) is about. I think it's a possible future big problem, and I'm offering to help.
Agreed, SSL support out of the box is the goal. We are working on it :). Thanks MJ.
Well MJ, I happen to disagree with your contention... However I am always open to hearing about possible security improvements even if we disagree on the severity of them; Plus as I said, SMF does support https out of the box for all critical form submissions... But if you have NE security information that you want to share we will definitely listen. And as we've said several times now, default HTTPS implementation is planned but there are more critical issues that need to get dealt with before we get to that.
Also, to clarify I never thought you were trying to malign the software.
Kindred, we've already hit the gold standard for internet communication, several internet exchanges without any Godwins, so I think we can disagree and still talk productively. I don't mean to malign your point of view either, it resembles mine from 10 years ago, so I believe I understand why you feel this way for a couple reasons. A while back the tinfoil hat guys were right and my thinking made a major paradigm shift on security and I just feel like it's been too darned long for SMF to adapt. Just because you're paranoid doesn't mean they're not all out to get you. I think the thing that matters we fundamentally agree on. Good secure community open source software, yes? I have a few RL problems ahead of this, but I will put together more detailed thoughts for you on potential security issues soon. I'll share them with you via a secure method of your choice, one on one or with key devs, again, your choice. I want to be clear that I'm not here yanking your chain on a whim, this has been on my mind for years, and I hold these types of concerns as long as I reasonably can, but when I can't hold them any longer I speak up.
if you believe you have found a security issue, please fill out our security form.
http://www.simplemachines.org/about/smf/security.php
MJ... as a note, I have been in software and websites as a professional for over 20 years now.... so, I do have a background in security protocols, etc, as well. :P
As I said, I look forward to your points... We are always willing to accept input (especially constructive input) even if we eventually decide that the report is not an issue. :) So speaking up is welcome.
Quote from: Kindred on December 09, 2016, 07:14:22 PM
Https works just fine for all submission that include any data. The only place where it is lacking is the cross site references that call for an image that is on another site which is not https.
I solve this problem by forbidding hotlinking outside of the forum. I can't enforce that automatically without a mod I don't have, and this problem is still borking things for people:
Your attachment has failed security checks and cannot be uploaded (http://www.simplemachines.org/community/index.php?topic=544243.0)
Hotlinking screws up CloudFlare too, so they end up being blocked, but the internet hasn't realized this yet. In general, hotlinking is kind of awkward for the internet, with lots of broken hotlinks. In my opinion, they should be eliminated as much as is practical. Maybe a future version of SMF can forbid hotlinking of images at least. That would be helpful. Save the internet.
Or not...
Quote from: Kindred on December 09, 2016, 08:13:38 AM
The only place that it might actually matter is the login or registration forms... and those can currently be made fully https already.
Can you explain the process to enable this? We've started to get warnings from Google about our registration/login forms not being HTTPS. We would like to make these secure but without forcing HTTPS on the whole site.
well, the easiest way is just to make the whole site https.
Https has gotten much easier with the advent of letsencrypt. If you're on a managed hosting site get with your host and see if they support certbot/letsencrypt.
It really is simple to obtain and maintain your cert with certbot.
I have been using Cloudflare's SSL on my forums (using Hostinger as my host) and I have had no problems at all. All I really had to do was add https:// to the start of a lot of my paths. The repair_settings.php script helped a lot with this.
Quote from: Kindred on January 23, 2017, 09:59:08 AMwell, the easiest way is just to make the whole site https.
But then you will have problems with mixed content from all the hot linked images etc.
There really ought to be an official mod package to implement an image proxy or implement https login pages (there is an existing mod for this but it is ages out of date).
Come Feb these boards are going to be bombarded by people asking these questions and it really needs to be addressed.
it is addressed in 2.0.14
and the mod is not out of date... it still works just fine.
I got all hot and bothered about the Google email too. But I was mad at google. I decided they can stick it, I'm the customer, I pay them. I'm giving some thought to making a full site https transition still, for my own reasons. If I do so I'll document my struggles after I emerge victorious for those who don't understand the technical subject matter intimately (like me) to use as a guide.
Quote from: mj. on February 12, 2017, 06:42:23 PM
I got all hot and bothered about the Google email too. But I was mad at google. I decided they can stick it, I'm the customer, I pay them. I'm giving some thought to making a full site https transition still, for my own reasons. If I do so I'll document my struggles after I emerge victorious for those who don't understand the technical subject matter intimately (like me) to use as a guide.
I could probably add in some of my story along too and provide some help. An https switch is a certainly tricky thing and really annoying thing to setup but once you finally get it, it's worth it. It would be pretty cool if you started a topic for how to switch to https and have others' provide their stories and advice.
I have found this thread really interesting and am only adding to it to put my point of view as an smf forum owner for many years... I'm not a tech or coder but manage my own websites as best as I can.
Recently my members have been asking for a mobile friendly forum so I am right now working installing a responsive theme to keep them happy and also to keep my forum as competetive as I can with the likes of FB TW etc etc....
The subject of https or ssl came up mostly because my members hate the popups telling them that their (my) site is unsecure.... When it loads on a mobile device its ugly, threatening and horible no matter what browser is being used.
So, today I bought an ssl from my host at 29 uk pounds (one year)... The https was set up in 30 minutes by my host (I am on a shared server) and then I had to edit config in smf admin in various places to get the green padlock across the site... The one that took most time was working out the the smiley set as well was set to http (saw that posted in this topic back on page 3 I think) .... adding an s to http in the config in 6 places seemed to get it working...
Regardless of whether people agree or not that https shouldor should not be implemented (and I note that this forum does not use it) the fact remains that my members (and any future new members) were (are) being scared by the messages they got in their browsers when navigating my site...
I have implemented it because it seems I have to not because I want to....
Looking forward to many more years with a fantastic forum. (I havent posted here for quite a while and have changed emails, hence the new account)
Best regards to all
Hi,
I managed to change my SMF in HTTPS.
Everything seems working fine, thank you all for the help given in this topic.
Sadly I still have one problem i can't manage to solve and this problem don"t seem to generate error in log.
When I want to edit a post, from myself, or from a user, at the moment I push the save button SMF send me to the a page to create a new post and the previous post is not edit.
Creation of new posts still work, but i can't edit anything, post, add poll,... nothing is working.
does anyone know where this problem can come from?
Thank you.
Edit: Ok found it by reading pretty URLs mod page:
https://code.google.com/archive/p/prettyurls/wikis/TroubleShooting.wiki
QuoteLinks point to old domain after moving forum
This is very simple to fix, in addition to updating all the other settings with repair_settings.php, this mod has one more setting to fix. You can either manually fix the pretty_root_url setting yourself, or else create a new .php with this code:
<?php require_once(dirname(__FILE__) . '/SSI.php'); require_once($sourcedir . '/Subs-PrettyUrls.php'); updateSettings(array('pretty_root_url' => $boardurl)); pretty_update_filters(); ?>
Upload the file to the same location as your forum's SSI.php and open it with your web browser. Then don't forget to delete it!