gravatar profile images not secure

bynw · June 23, 2022, 10:22:54 PM

Right now I know of at least 1 of my users is using the Gravatar option for their profile image. However it's coming from http://www.gravatar.com instead of https://www.gravatar.com

Thus making any page that has the gravatar image not fully secure.

Is there a fix available for this?

Diego Andrés · June 23, 2022, 10:27:27 PM

Check Maintenance > Server settings > Forum SSL mode > Force SSL throughout the forum.
That should make it use https... I think.

Arantor · June 23, 2022, 11:51:23 PM

This is a bug really; there is no reason for the Gravatar code not to get this right without resorting to the force SSL option.

Diego Andrés · June 23, 2022, 11:53:42 PM

It's what I found in get_gravatar_url, dunno why http_method is a thing in there.

Arantor · June 24, 2022, 12:06:04 AM

You could make the argument that you're conserving bandwidth if not secure but this shouldn't be predicated on the *force* option, but simply on whether the URL is secure or not. I would class this as a bug.

Especially since the secure option can be handled further up the stack, e.g. terminating the SSL at an ingress controller on a K8s stack. Or by CloudFlare and not encrypting the traffic between CloudFlare and your server. All sorts of ways.

Steve · June 24, 2022, 06:04:39 AM

Sorry Arantor, but I didnt' understand a lot of what you said at the end (and no need to explain) but would Diego's suggestion work for the OP until the bug is fixed?

Arantor · June 24, 2022, 07:01:50 AM

Possibly. It might also break the OP's forum if used, with potentially no way in to uncheck it.

A dirty fix might be to replace this line in Subs.php:

Code Select

$http_method = !empty($modSettings['force_ssl']) ? 'https://secure' : 'http://www';
With:

Code Select

$http_method = true ? 'https://secure' : 'http://www';
It's a rubbish fix but it should do for the OP until it can be properly fixed in a future version.

The issue is that when you do HTTPS, you can either run it in HTTPS mode or forced HTTPS mode - Gravatar seemingly relies on the latter but all the advice people give around in the current "convert to HTTPS" guides makes that option unnecessary.

In any case, if I were to tick that option on my production forums, they would all break because they're not set up to work the way SMF expects them to be to detect HTTPS in use or not.

Doug Heffernan · June 24, 2022, 07:06:09 AM

I have moved this to the Bug Reports board to bring it to the attention of our developers.

Kindred · June 24, 2022, 08:50:23 AM

Is this a bug in SMF or on the Gravatar site?

Doug Heffernan · June 24, 2022, 08:58:49 AM

Quote from: Arantor on June 24, 2022, 07:01:50 AMPossibly. It might also break the OP's forum if used, with potentially no way in to uncheck it.

It can be unchecked/undone with a simple sql query if things went south.

Code Select

UPDATE smf_settings SET force_ssl = 0;

Quote from: Kindred on June 24, 2022, 08:50:23 AMIs this a bug in SMF or on the Gravatar site?

It looks like it is a bug with Smf.

Arantor · June 24, 2022, 09:05:12 AM

Quote from: Kindred on June 24, 2022, 08:50:23 AMIs this a bug in SMF or on the Gravatar site?

SMF. I don't believe force_ssl is the correct basis for using secure Gravatars, and detecting if boardurl begins with HTTPS would be better (since you can quite legitimately have a secure site without using force_ssl)

Also just because it is a "simple query" doesn't change the fact that someone can be in the admin panel and then through the UI lock themselves and everyone else out of the entire platform depending on server configuration.

News:

gravatar profile images not secure