HTTPS for Elkarte? September 09, 2016, 05:44:16 am This article started me thinking:https://techcrunch.com/2016/09/08/chrome-is-helping-kill-http/Is HTTPS really needed for Elkarte? Are we encouraged to do it?Also, if we do use it, does it affect the installation paths etc?What do you guys think?
Re: HTTPS for Elkarte? Reply #1 – September 09, 2016, 07:33:57 am I guess, irrespective of your software, you should go for SSL. Because Google values it.
Re: HTTPS for Elkarte? Reply #2 – September 09, 2016, 07:39:14 am If you are on your own hosting, where you can install a signed certificate, or your shared hosting provides one then there a few things to keep in mind / update.First you really want a signed certificate, not a self signed one (the type you can easily create on your server). A self singed one I think will make the browser show a warning about the site may not be secure, which will turn people away (even though the connection is in fact more secure than without it).You can use https://www.startssl.com or https://letsencrypt.org for "free" ssl certs, I prefer Lets Encrypt fwiw.Once you have done that, you will need to set secure cookies in the ACP, then update your theme / site urls to use https in the ACP. All site JS/CSS/Images etc need to be over https.Next search your db for http://yoursite and replace them with https://yoursite, else existing pages will force the browser to show the insecure content warning.Image proxy, I know @emanuele started on one of these, what it does is proxy images that people post to be served from your site. Its a proxy / cache where it temporally copies http images to the local host / proxy where they can be served securely from your https domain.I'm sure there is more, but thats what comes to mind. Does make me think we should have a "easy" ACP setting, at least such that the theme stuff is taken care of automatically.
Re: HTTPS for Elkarte? Reply #3 – September 09, 2016, 03:05:35 pm I wrote something similar to what Spuds said, but I forgot to post it and Spuds ninja'ed me. Quote from: Spuds – September 09, 2016, 07:39:14 amI'm sure there is more, but thats what comes to mind. Does make me think we should have a "easy" ACP setting, at least such that the theme stuff is taken care of automatically.That would be pretty nice I guess! Quote from: meetdilip – September 09, 2016, 07:33:57 amI guess, irrespective of your software, you should go for SSL. Because Google values it.Wrong answer.You should not do things to please google, you should do things to please your users.That said, yes, https is a thing that is likely a good thing (basically pointless if you don't have any private-ish interaction with your users (i.e. if you don't have login info).I guess we have to think to (at some point) implement it here as well...BTW:QuoteThe warning will appear in the address bar of the browser and will call users’ attention to the fact that their personal information could be snooped or stolen.Isn't it what IE does as well since... a long time?[1]1 Yes, obviously the check "don't show this message again" is pressed as soon as the box appears the first time you use it, but that's another story. ↵
Re: HTTPS for Elkarte? Reply #4 – September 09, 2016, 04:29:56 pm There is one downside that I recently had to deal with.If for some reason you'll decide to drop SSL - all urls to your site posted on other forums will be dead. Maybe there is some way to force Google to redirect them but I couldn't do it. Redirection in htaccess isn't going to work because it needs to have valid cert..anyway it wasn't big deal for me because I used it only for tests
Re: HTTPS for Elkarte? Reply #5 – September 09, 2016, 05:02:06 pm be careful with HSTS, once it activated you can't go back to plain HTTP. I got bitten with this once and that's why I'm using HTTPS.
Re: HTTPS for Elkarte? Reply #6 – September 09, 2016, 08:44:16 pm Wow much info. Thanks guys! Will try it out......... some how.. :O from the guide Spuds gave..
Re: HTTPS for Elkarte? Reply #7 – September 09, 2016, 11:10:45 pm Wosign also have a free ssl up to two years and renewable too. You can find it here: https://www.wosign.com/english/freessl.htmCurrently, I am using Wosign (for site) and StartSSL (for server) and they are good.I try to use Let'sEncrypt but failed miserably, may be because I tried to use from ISPConfig 3.1 (beta) Panel. Anyway, to note, Let'sEncrypt have to be renewed every 3 months or something, so you need to set a cron job to update it, every three months.Further note will be, your site will also be prompted to SSL warning, especially in the page where you allowed user to have outside avatar or picture inside it. The only way to avoid this will be to upload all avatar and picture to your site, which will definitely cost you more spaces.[1]1 I think I have another question for support now but I'll open a new feature thread for that.↵
Re: HTTPS for Elkarte? Reply #8 – September 10, 2016, 06:41:08 am Good point on Lets Encrypt ... it does require more frequent certificate updates then others (cron job will work). Really its a choice, SSL is better than nothing but its certainly not infallible, a number of exploits have exposed weakness. Changing the certificate keys is a good practice for best security. That said, for a forum you probably don't need that level.External avatars .. indeed had not thought of those. Don't know if the proxy @emanuele worked on takes care of those as well.
Re: HTTPS for Elkarte? Reply #9 – September 10, 2016, 07:15:29 am Good question, I don't remember either. xDETA: nope, it's just for the img BBC tag:http://www.elkarte.net/community/index.php?topic=1791.0
Re: HTTPS for Elkarte? Reply #10 – September 10, 2016, 01:27:49 pm There are performance considerations attached as well. Some claim it isn't so. However, my experiences backed it up. Theory says this or that, but the bottom line is there are more handshakes occuring. And it involves handshakes outside your own hosting. So.... connection establishment time triples off the bat. Not that I know much about it at all. It was noticeably slower to me. Users noticed it as well. It was especially noticeable on mobile devices. I returned my sites to non HTTPS without issue.
Re: HTTPS for Elkarte? Reply #11 – October 20, 2016, 02:57:18 am I would NOT recommend WoSign or StartSSL. Why? sauce 1 and sauce 2.
Re: HTTPS for Elkarte? Reply #12 – October 20, 2016, 07:30:19 am yeah, now wosign is not accepting new certificate request for good reason. but the old one still functioning well. i'm using let's encrypt and cloudflare for most.@Keiro , your second & third link in signature is incorrect, there is additional http in the url.
Re: HTTPS for Elkarte? Reply #13 – October 20, 2016, 08:29:36 am Quote from: kucing – October 20, 2016, 07:30:19 amyeah, now wosign is not accepting new certificate request for good reason. but the old one still functioning well. i'm using let's encrypt and cloudflare for most.@Keiro , your second & third link in signature is incorrect, there is additional http in the url.Damn, I thought I'd gotten those. Fixed, thanks for the heads-up.WoSign and StartSSL... yeah, they shouldn't be used any longer. If you're using them, I would suggest switching to Let's Encrypt ASAP.
Re: HTTPS for Elkarte? Reply #14 – November 13, 2016, 12:11:10 pm Yes, all websites should be https.Soon (relative) all (99.999999999%) browsers will drop (by default) support for http. First come the warnings though for a long time (relative, could be a few years or decades).PS: Wonder why "Force cookies to be secure" is grayed out on new install. Odd. https is working fine.
Modern, Free, Powerful