Secure login?

Started by razors edge, November 27, 2011, 09:32:57 AM


razors edge

Is it possible to make login a bit more secure using SSL or some other method? People using packet sniffer software are able to gain logins from the forum. Many of my members tend to be travelers and on the road a lot, so they log in from hotels and coffee shops. What would be my best option for secure login?

Using smf 2.0.1


razors edge

I was looking at the SSL keys and wanted to know: can I just purchase an SSL key and use that for the entire site, including the forums?


Kindred

Based on another user's report... no, just purchasing the certificate and setting your site to https will not actually work....   I assume there are probably places in the code which have to be changed from http to https....
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

ACA_web

I used to use the SMF Secure Login mod, http://custom.simplemachines.org/mods/index.php?mod=880,  on my forum before I upgraded to 2.0.1. It is not compatible with 2.0.1, so I tried modifying the url in settings.php, but numerous images in the theme are being delivered without ssl causing partial encryption errors.

I'm surprised that an ssl login option is not part of the forum itself as the application gets flagged if on a server that needs to have pci compliance scans. Any hope that this will be added in the future?

MrPhil

I agree that it would be a good idea to offer a way (a mod?) to allow at least a secure signon, as well as the entire site in SSL. It's not in the base code because most people couldn't care less that the public can read the posts (that's how you attract new members), and aren't concerned enough about password security to spring for the expense of an SSL certificate. If you have something else on the site that needs SSL (such as a store with credit card processing), it's no added expense. The one drawback is that the login procedure would have to be changed to go to a separate page (which could also handle registrations, password changes, lost passwords, etc.) in order to be under SSL. See Drupal as an example.

Tony Reid

It's an old topic - but I'm going to bump.

With the widespread proliferation of unsecured wireless access throughout our coffee shops et al. - we are seeing more emphasis on protecting users' login credentials and non-public conversations (PMs etc.).

It's interesting to note that Facebook, Twitter and other large networks are now looking at forcing https.

In my opinion - https 'at' and 'after' login should be built into the core (more so than other features).

It would bring around other issues such as needing wildcarded SSL for those of us using more than one server (image servers etc.) and also the problems associated with SEO.... but that's another issue :)

But I do think it's something we need and that our users are going to expect - especially in the not too distant future.

Tony Reid

Kindred

the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(

Tony Reid

Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(

I totally agree, and those with small forums probably wouldn't need to bother so could turn it off.

But those of us with larger boards should really consider https.




MrPhil

It is inexcusable for SMF development to use the cost of an SSL certificate as a reason not to offer secure login. Make it optional, but make it available for those who want to spring for a certificate (or already have one for a store and such).

Secure login means moving login to its own (potentially https) page, and not having a quick login on nonprotected pages (where a password is not secured).

ACA_web

I've been waiting for this since moving to 2.0.x. Just letting people know that there is demand to have a secure login.

Kindred

Mr Phil,

You misinterpreted my statement... I never gave the cost as any sort of excuse.... merely as a concern.

However, I think it is unlikely that SSL will happen in the 2.0 line....
(said with the understanding that I am not a developer and am not the one making decisions)

ACA_web

Having the login behind SSL is not only good for security of passwords, but can also be a requirement when SMF is running on a server that also has e-commerce apps running on it and has to go through PCI compliance testing. Having form fields for passwords that are not encrypted is a red flag, even if it is just for the forum, as many people use the same logins and passwords between sites. I think a plugin would be sufficient, like the one that worked for the 1.0.x versions of the software.

razors edge

Perhaps two thirds of members log in away from home, usually at hotels, coffee shops, and wifi shops. I get on average 5 to 8 requests per week for secure login. Seems to me, with the push with guarding your data these days in society, this would be a built-in feature. We are currently looking at other forums as an option to get this feature.


MrPhil

Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(
Quote from: Kindred on February 29, 2012, 01:43:53 PM
You misinterpreted my statement... I never gave the cost as any sort of excuse.... merely as a concern.
So what's wrong with providing an option to use SSL-protected login (on a separate https page), in contrast to the every-page quick login? It could be done as a mod: replace the current quick login with a button to go to an https page, where the login fields will be. Other password-related functions could eventually be on that page, such as lost password request and change password, and even profile-maintenance. The page could either be hard coded as SSL, or there could be a check if it's available or at least, configured.

Kindred

There is nothing wrong with providing the option....  I never spoke against that.

And, if it's such an issue, then maybe someone could create a mod for it more quickly than we will get to adding it to the base code.

razors edge

Quote from: MrPhil on March 04, 2012, 12:35:15 PM
Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(
Quote from: Kindred on February 29, 2012, 01:43:53 PM
You misinterpreted my statement... I never gave the cost as any sort of excuse.... merely as a concern.
So what's wrong with providing an option to use SSL-protected login (on a separate https page), in contrast to the every-page quick login? It could be done as a mod: replace the current quick login with a button to go to an https page, where the login fields will be. Other password-related functions could eventually be on that page, such as lost password request and change password, and even profile-maintenance. The page could either be hard coded as SSL, or there could be a check if it's available or at least, configured.

That would be a great option and a method to having it done.

planet9

Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(

An SSL cert can be created for free. I just got mine at startssl.com. It wasn't the easiest process, but it was free.

razors edge

Quote from: planet9 on March 10, 2012, 03:35:15 PM
Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(

An SSL cert can be created for free. I just got mine at startssl.com. It wasn't the easiest process, but it was free.

Thank you

Mikael Jokela

Dear SMF community

I'd like to bring up this old topic since there isn't yet secure login support, even though many users need that. Some organizations need to run SMF on a separate server because of the lack of login security, which is frustrating and expensive. The secure login option would be very much appreciated!

To put it clearly, we need a configuration option to transfer login information encrypted via https and take the user back to plain http after login, because of all that included forum content which doesn't fit in https.

- Mikael

Storman™

Fair enough, but not sure that's a suitable "SMF Support" query.

Think you'd be better off posting in the Feature Requests forum section.

MrPhil

If you happen to have SSL on your site for other purposes (e.g., a store), it would be wonderful to be able to tell SMF to use SSL-protected pages or popups for login, password changes, filling in personal data such as email addresses, etc. It would also be good to be able to run the entire forum under SSL, as we keep getting requests to do. Alas, every time I suggest this optional use of SSL, the response is "No, because we don't want to force forum owners to pay for SSL".

ziycon

Without me reading up on the history, what's the reason https doesn't work?

Kindred

https works just fine

--- IF --- you set the entire site to https.

What they are asking for is to just make the logins and admin checks https....

MrPhil

The biggest problem is sorting out and coordinating all the various links on a page so that you don't get warnings about mixing insecure content with your secure page. Ad content and other links to external sites, where you have to explicitly give http: or https:, are a tough nut to crack. Other than that, it's pretty straightforward.

Kindred

well, not quite...

what would need to be https?

login...
but there are several login triggers/locations... including the bottom of every page....

what about password changes?
Admin verification/password checks?

ziycon

Adding just areas: would that not fall under server config, to tell your web server to only secure certain areas!?

MrPhil

I haven't heard of securing only parts of a screen (e.g., a login form), though I suppose that might be possible (form action https: on an otherwise http: page?). The usual practice is to have the entire page (or popup?) under SSL (or not). To avoid ugly browser warnings, you can't mix http: and https: on the same https: page.

Being able to log in securely (as well as do things like change passwords and otherwise handle sensitive information) would make a lot of forum owners very happy, so I don't know why the developers are so adamantly against it.

Let me repeat: using SSL would be OPTIONAL (choice of the forum owner), not mandatory for all SMF installations. If you want to spring for SSL just for SMF, that's your business. If you happen to have it already, why not be able to use it?
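ACA_web's "partial encryption" errors earlier in the thread and MrPhil's point about form actions both come down to checking what a page actually references. The following is an added example, not code from this thread or from SMF: a small Python auditor that reports subresources fetched over plain http on an https page, and any form containing a password field whose action is not https. The hostname, theme paths, field names and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _PageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources = []    # (tag, url) for <img>, <script>, <iframe>, <link>
        self.forms = []        # [action, contains_password_field]
        self._open_forms = []  # indices into self.forms for currently open <form>s

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            self.resources.append((tag, a["href"]))
        elif tag == "form":
            self.forms.append([a.get("action") or "", False])
            self._open_forms.append(len(self.forms) - 1)
        elif tag == "input" and self._open_forms and (a.get("type") or "").lower() == "password":
            self.forms[self._open_forms[-1]][1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open_forms:
            self._open_forms.pop()

def audit_page(html, page_url):
    """Return (kind, tag, url) findings for a page served at the absolute page_url."""
    scanner = _PageScanner()
    scanner.feed(html)
    findings = []
    page_is_https = urlparse(page_url).scheme == "https"
    for tag, url in scanner.resources:
        # urljoin resolves relative and protocol-relative ("//host/x") references
        # against the page, so only explicit http: subresources are reported.
        if page_is_https and urlparse(urljoin(page_url, url)).scheme == "http":
            findings.append(("mixed-content", tag, url))
    for action, has_password in scanner.forms:
        # A form carrying a password must submit to https whatever the page scheme.
        if has_password and urlparse(urljoin(page_url, action)).scheme != "https":
            findings.append(("password-over-http", "form", action or page_url))
    return findings

# Constructed sample forum page (host, paths and field names are made up): a stylesheet
# and an image are hard-coded to http:, and the login form posts to an http: URL.
SAMPLE_HTML = """<link rel="stylesheet" href="http://forum.example/Themes/default/css/index.css">
<script src="//forum.example/Themes/default/scripts/script.js"></script>
<img src="http://forum.example/Themes/default/images/logo.png">
<form action="http://forum.example/index.php?action=login2" method="post">
<input type="text" name="user"><input type="password" name="passwrd"></form>"""
```

Running `audit_page(SAMPLE_HTML, "https://forum.example/index.php")` reports the stylesheet and image as mixed content and the login form as posting a password over http; the protocol-relative script is resolved to https and passes.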

Kindred

MrPhil,

I would not say the developers are "adamantly against it". I have not seen our developers speak out for or against it...

I'd more say that
a) it is actually much more complicated than it first appears
and
b) either none of the current developers on the team have looked into it or perhaps are not interested in coding it.


However, since our GitHub codebase is publicly available and anyone can submit pull requests and code changes, if someone is truly interested in this and willing to contribute time and/or development effort to the update, they can do so quite easily.

Storman™

Can't help thinking that if someone was really paranoid about having their password intercepted by a "sniffer", then they could use a secure VPN instead; it would be much easier to implement.

If your content is "that" sensitive then maybe you should be thinking about a more appropriate product.

Personally I've never had a request from a member requesting a secure SSL login.
