Apfelstrudel Posted January 24, 2017 Posted January 24, 2017 Hello, now we have to think about enabling SSL because Google Chrome starts to show warning messages beginning in Jan 17 for all pages which have a login (PW form). This is the case for almost all forum pages. ? https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn Here in the forum I read a lot of topics about SSL and that it will cause many mixed-content warnings. Normally it should be no problem running the standard pages in http because our forum (and I think most the forums out there) have nothing special which needs encryption. Is it possible to use SSL for standard logins only? I don't mean the acp login. I'm talking about the member login. I know that there is a "SSL for login only" setting in acp but this doesn't affect the member logins. There must be a feature to replace the login pulldown in the forum header with a link to the SSL login page. Is there any built-in feature to do this`? Thanks in advance for any help.
opentype Posted January 24, 2017 Posted January 24, 2017 52 minutes ago, Apfelstrudel said: Is there any built-in feature to do this`? No. You need to move over everything because the login form is available on every page.
Apfelstrudel Posted January 24, 2017 Author Posted January 24, 2017 Unfortunately that's what I assumed. ? Thanks, opentype. So I have to run some replace queries in mysql to get rid of this mixed content warnings. But what about the external pics?
opentype Posted January 24, 2017 Posted January 24, 2017 There is this 3rd party option, but I much rather see a native IPS function for this.
Rhett Posted January 24, 2017 Posted January 24, 2017 36 minutes ago, opentype said: No. You need to move over everything because the login form is available on every page. That's not really true, we have the option to use SSL for logins and acp only, which then makes those links/urls use https/ssl. Google is only concerned with login info, checkout etc.
opentype Posted January 24, 2017 Posted January 24, 2017 10 minutes ago, Rhett said: That's not really true, we have the option to use SSL for logins and acp only, which then makes those links/urls use https/ssl. What is not true? If that option is turned on, can I not pull down the login form as guest from an http page?
Rhett Posted January 24, 2017 Posted January 24, 2017 1 minute ago, opentype said: What is not true? If that option is turned on, can I not pull down the login form as guest from an http page? If you set the site to use SSL for logins, all login pages use https/ssl. If you are having any trouble with this, please submit a ticket if needed.
Nathan Explosion Posted January 24, 2017 Posted January 24, 2017 Rhett - the login process will use https, that is correct. But the username/password field is still on a http only page, and the drop down of it doesn't change that That is what the issue is with what people are getting from Google.
Colonel_mortis Posted January 24, 2017 Posted January 24, 2017 4 minutes ago, Rhett said: If you set the site to use SSL for logins, all login pages use https/ssl. If you are having any trouble with this, please submit a ticket if needed. Every page is a login page, since every page has a login dropdown. That means that it is not secure (even if you submit to HTTPS, because an attacker can modify the page), and Chrome and Firefox both flag it as such.
Rhett Posted January 24, 2017 Posted January 24, 2017 9 minutes ago, Nathan Explosion said: Rhett - the login process will use https, that is correct. But the username/password field is still on a http only page, and the drop down of it doesn't change that That is what the issue is with what people are getting from Google. 7 minutes ago, Colonel_mortis said: Every page is a login page, since every page has a login dropdown. That means that it is not secure (even if you submit to HTTPS, because an attacker can modify the page), and Chrome and Firefox both flag it as such. That sounds more like a false positive in this case on googles end if so, if the form is loaded and submitted over https, it's not insecure.
Colonel_mortis Posted January 24, 2017 Posted January 24, 2017 4 minutes ago, Rhett said: The login form on all pages should be using https if you have it set to, even the drop down, if it's not please submit a ticket. No, the dropdown login box, #elUserSignIn_menu, is embedded into every page, including the ones loaded over HTTP. The form submits to a HTTPS origin (probably, I've not actually checked since I don't have a site with that configuration to hand), but, as I explained in my previous post, that is not sufficient. My site uses HTTPS for everything, so I can't submit a ticket (which would result in me being told to submit a feature request anyway), but this is an issue. Admins should have the option to remove the dropdown login box.
Rhett Posted January 24, 2017 Posted January 24, 2017 Just now, Colonel_mortis said: No, the dropdown login box, #elUserSignIn_menu, is embedded into every page, including the ones loaded over HTTP. The form submits to a HTTPS origin (probably, I've not actually checked since I don't have a site with that configuration to hand), but, as I explained in my previous post, that is not sufficient. My site uses HTTPS for everything, so I can't submit a ticket (which would result in me being told to submit a feature request anyway), but this is an issue. Admins should have the option to remove the dropdown login box. I'll do some testing, the sole purpose for ssl for logins to do just that, if it's not working in this manner, we can get it fixed. Thanks for the info.
bradl Posted January 24, 2017 Posted January 24, 2017 Quote But what about the external pics? IPS now has natively an option to copy-and-cache remote images so that 'remote' images are served from the local (SSL) source, avoiding mixed-content. In the ACP you can also specify an expiry time for the cache after which the image will be re-fetched and re-cached if called for.
EricT Posted January 24, 2017 Posted January 24, 2017 1 hour ago, bradl said: IPS now has natively an option to copy-and-cache remote images so that 'remote' images are served from the local (SSL) source, avoiding mixed-content. In the ACP you can also specify an expiry time for the cache after which the image will be re-fetched and re-cached if called for. I can't find the settings on ACP. Coudl you help me ? Thank you
bradl Posted January 24, 2017 Posted January 24, 2017 Systems → Settings → Posting although I usually get to it by typing SSL in the ACP search pane and it pops up automatically.
Apfelstrudel Posted January 25, 2017 Author Posted January 25, 2017 That was my point. At the moment all pages are login pages and from Googles point of view they need to be within a SSL page. So we need a feature to replace the pulldown with a link to the ssl login page. Then there is no need to have the complete forum ssl-ed. 11 hours ago, bradl said: Systems → Settings → Posting although I usually get to it by typing SSL in the ACP search pane and it pops up automatically. 12 hours ago, bradl said: IPS now has natively an option to copy-and-cache remote images Thanks. I already found this setting but I'm a little bit concerned about the copyright issue. If I cache those remote images that they are on my server (from technical point of view) and this could cause troubles.
Andy Millne Posted January 25, 2017 Posted January 25, 2017 1 hour ago, Apfelstrudel said: Thanks. I already found this setting but I'm a little bit concerned about the copyright issue. If I cache those remote images that they are on my server (from technical point of view) and this could cause troubles. This is not legal advice but it is no different to users copying an image from another site and uploading to yours. You can still remove the images after a report of any infringement.
Apfelstrudel Posted January 25, 2017 Author Posted January 25, 2017 Sorry Andy, but here in Europe it might be different. Some courts said that having an image on my server (even as cache) is "some sort of" owning it. Unfortunately. But it could be different depending on the location and country.
Andy Millne Posted January 25, 2017 Posted January 25, 2017 Just now, Apfelstrudel said: Sorry Andy, I have to correct you. Here in Europe it might be different. Some courts said that having an image on my server (even as cache) is "some sort of" owning it. Unfortunately. But it could be different depending on the location and country. Yes I realise what you are saying and I'm not getting into the law but like I say if you have attachment uploads enabled you are already allowing this. I am also in Europe btw
Apfelstrudel Posted January 25, 2017 Author Posted January 25, 2017 6 minutes ago, Andy Millne said: if you have attachment uploads enabled you are already allowing this On the other side that's true. But in this case I, as the owner, can say it was the decision of the user and the admin was not aware of it but caching all images by script it was definitely my intension to do so. In the meantime here in our country admins are only responsible for problems if they are aware of issues. So here it might be a difference. Anyway I understand you and I'm just asking how I could eliminte this issue. But I think I can't.
Andy Millne Posted January 25, 2017 Posted January 25, 2017 Yes it's one of the many vagaries in Internet law unfortunately and I'm not aware of it ever being tested in court. If you're concerned, in practice I would expect so long as you stated in your terms that links should not be added to copyrighted material, you only cached on a temporary basis and were pro active about removal after reports of infringement then I would be extremely surprised if anything more came of it.
opentype Posted January 25, 2017 Posted January 25, 2017 12 minutes ago, Andy Millne said: … it is no different to users copying an image from another site and uploading to yours. Correct, but uploading/local caching is very different in a legal sense than just embedding from a different server. So a forum site in Europe can have thousands of images like that, which are no problem, but become one after the switch to SSL.
Andy Millne Posted January 25, 2017 Posted January 25, 2017 1 minute ago, opentype said: So a forum site in Europe can have thousands of images like that, which are no problem, but become one after the switch to SSL. You should probably just Brexit
opentype Posted January 25, 2017 Posted January 25, 2017 I am not opposed to these copyright laws. I am a creator myself and don’t want my content to by uploaded to other server without my permission and out of my control.
Apfelstrudel Posted January 25, 2017 Author Posted January 25, 2017 16 hours ago, Rhett said: I'll do some testing, the sole purpose for ssl for logins to do just that, if it's not working in this manner, we can get it fixed. Thanks for the info. Could you please keep us posted on this testings? We would need this solution asap.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.