Author Topic: HTTPS for the forum and unsecured username/password  (Read 3996 times)


Offline Jhaierr

  • Neophyte
  • *
  • Posts: 21
  • OIC Points +0/-0
HTTPS for the forum and unsecured username/password
« on: March 14, 2018, 02:26:02 AM »
Hello! The forum does not seem to allow us to use https:// as an option, and it seems that our forum username/password is sent over an unsecured connection. (Please correct me if I'm wrong.) Would there be a way to remedy this in the near future?

Offline Merkir

  • Senior Adept
  • **
  • Posts: 667
  • OIC Points +0/-0
  • Long lost GM
    • Information Technology
Re: HTTPS for the forum and unsecured username/password
« Reply #1 on: March 14, 2018, 05:46:18 AM »
I concur with Jhaierr.

Also, there's another important reason to upgrade to HTTPS. It improves the site's Google search ranking. In Google's own words, "we're starting to use HTTPS as a ranking signal."

From https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html.

Offline jdale

  • RMU Dev Team
  • ****
  • Posts: 7,102
  • OIC Points +25/-25
Re: HTTPS for the forum and unsecured username/password
« Reply #2 on: March 14, 2018, 04:47:11 PM »
Let's Encrypt offers free certificates. https://letsencrypt.org/ We used it for our LARP's web site.

I don't think your host supports it directly (some hosts do, including Dreamhost, which makes it super easy) but it might still be possible to use.
System and Line Editor for Rolemaster

Offline Jhaierr

  • Neophyte
  • *
  • Posts: 21
  • OIC Points +0/-0
Re: HTTPS for the forum and unsecured username/password
« Reply #3 on: April 01, 2018, 04:55:25 AM »
Any word on this? I would love to not have my username/password sent over an unencrypted connection.  :)

Offline OLF, i.e. Olf Le Fol

  • Revered Elder
  • ***
  • Posts: 1,222
  • OIC Points +0/-0
Re: HTTPS for the forum and unsecured username/password
« Reply #4 on: April 23, 2018, 09:25:49 AM »
Any news about whether it'd be possible to have this?
The world was then consumed by darkness, and mankind was devoured alive and cast into hell, led by a jubilant 紗羽. She rejoiced in being able to continue serving the gods, thus perpetuating her travels across worlds to destroy them. She looked at her doll and, remembering their promises, told her: "You see, my dear, we succeeded! We've become legends! We've become villains! We've become witches!" She then laughed with a joyful, childlike laughter, just as she kept doing for all of eternity.

Offline Jhaierr

  • Neophyte
  • *
  • Posts: 21
  • OIC Points +0/-0
Re: HTTPS for the forum and unsecured username/password
« Reply #5 on: April 29, 2018, 04:32:15 AM »
In July, all sites that do not use HTTPS, regardless of form fields or login information on the page, will be marked as "Not Secure" by Chrome and Firefox in the address bar: https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html This site is already displaying that warning whenever you log in or type in any form field.

I believe the forum (and all of ironcrown.com) should move to HTTPS for all pages. I think SMF 2.0.15 has this as an option, so if you upgrade the forum to that version, it should be easier to make the transition in the forums. (I believe you are using 2.0.* right now.)

Offline Thom @ ICE

  • Aurigas Staff
  • ******
  • Posts: 3,810
  • OIC Points +0/-0
  • Thom@ironcrown.com
Re: HTTPS for the forum and unsecured username/password
« Reply #6 on: April 29, 2018, 08:18:23 PM »
We are reviewing it.
Email -    Thom@ironcrown.com

Offline Peter R

  • Navigator
  • ***
  • Posts: 1,850
  • OIC Points +480/-480
    • Rolemaster Blog
Re: HTTPS for the forum and unsecured username/password
« Reply #7 on: April 30, 2018, 01:27:24 AM »
> We are reviewing it.

I think that is the most insipid response I have ever seen to a suggestion by a supporter.
Rolemasterblog http://www.rolemasterblog.com
Twitter https://twitter.com/RolemasterBlog
Facebook https://www.facebook.com/rolemasterblog/

Spectre771 A couple of weeks ago, I disemboweled one of my PCs with a...

Offline Jhaierr

  • Neophyte
  • *
  • Posts: 21
  • OIC Points +0/-0
Re: HTTPS for the forum and unsecured username/password
« Reply #8 on: April 30, 2018, 03:40:04 AM »
> I think that is the most insipid response I have ever seen to a suggestion by a supporter.

Well, I personally interpreted Thom's response as merely a quick message to let us know they are looking into it.

I'm a bit tenacious, and my last message was somewhat forward. So I apologize if I was a little too much there.

Offline Thom @ ICE

  • Aurigas Staff
  • ******
  • Posts: 3,810
  • OIC Points +0/-0
  • Thom@ironcrown.com
Re: HTTPS for the forum and unsecured username/password
« Reply #9 on: April 30, 2018, 04:56:54 AM »
I am not an IT expert, so any change like this requires some degree of outside support and along with that requires research.  I am reviewing what is involved considering how our site is hosted and what I am comfortable doing myself vs outside contracting, as well as who to deal with to get it done. The concern will be addressed but the detailed plan is not yet determined.

In short, we are reviewing it.
Email -    Thom@ironcrown.com

Offline Jhaierr

  • Neophyte
  • *
  • Posts: 21
  • OIC Points +0/-0
Re: HTTPS for the forum and unsecured username/password
« Reply #10 on: May 02, 2018, 03:22:17 AM »
> I am not an IT expert, so any change like this requires some degree of outside support and along with that requires research. I am reviewing what is involved considering how our site is hosted and what I am comfortable doing myself vs outside contracting, as well as who to deal with to get it done. The concern will be addressed but the detailed plan is not yet determined.
>
> In short, we are reviewing it.

Good luck! I hope it's easier than expected.

Offline Jhaierr

  • Neophyte
  • *
  • Posts: 21
  • OIC Points +0/-0
Re: HTTPS for the forum and unsecured username/password
« Reply #11 on: June 20, 2018, 05:30:10 PM »
Just a quick update on upcoming security-related changes to Chrome:

https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html

tl;dr: In October, with Chrome 70, sites that do not use a secure connection (i.e., use HTTPS) will be marked with a red "! Not secure" warning once someone begins to type in a form field.  Other browsers are moving in this direction as well.

I know you're working on it. :) I just thought folks would find this informative.

Offline OLF, i.e. Olf Le Fol

  • Revered Elder
  • ***
  • Posts: 1,222
  • OIC Points +0/-0
Re: HTTPS for the forum and unsecured username/password
« Reply #12 on: July 18, 2018, 09:58:25 AM »
FYI, it's now apparently working (tested with Safari, Firefox, I.E. and Chrome so it should cover most browsers).
The world was then consumed by darkness, and mankind was devoured alive and cast into hell, led by a jubilant 紗羽. She rejoiced in being able to continue serving the gods, thus perpetuating her travels across worlds to destroy them. She looked at her doll and, remembering their promises, told her: "You see, my dear, we succeeded! We've become legends! We've become villains! We've become witches!" She then laughed with a joyful, childlike laughter, just as she kept doing for all of eternity.

Offline jdale

  • RMU Dev Team
  • ****
  • Posts: 7,102
  • OIC Points +25/-25
Re: HTTPS for the forum and unsecured username/password
« Reply #13 on: July 18, 2018, 12:02:10 PM »
Nice! I still get a "parts of this page are not secure (such as images)" but otherwise working. I think that message is because a couple of images (from the theme I think) are hosted on http://gator1849.hostgator.com; it would probably work if they were just copied and linked to somewhere on https://www.ironcrown.com. Also, a couple of the avatar pictures are not stored locally and are on www.gwathyr.net. I'm not sure if that's true for avatar images from the gallery or only when the user has specified a URL for the image themselves (which you could probably disable and just have them upload it here).

Still a nice improvement, thanks!
System and Line Editor for Rolemaster
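
The mixed-content condition described in the post above can be checked mechanically. The following is an added example, not part of the original thread or the forum's software: it scans a page's HTML for subresources still loaded over http:// and groups them by host. The sample page and its paths are constructed; only the host names come from the post.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Passive (display-only) subresources over http:// trigger the "parts of this
# page are not secure" warning; active ones (scripts, frames, CSS) get blocked.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = defaultdict(list)  # host -> [(kind, tag, url)]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, pairs in (("passive", PASSIVE), ("active", ACTIVE)):
            for t, a in pairs:
                if t != tag or not attrs.get(a):
                    continue
                if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    continue  # only stylesheets are fetched as subresources
                # Resolve relative and protocol-relative URLs against the page.
                url = urljoin(self.page_url, attrs[a])
                if urlparse(url).scheme == "http":
                    self.findings[urlparse(url).hostname].append((kind, tag, url))

def find_mixed_content(page_url, html):
    """Return {host: [(kind, tag, url), ...]} for http:// subresources."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return dict(finder.findings)

PAGE = "https://www.ironcrown.com/"
# Constructed sample page: every path below is made up for illustration.
SAMPLE = """
<html><head>
<link rel="stylesheet" href="/constructed/style.css">
<link rel="canonical" href="http://www.ironcrown.com/constructed/">
</head><body>
<img src="http://gator1849.hostgator.com/constructed/theme-logo.png">
<img src="http://www.gwathyr.net/constructed/avatar.jpg">
<img src="//www.ironcrown.com/constructed/local-avatar.png">
<a href="http://example.org/">ordinary links are not mixed content</a>
</body></html>
"""

if __name__ == "__main__":
    print(find_mixed_content(PAGE, SAMPLE))
```

Hosts that appear in the result are the ones whose files need to be re-hosted on, or re-linked to, an HTTPS origin.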

Offline terefang

  • Initiate
  • *
  • Posts: 195
  • OIC Points +0/-0
Re: HTTPS for the forum and unsecured username/password
« Reply #14 on: July 20, 2018, 09:21:03 AM »
May I propose an HTTP to HTTPS redirect?
https://geekflare.com/http-to-https-redirection/
I'd swallow cthulhu whole, with sushi and soy-sauce.

Currently: [BME] [FitD]
Legacy: [d6] [Genesys] [ArsMagicka] [MERP] [HARP] [Ubiquity] [d20] [WoD] [SR] [WHFRP] [WOIN/O.L.D.] [RM2/C]