Secure login?

Started by razors edge, November 27, 2011, 09:32:57 AM


razors edge

Is it possible to make login a bit more secure using SSL or some other method? People using packet sniffer software are able to gain logins from the forum. Many of my members tend to be travelers and on the road a lot, so they login from hotels and coffee shops. What would be my best option for secure login?

Using smf 2.0.1


razors edge

I was looking at the SSL keys and wanted to know: can I just purchase an SSL key and use that for the entire site, including the forums?


Kindred

Based on another user's report... no, just purchasing the certificate and setting your site https will not actually work....   I assume there are probably places in the code which have to be changed from http to https....

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

ACA_web

I used to use the SMF Secure Login mod, http://custom.simplemachines.org/mods/index.php?mod=880, on my forum before I upgraded to 2.0.1. It is not compatible with 2.0.1, so I tried modifying the URL in Settings.php, but numerous images in the theme are being delivered without SSL, causing partial encryption errors.

I'm surprised that an SSL login option is not part of the forum itself, as the application gets flagged if it is on a server that needs to have PCI compliance scans. Any hope that this will be added in the future?

MrPhil

I agree that it would be a good idea to offer a way (a mod?) to allow at least a secure signon, as well as the entire site in SSL. It's not in the base code because most people couldn't care less that the public can read the posts (that's how you attract new members), and aren't concerned enough about password security to spring for the expense of an SSL certificate. If you have something else on the site that needs SSL (such as a store with credit card processing), it's no added expense. The one drawback is that the login procedure would have to be changed to go to a separate page (which could also handle registrations, password changes, lost passwords, etc.) in order to be under SSL. See Drupal as an example.

Tony Reid

It's an old topic - but I'm going to bump.

With the widespread proliferation of unsecured wireless access throughout our coffee shops et al. - we are seeing more emphasis on protecting users' login credentials and non-public conversations (PMs etc.).

It's interesting to note that Facebook, Twitter and other large networks are now looking at forcing https.

In my opinion - https 'at' and 'after' login should be built into the core (more so than other features).

It would bring around other issues, such as needing wildcarded SSL for those of us using more than one server (image servers etc.) and also the problems associated with SEO.... but that's another issue :)

But I do think it's something we need and that our users are going to expect - especially in the not too distant future.

Tony Reid

Kindred

the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(

Tony Reid

Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(

I totally agree, and those with small forums probably wouldn't need to bother so could turn it off.

But those of us with larger boards should really consider https.



MrPhil

It is inexcusable for SMF development to use the cost of an SSL certificate as a reason not to offer secure login. Make it optional, but make it available for those who want to spring for a certificate (or already have one for a store and such).

Secure login means moving login to its own (potentially https) page, and not having a quick login on non-protected pages (where a password is not secured).

ACA_web

I've been waiting for this since moving to 2.0.x. Just letting people know that there is demand to have a secure login.

Kindred

Mr Phil,

You misinterpreted my statement... I never gave the cost as any sort of excuse.... merely as a concern.

However, I think it is unlikely that SSL will happen in the 2.0 line....
(said with the understanding that I am not a developer and am not the one making decisions)

ACA_web

Having the login behind SSL is not only good for security of passwords, but can also be a requirement when SMF is running on a server that also has e-commerce apps running on it and has to go through PCI compliance testing. Having form fields for passwords that are not encrypted is a red flag, even if it is just for the forum, as many people use the same logins and passwords between sites. I think a plugin would be sufficient, like the one that worked for the 1.0.x versions of the software.

razors edge

Perhaps two thirds of members login away from home, usually at hotels, coffee shops, and wifi hotspots. I get on average 5 to 8 requests per week for secure login. Seems to me, with the push for guarding your data these days in society, this would be a built-in feature. We are currently looking at other forums as an option to get this feature.


MrPhil

Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(
Quote from: Kindred on February 29, 2012, 01:43:53 PM
You misinterpreted my statement... I never gave the cost as any sort of excuse.... merely as a concern.
So what's wrong with providing an option to use SSL-protected login (on a separate https page), in contrast to the every-page quick login? It could be done as a mod: replace the current quick login with a button to go to an https page, where the login fields will be. Other password-related functions could eventually be on that page, such as lost password request and change password, and even profile-maintenance. The page could either be hard coded as SSL, or there could be a check if it's available or at least, configured.
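One way the "check if it's available or at least configured" part of the above could look in PHP, as an added example that is not SMF's code nor the mod MrPhil is proposing: a guard placed at the top of a stand-alone login action that only lets the password form render when the request arrived over TLS, and otherwise redirects to the https copy of the page. It assumes a hypothetical `secure_login` key in SMF's `$modSettings` array and uses `$boardurl` from Settings.php; the header-based proxy check is only safe when the proxy in front of the forum actually sets that header.

```php
<?php
// Added example, not SMF code. Assumed setting: $modSettings['secure_login']
// (hypothetical on/off switch). $boardurl is the forum URL from Settings.php.

// Decide whether this request reached PHP over TLS.
function request_is_https(array $server): bool
{
    // Case 1: the web server terminated TLS itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Case 2: a reverse proxy / load balancer terminated TLS and tells us so.
    // Trust this header only if your proxy is configured to overwrite it;
    // a client can send it directly otherwise.
    if (isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

// Build the https version of the login page from the configured board URL,
// ignoring whatever scheme $boardurl was written with.
function https_login_url(string $boardurl): string
{
    $parts = parse_url($boardurl);
    $host  = $parts['host'];
    $path  = isset($parts['path']) ? rtrim($parts['path'], '/') : '';
    return 'https://' . $host . $path . '/index.php?action=login';
}

// Returns null when the login form may be rendered as-is, or the URL to
// redirect to when the option is on and the request is still plain http.
function enforce_secure_login(array $server, array $modSettings, string $boardurl): ?string
{
    if (empty($modSettings['secure_login'])) {
        return null;                     // option off: behave as before
    }
    if (request_is_https($server)) {
        return null;                     // already on TLS: show the form
    }
    return https_login_url($boardurl);   // send the browser to the https page
}

// Usage at the very top of the login action, before any output:
$target = enforce_secure_login($_SERVER, $modSettings, $boardurl);
if ($target !== null) {
    header('Location: ' . $target, true, 302);
    exit;
}
```

On the non-protected pages the quick-login form would then be replaced by a plain link to `https_login_url($boardurl)`, so no password field is ever served over http. Note that redirecting the login page alone protects the password in transit; the session cookie set after login still travels in clear on every http page unless it is marked Secure, which is the trade-off behind the "https after login" point made earlier in the thread.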

Kindred

there is nothing wrong with providing the option....  I never spoke against that.

and, if it's such an issue, then maybe someone could create a mod for it more quickly than we will get to adding it to the base code.

razors edge

Quote from: MrPhil on March 04, 2012, 12:35:15 PM
Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(
Quote from: Kindred on February 29, 2012, 01:43:53 PM
You misinterpreted my statement... I never gave the cost as any sort of excuse.... merely as a concern.
So what's wrong with providing an option to use SSL-protected login (on a separate https page), in contrast to the every-page quick login? It could be done as a mod: replace the current quick login with a button to go to an https page, where the login fields will be. Other password-related functions could eventually be on that page, such as lost password request and change password, and even profile-maintenance. The page could either be hard coded as SSL, or there could be a check if it's available or at least, configured.

That would be a great option and a method to having it done.

planet9

Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(

SSL Cert can be created for free. I just got mine at startssl.com. It wasn't the easiest process but it was free.

razors edge

Quote from: planet9 on March 10, 2012, 03:35:15 PM
Quote from: Kindred on February 29, 2012, 07:32:37 AM
the only problem that I see is that getting an SSL cert costs money... most forums are run on a shoe-string budget. :(

SSL Cert can be created for free. I just got mine at startssl.com. It wasn't the easiest process but it was free.

Thank you

Mikael Jokela

Dear SMF community

I'd like to bring up this old topic since there isn't yet secure login support, even though many users need it. Some organizations need to run SMF on a separate server because of the lack of login security, which is frustrating and expensive. The secure login option would be very much appreciated!!

To put it clearly, we need a configuration option to transfer login information encrypted via https and take the user back to plain http after login, because of all the included forum content which doesn't fit in https.

- Mikael

Storman™

Fair enough, but not sure that's a suitable "SMF Support" query.

Think you'd be better off posting in the Feature Requests forum section.
