BC Furries


Author Topic: HTTPS (SSL) Support?  (Read 916 times)

Kithop

  • Lead Vocals for Minor Eternity
  • Official BCFCB Member
  • BCFurries Regular
  • Posts: 670
    • Kithop's Blog
HTTPS (SSL) Support?
« on: December 06, 2015, 08:00:16 pm »

With the recent opening of the Public Beta of the 'Let's Encrypt' initiative, and with almost every web server & browser now supporting the Server Name Indication standard for multiple HTTPS sites on the same IP, we should be able to migrate the forums (particularly the user creation & logon forms) to HTTPS for the low low price of 'free'. ;)

Not that someone sniffing your BC Furries password on Starbucks' or Timmies' WiFi is the end of the world, but we've got pretty much no excuse at this point, I feel.  I'm even down to help with the transition if needed, just let me know.
Logged

Sasha

  • a.k.a. Tigerface
  • Official BCFCB Member
  • BCFurries Regular
  • Posts: 665
  • Tuned to E♭ Standard
    • My new [stagnant..] FA account!
Re: HTTPS (SSL) Support?
« Reply #1 on: December 07, 2015, 02:32:17 am »

Put it on the list, we've been waiting nearly two years since the site's crash to have even basic plugins like what we had before..

Sasha~
Logged
The farther one travels, the less one knows.

frysco

  • Official BCFCB Member
  • Known Member
  • Posts: 28
Re: HTTPS (SSL) Support?
« Reply #2 on: December 08, 2015, 04:22:29 pm »

Quote from: Kithop
> With the recent opening of the Public Beta of the 'Let's Encrypt' initiative, and with almost every web server & browser now supporting the Server Name Indication standard for multiple HTTPS sites on the same IP, we should be able to migrate the forums (particularly the user creation & logon forms) to HTTPS for the low low price of 'free'. ;)

It wouldn't be "free" because there'd be an underlying charge to get another public IP address for the server to tie the domain to, as - last time I looked - you couldn't run multiple SSL virtual hosts off a single IP address.

And while it'd be easy to get, and cost around C$1.50/month, Rain Rat would have to say if he wanted to pay that or not.
Logged

Kithop

Re: HTTPS (SSL) Support?
« Reply #3 on: December 08, 2015, 11:23:23 pm »

Second link: Server Name Indication, aka 'many SSL sites on one IP'. ;)

I run all my sites on HTTPS where possible (or at least have the option to), all on one static IP and a bog-standard install of Apache 2.4, but nginx and others also support it.  The whole 'multiple IPs for multiple SSL sites' is long a thing of the past, which is part of why I brought it up now.
Logged

Kithop

Re: HTTPS (SSL) Support?
« Reply #4 on: November 28, 2016, 11:33:40 am »

Just bumping this as it's still an issue that really should be looked into.

https://twitter.com/ryanfeeley/status/801539237682302987

Firefox is going to start warning a lot harder about login forms on non-HTTPS sites, which include this one.

If you guys need help getting Let's Encrypt set up at the very least, using SNI + alternate names for all of the hosted sites on the same IP, please feel free to let me know.  I've got some experience with both Apache and NGINX, but they have a standalone client tool that I use under FreeBSD for now.  You can script it all up such that you temporarily shut down your main webserver, run the update script to get your SSL cert, then fire it back up again with said cert all in a few minutes.

Doesn't cost anything except time. :)
Logged

Sasha

Re: HTTPS (SSL) Support?
« Reply #5 on: February 07, 2017, 05:18:21 am »

Quote from: Kithop
> Just bumping this as it's still an issue that really should be looked into.

There's Unition to contact, active circa 2015, if he or RainRat have more than FTP access that is. http://critter.net, the webmaster up the line, who hosts an array of personal furry-related websites - they seem to have wiped their server and installed a recent Apache with FreeBSD, with Let's Encrypt active on their redcube portal - maybe they can be pushed to have certbot fetch for BCF too if asked on behalf of admins.
</cynic>
Logged
The farther one travels, the less one knows.

frysco

Re: HTTPS (SSL) Support?
« Reply #6 on: February 07, 2017, 02:32:06 pm »

This domain now has an active SSL Certificate pulled via Let's Encrypt.

I'll leave it up to the forum admins as to whether they want to change the SMF config somehow to ensure that the base URL uses https, so that all the relative paths to images come through SSL too.
Logged

Kithop

Re: HTTPS (SSL) Support?
« Reply #7 on: February 14, 2017, 11:49:53 am »

Great news, thanks!

If the images and such are retrievable via HTTPS (and I can do some testing to that effect today), then this should be something we push for, for completeness' sake. But the main one is, of course, encrypting the logon page at least so user credentials aren't sent in plaintext any more.

While many of us know better, I wouldn't be surprised if many users here share their forum account password with other sites. ;/
Logged
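
Added example, not part of the thread: one way to do the testing raised in replies #6 and #7 is to parse a page's HTML and list subresources still referenced over plain http:// (mixed content), plus any form containing a password field whose action would submit over http. The host name `forum.example`, the sample markup and the names `PageAudit` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed = []             # (tag, absolute URL) fetched without TLS
        self.cleartext_logins = []  # form actions that carry a password over http
        self._action = None         # resolved action of the form being parsed
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in SUBRESOURCE_ATTRS and a.get(SUBRESOURCE_ATTRS[tag]):
            # urljoin: relative URLs inherit the scheme of the page itself.
            url = urljoin(self.page_url, a[SUBRESOURCE_ATTRS[tag]])
            if urlparse(url).scheme == "http":
                self.mixed.append((tag, url))
        elif tag == "form":
            # A form without an action submits to the page's own URL.
            self._action = urljoin(self.page_url, a.get("action") or "")
            self._has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._has_password = self._action is not None

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password and urlparse(self._action).scheme == "http":
                self.cleartext_logins.append(self._action)
            self._action = None

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.mixed, parser.cleartext_logins

# Constructed sample: an HTTPS page whose forum base URL is still http://.
SAMPLE = """
<link rel="stylesheet" href="http://forum.example/Themes/default/style.css">
<img src="/Themes/default/images/logo.png">
<img src="http://forum.example/avatars/a.png">
<form action="http://forum.example/index.php?action=login2" method="post">
  <input type="text" name="user"><input type="password" name="passwrd">
</form>
"""
print(audit("https://forum.example/index.php", SAMPLE))
```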

Sasha

Re: HTTPS (SSL) Support?
« Reply #8 on: February 15, 2017, 04:28:08 pm »

Quote from: Kithop
> If the images and such are retrievable via HTTPS (and I can do some testing to that effect today)

I suppose if no further action is taken - for those who care - perhaps you could test HTTPS Everywhere et al. to have GET/POST requests rewritten to its respective available HTTPS version.

Quote from: Kithop
> While many of us know better, I wouldn't be surprised if many users here share their forum account password with other sites. ;/

That is of course the more notable issue here - password reuse - or this potentially vulnerable 3+ year old forum version being cracked into ;) If only a decentralised 2-factor authenticated login starts to proliferate as much as Let's Encrypt one day, and web developers could easily plug this functionality in place of their own login pages - alas, maybe it goes the way of GPG. Hmm, a GPG-powered 2-FA login. Even better.

Sasha~
Logged
The farther one travels, the less one knows.