Forum Security (SSL)
17-08-2014, 11:10 PM
Post: #1
Forum Security (SSL)
I just wondered why the forum does not run on SSL and are there any plans to rectify this?

It makes accessing the forum from public hotspots extremely risky as anyone could steal my session quite easily. Not generally a problem, but obviously right now I am relying on a public hot spot so it's kinda worrying.

17-08-2014, 11:20 PM
Post: #2
RE: Forum Security (SSL)
You can use https if you wish when browsing the forum. This is the same for quite a few, and on checking Sheffield forum they are exactly the same.

Mirdragon
Forum Moderator

ISP: BT|Modem:HG612 (Modded)|Router: Smoothwall|Sync: 68Mbit/18Mbit
Network: HP Procurve|4 x TP-Link AP
Mobile: Nexus 4+6|Tab 3 8"|Asus VivoTab+Transformer TF101
Media Services: SkyHD|Xbox One|ChromeBox (OpenElec)|Samsung BDH6500|Youview|Netflix
18-08-2014, 11:00 AM (This post was last modified: 18-08-2014 11:02 AM by Chalky.)
Post: #3
RE: Forum Security (SSL)
We don't have an SSL Certificate mainly because of the financial implications as well as it never being considered necessary. This forum is run for the community by volunteers with zero funds, the domain name comes out of my pocket (previously @SpencerUk's) and the server that it resides on also comes out of mine and @mattyatty1's pockets. To then spend another £50+ a year for an SSL Certificate is unfeasible and to be frank an unreasonable expectation.

In order to fund doing such a thing, we'd have to consider plastering the forum with Ads which is something I don't really want to do.

There's also the time that would need to be spent to make sure everything works on HTTPS.

It would also mean having to enforce having no images in Signatures (bye bye ThinkBroadband Signatures), not allowing embedding of remote images (the [IMG] tags) and removing remotely hosted signatures because all of these would be on HTTP and would make IE in particular cry because some parts of the page will be delivered by HTTPS and other parts by HTTP.

This is why other sites, such as Sheffield Forum, do not allow the above.

ISP: Plusnet | Router: Mikrotik 2011UAS-2HnD-IN | Sync: 50Mbit/15Mbit | PCP: 600m | Exchange: Mosborough
Server: HP Microserver, Aspire V5-171
PC: MacBook Pro, ThinkPad X220
OD: Plex, Chromecast, Roku 2 XS, NowTV, YouView, PS4
Mobile: iPad, LG G3, Nexus 5


18-08-2014, 02:06 PM
Post: #4
RE: Forum Security (SSL)
Chalky,

SSL is not expensive in the slightest.

A Class 1 certificate is available completely free of charge and will work perfectly in near all browsers. Valid for one year, but easily renewed... for free.

startssl.com

If you want any help with this, I use them extensively.
18-08-2014, 02:22 PM
Post: #5
RE: Forum Security (SSL)
Appreciate the link but as I've said, it would also mean removing external images in signatures and all posts that currently have external images will upset some web browsers.

18-08-2014, 02:34 PM (This post was last modified: 18-08-2014 02:36 PM by Chalky.)
Post: #6
RE: Forum Security (SSL)
The other issue is that MyBB, which this forum runs on, does not use relative links properly, so even when you do load the https:// version and accept the certificate error, none of the CSS works properly.


18-08-2014, 02:38 PM (This post was last modified: 18-08-2014 03:16 PM by alexatkin.)
Post: #7
RE: Forum Security (SSL)
Loading images from remote insecure servers should work fine, plenty of sites do that as standard. When reading up on this all the documentation says it's not generally recommended because it can make your site appear insecure as the browser will show there are insecure elements on the page, but otherwise it works as normal. That is far better than actually BEING insecure.

The only time you hit problems is trying to pull a remote iframe, it's blocked for security reasons.

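Added example, not part of any post in this thread and not MyBB code: a Python check that lists the plain-HTTP subresources a page would pull in once it is served over HTTPS. It separates passive loads (the remote images discussed in posts #3 and #7) from active loads (stylesheets, scripts and iframes, as in the broken CSS of post #6). The sample markup and the `.example` hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Usual browser split: passive loads (media) are displayed with a warning,
# active loads (script, CSS, frames) are blocked on an HTTPS page.
RULES = {
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"),  # stylesheets only, checked below
}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in RULES:
            return  # e.g. <a href> is navigation, not a subresource
        attr, severity = RULES[tag]
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return  # only stylesheet links load a subresource
        # Relative and scheme-relative (//host/x) references inherit https.
        url = urljoin(self.page_url, a.get(attr) or "")
        if a.get(attr) and urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; hostnames are placeholders, not the forum's markup.
SAMPLE = """
<link rel="stylesheet" href="http://forum.example/cache/themes/global.css">
<link rel="stylesheet" href="/cache/themes/local.css">
<script src="//cdn.example/jquery.js"></script>
<img src="http://sig.example/speedtest/1234.png">
<iframe src="http://video.example/embed/1"></iframe>
<a href="http://other.example/">external link</a>
"""

if __name__ == "__main__":
    for finding in audit("https://forum.example/showthread.php?tid=1", SAMPLE):
        print(*finding)
```

Hard-coded `http://` stylesheet URLs show up as active findings, while relative and scheme-relative references pass because they follow the page's scheme.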
18-08-2014, 10:05 PM
Post: #8
RE: Forum Security (SSL)
Not to sound funny here but myself, @Chalky & @Mattyatty1 have placed substantial monies into the running of this forum since it's been running, so buying a certificate in my eyes is a waste of money considering it's a forum; a community discussion board. Now as you say, we could put a free one in, but to test it to make sure it works with the forum, the potential image and attachments issue (and we now have a fair load of attachments!)... It's just too time consuming, especially given that the future of the forum post Digital Region is still not really confirmed or discussed as a community group... not to mention staff and members busy helping out disconnected users.

Whilst some of the newer users will only remember this forum in this current layout (MyBB Forum system), we did previously use Vanilla forum on my Shared hosting and then VPS and on a subdomain from my blog site. From there it evolved to its own domain and I migrated the users and the content over at cost (as I couldn't work out how to do it myself) and never really recouped any cash... Chalky then since took on the mantle as I considered letting the forum go.

If you're that bothered about privacy, use Tor or something...hell ditch your smartphone and go pigeon mail!

Regards
Spencer Davies
Administrator
19-08-2014, 08:56 AM
Post: #9
RE: Forum Security (SSL)
Agreed. There just isn't a risk and it isn't the accepted thing to do on forums at all. MoneySavingExpert is unencrypted and I'm yet to see a busier board than that.
19-08-2014, 12:06 PM
Post: #10
RE: Forum Security (SSL)
How long has this forum been running without SSL and only now decides to query it. If it was that bad would have said something at the beginning.

Mirdragon
Forum Moderator
