2015-12-18, 07:46 | Link #1 |
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
Let's make this forum HTTPS friendly
The usage of HTTPS (secure communication over the internet) is spreading. It is no longer something that is used only on banking or ecommerce sites. When you access Google, you see a green padlock in the address bar. The same with sites like Facebook.com, Reddit.com and Wordpress.org. Services like CloudFlare and Let's Encrypt make it (relatively) easy and free for webmasters to use SSL on their site(s).
For a while now the AnimeSuki Forum too has been accessible over HTTPS: https://forums.animesuki.com/

Update 06-12-2016: The forum can as of now only be accessed through HTTPS. All HTTP requests are being redirected to the HTTPS site. HSTS has been enabled, meaning your browser will also automatically use HTTPS from now on.

However not many people are using it yet, including myself I have to admit, as you have to choose to use it (though for admin & moderator only sections of the forum, use of HTTPS is enforced). But there may be a time in the not too far future where I want to make HTTPS the default (or otherwise encourage its use). So that leads me to the points I want to make:

Keep your browser up-to-date
If you are using a reasonably modern OS (Windows 7+ or equivalent) and browser (at most 1-2 versions behind current stable versions), you should not have any problems. Please continue to keep your browser up-to-date, thanks. However if your setup is older and for example you still use Internet Explorer on Windows XP, now is the time to upgrade. There will be no more security updates for XP and the latest version of IE on XP is quite old. I'd highly recommend you upgrade to a newer version of Windows as soon as possible. If for some reason you can't upgrade your OS, please at least use an alternative browser like Chrome or Firefox.

For the time being only images are served through the CDN. If you don't have a browser that supports SNI the forum will look a bit weird (with images not loading). However I soon want to enable the CDN for all static files including Javascript and CSS. From that moment on the forum will effectively stop working if you have a browser that is too old.

If possible do not hotlink images to sites that do not support HTTPS
This one is a bit hard to enforce, so we probably won't, but anyway. If you load images from HTTP sites on an HTTPS page your browser may show an "Insecure Content" warning. In current versions of Firefox you'll see a warning sign in the padlock. On other browsers the padlock will disappear; on others (depending on security settings) images may not load at all.

How do you know a site supports HTTPS? Take an image hosted on that site and paste it in a new tab in your browser, then edit the URL and change "http" into "https" and hit enter. If the image loads without error and you see a padlock in the address bar, it works. If the site doesn't load or shows an ugly certificate error, it doesn't work, obviously.

To give you an easy answer: for hotlinking images please use https://imgur.com/ from now on, thanks. In particular tinypic.com and imageshack.com at this time are not known to support HTTPS. Please do not hotlink to images on these services. If you are currently hotlinking to images on sites or services that don't support HTTPS, please request the site owners to enable HTTPS, thanks.

Also do not forget to check your signature as well. You can upload a signature to the forum; external image hosting sites are not required if you only want to use one image in your signature.

Now you might ask: Do I need to use HTTPS in image links? The answer is no. I've written a small plugin that automatically rewrites all image links to the sites that support HTTPS. Of course linking straight to the HTTPS URL when making a post is certainly possible, but you don't have to change the URL yourself, it is done automatically for you.

The plugin currently supports the following domains -- you may use this list as a reference guide for which sites & services you can (not necessarily should) hotlink to:
- forums.animesuki.com
- *.imgur.com
- *.photobucket.com
- *.minus.com
- *.puu.sh
- *.postimg.org (but oddly not postimage.org)
- *.fastpic.ru
- *.wordpress.com
- *.cdninstagram.com
- *.twimg.com
- *.tumblr.com
- *.dropbox.com
- *.dropboxusercontent.com
- *.ebayimg.com
- *.blogspot.com

If you know another domain that is being used for hotlinking images and that supports HTTPS, please let me know.

Edit: Hmm, PhotoBucket does seem to support HTTPS and ImageShack does not (redirect to HTTP = no good), so post edited and plugin updated. Wordpress.com, Fastpic.ru, Twimg.com (Twitter), Tumblr.com also added.

Last edited by GHDpro; 2016-12-06 at 07:28.
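An added example (not the forum's actual plugin) of the display-time rewrite the post describes: [img] URLs on the listed hosts are switched to https, everything else is left alone. The domain list is the one quoted above; treating "*." entries as also covering the bare domain, and the sample post body, are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The domain list quoted in the post; "*." entries also cover the bare domain
# (an assumption, so that https://imgur.com/... itself qualifies).
HTTPS_HOSTS = [
    "forums.animesuki.com", "*.imgur.com", "*.photobucket.com", "*.minus.com",
    "*.puu.sh", "*.postimg.org", "*.fastpic.ru", "*.wordpress.com",
    "*.cdninstagram.com", "*.twimg.com", "*.tumblr.com", "*.dropbox.com",
    "*.dropboxusercontent.com", "*.ebayimg.com", "*.blogspot.com",
]

IMG_TAG = re.compile(r"(\[img\])(.*?)(\[/img\])", re.IGNORECASE | re.DOTALL)

def host_supports_https(host):
    """Match a hostname against the allowlist; wildcard entries match any subdomain."""
    host = host.lower().rstrip(".")
    for pattern in HTTPS_HOSTS:
        if pattern.startswith("*."):
            base = pattern[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == pattern:
            return True
    return False    # e.g. postimage.org (not on the list) never matches

def upgrade_image_url(url):
    """Return the https:// form of an http:// URL on an allowlisted host, else the URL unchanged."""
    parts = urlsplit(url.strip())
    if parts.scheme != "http" or not parts.hostname:
        return url                      # already https, relative, or unparseable
    if not host_supports_https(parts.hostname):
        return url                      # unknown host: forcing https would just break the image
    return urlunsplit(("https",) + tuple(parts[1:]))

def rewrite_post(body):
    """Rewrite every [img]...[/img] in a post body at display time, keeping tag casing."""
    return IMG_TAG.sub(lambda m: m.group(1) + upgrade_image_url(m.group(2)) + m.group(3), body)
```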
2015-12-18, 11:37 | Link #2 |
Junior Member
Join Date: Dec 2005
Ooh, that's nice.
As an aside, as of January 12, 2016, Microsoft will end support for all versions of Internet Explorer except for the latest in each supported Windows version. That's Internet Explorer 9 for Windows Vista SP2 and Internet Explorer 11 for Windows 7 SP1 and Windows 8.1 Update (as well as Windows 10). (Source)
So that's another reason to keep your Internet Explorer (and really, other browsers as well) up-to-date.
2015-12-18, 13:09 | Link #3 |
Sonic!I AM SONIC!!!!!
Well the not linking images thing from some services is rather inconvenient but I do think HTTPS is a good idea so......hopefully the widespread adoption will continue even further across the internet.
Also seems that my favorite link to Suki has been using HTTPS on this forum without me realizing it had it.
2015-12-18, 15:28 | Link #5 | |
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
But things are changing, fortunately. Especially with the uptake in HTTPS usage hopefully more people will pester certain services about supporting HTTPS, like I did here.
2015-12-18, 18:15 | Link #6 |
is this so?
Join Date: Mar 2007
Location: Gradius Home World
Oh no... I hope Imagebam will be supported by the upgraded Animesuki forum.. most of the cosplay images that I upload here are hosted on that site, because it has a good thumbnail feature.
https://forums.animesuki.com/showpos...postcount=2603
2015-12-18, 19:11 | Link #7 | |
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
But if you don't care either way, I'd prefer you use an image host that supports HTTPS like imgur.com. However if there is another image host you prefer, I am not going to stop you from using it.

Now in this case it would appear (test image from the post you linked: https://www.imagebam.com/image/efa9c7448378658) it sort-of works and doesn't: the page loads but shows a certificate error because the certificate is self-signed (which in my view isn't a huge problem but unfortunately browsers make a big deal of it). Now the good news is if this means ImageBam wanted to support HTTPS but didn't want to pay for a certificate, there is now Let's Encrypt.

But to reiterate: I'm not banning any site. If HTTPS ever becomes the default then to start with I'd probably first ask people to fix images in their signatures, not in individual posts. Because there will always be thousands of older posts that I do not have any intention of messing with anyway.
2015-12-20, 14:10 | Link #10 | |
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
If anyone wants to know as well, check this page: https://www.ssllabs.com/ssltest/viewMyClient.html Scroll down a bit and check if Server Name Indication (SNI) (first item in the "Protocol Details" section) is set to Yes. If so, the upcoming change will not affect you. Another test is this: https://sni.velox.ch/ -- it contains a lot of technical info, but it should load without error and it should say "Great! Your client " near the top. I expect 99.9%+ of all forum members to not notice a thing.
2015-12-20, 14:58 | Link #12 | |
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
I guess this solution shouldn't be that hard to implement: http://stackoverflow.com/a/3042738 However I would like to rely on such a solution as little as possible... (btw I would implement the [img] rewriting on page display as I am already doing, as that will work on all older posts as well)
2015-12-20, 17:09 | Link #13 |
AS Oji-kun
Join Date: Nov 2006
Age: 74
I link to images on my own server at http://www.takinganimeseriously.com/images/. I'd prefer not to have to purchase a certificate for that site just to link to the images there. If it becomes sufficiently annoying as to cause browsers to complain about a mix of HTTP and HTTPS content, I guess I'll have to capitulate. After all, every one of the sixteen images in my signature is hosted on that site and gets hits multiple times each day.
2015-12-20, 23:09 | Link #14 | |
Yuri µ'serator
Join Date: Nov 2009
Location: FL, USA
Age: 36
|
2015-12-21, 06:59 | Link #15 | |
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
With alternative clients like letsencrypt-nosudo and acme-tiny you might be able to avoid needing root access, but it will make things harder. One of the things that doesn't help is that Let's Encrypt certificates are only valid for 90 days, so they need to be renewed quite often. If you had trouble getting the first certificate from Let's Encrypt, you might not be amused to know you need to repeat the process 4 times a year. (I myself used letsencrypt-nosudo to set up the initial certificate and acme-tiny to automate renewals.)

As an alternative to Let's Encrypt there is StartSSL (their website is closed atm?) and WoSign (not a direct link; blog with more info). They each have their own downsides (StartSSL has hidden costs and WoSign is, well, Chinese). Finally if you do want to get a proper "old-style" paid certificate like Comodo PositiveSSL, then try sites like www.cheapsslsecurity.com and www.gogetssl.com where you can get them for <$5/year (if prepaid for 3 years, but this means less work renewing so not a bad thing).

If you don't want to bother setting up SSL on your own at all, there is CloudFlare, which does the hard work for you by proxying SSL requests through their servers. I haven't used this service (AnimeSuki does use CloudFlare but only for DNS) so I don't know exactly how to set it up and what the downsides are, but I presume it is not complicated to enable.

Last, in my previous post in this thread I responded to someone suggesting proxying HTTP requests through the forum server. That would work like this: if you link to an image like http://notsecure.com/image.jpg then I'll make it so that any such requests are rewritten to https://forums.animesuki.com/proxy.php?url=http://notsecure.com/image.jpg That way you don't need to do anything. At the same time you will only see the forum server's IP address in your logs.

Last edited by GHDpro; 2015-12-21 at 07:13.
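The proxy idea from the last paragraph, as an added example (not AnimeSuki's proxy.php, which the post only proposes): the client-side rewrite of an http:// image URL to the proxy endpoint, plus the check a proxy endpoint needs before it fetches the requested target. The endpoint name is the one in the post; the parameter handling and the checks are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, urlencode, parse_qs

# Endpoint name as given in the post; the parameter handling is an assumption.
PROXY_BASE = "https://forums.animesuki.com/proxy.php"

def proxy_url(image_url):
    """Rewrite an http:// image URL to the forum's proxy; https URLs need no proxying."""
    if urlsplit(image_url).scheme != "http":
        return image_url
    return PROXY_BASE + "?" + urlencode({"url": image_url})

def proxy_target_allowed(query_string):
    """Server-side check before proxy.php fetches anything: exactly one 'url'
    parameter, plain http on the default port, and a real hostname rather than
    an IP literal or localhost (resolving the name and checking the resulting
    address is a further step not done here).  Returns (allowed, reason)."""
    urls = parse_qs(query_string).get("url", [])
    if len(urls) != 1:
        return False, "exactly one url parameter required"
    target = urlsplit(urls[0])
    if target.scheme != "http":
        return False, "only http targets are proxied"
    host = (target.hostname or "").lower()
    if not host or host == "localhost":
        return False, "missing or local hostname"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                              # a DNS name, as expected
    else:
        return False, "IP literal targets are not proxied"
    try:
        port = target.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80):
        return False, "non-standard port"
    return True, "ok"
```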
2015-12-21, 14:19 | Link #16 | |
AS Oji-kun
Join Date: Nov 2006
Age: 74
2015-12-21, 17:11 | Link #17 | ||
Senior Member
Author
2015-12-21, 18:29 | Link #18 |
ひきこもりアイドル
IT Support
Join Date: Feb 2009
Location: Pennsylvania , United States
Age: 34
I tried Let's Encrypt and it seems that my setup does not like having different certificates. Maybe it's something wrong with my setup or that it's not properly set up. Also, I do not like the idea of the certificates expiring in 90 days and having to shut off Apache temporarily to update, so I mostly use it only for my home server and Webmin control panel since it's not being used for anything critical.

To avoid the SNI issue (which is needed for shared websites), I just went with a multi-domain certificate for my main blog and side blog without going to the hassle of trying to figure out the configuration or get another dedicated IP (since I'm using a VPS to host my website). Note for those who use a VPS and want to implement SSL: you should disable all vulnerable encryption (TLS should be the only one that is enabled), enable forward secrecy and ciphers. This is what I have in the Apache VHost configuration file:

Code:
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
2015-12-22, 04:33 | Link #19 |
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
Hmm, this is turning into a "how do I set up SSL" thread, oh well...

For Let's Encrypt verification to work, Let's Encrypt needs to find a specific file in a specific folder on your site: /.well-known/acme-challenge

Code:
Alias "/.well-known/acme-challenge" "/etc/ssl/acme-challenge"
<Directory "/etc/ssl/acme-challenge">
    Header set Content-Type "application/jose+json"
    Require all granted
</Directory>

But I should note that I use the acme-tiny alternative client, not sure how you integrate this with the official client.

*) Note that this snippet is for Apache v2.4+ and requires mod_headers to be enabled

And yes, if you just add a SSL certificate and don't configure anything else you're leaving yourself open to known SSL flaws. Fortunately it is easy to fix, just don't forget it. Relevant links:
- Mozilla SSL Configuration Generator
- Strong SSL Security on Apache2 or nginx

On Apache, my SSL config looks like this (if you use an older version of Apache, not all commands are available):

Code:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Code:
Header always set Strict-Transport-Security "max-age=15768000"
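Added here as an example (not from either post) is a small lint that checks an Apache TLS fragment for the settings the two configurations above set: SSLv2/SSLv3 excluded, no RC4/MD5/NULL/EXPORT suites admitted, cipher order honoured, compression off, and an HSTS header with at least the max-age the post uses. The CONFIG_* strings re-type the posted directives as constructed input, with the long cipher list abridged.

```python
import re

# Constructed input: the two fragments quoted in the posts above, with the
# long cipher list of the second one abridged to keep the example short.
CONFIG_SHORT = """SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
"""
CONFIG_FULL = """SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=15768000"
"""

def parse_directives(text):
    """Map lower-cased directive name -> argument string (last occurrence wins)."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            found[name.lower()] = args.strip()
    return found

def lint_tls_config(text, min_hsts_age=15768000):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = parse_directives(text), []
    protos = [t.lower() for t in d.get("sslprotocol", "").split()]
    for old in ("SSLv2", "SSLv3"):
        # A missing SSLProtocol line means the server default, which on older
        # Apache versions is "all" and so still includes SSLv3.
        still_on = old.lower() in protos or ("all" in protos and "-" + old.lower() not in protos)
        if not protos or still_on:
            findings.append(f"SSLProtocol leaves {old} enabled")
    ciphers = d.get("sslciphersuite", "")
    if not ciphers:
        findings.append("SSLCipherSuite unset: library defaults apply")
    elif re.search(r"(^|:)(?!!)[^:]*\b(RC4|MD5|NULL|EXPORT)\b", ciphers, re.I):
        findings.append("SSLCipherSuite admits an RC4/MD5/NULL/EXPORT suite")
    if d.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on: the client picks the suite")
    if d.get("sslcompression", "").lower() != "off":
        findings.append("SSLCompression is not off")
    hsts = re.search(r"^\s*Header\b.*Strict-Transport-Security.*max-age=(\d+)",
                     text, re.I | re.M)
    if hsts is None or int(hsts.group(1)) < min_hsts_age:
        findings.append(f"HSTS header missing or max-age below {min_hsts_age}")
    return findings
```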
2016-01-13, 17:06 | Link #20 |
Dragon King
Join Date: Jul 2014
Location: Al Khobar, Saudi Arabia
Age: 33
Is there a special reason why the site isn't rendering well in MS Edge even though it's a Windows 10 browser? None of the icons or avatars are loading correctly for me on MS Edge.
Just as a note, MS Edge uses all of the latest browser technologies and doesn't conform to any of the "legacy" ones. I'm pointing this out just in case, here.