HTTPS for Elkarte?

This article started me thinking:
https://techcrunch.com/2016/09/08/chrome-is-helping-kill-http/

Is HTTPS really needed for Elkarte? Are we encouraged to do it?
Also, if we do use it, does it affect the installation paths etc?

What do you guys think?
Facta, non verba.

Re: HTTPS for Elkarte?

Reply #1

I guess, irrespective of your software, you should go for SSL. Because Google values it.

Re: HTTPS for Elkarte?

Reply #2

If you are on your own hosting, where you can install a signed certificate, or your shared hosting provides one, then there are a few things to keep in mind / update.

First you really want a signed certificate, not a self-signed one (the type you can easily create on your server). A self-signed one I think will make the browser show a warning that the site may not be secure, which will turn people away (even though the connection is in fact more secure than without it).

You can use https://www.startssl.com or https://letsencrypt.org for "free" SSL certs, I prefer Let's Encrypt fwiw.

Once you have done that, you will need to set secure cookies in the ACP, then update your theme / site urls to use https in the ACP.  All site JS/CSS/Images etc need to be over https.

Next search your db for http://yoursite and replace them with https://yoursite, else existing pages will force the browser to show the insecure content warning.

Image proxy, I know @emanuele started on one of these, what it does is proxy images that people post to be served from your site. It's a proxy / cache where it temporarily copies http images to the local host / proxy where they can be served securely from your https domain.

I'm sure there is more, but that's what comes to mind. Does make me think we should have an "easy" ACP setting, at least such that the theme stuff is taken care of automatically.
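
The URL rewrite and mixed-content check described in the reply above, as an added example that is not part of the original post or of ElkArte's code: it upgrades only links to your own host and lists the `[img]` sources that would still load over plain http (the ones an image proxy would have to handle). The host name `forum.example.org`, the function names and the sample post bodies are assumptions made up for the illustration.

```python
import re

SITE_HOST = "forum.example.org"  # assumption: placeholder for your own domain

# http:// links to our own host. The lookahead requires a delimiter after the
# host, so look-alike hosts such as forum.example.org.evil.test are left alone.
OWN_HTTP = re.compile(
    r"http://(" + re.escape(SITE_HOST) + r")(?=[/?#\s\"'\[\]]|$)", re.IGNORECASE
)

# [img]...[/img] BBC tags (attributes allowed) whose source is still plain http.
HTTP_IMG = re.compile(r"\[img[^\]]*\]\s*(http://[^\[\s]+)\s*\[/img\]", re.IGNORECASE)


def upgrade_own_links(body):
    """Rewrite http://SITE_HOST to https://SITE_HOST, nothing else."""
    return OWN_HTTP.sub(r"https://\1", body)


def insecure_images(body):
    """Images that would still load over http after the rewrite."""
    return [m.group(1) for m in HTTP_IMG.finditer(upgrade_own_links(body))]


def audit(posts):
    """Map post id -> rewritten body plus the remaining mixed-content images."""
    report = {}
    for post_id, body in posts.items():
        new_body = upgrade_own_links(body)
        report[post_id] = {
            "changed": new_body != body,
            "body": new_body,
            "mixed": insecure_images(body),
        }
    return report


# Constructed sample post bodies (not real forum data).
SAMPLE_POSTS = {
    1: "See http://forum.example.org/index.php?topic=1 [img]http://forum.example.org/a.png[/img]",
    2: "[img width=50]http://images.example.net/cat.jpg[/img] http://forum.example.org.evil.test/x",
    3: "[img]https://cdn.example.com/ok.png[/img]",
}

if __name__ == "__main__":
    for post_id, result in audit(SAMPLE_POSTS).items():
        print(post_id, result["changed"], result["mixed"])
```

Run it against a copy of the post bodies before changing the live database, and review the `mixed` list to decide which images need proxying or re-hosting.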

Re: HTTPS for Elkarte?

Reply #3

I wrote something similar to what Spuds said, but I forgot to post it and Spuds ninja'ed me. :P

Quote from: Spuds – I'm sure there is more, but that's what comes to mind. Does make me think we should have an "easy" ACP setting, at least such that the theme stuff is taken care of automatically.
That would be pretty nice I guess! :D

Quote from: meetdilip – I guess, irrespective of your software, you should go for SSL. Because Google values it.
Wrong answer.
You should not do things to please Google, you should do things to please your users.

That said, yes, https is a thing that is likely a good thing (basically pointless if you don't have any private-ish interaction with your users, i.e. if you don't have login info).
I guess we have to think about implementing it here as well (at some point)...

BTW:
Quote: The warning will appear in the address bar of the browser and will call users’ attention to the fact that their personal information could be snooped or stolen.
Isn't it what IE does as well since... a long time?[1]
Yes, obviously the check "don't show this message again" is pressed as soon as the box appears the first time you use it, but that's another story. :P
Bugs creator.
Features destroyer.
Template killer.

Re: HTTPS for Elkarte?

Reply #4

There is one downside that I recently had to deal with.

If for some reason you decide to drop SSL - all URLs to your site posted on other forums will be dead. Maybe there is some way to force Google to redirect them but I couldn't do it. Redirection in htaccess isn't going to work because it needs to have a valid cert.

Anyway, it wasn't a big deal for me because I used it only for tests :)

Re: HTTPS for Elkarte?

Reply #5

Be careful with HSTS, once it is activated you can't go back to plain HTTP. I got bitten by this once and that's why I'm using HTTPS.
192.MY.ID: Forum ISP Indonesia.

Re: HTTPS for Elkarte?

Reply #6

Wow, much info. Thanks guys! :) Will try it out......... somehow.. :O from the guide Spuds gave..
Facta, non verba.

Re: HTTPS for Elkarte?

Reply #7

Wosign also has a free SSL cert for up to two years, and it is renewable too. You can find it here: https://www.wosign.com/english/freessl.htm
Currently, I am using Wosign (for site) and StartSSL (for server) and they are good.

I tried to use Let's Encrypt but failed miserably, maybe because I tried to use it from the ISPConfig 3.1 (beta) panel. Anyway, to note, Let's Encrypt has to be renewed every 3 months or something, so you need to set a cron job to update it every three months.

A further note: your site will also prompt an SSL warning, especially on pages where you allow users to have an outside avatar or picture. The only way to avoid this is to upload all avatars and pictures to your site, which will definitely cost you more space.[1]
I think I have another question for support now but I'll open a new feature thread for that.
Last Edit: September 09, 2016, 11:16:55 pm by ahrasis

Re: HTTPS for Elkarte?

Reply #8

Good point on Let's Encrypt ... it does require more frequent certificate updates than others (cron job will work). Really it's a choice, SSL is better than nothing but it's certainly not infallible, a number of exploits have exposed weaknesses. Changing the certificate keys is a good practice for best security. That said, for a forum you probably don't need that level.

External avatars .. indeed had not thought of those. Don't know if the proxy @emanuele worked on takes care of those as well.

Re: HTTPS for Elkarte?

Reply #9

Good question, I don't remember either. xD

ETA: nope, it's just for the img BBC tag:
http://www.elkarte.net/community/index.php?topic=1791.0
Last Edit: September 10, 2016, 07:20:34 am by emanuele
Bugs creator.
Features destroyer.
Template killer.

Re: HTTPS for Elkarte?

Reply #10

There are performance considerations attached as well. Some claim it isn't so. However, my experiences backed it up. Theory says this or that, but the bottom line is there are more handshakes occurring. And it involves handshakes outside your own hosting. So.... connection establishment time triples off the bat. Not that I know much about it at all. It was noticeably slower to me. Users noticed it as well. It was especially noticeable on mobile devices.

I returned my sites to non HTTPS without issue.


Re: HTTPS for Elkarte?

Reply #12

Yeah, now Wosign is not accepting new certificate requests, for good reason, but the old ones are still functioning well. I'm using Let's Encrypt and Cloudflare for most.

@Keiro, your second & third links in your signature are incorrect, there is an additional http in the URL.
192.MY.ID: Forum ISP Indonesia.

Re: HTTPS for Elkarte?

Reply #13

Quote from: kucing – Yeah, now Wosign is not accepting new certificate requests, for good reason, but the old ones are still functioning well. I'm using Let's Encrypt and Cloudflare for most.

@Keiro, your second & third links in your signature are incorrect, there is an additional http in the URL.

Damn, I thought I'd gotten those. Fixed, thanks for the heads-up.

WoSign and StartSSL... yeah, they shouldn't be used any longer. If you're using them, I would suggest switching to Let's Encrypt ASAP.

Re: HTTPS for Elkarte?

Reply #14

Yes, all websites should be https.

Soon (relative) all (99.999999999%) browsers will drop (by default) support for http. ;)

First come the warnings though for a long time (relative, could be a few years or decades).

PS: Wonder why "Force cookies to be secure" is grayed out on new install. Odd. https is working fine.