Seth Jones Posted June 28, 2011
I have a question: why is HTTPS only on the login? I'm not real familiar with HTTPS, but I noticed vBulletin has it on their entire site. Does it make the server slower, or is it not worth doing the entire data protocol? If there are only positives to it, why not add it to IP.Board or have a more advanced HTTPS settings module?
Charles (Management) Posted June 28, 2011
HTTPS encrypts data transmitted between the server and your browser. It does slow down the data transactions. The only time we consider it even remotely important is on login because that is the only time your password is ever sent in plain text.
Seth Jones (Author) Posted June 28, 2011
I understand, thanks for clearing that up. :)
Charles (Management) Posted June 28, 2011
I should say that some of our clients use HTTPS for their entire community because they are talking about sensitive things. These are mostly banking or intranet clients. I cannot see the need to encrypt data on most communities.
shamil Posted June 28, 2011
I should add that HTTPS communication doesn't automatically mean that the connection is secure. Since a lot of objects on vBulletin's pages are not secured by SSL, the connection and data transmission can be eavesdropped by malicious bytes.
Charles (Management) Posted June 28, 2011
That's only true of those non-secure parts though :)
bfarber Posted June 29, 2011
It's also worth noting that IP.Board *does* allow you to encrypt the entire transaction as Charles alluded to earlier. You simply set your board_url or base_url in conf_global.php to use https instead of http. As Charles indicated, however, the extra overhead is generally not worth it for most communities.
Hexsplosions Posted June 30, 2011
I've just switched my login and registration screens to HTTPS, going through a painful process of pleasing IE9, which insisted there was insecure content. What a pain in the proverbial behind. I've also secured my ACP through HTTPS as well, using a guide in the documentation area: http://community.invisionpower.com/resources/articles.html/_/ipboard-3x/simple-modifications/how-to-require-ssl-for-admin-cp-r532 I've seen other solutions for securing the ACP, but this one is definitely my preferred. The only other thing I am likely to do is rename the admin folder.
Archived
This topic is now archived and is closed to further replies.