Simple Machines is glad to announce that we have enabled SSL security on our website.
2016 has been an eventful year for the security community: password dumps, hacked sites, botnets (https://en.wikipedia.org/wiki/Botnet), DDoS attacks (https://en.wikipedia.org/wiki/Denial-of-service_attack), global service interruptions and multiple vulnerabilities in software both on and off the internet. Additionally, more and more agencies/companies are attempting to capture and record browsing data. These trends will only continue to rise as the world becomes more connected to the internet. In light of these events, security experts all over the world are trying to educate the masses about better security practices such as using unique passwords (https://en.wikipedia.org/wiki/Password#Choosing_a_secure_and_memorable_password), password managers (https://en.wikipedia.org/wiki/Password_manager), multi-factor authentication (https://en.wikipedia.org/wiki/Multi-factor_authentication) and multiple types of encryption.
Simple Machines has always prided itself on dedicating a significant amount of time and resources towards the safety and security of its software products. SMF has always been, and is still considered to be, one of the most, if not the most, secure free and open-source community software product available on the internet. We couldn't have done this without the help of our users and third-party security researchers who continue to monitor closely our software and its source code, and report (potential) security issues whenever they find something they deem to be a (potential) threat. We sincerely appreciate all of the feedback we have received over the years, and would like to take this opportunity to thank everyone that has contributed towards the security of our products and our website. This also includes people who reported a matter that turned out not to be a security issue (within our software) at all. We prefer to see "bogus" security reports once in a while, instead of people staying silent whilst they might actually be on to something.
As anyone dealing with security knows, there is always room for improvement. For that reason, we are always looking for ways to offer even better security and privacy protection both in and outside of our software. Simple Machines wants to contribute to a safer internet and, therefore, we have implemented HTTPS (https://en.wikipedia.org/wiki/HTTPS) encryption across the site here at SimpleMachines.org. Upon visiting any page, you will be sent over a TLS/SSL (https://en.wikipedia.org/wiki/Transport_Layer_Security) connection. This means that the connection between your computer and our servers is encrypted, and under normal circumstances nobody can read the content of the packets we exchange. This change is, among other reasons, to help to protect your privacy and, for example, to prevent your passwords from potentially being stolen in what is known as a Man-in-the-middle attack (https://en.wikipedia.org/wiki/Man-in-the-middle_attack), a type of attack that's possible when you're using an unencrypted HTTP (https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) connection on an insecure or compromised (WiFi-)network.
Where is HTTPS-support in SMF?
As you may have noticed, we have just released SMF 2.0.14 which introduces full support for HTTPS. It also includes an image proxy feature to ensure that images are always served through HTTPS. Whenever it encounters an image that is hotlinked from a website without HTTPS, it temporarily caches the remote image on your server and subsequently serves it to your visitors through the HTTPS connection of your own website. This way, SMF can achieve a full HTTPS environment without warnings and notices of insecure/mixed content. The upcoming SMF 2.1 release (https://github.com/SimpleMachines/SMF2.1) also includes this image proxy.
As a reminder, there is no single solution to security and privacy protection. Many people look for the one solution that makes their account, computer, smartphones or servers secure. The best security reasonably possible can only be achieved by a multi-layer setup of security practices to lower the chances of unwanted intrusions/data theft occurring. We say lower, because there is no solution that will guarantee you 100% protection; instead there are only ways to make it (much) more difficult for botnets and/or malicious hackers to get what they want.
Last but not least, if you don't have https enabled on your site, please contact your hosting provider to ask how you can get SSL support for your website. Many hosting providers are starting to support free SSL certificates via Let's Encrypt (https://letsencrypt.org/) and other certificate authorities. Your options may vary depending on what your hosting provider supports or offers. If your host uses cPanel, ask them to enable a new feature called AutoSSL (https://blog.cpanel.com/autossl/), which allows for the automatic and free generation of SSL certificates. Once your site supports https and thus has a valid SSL certificate, you simply need to update the URLs on your site and your SMF-powered community from "http" to "https". You can do this through the admin control panel so that SMF 2.0.14 or higher makes use of SSL encryption. We have also released an updated Repair Settings (http://download.simplemachines.org/?tools) tool that supports both https and SMF 2.1, to help you to change your URLs quickly and efficiently.
As always, we thank you so much for using our products and services and we hope that you enjoy these changes and new features!
Thank you for your time,
And on a personal note, I'd like to add a big thank you to everyone, both on the (development) team and within the community, for their help developing and testing these features. Really good work, we're very happy that so many people are volunteering to help us! :)
I'd also like to add an extra thank you to SleePy, for his amazing work making our entire site properly compatible with SSL; which isn't an easy task.
Thanks to you all, it's truly appreciated!
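The image proxy idea described in the announcement, as an added sketch that is not SMF's own code: insecure `http://` image links in a post are rewritten to a same-origin HTTPS proxy URL, and the proxy only fetches URLs carrying a valid HMAC so it cannot be used as an open relay. The endpoint, parameter names and secret are hypothetical.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import quote, urlsplit

# Hypothetical values for this sketch; they are not SMF settings.
PROXY_ENDPOINT = "https://forum.example/proxy.php"
PROXY_SECRET = b"constructed-demo-secret"

IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=")([^"]+)(")', re.IGNORECASE)


def sign(url: str) -> str:
    """HMAC over the remote URL, so only URLs this site emitted are fetched."""
    return hmac.new(PROXY_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxied(url: str) -> str:
    """Same-origin HTTPS URL that stands in for a remote http:// image."""
    return f"{PROXY_ENDPOINT}?request={quote(url, safe='')}&hash={sign(url)}"


def rewrite_images(markup: str) -> str:
    """Point every http:// <img> at the proxy; leave https:// images alone."""
    def repl(match: re.Match) -> str:
        url = html.unescape(match.group(2))
        if urlsplit(url).scheme.lower() == "http":
            url = proxied(url)
        return match.group(1) + html.escape(url, quote=True) + match.group(3)
    return IMG_SRC.sub(repl, markup)


def verify_request(url: str, supplied_hash: str) -> bool:
    """Proxy side: refuse unsigned URLs and anything that is not http(s)."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return False
    return hmac.compare_digest(sign(url), supplied_hash)


# Constructed sample post, not taken from a real forum.
SAMPLE = ('<img src="http://images.example/cat.png"> '
          '<img src="https://secure.example/dog.png">')

if __name__ == "__main__":
    print(rewrite_images(SAMPLE))
```

A real proxy would also restrict which hosts it connects to and check that the response is actually an image before caching it.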
Thank you all!
Many thanks to all involved. This is an excellent and very important update.
privacy lovers love https