Topic: https login (Read 3316 times)

https login

Is it possible to use https instead of http? But be careful: I am a newbie with this!  ;)

A user asked me about this. He wants his password encrypted when sending it over the net.

Re: https login

Reply #1

Honestly I never tried https, so I'm a newbie as well.
In theory it should work.
There may be some oddities here and there (for example embedding images from a non-https website would not show any image in most of the browsers, if not all, this addon was meant to help with that aspect), but I don't think there is anything badly broken in https.

Actually, having the possibility to know for sure what's broken would be quite helpful. O:-)
Bugs creator.
Features destroyer.
Template killer.

Re: https login

Reply #2

Should work, it's been something I've been meaning to try.

Anyway most of the work is on the server end where you will need to install an X.509 certificate.  Buying a certificate can be expensive but you can also get some free ones (with lower crypt levels) or do your own, “self-signed” certificate for free.  A self-signed one will give the user an initial security prompt warning since it's self-signed.

Re: https login

Reply #3

Quote from: emanuele – ...embedding images from a non-https website would not show any image in most of the browsers, if not all, this addon was meant to help with that aspect...

Quote from: Spuds – Anyway most of the work is on the server end where you will need to install an X.509 certificate.  Buying a certificate can be expensive...

Okay, let's forget this. I don't want to install a plugin just for one user.  :-X

Re: https login

Reply #4

Ohhh... okay, I misunderstood the question then!
I thought your user wanted to set up the https on his site.

Well, the answer is mostly the same. What I can add is that it may be possible to "protect" just the login page (provided the quick-login is disabled), but then again, doing it without addons may not be possible (even though, it may be using an htaccess redirect of sorts I think)... more doubts than answers I guess. LOL

Re: https login

Reply #5

That seems like the best option, disable quick login and use htaccess for the login page.

Alternatively someone who knows https could do a plugin just to secure the login system (I don't imagine it would be overly hard, as long as ssl is configured correctly).

If someone does, I can test (I have ssl enabled on my server).
Quote from: Random Guy – Not putting miles on your Ferrari is like not having sex with your Girlfriend, so she'll be more desirable to her next Boyfriend

Re: https login

Reply #6

Quote from: emanuele – Honestly I never tried https, so I'm a newbie as well.

Heh, yes.

Technically, SSL has been cracked since 1997. That said: you will have to install a certificate (not a plug-in) in order to use SSL. The most interesting part is to adjust the theme though. All http: links will destroy your site security.

Re: https login

Reply #7

This is an interesting read: http://stackoverflow.com/questions/4515283/using-ssl-across-entire-site

Quote from: forumsearch0r2 – Technically, SSL has been cracked since 1997.

I'd like to see the case study on this if you have it handy. That being said, it would stop a lot of the more obvious attempts at data theft (remembering even minimal security is better than no security)

Quote from: forumsearch0r2 – That said: you will have to install a certificate (not a plug-in) in order to use SSL.

Yes this is correct, the plugin just facilitates the establishment of https throughout the site without the need for htaccess redirects. Having a working SSL configuration takes time and effort, but it needs to be done first.

Quote from: forumsearch0r2 – All http: links will destroy your site security.

Not true at all, a link is just that... A link... It seems mostly a non-issue, I run my wedge powered forum entirely over SSL and haven't come across any major problems, although that being said from memory if you are showing content inline you may run into problems if the content is http only, but that being said most major sites are moving to https, or alternatively have SSL enabled (think Youtube and IMGUR as the major players for inline content) so just link the HTTPS version (again, which is what I do).

It's essentially personal preference, and TBH someone who is looking to investigate would run up a test site to see how it works, and then make an assessment from there.

Re: https login

Reply #8

Quote from: Bunstonious – I'd like to see the case study on this if you have it handy.

I could provide some. You could as well search the web for "SSL strip". There are even smartphone apps to do that.

Quote from: Bunstonious – Yes this is correct, the plugin just facilitates the establishment of https throughout the site without the need for htaccess redirects.

Pointless and even less secure IMO.

Quote from: Bunstonious – Having a working SSL configuration takes time and effort, but it needs to be done first.

It actually takes about 5 minutes, including actually generating and validating the certificate.

Quote from: Bunstonious – Not true at all, a link is just that...

Not hyperlinks - link tags (links, not anchors).
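
The distinction drawn in replies #6 to #8, between ordinary hyperlinks and the `link` tags and other resources a theme pulls in over http:, shown as an added example that is not part of the original thread. The function names, the tag list and the sample template are assumptions made for illustration; the scanner also flags a form posting to http:, since the thread is about protecting the login password.

```python
from html.parser import HTMLParser

# Tag -> attribute the browser fetches (or submits to) on its own.
FETCHED = {"link": "href", "script": "src", "img": "src",
           "iframe": "src", "form": "action"}


class InsecureReferenceFinder(HTMLParser):
    """Find http:// references in a template meant to be served over https."""
    def __init__(self):
        super().__init__()
        self.insecure = []     # (line, tag, url): loaded or submitted by the browser
        self.plain_links = []  # (line, url): ordinary <a> hyperlinks, navigation only

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        name = "href" if tag == "a" else FETCHED.get(tag)
        url = (attrs.get(name) or "").strip() if name else ""
        if not url.lower().startswith("http://"):
            return
        if tag == "a":
            self.plain_links.append((line, url))
        else:
            self.insecure.append((line, tag, url))


def scan_template(html):
    finder = InsecureReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.insecure, finder.plain_links


# Constructed sample template, not taken from any real theme.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://forum.example/themes/default/index.css">
<script src="https://forum.example/themes/default/script.js"></script>
</head><body>
<a href="http://other.example/page">external link</a>
<img src="http://images.example/avatar.png">
<form action="http://forum.example/index.php" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    insecure, plain = scan_template(SAMPLE)
    for line, tag, url in insecure:
        print(f"line {line}: <{tag}> references {url}")
    print(f"{len(plain)} plain hyperlink(s) left alone")
```
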

 

Re: https login

Reply #9

If by "plug-in" you mean what I linked, that is just something to help Elk deal with embedding of images from non-https websites, nothing to do with the installation of the certificate. :P