ElkArte Community

General => Site Feedback => Topic started by: Joshua Dickerson on May 08, 2017, 01:36:27 am

Title: Please use HTTPS
Post by: Joshua Dickerson on May 08, 2017, 01:36:27 am
It's free with Let's Encrypt, and certbot should be pretty easy to set up.
Title: Re: Please use HTTPS
Post by: kucing on May 08, 2017, 10:03:16 am
+1

agreed. :D i'm using let's encrypt too, it's easy. just setup and forget.
Title: Re: Please use HTTPS
Post by: ahrasis on May 08, 2017, 05:31:21 pm
I don't think it's just "setup and forget" unless you have a proper script to ensure it is renewed every 3 months.
Title: Re: Please use HTTPS
Post by: kucing on May 08, 2017, 08:18:14 pm
Quote from: ahrasis – I don't think it's just "setup and forget" unless you have a proper script to ensure it is renewed every 3 months.
i think that's already implied in setup process? :)
just add to cron
Code:
certbot-auto renew --no-self-upgrade
Title: Re: Please use HTTPS
Post by: ahrasis on May 09, 2017, 06:51:04 am
Well, that is not in the "setup" process. It is something you had to add if you want an auto renewal. :P
Title: Re: Please use HTTPS
Post by: Joshua Dickerson on May 11, 2017, 11:20:11 pm
It adds the cron for you and it's on the installation instructions. I'd call that part of the setup process, but you're arguing semantics.
Title: Re: Please use HTTPS
Post by: ahrasis on May 12, 2017, 07:38:37 am
LOL...
Title: Re: Please use HTTPS
Post by: Frenzie on May 12, 2017, 09:38:14 am
Quote from: kucing –
Quote from: ahrasis – I don't think it's just "setup and forget" unless you have a proper script to ensure it is renewed every 3 months.
i think that's already implied in setup process? :)
just add to cron
Code:
certbot-auto renew --no-self-upgrade
Is that new or was I making things (slightly) too complicated exactly one year ago? http://fransdejonge.com/2016/05/lets-encrypt-on-debianjessie/ I mean, even without something that helps you set up the cron job it's quite easy… :P
Title: Re: Please use HTTPS
Post by: ahrasis on May 12, 2017, 11:58:24 pm
I kinda have a mixed feeling when certbot's command is mixed with letsencrypt's, so does it really work that way or it really works that way?  :-X
Title: Re: Please use HTTPS
Post by: Frenzie on May 13, 2017, 01:21:56 am
I'm not really sure what you mean. It's the same thing. ;)

Code:
$ apt search certbot
Sorting... Done
Full Text Search... Done
certbot/testing,testing 0.10.2-1 all
  automatically configure HTTPS using Let's Encrypt

letsencrypt/testing,testing 0.10.2-1 all
  transitional dummy package
Title: Re: Please use HTTPS
Post by: kucing on May 14, 2017, 07:02:40 am
IIRC, because the client is now maintained by EFF: https://certbot.eff.org/

The repository mentions that: https://github.com/certbot/certbot
Quote: Certbot, previously the Let's Encrypt Client, is EFF's tool to obtain certs from Let's Encrypt, and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

I forgot when exactly this happened, maybe when the Let's Encrypt client was still in beta. I held back on deploying it, and when I was ready to set it up, suddenly certbot was the new client. haha. :D got me confused for a few days.
Title: Re: Please use HTTPS
Post by: ahrasis on May 31, 2017, 10:24:14 pm
For Ubuntu 16.04, the default is still the old LE where only apt install letsencrypt is possible. You need to install certbot ppa to it or use Ubuntu 16.10 (with apt install certbot) if you want to use certbot instead.

That said, when will we see the green padlock here @emanuele45, @Spuds ... ?
Title: Re: Please use HTTPS
Post by: emanuele on June 03, 2017, 07:53:04 am
I have close to no knowledge on the matter (and I prefer not to touch the server LOL), so it's Spuds' call here. Or @TE if he comes around. :P

BTW: I just started researching how to set up ssl on my localhost before google kills desktop notifications support for non-SSL sites... what a pain. ::)
Title: Re: Please use HTTPS
Post by: ahrasis on June 03, 2017, 05:57:09 pm
Better open your own topic for your services and put some signature in your profile with a link to them @Brother John. You don't wanna hijack any topics just to promote your services, do you?
Title: Re: Please use HTTPS
Post by: TigerAnt on June 03, 2017, 08:54:18 pm
Thank you, Brother!
Title: Re: Please use HTTPS
Post by: Joshua Dickerson on June 05, 2017, 06:02:02 pm
Quote from: emanuele – I have close to no knowledge on the matter (and I prefer not to touch the server LOL), so it's Spuds' call here. Or @TE if he comes around. :P

BTW: I just started researching how to set up ssl on my localhost before google kills desktop notifications support for non-SSL sites... what a pain. ::)
It will always display an error for localhost
Title: Re: Please use HTTPS
Post by: TigerAnt on June 05, 2017, 06:18:51 pm
If you are using a Cpanel hosting platform it is really simple. The SSL/TLS Manager will allow you to generate SSL certificates, certificate signing requests, and private keys. These are all parts of using SSL to secure your website. SSL allows you to secure pages on your site so that information such as logins, credit card numbers, etc are sent encrypted instead of plain text. It is important to secure your site’s login areas, shopping areas, and other pages where sensitive information could be sent over the web.


If you will use the link, username, and password that I have provided for you below you will be able to see a real CPanel. Go to where it says SSL/TLS and click on it to see what I'm talking about.
Title: Re: Please use HTTPS
Post by: ahrasis on June 06, 2017, 12:57:17 am
@emanuele45, you can rename your localhost to any fqdn and get ssl certs for that fqdn. Other than using certbot, you can try acme.sh in obtaining and auto renewing LE ssl certs for it as well.
Title: Re: Please use HTTPS
Post by: emanuele on June 06, 2017, 01:11:15 am
I'm far before this step, I just managed to understand how to have the server respond when I point the browser to https. xD
Title: Re: Please use HTTPS
Post by: Joshua Dickerson on June 07, 2017, 12:44:41 am
Quote from: ahrasis – @emanuele45, you can rename your localhost to any fqdn and get ssl certs for that fqdn. Other than using certbot, you can try acme.sh in obtaining and auto renewing LE ssl certs for it as well.
I haven't done this, but would you still get a certificate error?
Title: Re: Please use HTTPS
Post by: ahrasis on June 07, 2017, 03:21:44 am
You shouldn't get an ssl error in your browser if LE certs can be issued and then properly installed for the localhost site.
Title: Re: Please use HTTPS
Post by: TigerAnt on June 07, 2017, 08:40:53 am
Joshua Dickerson, you could get an error if the certificate is bad. I have bought them and they were bad, of course, they were replaced by the co. I bought them from. It's just a pain when you get a bad certificate. It doesn't happen that often.
Title: Re: Please use HTTPS
Post by: vbgamer45 on October 25, 2017, 06:40:09 pm
I see HTTPS now but you can still visit non https:// http://www.elkarte.net/ shouldn't that be redirected to the https version?
Also I see HTTP/2.0 not supported and site is still using PHP 5.4
Title: Re: Please use HTTPS
Post by: TigerAnt on October 25, 2017, 08:47:28 pm
You may run into a problem with some anti-virus software showing an error if someone tries to visit your website. Not having one can end up doing you more harm than good and if you are selling products through your website you could be held liable for not protecting your client's info. They are cheap around $5.50/year. I use them to protect my clients and my own info. My site that I started here has one https://realchristchurch.com. I use this site to test my SSL's with https://www.sslshopper.com/ssl-checker.html#hostname=www.realchristchurch.com
Title: Re: Please use HTTPS
Post by: Spuds on October 25, 2017, 09:11:49 pm
Quote from: vbgamer45 – I see HTTPS now but you can still visit non https:// http://www.elkarte.net/ shouldn't that be redirected to the https version?
Also I see HTTP/2.0 not supported and site is still using PHP 5.4
While "rolling" https out we chose not to enable redirect, just in case we had to back things out.

I don't think the current version of nginx on the site supports http/2.

PHP could be updated nods

Title: Re: Please use HTTPS
Post by: TigerAnt on October 25, 2017, 10:43:22 pm
Very true about the PHP. I can change the PHP for my Clients from 5.4 - 7.1
Title: Re: Please use HTTPS
Post by: Frenzie on October 28, 2017, 05:42:52 am
Quote from: vbgamer45 – I see HTTPS now but you can still visit non https:// http://www.elkarte.net/ shouldn't that be redirected to the https version?
Also I see HTTP/2.0 not supported and site is still using PHP 5.4
Oh, is that why I've been seeing some weird logged in/not logged in stuff? I didn't bother investigating, thinking it was probably some cache fluke on my end.
Title: Re: Please use HTTPS
Post by: TE on October 28, 2017, 07:03:33 am
redirect has been enabled ;) Should be fixed within the next few minutes ...
Title: Re: Please use HTTPS
Post by: ahrasis on October 31, 2017, 12:36:54 am
I noted one page is not fully secure as IchBin avatar url is on non https in here (https://www.elkarte.net/community/index.php?topic=4712.msg34186#msg34186).
Title: Re: Please use HTTPS
Post by: emanuele on October 31, 2017, 07:03:12 am
/me bans @IchBin for not using a safe avatar! xD
Title: Re: Please use HTTPS
Post by: live627 on October 31, 2017, 07:25:26 am
Nah, it uses Telnet! :P
Title: Re: Please use HTTPS
Post by: Frenzie on November 01, 2017, 04:52:40 am
Quote from: TE – redirect has been enabled ;) Should be fixed within the next few minutes ...
It's not. The problem is related to elkarte.net vs www.elkarte.net. I don't know what the previous behavior was, but it must've been proper. I always type no-www and expect the site to 301 redirect if it wants to (and vice versa from www to no-www!). Anything else is bad website behavior.

1. I go to elkarte.net (not logged in).
2. I click login (link points to www.elkarte.net ?action=login).
3. I'm logged in on www.elkarte.net without being prompted for a password (as expected).

Of course you can replace 2 by just clicking on home or typing www.elkarte.net etc.
Title: Re: Please use HTTPS
Post by: emanuele on November 01, 2017, 12:29:50 pm
Quote from: ahrasis – I noted one page is not fully secure as IchBin avatar url is on non https in here (https://www.elkarte.net/community/index.php?topic=4712.msg34186#msg34186).
@Spuds regarding this, I updated the site with the pull request I sent https://github.com/Spuds/Elk_Image_Cache/pull/2 seems to work, but I'm not sure if I broke anything else... especially because I didn't check if the code here at elk.net was the same as the one in the repo... sorry, I realized only while writing this text and I have already closed the file, so undo is not an option anymore... :'(
/me feels stupid.
Title: Re: Please use HTTPS
Post by: Spuds on November 01, 2017, 04:47:34 pm
I should be fine  :) I had updated the repo with the change I made for 1.1 final.  Cool work on the avatar update !
Title: Re: Please use HTTPS
Post by: TE on November 03, 2017, 09:11:41 am
Quote from: Frenzie –
Quote from: TE – redirect has been enabled ;) Should be fixed within the next few minutes ...
It's not. The problem is related to elkarte.net vs www.elkarte.net. I don't know what the previous behavior was, but it must've been proper. I always type no-www and expect the site to 301 redirect if it wants to (and vice versa from www to no-www!). Anything else is bad website behavior.

1. I go to elkarte.net (not logged in).
2. I click login (link points to www.elkarte.net ?action=login).
3. I'm logged in on www.elkarte.net without being prompted for a password (as expected).

Of course you can replace 2 by just clicking on home or typing www.elkarte.net etc.
Should be fixed, I've added some code to our index.php (homepage).. Just posting it here so others could benefit from the solution..

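Code:
// Redirect any non-www host name to the canonical HTTPS host (permanent, 301).
// The target is a fixed string: HTTP_HOST comes from the client, so echoing it
// into Location would let a forged Host header choose the destination.
if (substr($_SERVER['HTTP_HOST'], 0, 4) !== 'www.') {
    header('Location: https://www.elkarte.net/', true, 301);
    exit;
}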

Title: Re: Please use HTTPS
Post by: Frenzie on November 03, 2017, 10:30:59 am
Seems to work okay. Btw, it probably doesn't matter much if at all unless you have really high traffic but doing it on the server ought to be faster: http://www.yes-www.org/redirection/
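The server-level redirect mentioned in the post above, as an added example that is not part of the thread and not the site's actual configuration. Host names are the ones discussed in the thread; the certificate paths assume certbot's default /etc/letsencrypt/live/<name>/ layout and a single certificate issued for both names.

```nginx
# Added example. Assumptions: certbot's default certificate layout and one
# certificate covering both elkarte.net and www.elkarte.net (two -d options
# at issuance). Without the bare name on the certificate, the browser shows
# a certificate error before it ever sees the redirect in block 2.

# 1. Plain HTTP on either name: one hop straight to the canonical HTTPS host.
server {
    listen 80;
    server_name elkarte.net www.elkarte.net;
    return 301 https://www.elkarte.net$request_uri;
}

# 2. HTTPS on the bare domain: redirect to www, keeping path and query.
#    Users then only ever hold a login cookie for one host name, which is
#    the logged-in/not-logged-in mismatch described in the thread.
server {
    listen 443 ssl;
    server_name elkarte.net;
    ssl_certificate     /etc/letsencrypt/live/elkarte.net/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/elkarte.net/privkey.pem;    # assumed path
    return 301 https://www.elkarte.net$request_uri;
}

# 3. Requests on port 80 whose Host header matches neither name: close the
#    connection without a response (444 is an nginx-specific code).
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# The existing "server_name www.elkarte.net" block on 443 stays as it is.
# Both redirect targets are literal strings, never $host or $http_host, so
# the value of the Host header cannot influence where the client is sent.
```

Check the result with `nginx -t` before reloading; each of the four scheme and host combinations should reach https://www.elkarte.net in at most one redirect.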
Title: Re: Please use HTTPS
Post by: TigerAnt on December 10, 2017, 04:16:04 pm
The best way to check your SSL certificate to see if it's good is here:  https://www.sslshopper.com/ssl-checker.html#hostname=https://www.elkarte.net/


You can see how I set it up to check the SSL for https://www.elkarte.net/
Title: Re: Please use HTTPS
Post by: Spuds on December 10, 2017, 06:37:57 pm
Cool !
Title: Re: Please use HTTPS
Post by: ahrasis on December 11, 2017, 12:35:40 am
Quote: Server Type: nginx/1.2.1
That's quite an old version of nginx.
Title: Re: Please use HTTPS
Post by: TigerAnt on December 11, 2017, 08:34:38 am
Quote from: ahrasis –
Quote: Server Type: nginx/1.2.1
That's quite an old version of Nginx.
Yes, but it serves its purpose.
Title: Re: Please use HTTPS
Post by: ahrasis on December 11, 2017, 09:57:28 am
Yeah, so long as it works without any serious vulnerabilities, it should be fine, I think.
Title: Re: Please use HTTPS
Post by: JesusGod-Pope666.Info on October 01, 2020, 08:42:29 am
I still wonder if HTTPS can be used to sniff out people and control things somehow. Like they do a lot of weird things to ruin the internet these days. I just wonder if there is some Luciferian thing behind it, but know too little about it.
I use it on my website as well, but I seem to hit into a lot of pages where I am told not to go into because there is an issue - and now FTP seems to have something of the same. Just more work it seems and I still wonder if there is anything that can further help the people who want to control everything in this world by using HTTPS.
Well at least google are pushing https websites apparently as I understood, giving them preference compared to http sites. Just so annoying when you hit into pages where there is an issue because of it using https. Well... I don't know enough technical things to know if there are any backdoors in this system or not. Maybe some of you more knowledgeable on that subject know. Sure safety for website and users it is said, but is there anything behind it that can be used to further control users.
It's really sad to see how the internet has become mainstream, like one of the reasons I got my TV out was because of all the propaganda - and now it is all over the internet. Not only is the mainstream nonsense propaganda all over, so is control and censuring.
Title: Re: Please use HTTPS
Post by: badmonkey on October 01, 2020, 09:18:15 am
Actually, https should serve to do quite the opposite. The premise is preventing third party snooping. ;)
Title: Re: Please use HTTPS
Post by: JesusGod-Pope666.Info on October 01, 2020, 09:33:46 am
Quote from: badmonkey – Actually, https should serve to do quite the opposite. The premise is preventing third party snooping. ;)

Yea, but what I'm thinking, if there is someway a backdoor or hidden agenda behind promoting it.
Title: Re: Please use HTTPS
Post by: badmonkey on October 01, 2020, 01:03:57 pm
Quote from: Darkijah –
Quote from: badmonkey – Actually, https should serve to do quite the opposite. The premise is preventing third party snooping. ;)
  
Yea, but what I'm thinking, if there is someway a backdoor or hidden agenda behind promoting it.
Since the alternative is transmitting all information over the wire in plaintext, human readable format, Ima say there is not a hidden agenda. In terms of security it couldn't be any worse than that.

Is there a backdoor? Again Ima say no because high level governments are beginning to push for precisely that, as even they cannot reliably intercept encrypted intel.

Is it foolproof? Of course not. Information security will always be a cat and mouse game. Each time a hole is discovered, it gets plugged. Then the search is on for a new hole. Repeat ad nauseam.
Title: Re: Please use HTTPS
Post by: JesusGod-Pope666.Info on October 02, 2020, 09:11:22 am
@badmonkey What does ima mean?
Title: Re: Please use HTTPS
Post by: badmonkey on October 02, 2020, 01:41:47 pm
It's internet lingo for "I am".

If you don't feel comfortable using https, don't sweat it that much. We forum owners are unlikely to handle highly sensitive information, such as financial credentials. It is a personal choice.