SSL Encrypted Connections

Allan
Posts: 933
Joined: 30 Aug 2003 20:44
Location: Victoria BC

SSL Encrypted Connections

Post by Allan » 11 Jan 2015 19:21

This is basically just a heads up that I've implemented HTTPS encrypted SSL/TLS connections to the forum. This means that, when you're connected to the forum and you see the little lock beside the domain name, like so:

Image

All communications between your browser and the server are encrypted.

I know that it's a serious problem that I'm solving here ;) It was partially an academic exercise for me and I also sincerely believe that most communications over the interwebs should be encrypted by default. With the NSA/GCHQ collecting information on everything we do online, it makes sense to me to take some steps to make it just a little bit more difficult for them.

At the moment, but only for a little while longer, this is purely an optional thing. If you simply type "modified.in" into your browser (without the /footbag/), you'll automatically be redirected to the HTTPS URL and anywhere you go on the forums from there on out will be thusly encrypted. You can also manually add the 'S' to any forum URL. At some point in the not-so-distant future I'll be setting it so that all non-secure URLs will redirect to their secure versions. I'm still investigating how to do this most effectively, and I'm really not in any hurry.

Note that in some browsers (such as Firefox) video embedding will "break" until you choose to "allow insecure content" like so:

Image

Does anyone have any questions about this?

Asmus
Ass Moose
Posts: 3773
Joined: 13 Jun 2004 08:18
Location: Copenhagen

Re: SSL Encrypted Connections

Post by Asmus » 11 Jan 2015 23:44

Great job!

Does this mean that youtube embedding with https://www.youtube is now working?

Allan
Posts: 933
Joined: 30 Aug 2003 20:44
Location: Victoria BC

Re: SSL Encrypted Connections

Post by Allan » 12 Jan 2015 09:31

Two things:
1) Embedding httpS youtube links has worked properly for a number of months now :) You can paste almost any YouTube link in and it should work...
2) You'll still see the "insecure content" content message as noted above, even if the embed is httpS. Honestly, I'm not entirely sure why this is the case. I'm planning on looking into how this might be avoided.

janis
Post Master General
Posts: 2707
Joined: 29 Dec 2005 18:46
Location: Australia

Re: SSL Encrypted Connections

Post by janis » 12 Jan 2015 15:40

So I was having a look around with firebug and I see that some of the content such as the images for the logo and stuff are being served over http. This mixed content is what is causing the browser security measure to be triggered. Are you considering a forced redirect for all clients to SSL?

By having both the http along with https you cause a situation where man in the middle attacks are possible because people can spoof the certificate for the site. As far as I understand this makes it such that if the request originates over http first if you don't force the redirect and that allows someone to spoof the SSL connection that then gets set up. Now it might be that because of the lack of shared credentials/certificate I'm not able to verify that the connection is secure from my end to the modified servers anyway but this would be a problem even if that was set up. The issue with the mixed content is that at the moment it is currently not possible for me to reject the connection outright because I'm not able to tell if the http connection is legitimate or not as I know that some of the content is being served over http right now even if I want to connect over https.

disclaimer: I'm not a security expert.

Allan
Posts: 933
Joined: 30 Aug 2003 20:44
Location: Victoria BC

Re: SSL Encrypted Connections

Post by Allan » 12 Jan 2015 16:07

janis wrote: So I was having a look around with firebug and I see that some of the content such as the images for the logo and stuff are being served over http. This mixed content is what is causing the browser security measure to be triggered.
Indeed. In most places I'm serving things like stylesheets via relative URLs, so it's not too much of a problem (there is no logo image BTW; it's just CSS), but in user posts where images are being used, this will continue to be a bit of an issue unless I manually write a script to comb through the database and rewrite those URLs (ugh). At this point it's primarily video embeds and externally hosted images that are causing the warnings, but I plan on going through with a fine-tooth comb and figuring out where other issues are. You should really only be seeing warnings on post/thread pages. Are you seeing warnings on the home page or forum index pages?
janis wrote: Are you considering a forced redirect for all clients to SSL?
I will more than likely force it, yes. But not until I've got the issues cleaned up so people see the warnings as little as possible. I'm not in a big hurry to do this, but it will happen eventually. At this point I just got it enabled and am looking for exactly this sort of feedback to work out any issues I might have missed and answer any questions folks have before I force things.

I've dealt with quite a few commerce sites before and have a fair amount of experience with this stuff, so unless I'm missing anything huge I should be able to get things mostly right...

EDIT: Where I'm inexperienced is with the fact that the certificate I'm using is a free one from StartSSL and it uses an intermediary cert to accomplish the "free" part. Firefox seems to not like this very much, so I still need to do some experimenting and see what I can do to remedy this. Perhaps it's unsolvable using the free option; I'm not too keen on ponying up any cash for a "real" cert. I'm hoping it'll just be a configuration thing, but, yeah ... for now.
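Allan mentions writing a script to comb through stored posts and rewrite image URLs. The following is an added example, not the forum's own code, of how such a pass can first list the http:// subresources that trigger the mixed-content warning and then upgrade only those on hosts known to serve the same content over https; the host list and the sample post HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag/attribute pairs that fetch a subresource. An http:// value in any of
# them on an https page is mixed content and triggers the browser warning.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "iframe": ("src",), "script": ("src",), "link": ("href",),
    "source": ("src",), "embed": ("src",), "object": ("data",),
}

# Hosts assumed (constructed list) to serve identical content over https.
UPGRADEABLE_HOSTS = {"www.youtube.com", "youtube.com", "i.imgur.com"}

class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every http:// subresource in a post."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in SUBRESOURCE_ATTRS.get(tag, ()):
                if urlsplit(value.strip()).scheme == "http":
                    self.findings.append((tag, name, value))

def find_mixed_content(post_html):
    parser = MixedContentFinder()
    parser.feed(post_html)
    return parser.findings

_URL_ATTR = re.compile(r'((?:src|href|data)=["\'])(http://[^"\']+)(["\'])', re.IGNORECASE)

def upgrade_urls(post_html, hosts=UPGRADEABLE_HOSTS):
    """Rewrite http:// subresource URLs to https:// for hosts in `hosts` only.
    Blindly upgrading every URL would turn a warning into a broken image on
    hosts that do not answer on 443, so unknown hosts are left for review."""
    def swap(match):
        prefix, url, suffix = match.groups()
        parts = urlsplit(url)
        if parts.hostname in hosts:
            url = urlunsplit(("https",) + tuple(parts[1:]))
        return prefix + url + suffix
    return _URL_ATTR.sub(swap, post_html)

# Constructed sample of a stored post: three insecure embeds and one secure one.
SAMPLE_POST = (
    '<p>my run</p><img src="http://i.imgur.com/abc.jpg">'
    '<iframe src="http://www.youtube.com/embed/xyz"></iframe>'
    '<img src="http://oldhost.example/pic.png">'
    '<img src="https://i.imgur.com/ok.jpg">'
)
```

Running `find_mixed_content` again on the output of `upgrade_urls` leaves only the unknown host, which is the list to review by hand before forcing the redirect.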

Allan
Posts: 933
Joined: 30 Aug 2003 20:44
Location: Victoria BC

Re: SSL Encrypted Connections

Post by Allan » 15 Jan 2015 09:03

I think I have this mostly fixed for video embeds now where videos should no longer trigger the insecure content warning. I've also updated the image host to spit out image links that are secure, so newly embedded photos won't trigger the warnings either. I still need to write a script to go through the most recent posts and update image URLs to be httpS so they don't trigger warnings either ...

Allan
Posts: 933
Joined: 30 Aug 2003 20:44
Location: Victoria BC

Re: SSL Encrypted Connections

Post by Allan » 17 Jan 2015 20:44

I've made a bit more progress on this. Both the Badges page and Ianek's new moves list are now secure. This took a bit of doing, given how I had developed these pages, but a few quick scripts later and things are not only supporting SSL now, but the pages should actually load a bit faster :)

There are still some outstanding issues that I need to deal with, but, yeah, progress.

Allan
Posts: 933
Joined: 30 Aug 2003 20:44
Location: Victoria BC

Re: SSL Encrypted Connections

Post by Allan » 05 Sep 2015 12:32

I just flipped a switch that will now redirect any non-secure http:// connections into httpS://.

If anyone sees any weird issues, do let me know. There shouldn't be problems with it.
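The switch Allan flipped in this post, as an added example that is not the forum's own code: a small WSGI front that sends every plain-http request to the same URL over https. It assumes a Python application behind it, that the only hostname to redirect to is modified.in, and that any X-Forwarded-Proto header comes from a trusted TLS-terminating proxy.

```python
from urllib.parse import quote

# Hostnames this site answers for. The Location header is built only from
# these so a forged Host header cannot turn the redirect into an open redirect.
# "modified.in" is the forum's domain; treating it as the only entry is an assumption.
ALLOWED_HOSTS = {"modified.in"}
CANONICAL_HOST = "modified.in"
HSTS = ("Strict-Transport-Security", "max-age=31536000")

def request_is_https(environ):
    """True if the request arrived over TLS, directly or via a TLS-terminating
    reverse proxy that sets X-Forwarded-Proto (assumed to be trusted)."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    return forwarded.split(",")[0].strip().lower() == "https"

def https_redirect(environ):
    """Return (status, headers) sending the client to the https version of the
    same URL, or None when the request is already secure and should be served."""
    if request_is_https(environ):
        return None
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    location = "https://" + host + path + ("?" + query if query else "")
    # 301 lets browsers turn a POST into a GET and drop the body; 308 keeps the
    # method, so a form posted over http is replayed intact over https.
    method = environ.get("REQUEST_METHOD", "GET").upper()
    status = "301 Moved Permanently" if method in ("GET", "HEAD") else "308 Permanent Redirect"
    return status, [("Location", location), ("Content-Length", "0")]

def app(environ, start_response):
    """Minimal WSGI front: redirect plain http, otherwise serve (stub body)."""
    redirect = https_redirect(environ)
    if redirect is not None:
        start_response(*redirect)
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain"), HSTS])
    return [b"forum page served over https\n"]
```

The redirect cannot protect the very first plain-http request, which is the gap janis pointed at earlier in the thread; the Strict-Transport-Security header on https responses tells returning browsers to skip that request and go straight to https.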
