With the recent opening of the Public Beta of the 'Let's Encrypt' initiative (https://letsencrypt.org/), and with almost every web server & browser now supporting the Server Name Indication (https://en.wikipedia.org/wiki/Server_Name_Indication) standard for multiple HTTPS sites on the same IP, we should be able to migrate the forums (particularly the user creation & logon forms) to HTTPS for the low low price of 'free'. ;)
Not that someone sniffing your BC Furries password on Starbucks' or Timmies' WiFi is the end of the world, but we've got pretty much no excuse at this point, I feel. I'm even down to help with the transition if needed, just let me know.
Put it on the list, we've been waiting nearly two years since the site's crash to have even basic plugins like what we had before.
Sasha~
: Kithop December 06, 2015, 08:00:16 -07:00
With the recent opening of the Public Beta of the 'Let's Encrypt' initiative (https://letsencrypt.org/), and with almost every web server & browser now supporting the Server Name Indication (https://en.wikipedia.org/wiki/Server_Name_Indication) standard for multiple HTTPS sites on the same IP, we should be able to migrate the forums (particularly the user creation & logon forms) to HTTPS for the low low price of 'free'. ;)
It wouldn't be "free" because there'd be an underlying charge to get another public IP address for the server to tie the domain to, as - last time I looked - you couldn't run multiple SSL virtual hosts off a single IP address.
And while it'd be easy to get, and cost around C$1.50/month, Rain Rat would have to say if he wanted to pay that or not.
Second link: Server Name Indication (https://en.wikipedia.org/wiki/Server_Name_Indication), aka 'many SSL sites on one IP'. ;)
I run all my sites on HTTPS where possible (or at least have the option to), all on one static IP and a bog-standard install of Apache 2.4, but nginx and others also support it. The whole 'multiple IPs for multiple SSL sites' is long a thing of the past, which is part of why I brought it up now.
Just bumping this as it's still an issue that really should be looked into.
https://twitter.com/ryanfeeley/status/801539237682302987 (https://twitter.com/ryanfeeley/status/801539237682302987)
Firefox is going to start warning a lot harder about login forms on non-HTTPS sites, which include this one.
If you guys need help getting Let's Encrypt (https://letsencrypt.org/) set up at the very least, using SNI + alternate names for all of the hosted sites on the same IP, please feel free to let me know. I've got some experience with both Apache and NGINX, but they have a standalone client tool that I use under FreeBSD for now. You can script it all up such that you temporarily shut down your main webserver, run the update script to get your SSL cert, then fire it back up again with said cert all in a few minutes.
Doesn't cost anything except time. :)
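The "stop the web server, fetch the cert with the standalone client, start it again" procedure from the post above, written out as an added example (this is not Kithop's script and not part of the thread). The one thing worth getting right when scripting it is the failure mode: if the certificate fetch fails, the web server must still come back up, so the stop/start is wrapped in a context manager with a `finally`. The service commands (`service apache24 stop/start`) and the certbot flags are assumptions about the host; `certbot certonly --standalone` takes one `-d` per hostname, which is how a single certificate ends up covering all the SNI names on the same IP.

```python
"""Scripted standalone certificate fetch with guaranteed web server restart.

Added example, not the thread's own code. Assumptions (placeholders):
  - the web server is controlled with FreeBSD-style `service apache24 stop|start`
  - certbot is on PATH and is run with --standalone, so port 80 must be free
"""
import contextlib
import subprocess
from typing import Callable, Iterator, List, Optional, Sequence

# Assumed service-manager commands; change to match the real host.
STOP_WEBSERVER = ["service", "apache24", "stop"]
START_WEBSERVER = ["service", "apache24", "start"]


def certbot_command(domains: Sequence[str], email: str, staging: bool = False) -> List[str]:
    """Build the certbot argv for ONE certificate covering all given names.

    The first name is the subject, the rest become Subject Alternative Names,
    so every SNI virtual host on the IP can share the one certificate.
    """
    if not domains:
        raise ValueError("at least one domain is required")
    cmd = ["certbot", "certonly", "--standalone", "--non-interactive",
           "--agree-tos", "-m", email]
    if staging:
        cmd.append("--staging")  # Let's Encrypt test endpoint: no rate limits while debugging
    for name in domains:
        cmd += ["-d", name]
    return cmd


@contextlib.contextmanager
def webserver_stopped(stop: Callable[[], None], start: Callable[[], None]) -> Iterator[None]:
    """Stop the web server for the body and ALWAYS start it again, even on error."""
    stop()
    try:
        yield
    finally:
        start()


def run(argv: Sequence[str]) -> None:
    """Default runner: execute the command and raise if it fails."""
    subprocess.run(list(argv), check=True)


def fetch_certificate(domains: Sequence[str], email: str,
                      runner: Callable[[Sequence[str]], None] = run,
                      staging: bool = False) -> List[str]:
    """Stop the server, run certbot standalone, restart; returns the certbot argv used."""
    cmd = certbot_command(domains, email, staging)
    with webserver_stopped(lambda: runner(STOP_WEBSERVER),
                           lambda: runner(START_WEBSERVER)):
        runner(cmd)  # if this raises, the finally above still restarts the server
    return cmd


if __name__ == "__main__":
    # Hypothetical names; run against --staging first.
    fetch_certificate(["forums.example.org", "www.example.org"],
                      "admin@example.org", staging=True)
```

Downtime is only the few seconds certbot needs on port 80; on renewal you can keep the same script, since `certonly` reissues when the existing certificate is close to expiry.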
: Kithop November 28, 2016, 11:33:40 -07:00
Just bumping this as it's still an issue that really should be looked into.
There's Unition to contact, active circa 2015, if he or RainRat have more than FTP access that is. http://critter.net, the webmaster up the line, who hosts an array of personal furry-related websites - they seem to have wiped their server and installed a recent Apache with FreeBSD, with Letsencrypt active on their redcube portal - maybe they can be pushed to have certbot fetch for BCF too if asked on behalf of admins.
</cynic>
This domain now has an active SSL Certificate pulled via LetsEncrypt.
I'll leave it up to the forum admins as to whether they want to change the SMF config somehow to ensure that the base URL uses https, so that all the relative paths to images come through SSL too.
Great news, thanks!
If the images and such are retrievable via HTTPS (and I can do some testing to that effect today), then this should be something we push for, for completeness' sake. But the main one is, of course, encrypting the logon page at least so user credentials aren't sent in plaintext any more.
While many of us know better, I wouldn't be surprised if many users here share their forum account password with other sites. ;/
: Kithop February 14, 2017, 11:49:53 -07:00
If the images and such are retrievable via HTTPS (and I can do some testing to that effect today)
I suppose if no further action is taken - for those who care - perhaps you could test HTTPS Everywhere (https://www.eff.org/Https-everywhere) et al. to have GET/POST requests rewritten to their respective available HTTPS version.
: Kithop February 14, 2017, 11:49:53 -07:00
While many of us know better, I wouldn't be surprised if many users here share their forum account password with other sites. ;/
That is of course the more notable issue here - password reuse - or this potentially vulnerable 3+ year old forum version being cracked into ;) If only a decentralised 2-factor authenticated login starts to proliferate as much as Let's Encrypt one day, and web developers could easily plug this functionality in place of their own login pages - alas, maybe it goes the way of GPG. Hmm, a GPG-powered 2-FA login. Even better.
Sasha~
Hi guys. Necroing an old thread to note that while HTTPS support is enabled, there are still references to plain HTTP that need fixing (plus, we really need to start redirecting all HTTP traffic to HTTPS).
Looks like the culprit is the BCFurries header logo up top, which does load if I manually ask for it via HTTPS instead.
You can probably just replace the http:// with // (if the software supports it), because then the browser will use whatever the main page was accessed with. This also works with other resources, such as scripts.
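The mixed-content problem in the last few posts (an HTTPS page still pulling its header logo over plain http://) and the suggested fix (rewrite `http://` to scheme-relative `//`) as an added example; this is not code from the thread or from SMF. It scans a page for sub-resource attributes still pointing at `http://` and rewrites them. The one caveat the rewrite handles is that `//` only works for hosts that actually answer on HTTPS, so by default it rewrites only URLs on your own host and leaves third-party `http://` references for manual review. The sample HTML and the theme paths in it are constructed for the example, not the forum's real paths.

```python
"""Find mixed content on an HTTPS page and make same-host resources scheme-relative.

Added example, not the thread's or SMF's code. Sample page below is constructed.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Attributes that make the browser fetch a sub-resource or submit a form.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "source": ("src",), "form": ("action",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every resource still fetched over http://."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr in RESOURCE_ATTRS.get(tag, ()) and value and value.lower().startswith("http://"):
                self.findings.append((tag, attr, value))


def find_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Matches src/href/action attributes whose value starts with http://, capturing the host.
_HTTP_ATTR = re.compile(r'((?:src|href|action)\s*=\s*["\'])http://([^"\'/\s]+)', re.IGNORECASE)


def make_protocol_relative(html: str, only_host: Optional[str] = None) -> str:
    """Rewrite http://host/... to //host/... in resource attributes.

    With only_host set, URLs on other hosts are left untouched: a scheme-relative
    URL to a host that has no HTTPS would simply break when the page is loaded over HTTPS.
    """
    def repl(m: "re.Match[str]") -> str:
        prefix, host = m.group(1), m.group(2)
        if only_host is not None and host.lower() != only_host.lower():
            return m.group(0)
        return f"{prefix}//{host}"
    return _HTTP_ATTR.sub(repl, html)


# Constructed sample: an HTTPS-served page whose theme assets still use http://.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://forums.example.org/Themes/default/css/index.css">
<script src="https://forums.example.org/Themes/default/scripts/script.js"></script>
</head><body>
<img src="http://forums.example.org/Themes/default/images/logo.png" alt="header logo">
<img src="http://cdn.example.net/badge.png" alt="third-party image">
<form action="http://forums.example.org/index.php?action=login2" method="post"></form>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}={url}>")
    fixed = make_protocol_relative(SAMPLE_PAGE, only_host="forums.example.org")
    print("left for review:", find_mixed_content(fixed))
```

The form `action` is the case that matters most here: a login form posting to `http://` sends the credentials in the clear even when the page itself was loaded over HTTPS, which is exactly the mixed-content case browsers have started warning about.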