AnimeSuki Forums
Old 2015-12-18, 07:46   Link #1
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Let's make this forum HTTPS friendly

The usage of HTTPS (secure communication over the internet) is spreading. It is no longer something that is used only on banking or ecommerce sites. When you access Google, you see a green padlock in the address bar. The same with sites like Facebook.com, Reddit.com and Wordpress.org. Services like CloudFlare and Let's Encrypt make it (relatively) easy and free for webmasters to use SSL on their site(s).

For a while now the AnimeSuki Forum too has been accessible over HTTPS:
https://forums.animesuki.com/

Update 06-12-2016: The forum can as of now only be accessed through HTTPS. All HTTP requests are being redirected to the HTTPS site. HSTS has been enabled meaning your browser will also automatically use HTTPS from now on.

However, not many people are using it yet (including myself, I have to admit), as you have to choose to use it (though for the admin & moderator only sections of the forum, use of HTTPS is enforced). But there may be a time in the not too far future where I want to make HTTPS the default (or otherwise encourage its use).


So that leads me to the points I want to make:


Keep your browser up-to-date

If you are using a reasonably modern OS (Windows 7+ or equivalent) and browser (at most 1-2 versions behind current stable versions), you should not have any problems. Please continue to keep your browser up-to-date, thanks.

However if your setup is older and for example you still use Internet Explorer on Windows XP, now is the time to upgrade. There will be no more security updates for XP and the latest version of IE on XP is quite old. I'd highly recommend you upgrade to a newer version of Windows as soon as possible.

If for some reason you can't upgrade your OS, please at least use an alternative browser like Chrome or Firefox.

For the time being only images are served through the CDN. If you don't have a browser that supports SNI the forum will look a bit weird (with images not loading). However I soon want to enable the CDN for all static files including Javascript and CSS. From that moment on the forum will effectively stop working if you have a browser that is too old.


If possible do not hotlink images to sites that do not support HTTPS

This one is a bit hard to enforce, so we probably won't but anyway.

If you load images from HTTP sites on an HTTPS page your browser may show an "Insecure Content" warning. In current versions of Firefox you'll see a warning sign in the padlock:



On other browsers the padlock will disappear; on others (depending on security settings) images may not load at all.

How do you know a site supports HTTPS? Take an image hosted on that site and paste it in a new tab in your browser then edit the URL and change "http" into "https" and hit enter. If the image loads without error and you see a padlock in the address bar, it works. If the site doesn't load or shows an ugly certificate error, it doesn't work obviously.

To give you an easy answer: for hotlinking images please use https://imgur.com/ from now on, thanks.

In particular tinypic.com and imageshack.com at this time are not known to support HTTPS. Please do not hotlink to images on these services.

If you are currently hotlinking to images on sites or services that don't support HTTPS, please request the site owners to enable HTTPS, thanks.

Also do not forget to check your signature as well. You can upload a signature to the forum, external image hosting sites are not required if you only want to use one image in your signature.

Now you might ask: Do I need to use HTTPS in image links? The answer is no. I've written a small plugin that automatically rewrites all image links to the sites that support HTTPS. Of course linking straight to the HTTPS URL when making a post is certainly possible, but you don't have to change the URL yourself, it is done automatically for you.

The plugin currently supports the following domains -- you may use this list as reference guide for which sites & services you can (not necessarily should) hotlink to:

- forums.animesuki.com
- *.imgur.com
- *.photobucket.com
- *.minus.com
- *.puu.sh
- *.postimg.org (but oddly not postimage.org)
- *.fastpic.ru
- *.wordpress.com
- *.cdninstagram.com
- *.twimg.com
- *.tumblr.com
- *.dropbox.com
- *.dropboxusercontent.com
- *.ebayimg.com
- *.blogspot.com

If you know another domain that is being used for hotlinking images and that supports HTTPS, please let me know.


Edit: Hmm, PhotoBucket does seem to support HTTPS and ImageShack does not (redirect to HTTP = no good), so post edited and plugin updated. Wordpress.com, Fastpic.ru, Twimg.com (Twitter), Tumblr.com also added.

Last edited by GHDpro; 2016-12-06 at 07:28.
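Added example (not the forum's actual plugin, whose code is not in the thread): a display-time rewrite of [img] URLs to https:// for the domains listed above. It assumes "*.example.com" means the bare domain plus any subdomain, and matches on the parsed hostname so that lookalike hosts or a userinfo trick (http://imgur.com@other.example/...) are not upgraded.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Domain list from the post. Assumption: "*.x" matches x and any subdomain of x.
HTTPS_CAPABLE = [
    "forums.animesuki.com", "*.imgur.com", "*.photobucket.com", "*.minus.com",
    "*.puu.sh", "*.postimg.org", "*.fastpic.ru", "*.wordpress.com",
    "*.cdninstagram.com", "*.twimg.com", "*.tumblr.com", "*.dropbox.com",
    "*.dropboxusercontent.com", "*.ebayimg.com", "*.blogspot.com",
]


def host_allowed(host: str) -> bool:
    """Exact or suffix match on a hostname; no substring matching."""
    host = host.lower().rstrip(".")
    for pattern in HTTPS_CAPABLE:
        if pattern.startswith("*."):
            base = pattern[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == pattern:
            return True
    return False


def rewrite_image_url(url: str) -> str:
    """Return the https:// form of an http:// image URL when its host is on the
    list, otherwise the URL unchanged. Userinfo and a ':80' suffix are dropped
    from the rebuilt URL; a non-standard port is left alone (no https there)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "http" or not parts.hostname:
        return url
    if parts.port not in (None, 80):
        return url
    if not host_allowed(parts.hostname):
        return url
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))


IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def rewrite_post(bbcode: str) -> str:
    """Rewrite every [img]...[/img] URL in a post body (done on display, so old posts benefit)."""
    return IMG_TAG.sub(lambda m: "[img]" + rewrite_image_url(m.group(1)) + "[/img]", bbcode)
```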
Old 2015-12-18, 11:37   Link #2
monster
Junior Member
 
Join Date: Dec 2005
Ooh, that's nice.

As an aside, as of January 12, 2016, Microsoft will end support for all versions of Internet Explorer except for the latest in each supported Windows version. That's Internet Explorer 9 for Windows Vista SP2 and Internet Explorer 11 for Windows 7 SP1 and Windows 8.1 Update (as well as Windows 10).

Source

So that's another reason to keep your Internet Explorer (and really, other browsers as well) up-to-date.
Old 2015-12-18, 13:09   Link #3
SonicSP
Sonic!I AM SONIC!!!!!
 
 
Join Date: Nov 2008
Location: Hot Non-Winter Place
Age: 33
Well the not linking images thing from some services is rather inconvenient but I do think HTTPS is a good idea so......hopefully the widespread adoption will continue even further across the internet.

Also seems that my favorite link to Suki has been using HTTPS on this forum without me realizing it had it.
Old 2015-12-18, 15:22   Link #4
blakstealth
Les Pays Bass
 
 
Join Date: Jun 2011
I'm all for it, baby.
Old 2015-12-18, 15:28   Link #5
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by SonicSP View Post
Well the not linking images thing from some services is rather inconvenient ...
Yes I realize this is kind of a difficult thing to ask. I've noticed for example that in threads in the Video Games forum people hotlink to images on the official sites of certain game creators. It's kind of hard to avoid mixed content warnings then.

But things are changing, fortunately. Especially with the uptake in HTTPS usage hopefully more people will pester certain services about supporting HTTPS, like I did here.
Old 2015-12-18, 18:15   Link #6
Liddo-kun
is this so?
 
 
Join Date: Mar 2007
Location: Gradius Home World
Oh no... I hope Imagebam will be supported by the upgraded Animesuki forum.. most of the cosplay images that I upload here are hosted on that site, because it has a good thumbnail feature.

https://forums.animesuki.com/showpos...postcount=2603
Old 2015-12-18, 19:11   Link #7
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Liddo-kun View Post
Oh no... I hope Imagebam will be supported by the upgraded Animesuki forum.. most of the cosplay images that I upload here are hosted on that site, because it has a good thumbnail feature.

https://forums.animesuki.com/showpos...postcount=2603
At this point I'm not banning any site. If you want to hotlink images to a particular site, go ahead.

But if you don't care either way, I'd prefer you use an image host that supports HTTPS like imgur.com

However if there is another image host you prefer, I am not going to stop you from using it.

Now in this case it would appear (test image from the post you linked: https://www.imagebam.com/image/efa9c7448378658) it sort-of works and doesn't: the page loads but shows a certificate error because the certificate is self-signed (which in my view isn't a huge problem but unfortunately browsers make a big deal of it). Now the good news is if this means ImageBam wanted to support HTTPS but didn't want to pay for a certificate, there is now Let's Encrypt.

But to reiterate: I'm not banning any site. If HTTPS ever becomes the default then to start with I'd probably first ask people to fix images in their signatures, not in individual posts. Because there will always be thousands of older posts that I do not have any intention of messing with anyway.
Old 2015-12-18, 19:54   Link #8
Liddo-kun
is this so?
 
 
Join Date: Mar 2007
Location: Gradius Home World
@GHDpro

That's a relief. Thanks. ",)

Hmm, the page loads but there's a certificate error. I guess Imagebam doesn't want to pay for one..
Old 2015-12-20, 14:04   Link #9
Triple_R
Senior Member
*Author
 
 
Join Date: Jan 2008
Location: Newfoundland, Canada
Age: 42
I'm not one of the sharper tech-guys here, so I'll just come out and ask it - Is Firefox on Windows 7 Ultimate Ok? That's my primary browser and my current OS.
Old 2015-12-20, 14:10   Link #10
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Triple_R View Post
I'm not one of the sharper tech-guys here, so I'll just come out and ask it - Is Firefox on Windows 7 Ultimate Ok? That's my primary browser and my current OS.
Yes, no problem.

If anyone wants to know as well, check this page: https://www.ssllabs.com/ssltest/viewMyClient.html

Scroll down a bit and check if Server Name Indication (SNI) (first item in the "Protocol Details" section) is set to Yes. If so, the upcoming change will not affect you.

Another test is this: https://sni.velox.ch/ -- it contains a lot of technical info, but it should load without error and it should say "Great! Your client " near the top.

I expect 99.9%+ of all forum members to not notice a thing.
Old 2015-12-20, 14:14   Link #11
vaden
0118 999 881 999 119 7253
 
Join Date: May 2009
Location: (n.) A particular place or position.
Have you considered caching images from HTTP-only remote sites locally to avoid mixed content issues? I could see this being done with a rewrite of [img] tags on post submit.
Old 2015-12-20, 14:58   Link #12
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by vaden View Post
Have you considered caching images from HTTP-only remote sites locally to avoid mixed content issues? I could see this being done with a rewrite of [img] tags on post submit.
I'm not sure if I thought of that before, but I did worry about making such a solution secure (so that nobody can exploit the reverse proxy).

I guess this solution shouldn't be that hard to implement: http://stackoverflow.com/a/3042738

However I would like to rely on such a solution as little as possible...

(btw I would implement the [img] rewriting on page display as I am already doing, as that will work on all older posts as well)
Old 2015-12-20, 17:09   Link #13
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
I link to images on my own server at http://www.takinganimeseriously.com/images/. I'd prefer not to have to purchase a certificate for that site just to link to the images there. If it becomes sufficiently annoying as to cause browsers to complain about a mix of HTTP and HTTPS content, I guess I'll have to capitulate. After all, every one of the sixteen images in my signature is hosted on that site and gets hits multiple times each day.
Old 2015-12-20, 23:09   Link #14
Kotohono
Yuri µ'serator
 
 
Join Date: Nov 2009
Location: FL, USA
Age: 36
Quote:
Originally Posted by SeijiSensei View Post
I link to images on my own server at http://www.takinganimeseriously.com/images/. I'd prefer not to have to purchase a certificate for that site just to link to the images there. If it becomes sufficiently annoying as to cause browsers to complain about a mix of HTTP and HTTPS content, I guess I'll have to capitulate. After all, every one of the sixteen images in my signature is hosted on that site and gets hits multiple times each day.
As mentioned in the OP, Let's Encrypt offers HTTPS encryption for free (besides the time to set it up). So you have options where you don't have to pay for anything.
Old 2015-12-21, 06:59   Link #15
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Konakaga View Post
As mentioned in the OP, Let's Encrypt offers HTTPS encryption for free (besides the time to set it up). So you have options where you don't have to pay for anything.
One downside to Let's Encrypt right now is that to use the official client you essentially need your own VPS or server, as it requires root access.

With alternative clients like letsencrypt-nosudo and acme-tiny you might be able to avoid needing root access, but it will make things harder.

One of the things that doesn't help is that Let's Encrypt certificates are only valid for 90 days, so they need to be renewed quite often. If you had trouble getting the first certificate from Let's Encrypt, you might not be amused to know you need to repeat the process 4 times a year.

(I myself used letsencrypt-nosudo to set up the initial certificate and acme-tiny to automate renewals)

As an alternative to Let's Encrypt there is StartSSL (their website is closed atm?) and WoSign (not a direct link; blog with more info). They each have their own downsides (StartSSL has hidden costs and WoSign is, well, Chinese).

Finally if you do want to get a proper "old-style" paid certificate like Comodo PositiveSSL, then try sites like www.cheapsslsecurity.com and www.gogetssl.com where you can get them for <$5/year (if prepaid for 3 years, but this means less work renewing so not a bad thing).

If you don't want to bother setting up SSL on your own at all, there is CloudFlare, which does the hard work for you by proxying SSL requests through their servers. I haven't used this service (AnimeSuki does use CloudFlare but only for DNS) so I don't know exactly how to set it up and what the downsides are, but I presume it is not complicated to enable.

Last, in my previous post in this thread I responded to someone suggesting proxying HTTP requests through the forum server. That would work like this: if you link to an image like http://notsecure.com/image.jpg then I'll make it so that any such requests are rewritten to https://forums.animesuki.com/proxy.php?url=http://notsecure.com/image.jpg

That way you don't need to do anything. At the same time you will only see the forum server's IP address in your logs.

Last edited by GHDpro; 2015-12-21 at 07:13.
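Added example tying together the proxy idea from this post and the earlier worry (post #12) that "nobody can exploit the reverse proxy": the allow/deny decision an image proxy like the proxy.php described above would need before fetching anything. This is not the forum's code; the image-extension list and the convention of passing in the already-resolved IP are assumptions.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlencode, urlsplit

PROXY_ENDPOINT = "https://forums.animesuki.com/proxy.php"   # path named in the post
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")          # assumption: image-only proxy


def ip_is_public(ip_text: str) -> bool:
    """True only for globally routable addresses; raises ValueError on junk input."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def proxy_target_allowed(url: str, resolved_ip: str) -> Tuple[bool, str]:
    """Decide whether the proxy may fetch `url`.

    `resolved_ip` is the address the proxy's own DNS lookup returned. Passing it
    in keeps this check offline, and the fetcher should then connect to exactly
    that address, which closes the DNS-rebinding window between check and fetch.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return False, "only plain http:// images need proxying"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    if parts.port not in (None, 80):
        return False, "non-standard port"
    if not parts.path.lower().endswith(IMAGE_SUFFIXES):
        return False, "not an image path"
    try:
        if not ip_is_public(resolved_ip):
            return False, "host resolves to non-public address " + resolved_ip
    except ValueError:
        return False, "host did not resolve to a valid address"
    return True, "ok"


def build_proxy_url(url: str, resolved_ip: str) -> str:
    """Rewrite an http:// image URL into the proxied form, or raise if not allowed.
    The url parameter is percent-encoded (the post shows it unencoded for readability)."""
    ok, reason = proxy_target_allowed(url, resolved_ip)
    if not ok:
        raise ValueError(reason)
    return PROXY_ENDPOINT + "?" + urlencode({"url": url})
```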
Old 2015-12-21, 14:19   Link #16
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Quote:
Originally Posted by GHDpro View Post
Finally if you do want to get a proper "old-style" paid certificate like Comodo PositiveSSL, then try sites like www.cheapsslsecurity.com and www.gogetssl.com where you can get them for <$5/year (if prepaid for 3 years, but this means less work renewing so not a bad thing).
I might take this route. Thanks!
Old 2015-12-21, 17:11   Link #17
Triple_R
Senior Member
*Author
 
 
Join Date: Jan 2008
Location: Newfoundland, Canada
Age: 42
Quote:
Originally Posted by GHDpro View Post
Yes, no problem.

If anyone wants to know as well, check this page: https://www.ssllabs.com/ssltest/viewMyClient.html
Quote:
Originally Posted by Konakaga View Post
As mentioned in the OP, Let's Encrypt offers HTTPS encryption for free (besides the time to set it up). So you have options where you don't have to pay for anything.
Thanks a lot for the answer and info. This is all very good to know.
Old 2015-12-21, 18:29   Link #18
chikorita157
ひきこもりアイドル
*IT Support
 
 
Join Date: Feb 2009
Location: Pennsylvania , United States
Age: 34
I tried Let's Encrypt and it seems that my setup does not like having different certificates. Maybe it's something wrong with my setup or it's not properly set up. Also, I do not like the idea of the certificates expiring in 90 days and having to shut off Apache temporarily to update, so I mostly use it only for my home server and Webmin control panel since it's not being used for anything critical.

To avoid the SNI issue (which is needed for shared websites), I just went with a multi-domain certificate for my main blog and side blog without going to the hassle of trying to figure out the configuration or get another dedicated IP (since I'm using a VPS to host my website).

Note that those who use a VPS and want to implement SSL should disable all vulnerable encryption (TLS should be the only one that is enabled), and enable forward secrecy and ciphers. This is what I have in the Apache VHost configuration file:
Code:
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Old 2015-12-22, 04:33   Link #19
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Hmm, this is turning into a "how do I set up SSL" thread, oh well...

For Let's Encrypt verification to work, Let's Encrypt needs to find a specific file in a specific folder on your site: /.well-known/acme-challenge

Code:
        Alias "/.well-known/acme-challenge" "/etc/ssl/acme-challenge"
        <Directory "/etc/ssl/acme-challenge">
                Header set Content-Type "application/jose+json"
                Require all granted
        </Directory>
Using the above snippet in my Apache config* (or similar for nginx) I don't have to stop Apache; the secret file is served by the webserver itself.

But I should note that I use the acme-tiny alternative client, not sure how you integrate this with the official client.

*) Note that this snippet is for Apache v2.4+ and requires mod_headers to be enabled

And yes, if you just add an SSL certificate and don't configure anything else you're leaving yourself open to known SSL flaws. Fortunately it is easy to fix, just don't forget it. Relevant links:

- Mozilla SSL Configuration Generator
- Strong SSL Security on Apache2 or nginx

On Apache, my SSL config looks like this (if you use an older version of Apache, not all commands are available):
Code:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Also a warning: if any tutorial encourages you to set something like this (HSTS):
Code:
Header always set Strict-Transport-Security "max-age=15768000"
Be aware that this is not easy to reverse. It forces browsers to switch to HTTPS on their own. If you are trying to set up SSL and can't get it working, any visitor that visits during that time will always visit the HTTPS version of your site for a long period after that, so be sure SSL is working perfectly before enabling that. Also, if you want to give visitors the option to use HTTPS, this will essentially force it for them.
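Added example for the last two posts (not code from the thread): a small audit over Apache vhost text that flags the things they warn about (SSLv2/SSLv3 left enabled, a permissive cipher base list, no cipher ordering, compression on) and reports how long an HSTS header commits visitors to HTTPS. The two vhost fragments are constructed samples; missing directives are treated pessimistically, which is an assumption, not Apache's real defaults.

```python
import re
from typing import Dict, List

# Constructed sample vhost fragments (not from the thread): the first is what a
# "just add a certificate" tutorial tends to leave behind, the second follows the
# hardening described in the posts above.
WEAK_VHOST = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!aNULL
SSLCompression on
Header always set Strict-Transport-Security "max-age=15768000"
"""

HARDENED_VHOST = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
"""


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Collect 'Directive value' lines; comments and <Container> tags are skipped."""
    out: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        out.setdefault(name, []).append(value.strip())
    return out


def audit_tls(text: str) -> List[str]:
    """Return human-readable findings for weak settings in an Apache SSL vhost."""
    d = parse_directives(text)
    findings: List[str] = []
    # SSLProtocol: "all" (or an explicit SSLvX) without a matching "-SSLvX" exclusion.
    tokens = " ".join(d.get("SSLProtocol", ["all"])).lower().split()
    for old in ("sslv2", "sslv3"):
        if ("all" in tokens or old in tokens) and "-" + old not in tokens:
            findings.append("SSLProtocol leaves %s enabled" % old.upper())
    # SSLCipherSuite: a base list of ALL/DEFAULT needs explicit exclusions.
    suite = ":".join(d.get("SSLCipherSuite", ["DEFAULT"])).upper().split(":")
    if "ALL" in suite or "DEFAULT" in suite:
        for bad in ("!RC4", "!MD5", "!EXPORT", "!ANULL"):
            if bad not in suite:
                findings.append("SSLCipherSuite based on ALL/DEFAULT without " + bad)
    if d.get("SSLHonorCipherOrder", ["off"])[-1].lower() != "on":
        findings.append("SSLHonorCipherOrder is not on (client picks the cipher)")
    if d.get("SSLCompression", ["on"])[-1].lower() != "off":
        findings.append("SSLCompression is not off (CRIME)")
    # HSTS is a commitment rather than a flaw: report how long browsers will pin HTTPS.
    for value in d.get("Header", []):
        m = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', value, re.I)
        if m:
            days = int(m.group(1)) // 86400
            findings.append("HSTS set: browsers will insist on HTTPS for about %d days" % days)
    return findings
```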
Old 2016-01-13, 17:06   Link #20
DragonOsman
Dragon King
 
 
Join Date: Jul 2014
Location: Al Khobar, Saudi Arabia
Age: 33
Is there a special reason why the site isn't rendering well in MS Edge even though it's a Windows 10 browser? None of the icons or avatars are loading correctly for me on MS Edge.

Just as a note, MS Edge uses all of the latest browser technologies and doesn't conform to any of the "legacy" ones. I'm pointing this out just in case, here.