fearedbliss Posted January 25, 2017
Hey, I just noticed that logging into the website doesn't use SSL. This should be implemented ASAP. It's a security risk having users logging in with plain text.
Jag_Rip Posted January 30, 2017
We will look into this, thanks for bringing it up!
John Eucist Posted January 31, 2017
@fearedbliss I am coordinating with Invision to get this done. However, I'm curious about whether or not most forums have SSL logins nowadays? I have no idea.
John Eucist Posted February 1, 2017
Logins are now SSL encrypted. Let me know if there are any problems.
fearedbliss Posted March 3, 2017 (Author)
Hey @John Eucist, @Jag_Rip,

It's a late response on my part, but yea, all major websites/forums/communities are SSL encrypted. There is also a push now to encrypt everything by lowering the barrier to entry (making SSL certificates freely available rather than needing to pay the usual CA authorities). There are a lot of projects that even provide free SSL certificates that are already included in major browsers' root certificates (Mozilla's Let's Encrypt initiative, which I see is what this website is using as well). That's also what I use for my website (http://xyinn.org gets redirected to https://).

I see that the SSL lock is implemented only for the login page. It should be implemented for the forum subdomain completely, so any navigation and actions that are performed are encrypted as well. For example, if I tried to change my password, it would still happen unencrypted. One of the reasons for this is that you are still allowing people to visit the website on port 80 (unencrypted HTTP). It's fine to leave port 80 open (and expected), but you should force redirect all HTTP traffic to HTTPS. On my server, I use something similar to this in my Apache config: https://wiki.apache.org/httpd/RedirectSSL

So yea, after the redirect is there, just make sure that every single request shows the green lock. There should be no empty/red locks. With the Let's Encrypt daemon, you can easily add more subdomains and domains to your certificate on demand, so if any changes on the certificate side are needed, it should just take 1-2 minutes max.

For me to change my password safely now, I would have to manually append the https:// to the above URL, which works since the certificate was installed correctly for this sub-domain:
John Eucist Posted March 3, 2017
@fearedbliss Thanks for the info. I'll look into this.
steve454 Posted March 3, 2017
Doesn't encryption slow things down? I guess for just logging in it would be a short time.
fearedbliss Posted March 4, 2017 (Author)
@steve454 Computers are fast enough now that this isn't a concern.