fearedbliss Posted January 25, 2017
Hey, I just noticed that logging into the website doesn't use SSL.. This should be implemented ASAP. It's a security risk having users logging in with plain text..

Jag_Rip Posted January 30, 2017
We will look into this, thanks for bringing it up!

John Eucist Posted January 31, 2017
@fearedbliss I am coordinating with Invision to get this done. However, I'm curious about whether or not most forums have SSL logins nowadays? I have no idea.

John Eucist Posted February 1, 2017
Logins are now SSL encrypted. Let me know if there are any problems.
fearedbliss Posted March 3, 2017 Author
Hey @John Eucist, @Jag_Rip,

It's a late response on my part, but yea, all major websites/forums/communities are SSL encrypted. There is also a push now to encrypt everything by lowering the barrier to entry (making SSL certificates freely available rather than needing to pay the usual CA authorities). There are a lot of projects that even provide free SSL certificates that are already included in major browsers' root certificates (Mozilla's Let's Encrypt Initiative, which I see is what this website is using as well). That's also what I use for my website (http://xyinn.org - gets redirected to https://).

I see that the SSL lock is implemented only for the login page. It should be implemented for the forum subdomain completely, so any navigation and actions that are performed are encrypted as well. For example, if I tried to change my password, it would still happen unencrypted. One of the reasons for this is that you are still allowing people to visit the website on port 80 (unencrypted HTTP). It's fine to leave port 80 open (and expected), but you should force redirect all HTTP traffic to HTTPS. On my server, I use something similar to this in my Apache config: https://wiki.apache.org/httpd/RedirectSSL

So yea, after the redirect is there, just make sure that every single request shows the green lock. There should be no empty/red locks. With the Let's Encrypt daemon, you can easily add more subdomains and domains to your certificate on demand. So if any changes on the certificate side are needed, it should just take 1-2 minutes max.

For me to change my password safely now, I would have to manually append the https:// to the above URL, which works since the certificate was installed correctly for this sub-domain:
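The post above asks for three things: every plain-HTTP request must be redirected to HTTPS, the HTTPS side should stay HTTPS, and no page may pull a resource over http:// (that is what turns the green lock into an empty or red one). The script below is an added example, not code from the thread or from the forum software, that checks all three offline against constructed sample responses. The host names, responses and HTML are made up for the example, and the one-year HSTS threshold is an assumption of this example, not something the post specifies.

```python
"""Offline audit of an HTTP->HTTPS migration: redirect on port 80, HSTS on
port 443, and no mixed content in the served page. Added example; the host
names, responses and HTML below are constructed samples, not captures."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumed threshold for this example: one year of HSTS.
MIN_HSTS_MAX_AGE = 31536000


def check_http_redirect(status: int, headers: dict, request_host: str) -> list[str]:
    """Findings for the response a server gives to a request on port 80.
    An empty list means the port-80 vhost does what RedirectSSL describes:
    a permanent redirect to the same host over https."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 308):
        findings.append(f"expected permanent redirect (301/308), got {status}")
    location = lower.get("location")
    if location is None:
        findings.append("no Location header, page is served in the clear")
        return findings
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if target.hostname != request_host:
        findings.append(f"redirect changes host from {request_host} to {target.hostname}")
    return findings


def check_hsts(headers: dict) -> list[str]:
    """Findings for the headers of an HTTPS response. Once everything is on
    HTTPS, HSTS stops browsers from ever trying port 80 again for that host."""
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    match = re.search(r"max-age\s*=\s*(\d+)", hsts)
    if match is None:
        return [f"Strict-Transport-Security without max-age: {hsts}"]
    if int(match.group(1)) < MIN_HSTS_MAX_AGE:
        return [f"HSTS max-age {match.group(1)} is below {MIN_HSTS_MAX_AGE}"]
    return []


# Elements whose http:// URL the browser fetches or submits to as part of the
# page. <a href> is left out on purpose: a plain link is navigation, not mixed content.
MIXED_CONTENT_RE = re.compile(
    r"""<(?:script|img|link|iframe|video|audio|source|form)\b[^>]*?"""
    r"""\b(?:src|href|action)\s*=\s*["']?(http://[^"'\s>]+)""",
    re.IGNORECASE,
)


def find_mixed_content(html: str) -> list[str]:
    """Return every http:// URL that an HTTPS page would load or post to."""
    return MIXED_CONTENT_RE.findall(html)


# Constructed samples: one correct port-80 answer, one server that still
# serves the page in the clear, a correct HTTPS header set, and a page with
# two mixed-content resources.
GOOD_HTTP_RESPONSE = (301, {"Location": "https://forum.example.test/settings/password/"})
BAD_HTTP_RESPONSE = (200, {"Content-Type": "text/html; charset=utf-8"})
GOOD_HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://forum.example.test/theme.css">
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<img class="avatar" src="http://forum.example.test/avatar.png">
<a href="http://other.example.test/">a link is navigation, not mixed content</a>
<form method="post" action="https://forum.example.test/settings/password/">...</form>
</body></html>"""


def audit(host: str, http_response, https_headers: dict, html: str) -> dict:
    """Run all three checks and return the findings per category."""
    status, headers = http_response
    return {
        "redirect": check_http_redirect(status, headers, host),
        "hsts": check_hsts(https_headers),
        "mixed_content": find_mixed_content(html),
    }


if __name__ == "__main__":
    results = audit("forum.example.test", GOOD_HTTP_RESPONSE, GOOD_HTTPS_HEADERS, SAMPLE_PAGE)
    for name, findings in results.items():
        print(f"{name}: {'OK' if not findings else findings}")
```

Running it against the constructed samples passes the redirect and HSTS checks but reports the script and avatar loaded over http://, which is exactly the kind of page that would show without the green lock even after the redirect is in place.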
John Eucist Posted March 3, 2017
@fearedbliss Thanks for the info. I'll look into this.

steve454 Posted March 3, 2017
Doesn't encryption slow things down? I guess for just logging in it would be a short time.

fearedbliss Posted March 4, 2017 Author
@steve454 Computers are fast enough now that this isn't a concern.
Archived
This topic is now archived and is closed to further replies.