Please enforce https on the forum

John Kenney
Posts: 94
Joined: Sat Mar 29, 2014 2:20 pm
os: linux
Location: Sheffield, England

Please enforce https on the forum

Post by John Kenney » Tue Jun 17, 2014 11:21 pm

and secure cookies... it should just be a setting in phpBB's admin cp & maybe a little .htaccess line to be sure. There's no excuse for allowing plain text logins now. I even get redirected to http when I've tried to use https, I think it's after I post.

domob
Posts: 1124
Joined: Mon Jun 24, 2013 11:27 am

Re: Please enforce https on the forum

Post by domob » Wed Jun 18, 2014 5:46 am

Yes, that's a really annoying problem. You can "fix" it locally using a custom HTTPS Everywhere rule (which is what I did), but I agree it should be fixed on the server.
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/

biolizard89
Posts: 1997
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Please enforce https on the forum

Post by biolizard89 » Fri Jun 20, 2014 6:52 am

John Kenney wrote: and secure cookies... it should just be a setting in phpBB's admin cp & maybe a little .htaccess line to be sure. There's no excuse for allowing plain text logins now. I even get redirected to http when I've tried to use https, I think it's after I post.
Agreed, this needs to be fixed. (HTTPS Everywhere is what I'm using at the moment as a workaround.)
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

renne
Posts: 80
Joined: Fri May 30, 2014 7:09 pm
os: linux

Re: Please enforce https on the forum

Post by renne » Fri Jun 20, 2014 10:45 am

Simple solution for Lighttpd.

biolizard89
Posts: 1997
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Please enforce https on the forum

Post by biolizard89 » Fri Jun 20, 2014 11:12 am

renne wrote: Simple solution for Lighttpd.
My understanding is that HSTS will be enabled on the Namecoin websites in the next couple months. (This is subject to revision if Ryan encounters problems.)

renne
Posts: 80
Joined: Fri May 30, 2014 7:09 pm
os: linux

Re: Please enforce https on the forum

Post by renne » Fri Jun 20, 2014 12:04 pm

It's just a standardized header telling the browsers to switch to HTTPS. As long as your servers can handle the additional SSL-CPU-load, there shouldn't be any problem. I use it with Apache myself. You will also get better rating at SSL Server Test.

biolizard89
Posts: 1997
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Please enforce https on the forum

Post by biolizard89 » Fri Jun 20, 2014 12:46 pm

renne wrote: It's just a standardized header telling the browsers to switch to HTTPS. As long as your servers can handle the additional SSL-CPU-load, there shouldn't be any problem. I use it with Apache myself. You will also get better rating at SSL Server Test.
Yes, problem is that if it messes up, the website goes down for as long as the HSTS duration is. So it has to be tested for a little while first. In theory it shouldn't cause issues though.

ryanc
Posts: 147
Joined: Wed Dec 18, 2013 8:10 pm
os: linux

Re: Please enforce https on the forum

Post by ryanc » Sun Jun 22, 2014 5:10 pm

I've enabled secure cookies, set up http -> https redirects and enabled HSTS with a one hour lifetime.
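
An added example, not part of ryanc's post and not the forum's actual configuration: a small Python audit of the three changes listed above (http -> https redirect, HSTS header, Secure flag on cookies), run offline against constructed response headers. The host name, cookie names and dictionary layout are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().lower().partition("=")
        name, arg = name.strip(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def insecure_cookies(set_cookie_headers):
    """Names of cookies whose Set-Cookie line lacks the Secure attribute."""
    missing = []
    for line in set_cookie_headers:
        pair, *attrs = line.split(";")
        if "secure" not in {a.strip().lower() for a in attrs}:
            missing.append(pair.split("=", 1)[0].strip())
    return missing

def audit(http_resp, https_resp):
    """Return a list of findings for one plain-HTTP and one HTTPS response."""
    findings = []
    loc = http_resp.get("Location", "")
    if http_resp.get("status") not in (301, 302, 307, 308) or urlsplit(loc).scheme != "https":
        findings.append("http request is not redirected to https")
    hsts = https_resp.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no HSTS header on https response")
    elif not parse_hsts(hsts)["max_age"]:
        findings.append("HSTS max-age missing or zero")
    for name in insecure_cookies(https_resp.get("Set-Cookie", [])):
        findings.append(f"cookie {name} lacks Secure")
    return findings

# Constructed sample responses (hypothetical host and cookie names, not captured traffic).
HTTP_RESP = {"status": 301, "Location": "https://forum.example/viewtopic.php?t=1"}
HTTPS_RESP = {
    "status": 200,
    "Strict-Transport-Security": "max-age=3600",  # one hour, as in the post
    "Set-Cookie": ["phpbb3_x_sid=abc123; path=/; HttpOnly",
                   "phpbb3_x_u=1; path=/; secure; HttpOnly"],
}

if __name__ == "__main__":
    print(audit(HTTP_RESP, HTTPS_RESP))
```

The parsed `max_age` is how long a browser keeps forcing HTTPS after its last visit, so a short value such as 3600 limits how long a broken TLS setup can lock visitors out during testing.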

biolizard89
Posts: 1997
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Please enforce https on the forum

Post by biolizard89 » Mon Jun 23, 2014 1:08 am

ryanc wrote: I've enabled secure cookies, set up http -> https redirects and enabled HSTS with a one hour lifetime.
Thanks Ryan.

John Kenney
Posts: 94
Joined: Sat Mar 29, 2014 2:20 pm
os: linux
Location: Sheffield, England

Re: Please enforce https on the forum

Post by John Kenney » Mon Jun 23, 2014 2:40 am

Thanks for that, seems to be working ok now.
